Process Termination
Enabled by default
Service: Microsoft Windows Security auditing
Log type: Security
Applications closing is routine on any computer, but process termination events can reveal unusual software being closed and help build a timeline of events.
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4689'} -MaxEvents 1 | Format-List
auditpol /get /subcategory:"Process Termination"
auditpol /set /subcategory:"Process Termination" /Success:Disable /Failure:Disable
auditpol /set /subcategory:"Process Termination" /Success:Enable /Failure:Enable
Compliance
HIPAA
Level: Recommended
PCI DSS
Level: Recommended
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599
To view the process termination log, open the Windows Event Viewer and go to the Security log. Next, sort or filter the log by Event ID 4689.
![](/images//ProcessTermination/WEV.png)
To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command `Get-WinEvent -FilterHashTable @{LogName='Security';ID='4689'} -MaxEvents 1 | Format-List`
![](/images//ProcessTermination/CLI-gwe.png)
To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command `wevtutil qe Security "/q:*[System [(EventID=4689)]]"`
![](/images//ProcessTermination/CLI-wevt.png)
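
To build the timeline of events mentioned above rather than read events one at a time, the following PowerShell is an added example (not part of the original page): it parses the XML of Event ID 4689 records into objects and marks terminations of processes on a watch list. The function names, the watch list and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Sample records below are constructed, not real log data.
function ConvertFrom-Event4689Xml {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml,
        [string[]]$WatchList = @()   # image names whose exit deserves a look (assumption)
    )
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        # EventData is a flat list of <Data Name="...">value</Data>; index it by name.
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $image = ($data.ProcessName -split '\\')[-1]
        [pscustomobject]@{
            # ISO 8601 UTC string; kept as text, which still sorts chronologically.
            TimeUtc     = $evt.System.TimeCreated.SystemTime
            User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            ProcessId   = [Convert]::ToInt32($data.ProcessId, 16)   # logged as hex, e.g. 0xc88
            ProcessName = $data.ProcessName
            ExitStatus  = $data.Status
            Watched     = $image -in $WatchList
        }
    }
}

# Builds one constructed 4689 record in the shape returned by EventLogRecord.ToXml().
function New-Sample4689Xml($Time, $User, $ProcId, $Path, $Status) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4689</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="Status">$Status</Data>
    <Data Name="ProcessId">$ProcId</Data>
    <Data Name="ProcessName">$Path</Data>
  </EventData>
</Event>
"@
}

$watch   = 'MsMpEng.exe', 'Sysmon64.exe'   # hypothetical watch list
$samples = @(
    New-Sample4689Xml '2021-09-14T18:20:03.1000000Z' 'SYSTEM' '0x1f4' 'C:\Windows\Sysmon64.exe' '0x1'
    New-Sample4689Xml '2021-09-14T18:14:12.5990000Z' 'alice'  '0xc88' 'C:\Windows\System32\notepad.exe' '0x0'
)
$samples | ConvertFrom-Event4689Xml -WatchList $watch | Sort-Object TimeUtc | Format-Table -AutoSize

# Live use from an elevated prompt:
# Get-WinEvent -FilterHashtable @{LogName='Security';ID=4689} -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4689Xml -WatchList $watch
```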