Event ID 4688: What Is It & How to Enable It

Check out the overview of the Event ID 4688

by Henderson Jayden Harper
Henderson Jayden Harper
Henderson Jayden Harper
Passionate about technology, Crypto, software, Windows, and everything computer-related, he spends most of his time developing new skills and learning more about the tech world. He also enjoys... read more
Reviewed by Alex Serban
Alex Serban
Alex Serban
Windows Server & Networking Expert
After moving away from the corporate work-style, Alex has found rewards in a lifestyle of constant analysis, team coordination and pestering his colleagues. Holding an MCSA Windows Server... read more
Affiliate Disclosure
  • Event ID 4688 is a process creation event on the windows event viewer.
  • It’s a part of the advanced windows security audit policy.
  • Note that Event ID 4688 is either enabled by group or local policy.
event id 4688

To fix various PC problems, we recommend Restoro PC Repair Tool:
This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues and remove viruses now in 3 easy steps:

  1. Download Restoro PC Repair Tool that comes with Patented Technologies (patent available here).
  2. Click Start Scan to find Windows issues that could be causing PC problems.
  3. Click Repair All to fix issues affecting your computer's security and performance
  • Restoro has been downloaded by 0 readers this month.

Many processes on the Windows PC. Some can’t be trusted, while some are marked as trusted by the Security Identifier. Event ID 4688 is a process creation command written in Windows viewer as Event ID 4688.

Alternatively, you can check on Fix: Event ID 4648 A Logon Was Attempted Using Credentials.

What is event ID 4688?

On a Windows computer, an event process is simply a running program. The Windows Event Viewer Windows event log provides an in-depth record of events concerning the system, security, and application stored on the windows operating system.

Many processes will be started as part of the operation on a standard workstation or server throughout a working day. Consequently, malware frequently starts one or more processes as part of its operation.

However, Event ID 4688 can log these malicious activities with process creation events. If their malware activities appear in log files, they can be detected and tracked using thread haunting.

So, it starts a new process that contains information such as time, process name, parent process, source, level, computer, etc.

How do I enable the event ID 4688?

1. Via the Group policy

  1. Press the Windows + R keys to launch the Run window, type gpedit.msc, and click OK.
  2. Navigate through this path: Windows Settings\ Security Settings\ Advanced Audit Policy Configuration\ Audit Policies\ Detailed Tracking\ Audit Process Creation
  3. Also, double-click on the Include Command Line in Process Creation Events, select Enabled, and click OK.

Event viewer on Windows will record all process creation logs on Windows. Furthermore, you can read more on Event viewer on Windows.

2. Enabling Event ID 4688 with local policy

  1. Left-click the Start button, search the Event viewer, and launch it.
  2. Also, select the Windows Logs and click Security from the top left corner.
  3. Choose the Event and click on the Filter Current log from the right side.
  4. Select the Event ID bar from the pop-up menu, type in 4688, and click OK.
  5. It will display the event process creation records.

Event ID 4688 is an advance window policy. Enabling the event process creation with the windows event viewer makes it more accessible.

Also, users can protect themselves from malware with our guide on how to download Microsoft’s Malicious Software Removal Tool.

Let us know how the procedure went for you in the comments area below.

Still having issues? Fix them with this tool:


If the advices above haven't solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on TrustPilot.com) to easily address them. After installation, simply click the Start Scan button and then press on Repair All.

This article covers:Topics: