Event ID 4688: What Is It & How to Enable It

Check out the overview of the Event ID 4688

Reading time icon 2 min. read


Readers help support Windows Report. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help Windows Report effortlessly and without spending any money. Read more

Key notes

  • Event ID 4688 is a process creation event on the windows event viewer.
  • It’s a part of the advanced windows security audit policy.
  • Note that Event ID 4688 is either enabled by group or local policy.
event id 4688

Many processes on the Windows PC. Some can’t be trusted, while some are marked as trusted by the Security Identifier. Event ID 4688 is a process creation command written in Windows viewer as Event ID 4688.

Alternatively, you can check on Fix: Event ID 4648 A Logon Was Attempted Using Credentials.

What is event ID 4688?

On a Windows computer, an event process is simply a running program. The Windows Event Viewer Windows event log provides an in-depth record of events concerning the system, security, and application stored on the windows operating system.

Many processes will be started as part of the operation on a standard workstation or server throughout a working day. Consequently, malware frequently starts one or more processes as part of its operation.

However, Event ID 4688 can log these malicious activities with process creation events. If their malware activities appear in log files, they can be detected and tracked using thread haunting.

So, it starts a new process that contains information such as time, process name, parent process, source, level, computer, etc.

How do I enable the event ID 4688?

1. Via the Group policy

  1. Press the Windows + R keys to launch the Run window, type gpedit.msc, and click OK.
  2. Navigate through this path: Windows Settings\ Security Settings\ Advanced Audit Policy Configuration\ Audit Policies\ Detailed Tracking\ Audit Process Creation
  3. Also, double-click on the Include Command Line in Process Creation Events, select Enabled, and click OK.

Event viewer on Windows will record all process creation logs on Windows. Furthermore, you can read more on Event viewer on Windows.

2. Enabling Event ID 4688 with local policy

  1. Left-click the Start button, search the Event viewer, and launch it.
  2. Also, select the Windows Logs and click Security from the top left corner.
  3. Choose the Event and click on the Filter Current log from the right side.
  4. Select the Event ID bar from the pop-up menu, type in 4688, and click OK.
  5. It will display the event process creation records.

Event ID 4688 is an advance window policy. Enabling the event process creation with the windows event viewer makes it more accessible.

Also, users can protect themselves from malware with our guide on how to download Microsoft’s Malicious Software Removal Tool.

Let us know how the procedure went for you in the comments area below.

More about the topics: event log viewers