Windows Security Log Event ID 4689
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Process Tracking
• Process Termination |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
593
|
4689: A process has exited
On this page
Event 4689 documents when a process ends.
When you start a program you are creating a "process" that stays open until the program exits. This process is identified by the Process ID:.
You can use this event to tell how long the program ran by correlating it to the earlier 4688 with the same Process ID.
Free Security Log Resources by Randy
Subject:
The user and logon session that the program ran under.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Process Information:
- Process ID: is a semi-unique (unique between reboots) number that identifies the process. Process ID allows you to correlate other events logged during the same process. To determine when the program started look for a previous event 4688 with the same Process ID.
- Process Name: The full path of the executable
- Exit Status: the exit code of the process - normally 0.
Setup PowerShell Audit Log Forwarding in 4 Minutes