Windows Event ID 4688 — Process Created
Logged every time a new process is created on Windows. Requires Process Creation auditing to be enabled via Group Policy. With command-line logging enabled, 4688 captures the full arguments passed to each process — making it one of the most operationally valuable events for detecting living-off-the-land attacks, script-based execution, parent-child anomalies, and encoded payload delivery.
MITRE ATT&CK
T1059 · Command and Scripting Interpreter
Execution
Why It Matters
Most attacks that execute code on Windows generate 4688 events. Without command-line logging, 4688 shows only the executable name; with it, you see the full command including encoded payloads, remote file paths, and LOLBin-specific flags. Parent-child relationships are the most reliable detection signal: legitimate applications have predictable parents, and deviations — Office spawning PowerShell, explorer.exe launching cmd.exe with base64 arguments — are near-definitive malicious execution indicators.
Key Fields
Investigation Tips
1. Enable command-line logging first — without it, 4688 shows only the executable name and is far less valuable. GPO path: Computer Configuration → Administrative Templates → System → Audit Process Creation → 'Include command line in process creation events' → Enabled.
2. Parent-child anomaly: Office apps (winword.exe, excel.exe, powerpnt.exe, onenote.exe) spawning cmd.exe, powershell.exe, wscript.exe, mshta.exe, or cscript.exe = malicious macro or phishing document execution. Make this a high-priority alert with no exceptions.
3. Encoded PowerShell: look for -EncodedCommand or -enc in the command line. Legitimate PowerShell scripts rarely use encoding; attackers encode to bypass string-matching detection and obscure the payload. Decode with [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('...')) and inspect.
4. LOLBin patterns to alert on: certutil.exe -urlcache or -decode (file download/decode); bitsadmin.exe /transfer (background downloader); regsvr32.exe /s /n /u /i:http (remote scriptlet — Squiblydoo, no disk write); mshta.exe with http:// argument (HTA payload); rundll32.exe executing non-System32 DLLs; wscript.exe/cscript.exe from Temp or AppData.
5. Process masquerading: check that New Process Name paths match expected locations. Legitimate svchost.exe is always in C:\Windows\System32\. Any executable with a system-process name but running from Users\, Temp\, or Desktop\ is masquerading — a common malware technique.
6. PPID spoofing: attackers can forge the parent PID to make malicious code appear as a child of a trusted process (e.g., appearing as a child of explorer.exe). Detect by correlating New Process ID lineage — if the reported parent has no matching 4688 event from the expected time, the parent PID is spoofed.
7. Short-lived encoded processes: 4688 (powershell.exe -enc ...) immediately followed by 4689 (exit) = one-shot command execution. Attackers run a single command and exit to minimize presence in running process lists and reduce dwell time.
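Tips 6 and 7 depend on correlating events rather than reading one 4688 on its own. The Python below is an added example, not code from this page or from EventPeeker: it walks a small constructed 4688/4689 sequence, resolves each event's Creator Process ID to a live creation record (a creator that already exited and had its PID reused does not count), and pairs encoded powershell.exe launches with their own exit event. The ProcEvent field names, the sample PIDs, paths and times, and the five-second window are assumptions made for the illustration; the sample also shows the benign reason a creator can be missing (it started before the first record in the log), which is the caveat to check before calling a gap PPID spoofing.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ProcEvent:
    """Subset of 4688/4689 fields the correlation needs (attribute names are assumed)."""
    event_id: int                       # 4688 = process created, 4689 = process exited
    time: datetime
    pid: int                            # New Process ID (4688) / Process ID (4689)
    image: str                          # New Process Name / Process Name
    creator_pid: Optional[int] = None   # Creator Process ID (4688 only)
    command_line: str = ""              # Process Command Line (4688, needs command-line logging)


def ts(hhmmss: str) -> datetime:
    return datetime.fromisoformat(f"2024-05-01T{hhmmss}")


EXPLORER = r"C:\Windows\explorer.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample log (not real data), already in time order.
SAMPLE_LOG = [
    # explorer.exe's creator started before this log window: no 4688 for PID 4100 exists here
    ProcEvent(4688, ts("09:00:00"), 4200, EXPLORER, creator_pid=4100),
    ProcEvent(4688, ts("09:05:10"), 5120, NOTEPAD, creator_pid=4200, command_line="notepad.exe"),
    ProcEvent(4689, ts("09:06:00"), 5120, NOTEPAD),
    # PID 5120 is reported as the creator, but that process exited a minute earlier
    ProcEvent(4688, ts("09:07:00"), 6000, CMD, creator_pid=5120, command_line="cmd.exe /c ver"),
    # one-shot encoded command (payload is constructed and decodes to Get-Date), exits 1 s later
    ProcEvent(4688, ts("09:08:00"), 6100, PWSH, creator_pid=4200,
              command_line="powershell.exe -enc RwBlAHQALQBEAGEAdABlAA=="),
    ProcEvent(4689, ts("09:08:01"), 6100, PWSH),
]


def creation_record(events, pid: int, before: datetime) -> Optional[ProcEvent]:
    """Latest 4688 for `pid` at or before `before` whose process had not exited by then.

    Windows reuses PIDs, so a creation record alone is not enough: a 4689 for the same
    PID between that creation and `before` means the creator slot has been recycled.
    """
    best = None
    for ev in events:
        if ev.event_id == 4688 and ev.pid == pid and ev.time <= before:
            if best is None or ev.time > best.time:
                best = ev
    if best is None:
        return None
    for ev in events:
        if ev.event_id == 4689 and ev.pid == pid and best.time <= ev.time <= before:
            return None
    return best


def unmatched_creators(events) -> list:
    """Tip 6: 4688 events whose Creator Process ID has no live creation record.

    PPID spoofing and a log boundary (creator started before the first record, or the
    log was cleared or rotated) both produce this; check the log's start time and the
    creator's own lineage before treating it as spoofing.
    """
    return [ev for ev in events
            if ev.event_id == 4688 and creation_record(events, ev.creator_pid, ev.time) is None]


# -e, -ec, -en, -enc and -EncodedCommand are all accepted spellings of the switch
ENCODED_SWITCH = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s")


def short_lived_encoded(events, window: timedelta = timedelta(seconds=5)) -> list:
    """Tip 7: encoded powershell.exe 4688 followed by its own 4689 within `window`.

    Returns (creation_event, lifetime) pairs. The first 4689 for the PID after the
    start is taken, which also copes with the PID being reused later in the log.
    """
    hits = []
    for start in events:
        if start.event_id != 4688 or not start.image.lower().endswith("\\powershell.exe"):
            continue
        if not ENCODED_SWITCH.search(start.command_line):
            continue
        for end in events:
            if (end.event_id == 4689 and end.pid == start.pid
                    and start.time <= end.time <= start.time + window):
                hits.append((start, end.time - start.time))
                break
    return hits


if __name__ == "__main__":
    for ev in unmatched_creators(SAMPLE_LOG):
        print(f"{ev.time:%H:%M:%S} PID {ev.pid} {ev.image}: creator PID {ev.creator_pid} has no live 4688")
    for start, life in short_lived_encoded(SAMPLE_LOG):
        print(f"{start.time:%H:%M:%S} PID {start.pid} encoded PowerShell lived {life.total_seconds():.0f}s")
```

Run against the sample, the lineage check reports explorer.exe (creator outside the log window) and the cmd.exe whose claimed creator had already exited, and the short-lived check reports the one-second encoded PowerShell process. In production the PID-reuse test matters most on long-running hosts, where a 4689 for the claimed creator between its start and the child's start is the difference between a real parent and a recycled PID.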
Detection Logic
Microsoft Sentinel (KQL) — detect Office-spawns-shell (macro/phishing delivery) and LOLBin command lines used for download, decode, or proxy execution.
// Office application spawning command interpreter — macro or phishing delivery
SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any (
"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "ONENOTE.EXE")
| where NewProcessName has_any (
"cmd.exe", "powershell.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
| project TimeGenerated, SubjectAccount, ParentProcessName,
NewProcessName, CommandLine, Computer
| sort by TimeGenerated desc
// LOLBin execution with suspicious arguments
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any (
"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe")
| where CommandLine has_any (
"-urlcache", "-decode", "/transfer", "http://", "https://",
"/s /n /u /i:", "-EncodedCommand", "-enc ")
| project TimeGenerated, SubjectAccount, NewProcessName, CommandLine, Computer
| sort by TimeGenerated desc
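The two KQL queries above and the single-event checks in Investigation Tips 2 to 5 (and the FAQ's list of combinations to always investigate) can be expressed as one small rule set that enriches each 4688 before an analyst sees it. The Python below is an added example, not code from this page or from EventPeeker: it applies the Office-parent, encoded-PowerShell (with the payload decoded, as the page's .NET one-liner does), LOLBin-argument, rundll32 DLL-path, script-host path and masquerading checks to constructed sample events. The ProcessCreated attribute names, the SYSTEM_ONLY entries other than svchost.exe, and every sample path, account and URL are assumptions.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Lookup tables built from the process names and flags the page lists.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
LOLBIN_ARGS = {                       # image -> argument substrings (download/decode/proxy execution)
    "certutil.exe": ("-urlcache", "-decode"),
    "bitsadmin.exe": ("/transfer",),
    "mshta.exe": ("http://", "https://"),
    "regsvr32.exe": ("/i:http",),     # matches /i:http:// and /i:https:// (Squiblydoo)
}
# Assumed list of names that only run from System32 on a healthy host; the page names svchost.exe.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
USER_PATHS = ("\\temp\\", "\\appdata\\")


@dataclass
class ProcessCreated:
    """The 4688 fields the rules read (attribute names assumed; comments give the event labels)."""
    subject_account: str
    creator_process_name: str   # Creator Process Name (parent image)
    new_process_name: str       # New Process Name (full path)
    command_line: str           # Process Command Line (empty unless command-line logging is on)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None when there is none.

    powershell.exe accepts prefixes of the switch (-e, -ec, -en, -enc, -EncodedCommand);
    the argument is Base64 of UTF-16LE text.
    """
    m = re.search(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None   # switch present but payload malformed: still worth an analyst's look


def triage(ev: ProcessCreated) -> list:
    """Apply the single-event checks to one 4688 and return its findings (empty = clean)."""
    findings = []
    parent, child = basename(ev.creator_process_name), basename(ev.new_process_name)
    image, cl = ev.new_process_name.lower(), ev.command_line.lower()
    if parent in OFFICE_PARENTS and child in INTERPRETERS:          # tip 2
        findings.append(f"office-spawns-interpreter: {parent} -> {child}")
    decoded = decode_encoded_command(ev.command_line) if child == "powershell.exe" else None
    if decoded is not None:                                          # tip 3
        findings.append(f"encoded-powershell: {decoded}")
    for arg in LOLBIN_ARGS.get(child, ()):                           # tip 4
        if arg in cl:
            findings.append(f"lolbin-args: {child} {arg}")
    if child == "rundll32.exe":
        dll = re.search(r'([a-z]:\\[^",\s]+\.dll)', cl)
        if dll and not dll.group(1).startswith(SYSTEM32):
            findings.append(f"rundll32-nonsystem-dll: {dll.group(1)}")
    if child in ("wscript.exe", "cscript.exe") and any(p in cl for p in USER_PATHS):
        findings.append(f"script-host-user-path: {child}")
    if child in SYSTEM_ONLY and not image.startswith(SYSTEM32):      # tip 5
        findings.append(f"masquerade: {child} from {ev.new_process_name}")
    return findings


def flagged(events) -> list:
    """(index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, f in ((i, triage(ev)) for i, ev in enumerate(events)) if f]


# Constructed sample events (not real log data): one benign, four that should be flagged.
SAMPLE_EVENTS = [
    ProcessCreated("CORP\\alice", "C:\\Windows\\explorer.exe",
                   "C:\\Windows\\System32\\notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ProcessCreated("CORP\\alice", "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                   "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                   "powershell.exe -enc RwBlAHQALQBEAGEAdABlAA=="),   # payload decodes to Get-Date
    ProcessCreated("CORP\\alice", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\certutil.exe",
                   "certutil.exe -urlcache -f http://files.example.invalid/u.txt u.txt"),
    ProcessCreated("NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\services.exe",
                   "C:\\Users\\Public\\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessCreated("CORP\\alice", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe",
                   "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll,Run"),
]

if __name__ == "__main__":
    for i, findings in flagged(SAMPLE_EVENTS):
        print(f"event {i} ({SAMPLE_EVENTS[i].new_process_name}): {'; '.join(findings)}")
```

The benign notepad.exe launch produces no finding; the WINWORD.EXE-to-powershell.exe event produces two (the parent-child anomaly and the decoded command), and the certutil, masquerading svchost.exe and Temp-path rundll32 events produce one each. Matching on the lower-cased basename rather than the raw New Process Name keeps the rules independent of the Office install path and of the mixed case Windows writes into the event.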
Frequently Asked Questions
- Why is Event ID 4688 flooding my Security log?
- Every process creation generates a 4688 — a busy Windows system can produce thousands per hour from background services, antivirus scans, browser processes, update agents, and user activity. The event itself is not the signal; what's inside it is. Instead of reducing 4688 volume, filter on specific child-parent combinations: powershell.exe spawned by WINWORD.EXE, cmd.exe spawned by svchost, certutil with -urlcache in the command line. Process creation auditing is the most valuable visibility you have — suppress noise through detection logic, not by disabling the event.
- Is Event ID 4688 malicious?
- The event itself is not malicious — it is a visibility record of every process that started. Malicious activity shows up in what's inside the event: the parent process (Office app spawning a shell = macro delivery), the command line flags (powershell.exe -EncodedCommand, certutil -urlcache -f, rundll32 loading a non-system DLL), and the executable path (process running from Temp, AppData, or a user-writable location). A 4688 for notepad.exe launched by a user from C:\Windows\System32 is benign. The same event for powershell.exe launched by WINWORD.EXE with a Base64-encoded command is an active attack.
- How do I enable command-line logging in Event ID 4688?
- By default, 4688 omits the command line — you see the process name but not the arguments. To enable full command-line logging: open Group Policy, go to Computer Configuration → Administrative Templates → System → Audit Process Creation, and enable 'Include command line in process creation events'. This is the single most valuable change for improving process execution visibility. Without it, you cannot detect encoded PowerShell, LOLBin abuse, or any attack that hides in command-line arguments.
- What processes in Event ID 4688 should I always investigate?
- High-priority parent-child combinations: powershell.exe or cmd.exe spawned by WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE, or any browser process (macro/phishing delivery); cmd.exe or powershell.exe spawned by svchost.exe or services.exe outside a known software deployment window (service-based persistence); wscript.exe or cscript.exe from Temp or AppData (script dropper); mshta.exe from any parent (HTML application abuse). High-priority command lines: certutil -urlcache or -decode (payload download/decoding), rundll32 with a DLL outside System32, regsvr32 with /s and a URL (/i:http://), bitsadmin /transfer (download via BITS).
Go deeper: the full Suspicious Process Creation — Abnormal Parent-Child Relationships guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.