EventPeeker
Event ID 4689 | Audit Success | Security

Windows Event ID 4689: Process Exited

Logged when a process terminates. Paired with 4688 it gives the full lifetime of a process.

Why It Matters

Short-lived processes that execute and immediately exit are common for one-shot attack tools (droppers, reconnaissance commands). The exit status code can also reveal crashes or unexpected terminations.

Key Fields

Process Name: The executable that exited
Exit Status: 0 = clean exit; non-zero may indicate a crash or error
Process ID: Links back to the 4688 event for this process

Investigation Tips

  1. Very short-lived processes (milliseconds between 4688 and 4689) executing cmd.exe with base64 arguments are suspicious.
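
The tip above as an added example (not EventPeeker's code): pair each 4689 with its 4688 by host and process ID, compute the lifetime, and flag short-lived cmd.exe runs that carry a base64-looking argument. The records, the `ev` helper, the 1000 ms threshold and the base64 heuristic are assumptions; CommandLine only appears in 4688 when command-line auditing is enabled.

```python
import base64
import re
from datetime import datetime

# Well-formed base64 run of at least 16 characters (heuristic, can match long words).
B64_TOKEN = re.compile(r"(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
BLOB = base64.b64encode(b"constructed sample payload").decode()  # harmless placeholder
CMD = r"C:\Windows\System32\cmd.exe"

def ev(eid, ts, pid, image, cmdline=None, status=None):
    """Build one constructed record using 4688/4689 EventData field names."""
    rec = {"EventID": eid, "Computer": "WS01", "TimeCreated": "2024-05-01T" + ts}
    if eid == 4688:
        rec.update(NewProcessId=pid, NewProcessName=image, CommandLine=cmdline)
    else:
        rec.update(ProcessId=pid, ProcessName=image, Status=status)
    return rec

SAMPLE_EVENTS = [  # constructed for this example, not taken from real logs
    ev(4688, "10:00:00.000", "0x1a2c", CMD, "cmd.exe /c echo " + BLOB),
    ev(4689, "10:00:00.120", "0x1a2c", CMD, status="0x0"),
    ev(4688, "10:00:05.000", "0x2b10", CMD, "cmd.exe /c dir"),
    ev(4689, "10:00:05.050", "0x2b10", CMD, status="0x0"),
    ev(4688, "10:01:00.000", "0x1a2c", CMD, "cmd.exe /k echo " + BLOB),  # PID reused
    ev(4689, "10:05:00.000", "0x1a2c", CMD, status="0x0"),
]

def has_base64_arg(command_line):
    """True if any argument after the program name is a base64-looking token."""
    return any(B64_TOKEN.fullmatch(t) for t in (command_line or "").split()[1:])

def short_lived_suspects(events, max_lifetime_ms=1000):
    """Pair each 4689 with the latest unmatched 4688 for the same host and PID."""
    open_starts, hits = {}, []
    for e in sorted(events, key=lambda r: r["TimeCreated"]):
        if e["EventID"] == 4688:
            open_starts[(e["Computer"], int(e["NewProcessId"], 16))] = e
        elif e["EventID"] == 4689:
            start = open_starts.pop((e["Computer"], int(e["ProcessId"], 16)), None)
            if start is None:
                continue  # exit seen without a logged start (e.g. log rolled over)
            t0, t1 = (datetime.fromisoformat(r["TimeCreated"]) for r in (start, e))
            ms = round((t1 - t0).total_seconds() * 1000)
            is_cmd = start["NewProcessName"].lower().endswith("\\cmd.exe")
            if ms <= max_lifetime_ms and is_cmd and has_base64_arg(start["CommandLine"]):
                hits.append({"pid": e["ProcessId"], "lifetime_ms": ms,
                             "exit_status": e["Status"], "command_line": start["CommandLine"]})
    return hits
```

Because Windows reuses process IDs, each start is removed from the lookup once its exit is seen, so the later long-running process with the same PID is not confused with the first one.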

Related Event IDs

4688: Process creation — the matching start event
