Windows Event ID 4689 — Process Exited
Logged when a process terminates. Paired with 4688 it gives the full lifetime of a process.
Why It Matters
Short-lived processes that execute and immediately exit are common for one-shot attack tools (droppers, reconnaissance commands). The exit status code can also reveal crashes or unexpected terminations.
Key Fields
Investigation Tips
1. Very short-lived processes (milliseconds between 4688 and 4689) executing cmd.exe with base64 arguments are suspicious.
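The pairing and the short-lifetime rule above, as an added example that is not part of this page or of EventPeeker: the Python below matches each 4689 to its 4688 by PID and logon session (so a reused PID pairs with its own creation event), computes the lifetime and exit status, and flags cmd.exe instances that exited within 500 ms carrying a base64 run. The event dicts are constructed sample data; the field names (NewProcessId, ProcessId, Status, SubjectLogonId, CommandLine) are those of the Security-log EventData, and the 500 ms threshold is an assumption.

```python
import base64
import re
from datetime import datetime

# Constructed sample events (not from any real log), as EventData of Security 4688/4689,
# in time order. 4688 names the child NewProcessId; 4689 reports the same PID as ProcessId.
_ENC = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()  # benign payload
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-05-01T10:00:00.000Z", "SubjectLogonId": "0x3e7",
     "NewProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc " + _ENC},
    {"EventID": 4689, "TimeCreated": "2024-05-01T10:00:00.085Z", "SubjectLogonId": "0x3e7",
     "ProcessId": "0x1a2c", "ProcessName": r"C:\Windows\System32\cmd.exe", "Status": "0x0"},
    {"EventID": 4688, "TimeCreated": "2024-05-01T10:01:00.000Z", "SubjectLogonId": "0x3e7",
     "NewProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},  # PID 0x1a2c reused by a benign, longer-lived process
    {"EventID": 4689, "TimeCreated": "2024-05-01T10:01:02.500Z", "SubjectLogonId": "0x3e7",
     "ProcessId": "0x1a2c", "ProcessName": r"C:\Windows\System32\cmd.exe", "Status": "0xc0000005"},
]

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # a long run of base64 alphabet
SHORT_LIVED_MS = 500  # assumed threshold; tune to the environment

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def pair_lifetimes(events):
    """Match each 4689 to the most recent unmatched 4688 with the same PID and logon
    session, returning one record per completed process lifetime."""
    open_procs = {}  # (pid, logon id) -> 4688 still awaiting its 4689
    lifetimes = []
    for ev in sorted(events, key=lambda e: _ts(e["TimeCreated"])):
        if ev["EventID"] == 4688:
            open_procs[(ev["NewProcessId"], ev["SubjectLogonId"])] = ev
        elif ev["EventID"] == 4689:
            start = open_procs.pop((ev["ProcessId"], ev["SubjectLogonId"]), None)
            if start is None:
                continue  # exit with no recorded creation (log gap or process older than the log)
            ms = (_ts(ev["TimeCreated"]) - _ts(start["TimeCreated"])).total_seconds() * 1000
            lifetimes.append({"pid": ev["ProcessId"], "image": start["NewProcessName"],
                              "cmdline": start.get("CommandLine", ""),
                              "lifetime_ms": ms, "exit_status": ev["Status"]})
    return lifetimes

def suspicious_short_lived(lifetimes):
    """Apply the tip above: cmd.exe that exited within SHORT_LIVED_MS with a base64 argument."""
    return [p for p in lifetimes
            if p["image"].lower().endswith("\\cmd.exe")
            and p["lifetime_ms"] < SHORT_LIVED_MS
            and BASE64_RUN.search(p["cmdline"])]
```

On the sample data the first cmd.exe (85 ms, encoded argument) is flagged; the reused PID pairs correctly with its own 4688 and its non-zero exit status (a crash-style NTSTATUS) is preserved for triage.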
Go deeper: the full Suspicious Process Creation — Abnormal Parent-Child Relationships guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.