Windows 10: Event ID 4688 not showing anything, but 4696 does

Discus and support Event ID 4688 not showing anything, but 4696 does in Windows 10 Software and Apps to solve the problem; Hi,I have turned on Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation =... Discussion in 'Windows 10 Software and Apps' started by ZXZS, Nov 5, 2022.

  1. ZXZS
    ZXZS Win User

    Event ID 4688 not showing anything, but 4696 does


    Hi,I have turned on Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation = Success. And according to this : https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation I should get both event 4688 and event 4696. But I only get logs for 4696. And they don't show all of the programs that were started. Also I implemented MS Security Baseline for Win 11 22H2 from here: https://www.microsoft.com/en-us/download/details.aspx?id=55319What else do I have to enable to get e

    :)
     
    ZXZS, Nov 5, 2022
    #1
  2. ZXZS
    ZXZS Win User

    Event ID 4688 not showing anything, but 4696 does

    Hi,

    I have turned on Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation = Success.

    And according to this :

    Audit Process Creation (Windows 10) - Windows security I should get both event 4688 and event 4696. But I only get logs for 4696. And they don't show all of the programs that were started.

    Also I implemented MS Security Baseline for Win 11 22H2 from here:

    https://www.microsoft.com/en-us/download/details.aspx?id=55319

    What else do I have to enable to get event 4688 ?
     
    ZXZS, Nov 5, 2022
    #2
  3. LAKEBERG
    LakeBerg Win User
    Event viewer - Event id 4688

    I tried to create a custom view, with Windows Logs as the event log, and 4688 as the event ID. I had no other changed settings, and I expected this to give me a stream of events showing whenever I opened an application. Instead I only got events related
    to Microsoft processes.

    I want to have this because I want to run a program whenever a specific program runs.

    I wonder if there is a problem with how I created the custom view, or if there is a different way to see when a program

    Edit : As per Igor Leyko's reply, I have tried to enable process auditing. I have done so in :

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Detailed Tracking\Audit Process Creation

    But still it doesn't work, maybe I missed a setting, I'm not sure.
     
    LakeBerg, Nov 5, 2022
    #3
  4. IGOR LEYKO
    Igor Leyko Win User

    Event ID 4688 not showing anything, but 4696 does

    Igor Leyko, Nov 5, 2022
    #4
Thema:

Event ID 4688 not showing anything, but 4696 does

Loading...

  1. Event ID 4688 not showing anything, but 4696 does - Similar Threads - Event 4688 showing

  2. Need Thoughts on These Event 4688 and WMI Event 5861 Instances

    in Windows 10 Gaming
    Need Thoughts on These Event 4688 and WMI Event 5861 Instances: so my PC has a little bit of a kink to it where sometimes, during boot, the VGA light on the motherboard will hang and fast startup will fail; eventually, the monitor and Windows will come up as normal and everything will function perfectly fine. it's done this since I got...

  3. Need Thoughts on These Event 4688 and WMI Event 5861 Instances

    in Windows 10 Software and Apps
    Need Thoughts on These Event 4688 and WMI Event 5861 Instances: so my PC has a little bit of a kink to it where sometimes, during boot, the VGA light on the motherboard will hang and fast startup will fail; eventually, the monitor and Windows will come up as normal and everything will function perfectly fine. it's done this since I got...

  4. Event 1108 due to Event 4688

    in Windows 10 Gaming
    Event 1108 due to Event 4688: The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.None of my process creation event is being logged. All these logs are thrown as event 1108 with error code 15003 and 15005. Don't know what to...

  5. Event 1108 due to Event 4688

    in Windows 10 Software and Apps
    Event 1108 due to Event 4688: The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.None of my process creation event is being logged. All these logs are thrown as event 1108 with error code 15003 and 15005. Don't know what to...

  6. Event ID 4688 not showing anything, but 4696 does

    in Windows 10 Gaming
    Event ID 4688 not showing anything, but 4696 does: Hi,I have turned on Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation = Success. And according to this :...

  7. Event viewer does not show event with ID 4689 on windows client

    in Windows 10 Gaming
    Event viewer does not show event with ID 4689 on windows client: Hello,I would like to see the event with ID 4689 in the event viewer. This event normally indicates that a process has exited. When I want to test this by stopping and starting the print spooler event for example, I can see this in the event viewer of my windows server....

  8. Event viewer does not show event with ID 4689 on windows client

    in Windows 10 Software and Apps
    Event viewer does not show event with ID 4689 on windows client: Hello,I would like to see the event with ID 4689 in the event viewer. This event normally indicates that a process has exited. When I want to test this by stopping and starting the print spooler event for example, I can see this in the event viewer of my windows server....

  9. Event viewer does not show event with ID 4689 on windows client

    in Windows 10 BSOD Crashes and Debugging
    Event viewer does not show event with ID 4689 on windows client: Hello,I would like to see the event with ID 4689 in the event viewer. This event normally indicates that a process has exited. When I want to test this by stopping and starting the print spooler event for example, I can see this in the event viewer of my windows server....

  10. Event viewer - Event id 4688

    in Windows 10 Customization
    Event viewer - Event id 4688: I tried to create a custom view, with àwindows as the event log, and 4688 as the event ID. I had no other changed settings, and I expected this to give me a stream of events showing whenever I opened an application. Instead I only got events related to Microsoft processes....