4689 A process has exited
Written every time a process exits. Paired with 4688 (process creation), it lets you understand a process’s lifetime and when a suspicious process disappeared.
Overview
The subcategory is Audit Process Termination. It is generated when a process exits, recording the name, ID, and executing account of the terminated process. It ties to 4688 via Process ID, letting you reconstruct the span from a process’s start to its end.
How it is triggered
- Any process exit (whether a normal exit or a forced termination).
- An exit code (Exit Status) may be included.
Security review points
- It is material for understanding how long a suspicious process (detected via 4688) ran. A short-lived process (gone right after starting) can indicate intent to leave no trace after execution.
- Unexpected termination of monitoring or defensive processes (EDR agents, log forwarders) is a focal point for suspecting defense evasion.
Notes for log review
- Process exits appear in volume like 4688. The main use is tracking the process lifecycle in combination with 4688, rather than reading it alone.
- Exit events do not always pair one-to-one with creation events (due to audit-setting differences or missed records). Treat lifetime analysis as supplementary.
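As an added example (not part of the original reference), the 4688/4689 pairing described above in Python over constructed sample records: it matches exits to starts by Process ID in time order, keeps a reused PID or an exit with no recorded start as an unpaired record rather than mis-pairing it, and flags short-lived processes and exits of monitoring processes. The names in `DEFENSIVE_NAMES` and all event values are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log data); 4688 "New Process ID" and 4689 "Process ID" are hex strings in the log.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 4688, "pid": "0x1a2c", "name": r"C:\Windows\System32\cmd.exe", "account": "alice"},
    {"ts": "2024-05-01T09:00:01", "id": 4689, "pid": "0x1a2c", "name": r"C:\Windows\System32\cmd.exe", "account": "alice"},
    {"ts": "2024-05-01T09:05:00", "id": 4688, "pid": "0x0b10", "name": r"C:\Program Files\EDR\agent.exe", "account": "SYSTEM"},
    {"ts": "2024-05-01T09:30:00", "id": 4689, "pid": "0x0b10", "name": r"C:\Program Files\EDR\agent.exe", "account": "SYSTEM"},
    {"ts": "2024-05-01T09:31:00", "id": 4689, "pid": "0x0f00", "name": r"C:\Windows\notepad.exe", "account": "bob"},
    {"ts": "2024-05-01T09:40:00", "id": 4688, "pid": "0x1a2c", "name": r"C:\Windows\System32\svchost.exe", "account": "SYSTEM"},
]
DEFENSIVE_NAMES = {"agent.exe", "winlogbeat.exe"}   # assumed names of monitoring/log-forwarding processes
SHORT_LIVED = timedelta(seconds=2)

def pair_events(events):
    """Pair 4688 with 4689 by Process ID in timestamp order. PIDs are reused, so a fresh
    4688 for a PID that is still open closes the old entry with end=None; a 4689 with no
    open 4688 is kept with start=None. Unpaired records are surfaced, not dropped."""
    open_procs, done = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, ts = int(ev["pid"], 16), datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4688:
            if pid in open_procs:
                done.append(open_procs.pop(pid))
            open_procs[pid] = {"pid": pid, "name": ev["name"], "account": ev["account"], "start": ts, "end": None}
        elif ev["id"] == 4689:
            rec = open_procs.pop(pid, {"pid": pid, "name": ev["name"], "account": ev["account"], "start": None})
            rec["end"] = ts
            done.append(rec)
    return done + list(open_procs.values())

def review(lifetimes):
    """Return (base name, reason) pairs an analyst should look at."""
    flagged = []
    for rec in lifetimes:
        base = rec["name"].rsplit("\\", 1)[-1].lower()
        if rec["start"] is None or rec["end"] is None:
            flagged.append((base, "unpaired event"))
        elif rec["end"] - rec["start"] <= SHORT_LIVED:
            flagged.append((base, "short-lived process"))
        if rec["end"] and base in DEFENSIVE_NAMES:
            flagged.append((base, "defensive process exited"))
    return flagged

if __name__ == "__main__":
    for name, reason in review(pair_events(SAMPLE_EVENTS)):
        print(f"{reason}: {name}")
```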
Key fields
| Field | Meaning |
|---|---|
| Process Name | The terminated process |
| Process ID | The key for matching with 4688 |
| Subject\Account Name | The account that was running the process |