Event ID 4689 - A process has exited
|Sub category||Process termination|
|Description||A process has exited|
In Active Directory, when a program is terminated, event ID 4689 is logged.
This log data gives the following information:
|Subject: User who performed the action||
Why event ID 4689 needs to be monitored?
- Prevention of privilege abuse
- Detection of potential malicious activity
- Operational purposes like getting information on user activity like user attendance, peak logon times, etc.
- Compliance mandates
User management audit reports from ADAudit Plus help in monitoring user management actions in real-time and maintaining a record of actions done by users, administrators and technicians that helps in efficient functioning of an organization.
Event 4689 applies to the following operating systems:
- Windows Server 2008 R2 and Windows 7
- Windows Server 2012 R2 and Windows 8.1
- Windows Server 2016 and Windows 10
- Corresponding event ID for 4689 in Windows Server 2003 and older is 593
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools