Windows Event ID 4111 – Microsoft-Windows-Kernel-Process: Process Creation Auditing Event

Event ID 4111 tracks process creation events in Windows when advanced auditing is enabled. This security-focused event provides detailed information about new processes, including parent process details and command line arguments.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 4111 represents a kernel-level process creation notification that Windows generates when the system creates a new process instance. This event occurs at a lower level than standard application logging and captures the moment when the Windows kernel allocates resources for a new process.

The event contains comprehensive metadata about the newly created process, including the process ID (PID), parent process information, executable path, command line arguments, and security token details. This information proves invaluable for security analysts investigating potential threats or system administrators troubleshooting application behavior.

Windows generates this event regardless of whether the process creation succeeds or fails, making it useful for detecting both successful attacks and failed exploitation attempts. The event timing occurs immediately after the kernel creates the process structure but before the process begins executing, providing a precise timestamp for forensic reconstruction.

In modern Windows environments, Event ID 4111 has become a cornerstone of endpoint detection and response (EDR) solutions. Security tools parse these events in real time to identify suspicious process trees, detect process hollowing techniques, and monitor for unauthorized privilege escalation. The event's rich metadata enables behavioral analysis that can distinguish between legitimate administrative activity and malicious actions.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User launching applications through Start menu, desktop shortcuts, or command line
  • Windows services starting during system boot or on-demand activation
  • Scheduled tasks executing at predetermined intervals
  • System processes spawning child processes for normal operations
  • Software installers creating temporary processes during installation
  • Security software scanning processes creating analysis threads
  • PowerShell or command prompt executing scripts and commands
  • Remote desktop sessions launching user shell processes
  • Windows Update service creating update processes
  • Malware or suspicious software attempting to execute
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the specific Event ID 4111 entries to understand what processes are being created and their context.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. In the Actions pane, click Filter Current Log
  4. Enter 4111 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4111 entries to examine details
  6. Review the General tab for process name, PID, and parent process information
  7. Check the Details tab for complete XML data including command line arguments
  8. Note the timestamp, user account, and logon session details

Look for unusual process names, suspicious command line arguments, or processes running under unexpected user accounts. Pay attention to processes spawned by common attack vectors like Office applications, browsers, or email clients.

02. Query Events with PowerShell

Use PowerShell to programmatically analyze Event ID 4111 patterns and extract specific information for investigation.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4111 entries:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific time range:
$StartTime = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111; StartTime=$StartTime}
$Events | Format-Table TimeCreated, Id, Message -Wrap
  4. Extract process creation details:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111} -MaxEvents 100
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    # NewProcessName/NewProcessId describe the created process; the plain ProcessId field holds the parent's PID
    $ProcessName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'}).'#text'
    # $PID is a read-only automatic variable in PowerShell (the shell's own PID), so use a different name
    $ProcId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessId'}).'#text'
    Write-Output "Time: $($Event.TimeCreated) | Process: $ProcessName | PID: $ProcId"
}
  5. Export results for further analysis:
New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null   # Export-Csv does not create the folder itself
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111} -MaxEvents 1000 | Export-Csv -Path "C:\Temp\ProcessCreation_4111.csv" -NoTypeInformation
03. Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture Event ID 4111 consistently and adjust logging levels as needed.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  3. Expand Detailed Tracking
  4. Double-click Audit Process Creation
  5. Check Configure the following audit events
  6. Select both Success and Failure checkboxes
  7. Click OK and close Group Policy Editor
  8. Update Group Policy by running:
gpupdate /force
  9. Verify the audit policy is active:
auditpol /get /category:"Detailed Tracking"
  10. For command line auditing, also enable:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
Pro tip: Enable command line auditing to capture full execution context, but be aware this increases log volume significantly in busy environments.
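The steps above set the policy; the script below checks whether the machine will actually record process-creation events with their command lines, and can apply the same two settings locally. It is an added example, not code from the original article. It assumes the CSV format that auditpol prints with /r (an "Inclusion Setting" column) and the registry value from step 10, and it must run from an elevated PowerShell session because auditpol requires administrator rights.

```powershell
# Added example (not from the original article): report, and optionally fix, the
# local Process Creation audit setting and the command-line inclusion value.
# Assumes auditpol's /r CSV output format and the registry value from step 10.
# Run from an elevated PowerShell session; auditpol needs administrator rights.

$AuditRegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Get-ProcessCreationAuditState {
    # /r switches auditpol to CSV output whose 'Inclusion Setting' column reads
    # 'Success and Failure', 'Success', 'Failure' or 'No Auditing'
    $rows = auditpol /get /subcategory:"Process Creation" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'

    $cmdLine = (Get-ItemProperty -Path $AuditRegPath -Name ProcessCreationIncludeCmdLine_Enabled `
        -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled

    [pscustomobject]@{
        AuditSetting        = $setting
        SuccessAudited      = [bool]($setting -match 'Success')
        FailureAudited      = [bool]($setting -match 'Failure')
        CommandLineIncluded = ($cmdLine -eq 1)
    }
}

function Test-ProcessCreationAuditing {
    param([switch]$Remediate)   # without -Remediate the function only reports
    $state = Get-ProcessCreationAuditState
    $problems = @()
    if (-not $state.SuccessAudited)      { $problems += 'Success auditing for Process Creation is disabled' }
    if (-not $state.FailureAudited)      { $problems += 'Failure auditing for Process Creation is disabled' }
    if (-not $state.CommandLineIncluded) { $problems += 'Command line is not included in process creation events' }

    if ($problems.Count -eq 0) {
        Write-Output 'Process creation auditing is fully configured'
        return $state
    }
    $problems | ForEach-Object { Write-Warning $_ }

    if ($Remediate) {
        # These are local settings; a domain GPO that configures the same values
        # overrides them at the next policy refresh, so fix the GPO for domain members.
        auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
        if (-not (Test-Path $AuditRegPath)) { New-Item -Path $AuditRegPath | Out-Null }
        Set-ItemProperty -Path $AuditRegPath -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
        return Get-ProcessCreationAuditState
    }
    return $state
}

Test-ProcessCreationAuditing | Format-List
```

Run `Test-ProcessCreationAuditing -Remediate` on a standalone machine to apply both settings; on domain members, correct the GPO instead, otherwise the next policy refresh silently reverts the local change.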
04. Analyze Process Trees and Parent-Child Relationships

Investigate suspicious process creation patterns by analyzing parent-child relationships and process execution chains.

  1. Create a PowerShell script to map process relationships:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111} -MaxEvents 500
$ProcessTree = @{}

foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $ProcessName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'}).'#text'
    $ProcessId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessId'}).'#text'
    $ParentProcessName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ParentProcessName'}).'#text'
    $ParentProcessId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'}).'#text'
    
    $ProcessTree[$ProcessId] = @{
        'ProcessName' = $ProcessName
        'ParentProcessId' = $ParentProcessId
        'ParentProcessName' = $ParentProcessName
        'TimeCreated' = $Event.TimeCreated
    }
}

$ProcessTree | ConvertTo-Json -Depth 3
  2. Identify suspicious process chains:
# Look for Office applications spawning unusual processes
$SuspiciousChains = $ProcessTree.GetEnumerator() | Where-Object {
    $_.Value.ParentProcessName -match "(winword|excel|powerpnt|outlook)" -and
    $_.Value.ProcessName -match "(powershell|cmd|wscript|cscript|rundll32)"
}

$SuspiciousChains | Format-Table -AutoSize
  3. Monitor for living-off-the-land techniques:
# Detect potential LOLBins usage
$LOLBins = @('certutil', 'bitsadmin', 'regsvr32', 'mshta', 'rundll32', 'installutil')
$SuspiciousLOL = $ProcessTree.GetEnumerator() | Where-Object {
    $LOLBins -contains ($_.Value.ProcessName -replace '.*\\', '' -replace '\.exe$', '')
}

$SuspiciousLOL | Select-Object @{N='PID';E={$_.Key}}, @{N='Process';E={$_.Value.ProcessName}}, @{N='Parent';E={$_.Value.ParentProcessName}}, @{N='Time';E={$_.Value.TimeCreated}}
Warning: High-volume environments may generate thousands of Event ID 4111 entries daily. Implement filtering and retention policies to manage log storage effectively.
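The scripts in methods 02 and 04 each look up fields with repeated Where-Object passes and stop at one parent level. The block below is an added example, not code from the original article: it parses each event's XML once into a flat object, applies the Office-parent, LOLBin and encoded-command checks, and walks the ancestry chain as far as the collected events allow. Field names (NewProcessName, NewProcessId, ProcessId, ParentProcessName, CommandLine, SubjectUserName) follow the scripts above; the three sample events are constructed so the script runs without access to a Security log.

```powershell
# Added example (not from the original article): parse each event's XML once into a flat
# object, then apply the Office-parent, LOLBin and encoded-command checks and print the
# full ancestry chain of every hit. Field names (NewProcessName, NewProcessId, ProcessId,
# ParentProcessName, CommandLine, SubjectUserName) follow the scripts above; the three
# sample events at the bottom are constructed so the script runs without a Security log.

function ConvertFrom-ProcessEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
        ProcessName = $data['NewProcessName']
        ProcessId   = [int]$data['NewProcessId']   # PIDs are logged as hex strings such as 0x1c30
        ParentName  = $data['ParentProcessName']
        ParentId    = [int]$data['ProcessId']      # 'ProcessId' is the creator (parent) PID
        CommandLine = $data['CommandLine']
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
}

function Get-BaseName([string]$Path) {
    # 'C:\Windows\explorer.exe' -> 'explorer'; empty when the field is absent (older Windows)
    if (-not $Path) { return '' }
    (Split-Path -Leaf $Path) -replace '\.exe$', ''
}

function Test-SuspiciousProcess($Record) {
    $child  = Get-BaseName $Record.ProcessName
    $parent = Get-BaseName $Record.ParentName
    $reasons = @()
    if (($parent -in 'winword','excel','powerpnt','outlook') -and
        ($child -in 'powershell','cmd','wscript','cscript','rundll32','mshta')) {
        $reasons += "Office application $parent spawned $child"
    }
    if ($child -in 'certutil','bitsadmin','regsvr32','mshta','rundll32','installutil') {
        $reasons += "LOLBin $child executed"
    }
    if ($Record.CommandLine -match '(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') {
        $reasons += 'Encoded PowerShell command line'
    }
    [pscustomobject]@{ Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Get-ProcessChain([hashtable]$Tree, [int]$ProcessId, [int]$MaxDepth = 10) {
    if (-not $Tree.ContainsKey($ProcessId)) { return '' }
    $rec = $Tree[$ProcessId]
    $chain = @()
    for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
        $chain = @(Get-BaseName $rec.ProcessName) + $chain
        if (-not $Tree.ContainsKey($rec.ParentId)) { break }   # parent pre-dates the window
        $rec = $Tree[$rec.ParentId]
    }
    # The top-most parent has no event of its own, so take its name from the child's event
    $chain = @(Get-BaseName $rec.ParentName) + $chain
    $chain -join ' > '
}

function New-SampleEventXml($Time, $NewId, $NewName, $ParentId, $ParentName, $CmdLine) {
    # Constructed test data shaped like a real process-creation event
    $cmd = [System.Security.SecurityElement]::Escape($CmdLine)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4111</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="SubjectDomainName">CONTOSO</Data><Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessId">$NewId</Data><Data Name="NewProcessName">$NewName</Data>
    <Data Name="ProcessId">$ParentId</Data><Data Name="ParentProcessName">$ParentName</Data>
    <Data Name="CommandLine">$cmd</Data>
  </EventData>
</Event>
"@
}

$word = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$sampleEvents = @(
    New-SampleEventXml '2026-03-18T09:00:00.000Z' '0x12a4' $word '0x0fd8' 'C:\Windows\explorer.exe' '"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'
    New-SampleEventXml '2026-03-18T09:00:07.000Z' '0x1c30' 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '0x12a4' $word 'powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'
    New-SampleEventXml '2026-03-18T09:01:00.000Z' '0x0b1c' 'C:\Windows\System32\svchost.exe' '0x02f0' 'C:\Windows\System32\services.exe' 'C:\Windows\System32\svchost.exe -k netsvcs'
)
$records = $sampleEvents | ForEach-Object { ConvertFrom-ProcessEventXml $_ }
# Live data instead of the sample:
# $records = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111} -MaxEvents 500 | ForEach-Object { ConvertFrom-ProcessEventXml $_.ToXml() }

$tree = @{}
foreach ($r in $records) { $tree[$r.ProcessId] = $r }   # PIDs get reused, so keep the window short

foreach ($r in $records) {
    $verdict = Test-SuspiciousProcess $r
    if ($verdict.Suspicious) {
        '{0:u} {1} | {2} | {3}' -f $r.TimeCreated, $r.User, (Get-ProcessChain $tree $r.ProcessId), ($verdict.Reasons -join '; ')
    }
}
```

With the constructed sample only the PowerShell launch is reported, with its chain traced back through WINWORD.EXE to explorer.exe. Because Windows recycles PIDs, keying the tree on PID alone is only safe over a short window; for longer investigations add the parent's creation time to the key.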
05. Implement Real-Time Monitoring and Alerting

Set up automated monitoring to detect suspicious Event ID 4111 patterns in real time for proactive security response.

  1. Create a scheduled task for continuous monitoring:
# Create monitoring script
$MonitorScript = @'
$LastCheck = (Get-Date).AddMinutes(-5)
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no event matches
$SuspiciousEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111; StartTime=$LastCheck} -ErrorAction SilentlyContinue | Where-Object {
    $_.Message -match "(powershell.*-enc|cmd.*\/c.*del|wscript.*\.vbs|cscript.*\.js)"
}

if ($SuspiciousEvents) {
    # Write-EventLog fails unless the source has been registered once (requires admin)
    if (-not [System.Diagnostics.EventLog]::SourceExists("SecurityMonitor")) {
        New-EventLog -LogName Application -Source "SecurityMonitor"
    }
    $AlertMessage = "Suspicious process creation detected: $(@($SuspiciousEvents).Count) events"
    Write-EventLog -LogName Application -Source "SecurityMonitor" -EventId 9001 -EntryType Warning -Message $AlertMessage
    # Send email or SIEM alert here
}
'@

New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
$MonitorScript | Out-File -FilePath "C:\Scripts\Monitor4111.ps1" -Encoding UTF8
  2. Register the monitoring script as a scheduled task:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Monitor4111.ps1"
# -Once is required when -At is combined with -RepetitionInterval/-RepetitionDuration
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Reading the Security log needs elevation, so run as SYSTEM with the highest run level
Register-ScheduledTask -TaskName "Monitor-Event4111" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM" -RunLevel Highest
  3. Configure Windows Event Forwarding for centralized collection:
# On the collector server: write subscription.xml with an Event ID 4111 filter.
# The Query element carries a QueryList in CDATA; SubscriptionType, Delivery target and
# the AllowedSourceDomainComputers SDDL are required for a source-initiated subscription.
$SubscriptionXML = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ProcessCreation4111</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Collect Event ID 4111 from domain computers</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Query>
        <![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=4111]]</Select></Query></QueryList>]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <LogFile>ForwardedEvents</LogFile>
    <!-- SDDL allowing the Domain Computers group (DC) to forward -->
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$SubscriptionXML | Out-File -FilePath subscription.xml -Encoding ASCII

# Create the subscription (run "wecutil qc" once beforehand to configure the collector service)
wecutil cs subscription.xml
  4. Set up custom Windows Performance Toolkit (WPT) tracing for advanced analysis:
# Create custom ETW session for process creation
logman create trace ProcessCreationTrace -p Microsoft-Windows-Kernel-Process -o C:\Logs\ProcessTrace.etl -ets

# Stop tracing after collection period
logman stop ProcessCreationTrace -ets
Pro tip: Integrate Event ID 4111 monitoring with SIEM solutions like Splunk, Sentinel, or QRadar for advanced correlation and threat hunting capabilities.
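A fixed five-minute look-back run every five minutes drifts: a late task run misses events and an early one alerts twice on the same record. The script below is an added example, not code from the original article, that replaces the window with a persisted cursor on the Security log's RecordId and registers its event source before writing. The state-file path and the SecurityMonitor source name are assumptions; the constructed records at the bottom exercise the cursor logic without a live log.

```powershell
# Added example (not from the original article): a polling monitor that remembers the
# last Security-log RecordId it processed, so consecutive scheduled runs neither miss
# events nor alert twice on the same one, and that registers its event source before
# writing. The state-file path and the SecurityMonitor source name are assumptions; the
# constructed records at the bottom exercise the cursor logic without a live log.

$StatePath = 'C:\Scripts\Monitor4111.state.json'   # assumed location

function Get-Cursor {
    if (Test-Path $StatePath) { return [long](Get-Content $StatePath -Raw | ConvertFrom-Json).LastRecordId }
    return 0
}

function Save-Cursor([long]$RecordId) {
    @{ LastRecordId = $RecordId; SavedAt = (Get-Date).ToString('o') } | ConvertTo-Json | Set-Content $StatePath
}

function Select-NewRecords([object[]]$Records, [long]$Cursor) {
    # Returns only records newer than the cursor, oldest first, plus the cursor to save next
    $fresh = @($Records | Where-Object { $_.RecordId -gt $Cursor } | Sort-Object RecordId)
    $next = if ($fresh.Count -gt 0) { [long]$fresh[-1].RecordId } else { $Cursor }
    [pscustomobject]@{ Records = $fresh; NextCursor = $next }
}

function Test-SuspiciousMessage([string]$Message) {
    # Same patterns as the monitoring script above
    $Message -match '(?i)(powershell.*-enc|cmd.*/c.*del|wscript.*\.vbs|cscript.*\.js)'
}

function Write-MonitorAlert([string]$Text) {
    # Write-EventLog fails unless the source has been registered once (needs admin)
    if (-not [System.Diagnostics.EventLog]::SourceExists('SecurityMonitor')) {
        New-EventLog -LogName Application -Source 'SecurityMonitor'
    }
    Write-EventLog -LogName Application -Source 'SecurityMonitor' -EventId 9001 -EntryType Warning -Message $Text
}

function Invoke-Monitor {
    $cursor = Get-Cursor
    # Look back further than the schedule interval; the cursor removes the overlap
    $since = (Get-Date).AddMinutes(-30)
    $events = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4111; StartTime=$since} -ErrorAction SilentlyContinue)
    $batch = Select-NewRecords $events $cursor
    $hits = @($batch.Records | Where-Object { Test-SuspiciousMessage $_.Message })
    foreach ($h in $hits) {
        Write-MonitorAlert ('Record {0} at {1}: {2}' -f $h.RecordId, $h.TimeCreated, ($h.Message -split "`n")[0])
    }
    Save-Cursor $batch.NextCursor
    return $hits.Count
}

# Offline check of the cursor logic with constructed records
$fake = @(
    [pscustomobject]@{ RecordId = 101; Message = 'A new process has been created. svchost.exe -k netsvcs' }
    [pscustomobject]@{ RecordId = 102; Message = 'A new process has been created. powershell.exe -nop -enc QUFBQUFBQUFBQUFB' }
    [pscustomobject]@{ RecordId = 103; Message = 'A new process has been created. notepad.exe' }
)
$first  = Select-NewRecords $fake 0
$second = Select-NewRecords $fake $first.NextCursor      # re-run with the saved cursor
$firstHits = @($first.Records | Where-Object { Test-SuspiciousMessage $_.Message })
'First run: {0} new, {1} suspicious; second run: {2} new' -f $first.Records.Count, $firstHits.Count, $second.Records.Count

# Invoke-Monitor   # call this from the scheduled task in place of the fixed five-minute window
```

Save the file as the scheduled task's script with the final `Invoke-Monitor` line uncommented. If the Security log wraps faster than the task runs, the 30-minute look-back still bounds the work per run, and the gap shows up as a jump in RecordId that can itself be alerted on.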

Overview

Event ID 4111 fires when Windows creates a new process and advanced process auditing is configured through Group Policy or local security settings. This event belongs to the Microsoft-Windows-Kernel-Process provider and appears in the Security log when process creation monitoring is active.

Unlike the more common Event ID 4688 which provides basic process creation details, Event ID 4111 captures additional kernel-level information about process spawning, including detailed parent-child relationships and security context changes. This makes it particularly valuable for security monitoring, malware detection, and forensic analysis in enterprise environments.

The event typically appears during normal system operations as applications launch, services start, and users execute programs. However, security teams often monitor this event for suspicious process creation patterns, privilege escalation attempts, and unauthorized software execution. In 2026, this event has become increasingly important for detecting advanced persistent threats and living-off-the-land attacks that leverage legitimate Windows processes.

Frequently Asked Questions

What is the difference between Event ID 4111 and Event ID 4688?
Event ID 4111 is generated by the Microsoft-Windows-Kernel-Process provider and captures kernel-level process creation events with detailed parent-child relationships. Event ID 4688 comes from the Microsoft-Windows-Security-Auditing provider and provides standard security audit information about process creation. Event ID 4111 typically contains more technical details about the process creation mechanism, while 4688 focuses on security context and user attribution. Both events are valuable for security monitoring, but 4111 provides deeper system-level insights that are particularly useful for malware analysis and advanced threat detection.
Why am I not seeing Event ID 4111 in my Security log?
Event ID 4111 requires specific audit policy configuration to appear in logs. You must enable 'Audit Process Creation' under Advanced Audit Policy Configuration in Group Policy. Additionally, the Microsoft-Windows-Kernel-Process ETW provider must be active. Check your audit policy settings using 'auditpol /get /category:"Detailed Tracking"' and ensure both Success and Failure auditing are enabled. In some Windows versions, you may also need to enable additional registry settings or configure ETW tracing manually. Verify that your system has sufficient logging capacity and that the Security log isn't being overwritten due to size limitations.
How can I reduce the volume of Event ID 4111 logs in busy environments?
High-volume environments can generate thousands of Event ID 4111 events daily. Implement selective filtering by configuring custom XML queries in Event Viewer or WEF subscriptions to focus on specific processes or users. Use PowerShell filtering to exclude known-good processes like system services and standard applications. Consider implementing log forwarding rules that only capture events from critical systems or during specific time windows. You can also adjust the Security log size and retention policies, or implement log rotation strategies. For enterprise environments, forward only suspicious events to SIEM systems while maintaining full logs locally for forensic purposes.
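The custom XML queries mentioned above can drop known-good processes inside the event log service, before any data reaches PowerShell or a forwarding subscription. The function below is an added example, not code from the original article: it builds a QueryList whose Suppress clause lists executables to ignore and whose Select clause limits the look-back. The known-good list is an assumption to be tuned per environment, and the NewProcessName field name follows the scripts above.

```powershell
# Added example (not from the original article): generate a structured XML query that keeps
# process-creation events but suppresses a list of known-good executables at the log-reader
# level. The known-good paths are assumptions; NewProcessName follows the scripts above.

function New-ProcessCreationQuery([string[]]$KnownGood, [int]$LookbackHours = 24) {
    $ms = $LookbackHours * 3600 * 1000
    # timediff() is in milliseconds; '<' must be written as &lt; because the query is XML
    $select = "*[System[(EventID=4111) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]"
    $lines = @(
        '<QueryList>'
        '  <Query Id="0" Path="Security">'
        "    <Select Path=`"Security`">$select</Select>"
    )
    if ($KnownGood.Count -gt 0) {
        # XPath comparison is exact and case-sensitive, so list paths as the log records them
        $terms = ($KnownGood | ForEach-Object { "Data[@Name='NewProcessName']='$_'" }) -join ' or '
        $lines += "    <Suppress Path=`"Security`">*[EventData[$terms]]</Suppress>"
    }
    $lines += '  </Query>', '</QueryList>'
    $lines -join "`n"
}

$knownGood = @(
    'C:\Windows\System32\svchost.exe'
    'C:\Windows\System32\conhost.exe'
)
$query = New-ProcessCreationQuery -KnownGood $knownGood -LookbackHours 24
$query   # review the generated query; the same <QueryList> fits a WEF subscription's <Query> element

# Apply it locally: the event log service evaluates the XPath, so suppressed events never reach PowerShell
Get-WinEvent -FilterXml $query -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, RecordId, Message
```

Suppressing by full path keeps an executable with the same name in another directory visible, which is the case a filter must not hide; extend the Suppress clause with a SubjectUserName term if service accounts dominate the volume.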
Can Event ID 4111 help detect malware and advanced persistent threats?
Yes, Event ID 4111 is excellent for detecting malware and APTs because it captures detailed process creation information including parent-child relationships and command line arguments. Look for suspicious patterns like Office applications spawning PowerShell or cmd.exe, unusual process trees, processes running from temporary directories, or known living-off-the-land binaries (LOLBins) being executed. The event helps identify process hollowing, DLL injection, and other advanced techniques by showing abnormal process creation patterns. Combine Event ID 4111 analysis with other security events for comprehensive threat hunting. Many EDR solutions rely heavily on this event type for behavioral analysis and anomaly detection.
What should I investigate when Event ID 4111 shows processes with unusual parent-child relationships?
Unusual parent-child relationships often indicate security incidents or system compromise. Investigate processes spawned by applications that normally don't create child processes, such as document viewers or media players launching command interpreters. Check for processes running under unexpected user accounts or with elevated privileges. Examine the command line arguments for encoded commands, suspicious file paths, or network-related activities. Verify the digital signatures of the parent and child processes. Cross-reference the timing with other security events like logon events, file access, or network connections. Pay special attention to processes created by web browsers, email clients, or productivity applications, as these are common attack vectors for malware delivery and execution.

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
