Event ID 4688
Windows Security event for process creation: requires 'Audit Process Creation' policy and command-line logging to be enabled
Sysmon ID 1
Sysmon process creation event: includes hash, parent command line, and full process tree by default
LOLBins
Living-off-the-land binaries: legitimate Windows tools (certutil, mshta, regsvr32, wscript) most commonly abused by attackers
8
Sysinternals tools that cover the majority of Windows process investigation needs

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

When an alert fires on a suspicious process: powershell.exe spawned by Word.exe, cmd.exe with an encoded command line, certutil.exe downloading from an external URL: the investigation follows a consistent pattern: understand the process creation context, examine what it did (network, file, registry), identify persistence, and determine scope.

This guide covers the tools and commands for each investigation step, in the order they should be executed.

Step 1: Process Creation Context

The most revealing aspect of a suspicious process is how it was created: what launched it, with what arguments, and under what user account.

Via Windows Event Log (requires 'Audit Process Creation' + command-line logging policy):

# Enable command-line logging if not already enabled
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -Name ProcessCreationIncludeCmdLine_Enabled -Value 1

# Find process creation events for a specific process
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Message -match 'powershell.exe' } |
    Select-Object TimeCreated, @{N='ProcessName';E={$_.Properties[5].Value}},
                              @{N='CommandLine';E={$_.Properties[8].Value}},
                              @{N='ParentProcess';E={$_.Properties[13].Value}},
                              @{N='User';E={$_.Properties[1].Value}} |
    Sort-Object TimeCreated -Descending | Select-Object -First 20

Via Sysmon (Event ID 1: process creation): Sysmon provides more detail than native event logging:

# Query Sysmon process creation events
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=1] and EventData[Data[@Name='Image'] and (Data='C:\Windows\System32\powershell.exe')]]" |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Image = $xml.Event.EventData.Data | Where-Object Name -eq 'Image' | Select-Object -ExpandProperty '#text'
            CommandLine = $xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine' | Select-Object -ExpandProperty '#text'
            ParentImage = $xml.Event.EventData.Data | Where-Object Name -eq 'ParentImage' | Select-Object -ExpandProperty '#text'
            ParentCommandLine = $xml.Event.EventData.Data | Where-Object Name -eq 'ParentCommandLine' | Select-Object -ExpandProperty '#text'
            User = $xml.Event.EventData.Data | Where-Object Name -eq 'User' | Select-Object -ExpandProperty '#text'
            Hashes = $xml.Event.EventData.Data | Where-Object Name -eq 'Hashes' | Select-Object -ExpandProperty '#text'
        }
    }

High-suspicion parent-child combinations:

  • Word.exe / Excel.exe spawning powershell.exe, cmd.exe, or wscript.exe (macro execution)
  • browser process spawning cmd.exe or powershell.exe (browser exploit)
  • services.exe spawning cmd.exe with an encoded command line (service-based persistence)
  • msiexec.exe spawning cmd.exe (malicious installer)
  • Any process spawning certutil.exe, mshta.exe, regsvr32.exe, or bitsadmin.exe with network arguments

Step 2: Sysinternals Live Investigation

For a live system, Sysinternals tools provide immediate visibility.

Process Explorer: the first tool to open:

Download: https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Run as Administrator

Process Explorer shows the full process tree, CPU/memory usage, and the DLLs loaded by each process. Right-click any process > Properties > Strings tab to see embedded strings (URLs, IP addresses, file paths).

Configure VirusTotal integration: Options > VirusTotal.com > Check VirusTotal.com. This checks each process's hash against VirusTotal: processes with positive detections appear highlighted in red.

Key indicators in Process Explorer:

  • Process without a parent (orphaned): suggests the parent was killed or the process was launched by malware that terminated itself
  • Process running from a temp directory (%TEMP%, %APPDATA%, C:\Windows\Temp): highly suspicious
  • Two processes with the same name but one has a different path (svchost.exe not in C:\Windows\System32 is always suspicious)
  • Process with a VirusTotal positive count > 0

Process Monitor: what the process is doing:

Download: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Run as Administrator

Process Monitor captures all file system, registry, and network activity in real time. To investigate a specific process:

  1. Filter > Add Filter > Process Name > is > suspicious.exe > Include
  2. Look for: file writes to startup locations (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), network connection events, reads of credential stores

Autoruns: persistence discovery:

Download: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Run as Administrator with VirusTotal integration enabled (Options > Scan Options > Check VirusTotal.com)

Autoruns shows every startup location and mechanism in Windows. Malware persistence is highlighted by VirusTotal hits or entries in unusual locations. Sort by 'Image Not Found' (deleted persistence that still has a registry entry) and 'Entry Date' (recently created entries).

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Step 3: Network Connection Investigation

After understanding the process, identify its network activity.

Current connections (live system):

# All current network connections with process names and PIDs
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
                  @{N='Process';E={(Get-Process -Id $_.OwningProcess).ProcessName}}, OwningProcess |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' } |
    Sort-Object Process

# Or with netstat (includes process names)
netstat -b -n -o

Historical network connections from Sysmon (Event ID 3: network connection):

$startTime = (Get-Date).AddHours(-24)
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=3 and TimeCreated[@SystemTime>='$($startTime.ToUniversalTime().ToString("o"))')]]" |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Image = ($xml.Event.EventData.Data | Where-Object Name -eq 'Image').'#text'
            DestinationIp = ($xml.Event.EventData.Data | Where-Object Name -eq 'DestinationIp').'#text'
            DestinationPort = ($xml.Event.EventData.Data | Where-Object Name -eq 'DestinationPort').'#text'
            DestinationHostname = ($xml.Event.EventData.Data | Where-Object Name -eq 'DestinationHostname').'#text'
        }
    } | Where-Object { $_.Image -match 'suspicious|powershell|cmd' }

Threat intelligence lookup on discovered IPs:

# Quick VirusTotal lookup via API (requires free API key)
$ip = '1.2.3.4'
$apiKey = $env:VT_API_KEY
Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/ip_addresses/$ip" -Headers @{'x-apikey'=$apiKey} |
    Select-Object -ExpandProperty data | Select-Object -ExpandProperty attributes |
    Select-Object last_analysis_stats, reputation

Step 4: Determine Scope and Contain

After identifying what the suspicious process did, determine how far the compromise extends.

Check for additional compromised systems using SIEM correlation:

// Microsoft Sentinel: find all systems where the same process hash was seen
DeviceProcessEvents
| where SHA256 == "<hash_of_suspicious_process>"
| distinct DeviceName, AccountName, FileName, ProcessCommandLine
| sort by DeviceName asc

Check for lateral movement from the compromised host:

// Network connections from the compromised host in the compromise window
DeviceNetworkEvents
| where DeviceName == "COMPROMISED-WORKSTATION"
| where Timestamp > datetime(2026-06-26T10:00:00) and Timestamp < datetime(2026-06-26T14:00:00)
| where RemoteIPType != "Private"
| project Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| sort by Timestamp asc

Document and contain:

  1. Collect the process image (binary), parent process image, and any dropped files for malware analysis
  2. Preserve the process memory if live forensics is required: procdump -ma <PID> process.dmp
  3. Isolate the endpoint (EDR isolation, or network disconnect)
  4. Report findings: hash of malicious binary, C2 IPs/domains, persistence mechanism found, user account involved, first-seen timestamp
  5. Hunt for the same indicators across all other endpoints in your environment

The bottom line

Windows process investigation follows four steps: examine process creation context (parent process, command line, user: from Event ID 4688 with command-line logging or Sysmon Event ID 1), use Process Explorer and Process Monitor for live visibility into what the process is doing, investigate network connections from Sysmon Event ID 3 or current connection state, and scope the compromise by hunting the same indicators across other endpoints. Enable Sysmon before an incident: native Windows audit logging lacks the command-line detail needed for effective investigation.

Frequently asked questions

How do you investigate a suspicious process on Windows?

Check the parent process and command-line arguments (Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line logging enabled), open Process Explorer to see the full process tree and loaded DLLs with VirusTotal integration, use Process Monitor to capture file and registry writes, check network connections via Sysmon Event ID 3, and look for persistence via Autoruns.

What Windows event ID logs process creation?

Event ID 4688 in the Windows Security log records process creation, but it only includes command-line arguments if the 'Audit Process Creation' policy is enabled and the command-line audit subcategory is configured (via 'Audit Process Creation Include Command Line' registry setting). Sysmon Event ID 1 is more comprehensive: it includes the process hash, parent command line, and GUID: and is the preferred source for process investigation.

What is Sysmon and how do I deploy it for Windows process monitoring?

Sysmon (System Monitor) is a free Microsoft Sysinternals tool that provides detailed Windows telemetry not available in the native Windows event log: process creation with full command lines and hashes, network connections with process context, registry modifications, file creation timestamps, and driver loads. Deploy: download from Sysinternals, install with 'sysmon64.exe -accepteula -i sysmon-config.xml'. Use a community-maintained config (SwiftOnSecurity or olafhartong/sysmon-modular on GitHub) for a baseline ruleset. Deploy via GPO software installation, Intune, or Ansible at scale. Sysmon logs appear in Event Viewer under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

How do I investigate a suspicious parent-child process relationship on Windows?

Suspicious parent-child relationships are a primary malware detection technique. Red flag combinations: Word.exe or Excel.exe spawning cmd.exe or PowerShell.exe (macro-based initial access); browser processes spawning cmd.exe (browser exploit); svchost.exe spawning unexpected child processes (service exploitation); powershell.exe spawning rundll32.exe or mshta.exe (PowerShell-based payload loading). In Sysmon Event ID 1, the ParentCommandLine field shows the exact command that spawned the suspicious process. Cross-reference with network connections (Sysmon Event ID 3) to determine if the process made external connections after launch. Use Process Hacker or Process Monitor on a live system to view the current process tree.

What is LOLBins and why do attackers use them?

LOLBins (Living off the Land Binaries) are legitimate Windows executables that attackers abuse for malicious purposes because they are pre-installed on every Windows system, trusted by application allowlisting, and signed by Microsoft. Common LOLBins: certutil.exe (download files and decode base64), regsvr32.exe (execute arbitrary DLLs), mshta.exe (execute HTA scripts), rundll32.exe (load arbitrary DLLs), wscript.exe/cscript.exe (execute scripts). Attackers prefer LOLBins because they evade signature-based AV detection and blend into normal Windows activity. Detection strategy: alert on LOLBins making outbound network connections, spawning unexpected child processes, or accessing file paths outside their normal scope.

How do you preserve forensic evidence when investigating a suspicious Windows process?

Forensic preservation during a live Windows investigation requires capturing volatile data before it disappears. Collect in order of volatility: running processes and their memory (procdump -ma <PID> process.dmp for targeted capture, or winpmem for full memory acquisition), current network connections (Get-NetTCPConnection output saved to file, or netstat -b -n -o), open handles and loaded DLLs for the suspicious process (handle.exe -p <PID> and listdlls.exe -p <PID> from Sysinternals), and registry run keys and startup locations (Autoruns output saved as CSV). Capture system event logs before they rotate: wevtutil epl Security security.evtx and the Sysmon log. Hash every collected artifact with Get-FileHash using SHA-256 before and after any transfer to document integrity. Avoid rebooting the system until volatile data collection is complete, as memory contents, network connection state, and some process artifacts are lost on reboot. If the endpoint must be reimaged immediately, at minimum capture the process memory dump, event logs, and a full disk image.

Sources & references

  1. Microsoft Sysinternals Suite
  2. MITRE ATT&CK: Process Injection Techniques
  3. Sigma Rules: Windows Process Investigation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.