
Event ID 1108/4688 Process Creation Audit Issue Fixed in KB5020044

If process creation audit is enabled, Windows is supposed to create an event log entry (ID: 4688) for every new process creation event. However, Windows 11 22H2 had a bug wherein the process creation audit logging didn’t work.

Instead, Windows 11 generated event 1108 for each process creation event. Event 1108 is an error entry that is generated when the event logging service encounters an error while processing an incoming event.

Here’s a sample event:

Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Date:          11/27/2022 1:55:42 PM
Event ID:      1108
Task Category: Event processing
Level:         Error
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1108</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>101</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020000000000000</Keywords>
    <TimeCreated SystemTime="2022-11-27T08:25:42.0751430Z" />
    <EventRecordID>857</EventRecordID>
    <Correlation />
    <Execution ProcessID="2904" ThreadID="3148" />
    <Channel>Security</Channel>
    <Computer>OptiPlex-9020</Computer>
    <Security />
  </System>
  <UserData>
    <EventProcessingFailure xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <ErrorCode>15003</ErrorCode>
      <EventID>4688</EventID>
      <PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>
    </EventProcessingFailure>
  </UserData>
</Event>

Microsoft says in the article "The event logging service encountered an error 1108":

It typically generates (the event 1108) when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.

Resolution

To resolve the issue, install the November 29, 2022—KB5020044 (OS Build 22621.900) Preview Cumulative Update. The 1108 events should stop after updating to 22621.900.

Also, the 4688 (Process creation event) entries appear correctly after installing the update.

From November 29, 2022—KB5020044 (OS Build 22621.900) Preview:

Improvements: “It addresses an issue that affects process creation. It fails to create security audits for it and other related audit events.”
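To check from exported Security log records whether a machine was losing process creation audits this way, the following added example (not code from this article or from Microsoft) counts written 4688 records against 1108 failures whose payload names event 4688 from Microsoft-Windows-Security-Auditing. It assumes each record is available as an XML string in the Event Viewer format shown above; the function names and the sample records are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FAIL = "{http://manifests.microsoft.com/win/2004/08/windows/eventlog}"
AUDIT = "Microsoft-Windows-Security-Auditing"

def lost_event(root):
    """For a parsed 1108 record return (publisher, lost_event_id, error_code), else None."""
    if root.findtext(f"{EVT}System/{EVT}EventID") != "1108":
        return None
    fail = root.find(f"{EVT}UserData/{FAIL}EventProcessingFailure")
    if fail is None:
        return None  # 1108 without a failure payload: nothing to attribute
    return (fail.findtext(f"{FAIL}PublisherID"),
            int(fail.findtext(f"{FAIL}EventID", "0")),
            int(fail.findtext(f"{FAIL}ErrorCode", "0")))

def audit_gap_report(events):
    """Summarise process-creation audit coverage over event XML strings."""
    written = lost = 0
    for text in events:
        root = ET.fromstring(text)
        if root.findtext(f"{EVT}System/{EVT}EventID") == "4688":
            written += 1
        hit = lost_event(root)
        if hit and hit[0] == AUDIT and hit[1] == 4688:
            lost += 1
    if lost and not written:
        verdict = "blind"    # every process creation surfaced only as a 1108 error
    elif lost:
        verdict = "partial"  # some 4688 records were written, some were lost
    else:
        verdict = "ok"       # no lost 4688; zero written may mean auditing is off
    return {"written_4688": written, "lost_4688": lost, "verdict": verdict}

# Constructed sample records, modelled on the 1108 event shown above.
def sample_event(event_id, user_data=""):
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>"
            f"{user_data}</Event>")

FAILURE_4688 = ('<UserData><EventProcessingFailure '
                'xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">'
                "<ErrorCode>15003</ErrorCode><EventID>4688</EventID>"
                f"<PublisherID>{AUDIT}</PublisherID></EventProcessingFailure></UserData>")

BEFORE_UPDATE = [sample_event(1108, FAILURE_4688), sample_event(4624), sample_event(1108, FAILURE_4688)]
AFTER_UPDATE = [sample_event(4688), sample_event(4624), sample_event(4688)]

if __name__ == "__main__":
    print(audit_gap_report(BEFORE_UPDATE))
    print(audit_gap_report(AFTER_UPDATE))
```

A "blind" or "partial" verdict marks a time window in which process creation telemetry from that host is incomplete and should not be relied on as evidence that nothing ran.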
