{"id":30558,"date":"2022-12-04T11:03:23","date_gmt":"2022-12-04T05:33:23","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=30558"},"modified":"2022-12-19T21:28:44","modified_gmt":"2022-12-19T15:58:44","slug":"kb5020044-process-creation-audit-event-4688-1108","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/kb5020044-process-creation-audit-event-4688-1108\/","title":{"rendered":"Event ID 1108\/4688 Process Creation Audit Issue Fixed in KB5020044"},"content":{"rendered":"<p>If process creation audit is enabled, Windows is supposed to create an event log entry (ID: <code>4688<\/code>) for every new process creation event. However, Windows 11 22H2 had a bug wherein the process creation audit logging didn&#8217;t work.<!--more--><\/p>\n<p>Instead, Windows 11 generated the event entry <code>1108<\/code> for each process creation event. Event 1108 is a malformed entry that is generated when the event logging service encounters an error while processing an incoming event.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-30559\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png\" alt=\"event id 1108 issue - 4688 process creation\" width=\"1301\" height=\"698\" srcset=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688.png 1301w, https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/12\/event-id-1108-4688-768x412.png 768w\" sizes=\"auto, (max-width: 1301px) 100vw, 1301px\" \/><\/p>\n<p>Here&#8217;s a sample event:<\/p>\n<pre>Log Name:      Security\r\nSource:        Microsoft-Windows-Eventlog\r\nDate:          11\/27\/2022 1:55:42 PM\r\nEvent ID:      1108\r\nTask Category: Event processing\r\nLevel:         Error\r\nKeywords:      Audit Success\r\nUser:          N\/A\r\nComputer:      OptiPlex-9020\r\nDescription:\r\nThe event logging service encountered an error while processing an incoming event published 
from Microsoft-Windows-Security-Auditing.\r\nEvent Xml:\r\n[Event xmlns=\"http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event\"]\r\n  [System]\r\n    [Provider Name=\"Microsoft-Windows-Eventlog\" Guid=\"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}\" \/]\r\n    [EventID]1108[\/EventID]\r\n    [Version]0[\/Version]\r\n    [Level]2[\/Level]\r\n    [Task]101[\/Task]\r\n    [Opcode]0[\/Opcode]\r\n    [Keywords]0x4020000000000000[\/Keywords]\r\n    [TimeCreated SystemTime=\"2022-11-27T08:25:42.0751430Z\" \/]\r\n    [EventRecordID]857[\/EventRecordID]\r\n    [Correlation \/]\r\n    [Execution ProcessID=\"2904\" ThreadID=\"3148\" \/]\r\n    [Channel]Security[\/Channel]\r\n    [Computer]OptiPlex-9020[\/Computer]\r\n    [Security \/]\r\n  [\/System]\r\n  [UserData]\r\n    [EventProcessingFailure xmlns=\"http:\/\/manifests.microsoft.com\/win\/2004\/08\/windows\/eventlog\"]\r\n      [ErrorCode]15003[\/ErrorCode]\r\n      [EventID]<strong>4688<\/strong>[\/EventID]\r\n      [PublisherID]Microsoft-Windows-Security-Auditing[\/PublisherID]\r\n    [\/EventProcessingFailure]\r\n  [\/UserData]\r\n[\/Event]<\/pre>\n<p>Microsoft says in the article <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/auditing\/event-1108\">The event logging service encountered an error 1108<\/a>:<\/p>\n<p><em>It typically generates (the event 1108) when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. 
You will typically see a defective or incorrect event before 1108.<\/em><\/p>\n<h2>Resolution<\/h2>\n<p>To resolve the issue, install the November 29, 2022\u2014KB5020044 (OS Build 22621.900) Preview Cumulative Update.\u00a0The 1108 events should stop after updating to 22621.900.<\/p>\n<p>Also, the <code>4688<\/code> (Process creation event) entries appear correctly after installing the update.<\/p>\n<p>From <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/november-29-2022-kb5020044-os-build-22621-900-preview-43f0bdf9-0b75-4110-bab3-3bd2433d84b3\" target=\"_blank\" rel=\"noopener\">November 29, 2022\u2014KB5020044 (OS Build 22621.900) Preview<\/a>:<\/p>\n<p><strong>Improvements:\u00a0<\/strong><em>&#8220;It addresses an issue that affects process creation. It fails to create security audits for it and other related audit events.&#8221;<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If process creation audit is enabled, Windows is supposed to create an event log entry (ID: 4688) for every new process creation event. 
However, Windows 11 22H2 had a bug wherein the process creation audit logging didn&#8217;t work.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[869],"tags":[79,766,191],"class_list":["post-30558","post","type-post","status-publish","format-standard","hentry","category-windows-11","tag-bug","tag-cumulative-update","tag-error-messages"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/30558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=30558"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/30558\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=30558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=30558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=30558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true
}]}}