A very short article that I think will be useful to DFIR colleagues. According to this article from Microsoft, after installing Windows 11 build 22H2, Windows events 4688 stopped working correctly.

Event ID 4688 is a Windows security event that is generated when a new process is created. This event is usually logged on the computer where the process is created, and it contains information such as the process name, ID, and the user who created it: this event can be useful in identifying potentially malicious activity. In addition, the event can provide information about the parent process, which can help to trace the origin of a process and identify the initial point of execution.


The problem was fixed with OS build 22621.900 (KB5020044). So if you’re investigating an incident on a Windows 11 system and you can’t find a 4688 event, check that it’s build 22H2!