Microsoft-Windows-ProcessExitMonitor
4 events across 2 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 3000 | The process 'param1' exited with exit code param2. | Application | N |
| 3001 | The process 'param1' was terminated by the process 'param2' with termination … | Application | Y |
| 1073744824 | The process 'param1' exited with exit code param2. | Operational | N |
| 1073744825 | The process 'param1' was terminated by the process 'param2' with termination … | Operational | N |
Event ID 3000: The process 'param1' exited with exit code param2.
Description
The process 'param1' exited with exit code param2. The creation time for the exiting process was 0xparam3.
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| ExitingProcessId | UnicodeString | |
Event ID 3001: The process 'param1' was terminated by the process 'param2' with termination code param3.
Description
The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | |
| param2 | UnicodeString | |
| param3 | UnicodeString | |
| param4 | UnicodeString | |
| ExitingProcessId | UnicodeString | |
| InitiatingProcessId | UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-ProcessExitMonitor",
    "guid": "{FD771D53-8492-4057-8E35-8C02813AF49B}",
    "event_source_name": "Process Exit Monitor",
    "event_id": 3001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2021-06-09T04:58:49.287418Z",
    "event_record_id": 32887,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-21-3461203602-4096304019-2269080069-1000"
    }
  },
  "event_data": {
    "param1": "C:\\Windows\\System32\\lsass.exe",
    "param2": "C:\\Users\\IEUser\\Desktop\\LsassSilentProcessExit.exe",
    "param3": "0",
    "param4": "01d75d3714c3280e"
  }
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1073744824: The process 'param1' exited with exit code param2.
Description
The process 'param1' exited with exit code param2. The creation time for the exiting process was 0xparam3.
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | The process ' |
| param2 | UnicodeString | ' exited with exit code |
| param3 | UnicodeString | . The creation time for the exiting process was 0x |
| ExitingProcessId | UnicodeString | |
Event ID 1073744825: The process 'param1' was terminated by the process 'param2' with termination code param3.
Description
The process 'param1' was terminated by the process 'param2' with termination code param3. The creation time for the exiting process was 0xparam4.
Fields
| Name | Type | Description |
|---|---|---|
| param1 | UnicodeString | The process ' |
| param2 | UnicodeString | ' was terminated by the process ' |
| param3 | UnicodeString | ' with termination code |
| param4 | UnicodeString | . The creation time for the exiting process was 0x |
| ExitingProcessId | UnicodeString | |
| InitiatingProcessId | UnicodeString | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID fd771d53-8492-4057-8e35-8c02813af49b
Defined in werfault.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02