Event ID 1108/4688 Process Creation Audit Issue Fixed in KB5020044

If process creation audit is enabled, Windows is supposed to create an event log entry (ID: 4688) for every new process creation event. However, Windows 11 22H2 had a bug wherein the process creation audit logging didn’t work.

Instead, Windows 11 generated the event entry 1108 for each process creation event. Event 1108 is a malformed entry that is generated when the event logging service encounters an error while processing an incoming event.


Here’s a sample event:

Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Date:          11/27/2022 1:55:42 PM
Event ID:      1108
Task Category: Event processing
Level:         Error
Keywords:      Audit Success
User:          N/A
Computer:      OptiPlex-9020
Description:
The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1108</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>101</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020000000000000</Keywords>
    <TimeCreated SystemTime="2022-11-27T08:25:42.0751430Z" />
    <EventRecordID>857</EventRecordID>
    <Correlation />
    <Execution ProcessID="2904" ThreadID="3148" />
    <Channel>Security</Channel>
    <Computer>OptiPlex-9020</Computer>
    <Security />
  </System>
  <UserData>
    <EventProcessingFailure xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <ErrorCode>15003</ErrorCode>
      <EventID>4688</EventID>
      <PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>
    </EventProcessingFailure>
  </UserData>
</Event>

Microsoft says in the article "The event logging service encountered an error 1108":

It typically generates (the event 1108) when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.



Resolution

To resolve the issue, install the November 29, 2022—KB5020044 (OS Build 22621.900) Preview Cumulative Update. The 1108 events should stop after updating to 22621.900.

Also, the 4688 (Process creation event) entries appear correctly after installing the update.

From November 29, 2022—KB5020044 (OS Build 22621.900) Preview:

Improvements: “It addresses an issue that affects process creation. It fails to create security audits for it and other related audit events.”
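To see which machines lost process creation telemetry while the bug was present, the following Python example (added here, not from the original post or from Microsoft) counts 1108 entries whose `EventProcessingFailure` names event 4688 and compares them with the 4688 entries actually logged. It assumes Security log events exported as XML, for example with `wevtutil qe Security /f:xml`; the host names, the sample events, the `make_event` and `audit_blind_spots` helpers and the "blind" rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FAIL = "{http://manifests.microsoft.com/win/2004/08/windows/eventlog}"

def make_event(computer, event_id, time, userdata=""):
    """Build one constructed sample event in the layout of the event shown above."""
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}" /><Computer>{computer}</Computer>'
            f'</System>{userdata}</Event>')

FAILURE_4688 = (f'<UserData><EventProcessingFailure xmlns="{FAIL[1:-1]}">'
                '<ErrorCode>15003</ErrorCode><EventID>4688</EventID>'
                '<PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>'
                '</EventProcessingFailure></UserData>')

# Constructed sample: HOST-A only logs 1108 failures, HOST-B logs 4688 normally.
SAMPLE = "".join([
    make_event("HOST-A", 1108, "2022-11-27T08:25:42Z", FAILURE_4688),
    make_event("HOST-A", 1108, "2022-11-27T08:25:50Z", FAILURE_4688),
    make_event("HOST-B", 4688, "2022-11-27T08:26:01Z"),
])

def audit_blind_spots(events_xml):
    """Per host: dropped vs. logged 4688 counts, and whether the host is blind."""
    # Assumes sibling <Event> elements with no root, so wrap them in one.
    root = ET.fromstring(f"<Events>{events_xml}</Events>")
    stats = defaultdict(lambda: {"dropped_4688": 0, "logged_4688": 0})
    for ev in root.iter(f"{EVT}Event"):
        system = ev.find(f"{EVT}System")
        host = system.findtext(f"{EVT}Computer")
        event_id = system.findtext(f"{EVT}EventID")
        if event_id == "4688":
            stats[host]["logged_4688"] += 1
        elif event_id == "1108":
            fail = ev.find(f"{EVT}UserData/{FAIL}EventProcessingFailure")
            # Count only failures that swallowed a process creation event.
            if (fail is not None and fail.findtext(f"{FAIL}EventID") == "4688"
                    and fail.findtext(f"{FAIL}PublisherID")
                    == "Microsoft-Windows-Security-Auditing"):
                stats[host]["dropped_4688"] += 1
    for counts in stats.values():
        # Blind: process creations were dropped and none were recorded.
        counts["blind"] = counts["dropped_4688"] > 0 and counts["logged_4688"] == 0
    return dict(stats)

if __name__ == "__main__":
    print(audit_blind_spots(SAMPLE))
```

A host reported as blind has no 4688 records for the affected period, so detections that depend on process creation events need another data source for that window.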



Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.
