The information in this article applies to:
SUMMARY
When auditing the creation of a process, the system logs an event message similar to the following:
The type of process ID that is displayed in an audit log depends on the version of Windows that you are running.

In Windows NT 4.0, the Audit Process ID (APID) logged in this message is not the same as the Process ID (PID) returned in the PROCESS_INFORMATION structure passed to the CreateProcess() Win32 API. PIDs identify running processes on the system. When a process exits, its PID is recycled back to the system. In Windows NT 4.0, these PIDs are reused quickly as processes are created and destroyed.

In Windows 2000, all audit logs use the actual PID when identifying a process. APIDs are NOT used in Windows 2000.

MORE INFORMATION
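Because both kinds of identifier are eventually recycled, a process ID in an audit record identifies a process only together with the record's timestamp. The following Python sketch is an added example, not part of the original article: it pairs process-creation and process-exit records into lifetimes so that a later record carrying a recycled ID is attributed to the right process. The record layout, sample values and function names are constructed for illustration and are not the real event format.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed audit records: (time in seconds, kind, process ID, image name).
# The layout is an assumption for this example, not the real event format.
RECORDS = [
    (100, "create", 212, "cmd.exe"),
    (130, "exit",   212, None),
    (131, "create", 212, "backup.exe"),   # ID 212 recycled one second later
    (140, "create", 305, "notepad.exe"),
    (400, "exit",   212, None),
]

def build_lifetimes(records):
    """Return {id: [(start, end_or_None, image), ...]} ordered by start time."""
    lifetimes = defaultdict(list)
    for ts, kind, pid, image in sorted(records, key=lambda r: r[0]):
        runs = lifetimes[pid]
        if kind == "create":
            # A create while the previous run is still open means the exit
            # record is missing; close the old run at the new start time.
            if runs and runs[-1][1] is None:
                runs[-1] = (runs[-1][0], ts, runs[-1][2])
            runs.append((ts, None, image))
        elif kind == "exit" and runs and runs[-1][1] is None:
            runs[-1] = (runs[-1][0], ts, runs[-1][2])
    return dict(lifetimes)

def attribute(lifetimes, pid, ts):
    """Image that owned `pid` at time `ts`, or None if no run covers it."""
    runs = lifetimes.get(pid, [])
    i = bisect_right([start for start, _, _ in runs], ts) - 1
    if i < 0:
        return None
    start, end, image = runs[i]
    return image if end is None or ts <= end else None

LIFETIMES = build_lifetimes(RECORDS)
```
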
The purpose of APIDs is to provide better 32-bit identifiers for processes. Eventually, they are also recycled. However, APIDs should be useful over a longer period of time than PIDs. APIDs are not intended for programmatic use. There is no way to relate an APID to a PID. Rather, APIDs provide system administrators with correlative values to use when reviewing system activity.

Q157238 How to Activate Security Event Logging in Windows NT 4.0
Keywords: kbAPI kbEventLog kbKernBase kbNTOS400 kbWinOS2000 kbSecurity kbDSupport kbGrpKernBase
Last Reviewed: January 11, 2000