A new process has been created. This type of event will only be recorded if the "Audit process tracking" audit policy is set to audit the creation of new processes.
In most cases, this indicates that the user started an application (identified by the "Image File Name" field). The "New Process ID" is the application's process ID, as seen in Task Manager. Apart perhaps from the basic Windows subsystems, most applications are started from within another process. For example, the vast majority of user-started applications will be initiated by Explorer.exe. The "Creator Process ID" indicates the ID of the process that spawned the "New Process ID". Again, for user-initiated applications, this ID will correspond to the ID of explorer.exe.
When the application is terminated, event ID 593 will be recorded (the process ID will be shown).
The pair of 592/593 events can be used to track which applications a user is running and for how long. For example, an event ID 592 showing "\Program Files\SuperScan\scanner.exe" as "Image File Name" indicates that the Foundstone SuperScan port scanner was started. By recording the process ID, let's say 1788, and the time (10:55:47 AM), then looking for a 593 event with this process ID and comparing its time (10:59:52 AM) with the 592 event time, one can see that the user ran the scanner for approx. 4 minutes. This information may then be correlated with other events that occurred within that time frame.
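The 592/593 pairing described above, as an added example that is not part of the original page. It assumes the events have already been exported into simple records; the record layout, the date, the "Process ID" field name on the 593 record and every sample row other than the SuperScan one are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not real log output. Only the SuperScan path,
# PID 1788 and the two clock times come from the page; the date, the other
# rows and the "Process ID" field name on the 593 record are assumptions.
EVENTS = [
    {"id": 592, "time": "2004-03-01 10:55:47", "New Process ID": 1788,
     "Creator Process ID": 1024,
     "Image File Name": r"\Program Files\SuperScan\scanner.exe"},
    {"id": 592, "time": "2004-03-01 10:57:10", "New Process ID": 2040,
     "Creator Process ID": 1024, "Image File Name": r"\WINNT\notepad.exe"},
    {"id": 593, "time": "2004-03-01 10:59:52", "Process ID": 1788},
    # Same PID again later: process IDs are reused once a process exits.
    {"id": 592, "time": "2004-03-01 11:20:00", "New Process ID": 1788,
     "Creator Process ID": 1024, "Image File Name": r"\WINNT\system32\cmd.exe"},
]

def correlate(events):
    """Pair each 592 with the next 593 that carries the same process ID."""
    open_procs, sessions = {}, []
    for ev in sorted(events, key=lambda e: datetime.strptime(e["time"], FMT)):
        when = datetime.strptime(ev["time"], FMT)
        if ev["id"] == 592:
            pid = ev["New Process ID"]
            if pid in open_procs:  # earlier 593 missing: close it as unknown
                sessions.append({**open_procs.pop(pid), "end": None, "seconds": None})
            open_procs[pid] = {"pid": pid, "image": ev["Image File Name"],
                               "parent": ev["Creator Process ID"], "start": when}
        elif ev["id"] == 593:
            proc = open_procs.pop(ev["Process ID"], None)
            if proc:  # skip exits whose 592 was never logged
                secs = int((when - proc["start"]).total_seconds())
                sessions.append({**proc, "end": when, "seconds": secs})
    # No 593 seen: still running, or the exit fell outside the log.
    sessions.extend({**p, "end": None, "seconds": None} for p in open_procs.values())
    return sessions

if __name__ == "__main__":
    for s in correlate(EVENTS):
        length = f"{s['seconds']} s" if s["seconds"] is not None else "no 593 found"
        print(s["pid"], s["parent"], s["image"], s["start"].time(), length)
```

Because process IDs are reused, the pairing has to follow time order rather than match on the ID alone; the later cmd.exe row with PID 1788 is kept separate from the scanner session.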
Process auditing should be enabled on an "as-needed" basis since it imposes an additional load on the system. You should enable it only if it is necessary to monitor the use of that computer.
See also ME274176