Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
|Type: Success Audit|
A new process has been created:
New Process ID: <process id>
Image File Name: <process name and path>
Creator Process ID: <parent process id>
User Name: <user name>
Domain: <domain name>
Logon ID: <logon id>
See the link to "Windows 2000 Magazine" for a complete overview on this event.
See MSW2KDB for additional information about this event.
A new process has been created. Events of this type are only recorded if the "Audit process tracking" audit policy is set to audit the creation of new processes.
In most cases, this indicates that the user started an application (identified by the "Image File Name" field). The "New Process ID" is the application's process id, the same value shown in Task Manager. Except perhaps for the basic Windows subsystems, most applications are started from within another process. For example, the vast majority of user-started applications are initiated by Explorer.exe. The "Creator Process ID" is the id of the process that spawned the "New Process ID"; for user-initiated applications, this id will correspond to the id of explorer.exe.
When the application is terminated, event id 593 will be recorded (the process id will be shown).
The pair of 592/593 events can be used to track what applications a user is running and for how long. For example, an event id 592 showing "\Program Files\SuperScan\scanner.exe" as "Image File Name" indicates that the Foundstone SuperScan port scanner was started. By recording the process ID, let's say 1788, and the time (10:55:47 AM), then looking for a 593 event with this process id and comparing its time (10:59:52 AM) with the 592 event time, one can see that the user ran the scanner for approximately 4 minutes. This information may then be correlated with other events that occurred within that time frame.
Process auditing should be enabled on an as-needed basis, since it imposes an additional load on the system. Enable it only if it is necessary to monitor the use of that computer.
See also ME274176.
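The 592/593 pairing described above, as an added example that is not part of the EventID.Net page: a small Python script that parses a constructed sample of audit records, matches each 593 exit to the most recent unmatched 592 with the same process id, and reports how long each image ran. The record layout (a time/event-id header line followed by the "field: value" body) and the 593 body fields are assumptions for the sample; the 592 fields are the ones listed on the page. A 593 with no matching 592 (the process started before auditing was enabled) and a 592 with no 593 (still running) are reported with a missing start or end rather than dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, not captured from a real system. Times are for one day.
SAMPLE_LOG = """\
10:55:47 AM 592 Success Audit
A new process has been created:
New Process ID: 1788
Image File Name: \\Program Files\\SuperScan\\scanner.exe
Creator Process ID: 1092
User Name: jsmith
Domain: CORP
Logon ID: (0x0,0x3E7)

10:56:10 AM 592 Success Audit
A new process has been created:
New Process ID: 2040
Image File Name: \\WINNT\\system32\\notepad.exe
Creator Process ID: 1092
User Name: jsmith
Domain: CORP
Logon ID: (0x0,0x3E7)

10:59:52 AM 593 Success Audit
A process has exited:
Process ID: 1788
Image File Name: \\Program Files\\SuperScan\\scanner.exe
User Name: jsmith
Domain: CORP
Logon ID: (0x0,0x3E7)

11:02:03 AM 593 Success Audit
A process has exited:
Process ID: 3100
Image File Name: \\WINNT\\system32\\calc.exe
User Name: jsmith
Domain: CORP
Logon ID: (0x0,0x3E7)
"""

# Assumed header shape: "<time> <event id> <type>"
HEADER = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M) (\d+) ")


def parse_events(text):
    """Split the text into (time, event id, {field: value}) records."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # skip anything that is not an audit record
        when = datetime.strptime(m.group(1), "%I:%M:%S %p")
        fields = {}
        for line in lines[1:]:
            # "A new process has been created:" has nothing after the colon
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        events.append((when, int(m.group(2)), fields))
    return events


def pair_process_events(text):
    """Match 593 exits to 592 starts by process id.

    Returns one dict per process: start/end/duration_s are None when the
    matching half of the pair was not seen. A second 592 for a PID that is
    still 'running' replaces it, so PID reuse does not pair the wrong events.
    """
    running = {}   # pid -> (start time, 592 fields)
    results = []
    for when, event_id, f in parse_events(text):
        if event_id == 592:
            running[f.get("New Process ID")] = (when, f)
        elif event_id == 593:
            pid = f.get("Process ID")
            if pid in running:
                start, sf = running.pop(pid)
                end = when
                if end < start:            # clock passed midnight (no date in sample)
                    end += timedelta(days=1)
                results.append({"pid": pid, "image": sf.get("Image File Name"),
                                "user": sf.get("User Name"), "start": start,
                                "end": end,
                                "duration_s": int((end - start).total_seconds())})
            else:
                # exit without an audited start: still worth reporting
                results.append({"pid": pid, "image": f.get("Image File Name"),
                                "user": f.get("User Name"), "start": None,
                                "end": when, "duration_s": None})
    for pid, (start, sf) in running.items():   # started, never seen exiting
        results.append({"pid": pid, "image": sf.get("Image File Name"),
                        "user": sf.get("User Name"), "start": start,
                        "end": None, "duration_s": None})
    return results


if __name__ == "__main__":
    for r in pair_process_events(SAMPLE_LOG):
        print(r["pid"], r["user"], r["image"], r["duration_s"])
```

Run as a script it prints one line per process; the scanner.exe entry shows 245 seconds, the "approx. 4 minutes" from the text. For a real collection the same pairing is what a SIEM correlation rule would do, with the logon id added to the key if the same PID can appear under different sessions.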
|Links: ME174074, ME274176, Online Analysis of Security Event Log, Windows 2000 Magazine, MSW2KDB|