Event ID: 592 Source: Security

A new process has been created:
New Process ID: <process id>
Image File Name: <process name and path>
Creator Process ID: <parent process id>
User Name: <user name>
Domain: <domain name>
Logon ID: <logon id>
See the link to "Windows 2000 Magazine" for a complete overview on this event.

See MSW2KDB for additional information about this event.
A new process has been created. This type of event is recorded only if the "Audit process tracking" audit policy is set to audit the creation of new processes.

In most cases, this indicates that the user started an application (identified by the "Image File Name" field). The "New Process ID" is the application's process id, the same value shown in Task Manager. Apart from the basic Windows subsystems, most applications are started from within another process; for example, the vast majority of user-started applications are launched by Explorer.exe. The "Creator Process ID" is the id of the process that spawned the "New Process ID". Again, for user-initiated applications this id will correspond to the id of explorer.exe.

When the application is terminated, event id 593 will be recorded (the process id will be shown).

The pair of 592/593 events can be used to track what applications a user is running and for how long. For example, an event id 592 showing "\Program Files\SuperScan\scanner.exe" as "Image File Name" indicates that the Foundstone SuperScan port scanner was started. By recording the process ID, let's say 1788, and the time (10:55:47 AM), then looking for a 593 event with this process id and comparing its time (10:59:52 AM) with the 592 event time, one can see that the user ran the scanner for approx. 4 minutes. This information may then be correlated with other events that occurred within that time frame.
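The 592/593 pairing described above, as an added example that is not part of the original page: the records are constructed from the fields listed for this event (PID 1788 and the two timestamps are the page's; the date, user, domain, logon ID and second process are made up), and the matching is done on process id plus logon id because Windows reuses process ids once a process exits.

```python
from datetime import datetime

# Constructed sample records modelled on the Event ID 592/593 fields listed
# above. PID 1788 and the 10:55:47 / 10:59:52 times come from the page's
# walkthrough; the date, user, domain, logon ID and second process are made up.
SAMPLE_EVENTS = [
    {"time": "2004-03-01 10:55:47", "event_id": 592, "process_id": 1788,
     "image": r"\Program Files\SuperScan\scanner.exe", "creator_process_id": 1504,
     "user": "jdoe", "domain": "CORP", "logon_id": "(0x0,0x2A3F)"},
    {"time": "2004-03-01 10:56:10", "event_id": 592, "process_id": 2012,
     "image": r"\WINNT\system32\notepad.exe", "creator_process_id": 1504,
     "user": "jdoe", "domain": "CORP", "logon_id": "(0x0,0x2A3F)"},
    {"time": "2004-03-01 10:59:52", "event_id": 593, "process_id": 1788,
     "image": r"\Program Files\SuperScan\scanner.exe",
     "user": "jdoe", "domain": "CORP", "logon_id": "(0x0,0x2A3F)"},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def pair_process_events(events):
    """Match each 592 (process created) with the next 593 (process exited)
    for the same process ID and logon ID. Returns one dict per 592 with the
    image name, user, start time and runtime in seconds (None if no 593 seen)."""
    sessions = []
    open_by_key = {}  # (process_id, logon_id) -> index into sessions
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["process_id"], ev["logon_id"])
        when = datetime.strptime(ev["time"], TIME_FMT)
        if ev["event_id"] == 592:
            # A new 592 for the same key starts a fresh session; an earlier
            # session that never received a 593 keeps runtime_seconds=None.
            sessions.append({"image": ev["image"], "user": f'{ev["domain"]}\\{ev["user"]}',
                             "process_id": ev["process_id"], "started": when,
                             "runtime_seconds": None})
            open_by_key[key] = len(sessions) - 1
        elif ev["event_id"] == 593 and key in open_by_key:
            s = sessions[open_by_key.pop(key)]
            s["runtime_seconds"] = int((when - s["started"]).total_seconds())
    return sessions


if __name__ == "__main__":
    for s in pair_process_events(SAMPLE_EVENTS):
        if s["runtime_seconds"] is None:
            runtime = "still running / no 593 seen"
        else:
            runtime = f'{s["runtime_seconds"] // 60} min {s["runtime_seconds"] % 60} s'
        print(f'{s["user"]} ran {s["image"]} (PID {s["process_id"]}) for {runtime}')
```

For the sample above the scanner session resolves to 4 min 5 s, while the notepad.exe session has no matching 593 and is reported as still running.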

Process auditing should be enabled on an "as-needed" basis, since it imposes an additional load on the system. Enable it only if it is necessary to monitor the use of that computer.

See also ME274176.
