INFO: Event Log Message for Security Event 592 (221212)
The information in this article applies to:
- Microsoft Win32 Application Programming Interface (API), when used with:
- the operating system: Microsoft Windows NT 4.0
- the operating system: Microsoft Windows 2000
- the operating system: Microsoft Windows XP
This article was previously published under Q221212
SUMMARY
When auditing the creation of a process, the system logs an event message similar to the following:
A new process has been created:
New Process ID: 2209180864
Image File Name: \temp\myprog.exe
Creator Process ID: 2159539168
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
The type of process ID that is displayed in an audit log depends on the version of Windows that you are running.
In Microsoft Windows NT 4.0, the Audit Process ID (APID) logged in this message is not the same as the Process ID (PID) returned in the PROCESS_INFORMATION structure passed to the CreateProcess() Win32 API. PIDs identify running processes on the system. When a process exits, its PID is recycled back to the system. In Windows NT 4.0, these PIDs are reused quickly as processes are created and destroyed.
In Microsoft Windows 2000 and Microsoft Windows XP, all audit logs use the actual PID when identifying a process. APIDs are NOT used in Windows 2000 and Windows XP.
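The following added example (not part of the original article or any Microsoft code) parses exported Event 592 message text in the layout shown above, records whether each ID is an APID or a real PID, and resolves each creator ID to the most recent earlier event with that ID, because IDs can be recycled. The function names, the `"NT4"` version label, and the second sample event are assumptions made for illustration.

```python
import re

# Constructed sample: the first event is the article's; the second is made up
# so that the creator lookup has an earlier event to resolve against.
SAMPLE_LOG = r"""
A new process has been created:
New Process ID: 2209180864
Image File Name: \temp\myprog.exe
Creator Process ID: 2159539168
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
A new process has been created:
New Process ID: 2210000000
Image File Name: \temp\child.exe
Creator Process ID: 2209180864
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
"""

HEADER = "A new process has been created:"
FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")  # key is the text before the first colon

def parse_592(text, os_version):
    """os_version is a hypothetical label: "NT4" means APIDs, anything else real PIDs."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        f = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        # Logon ID is printed as (high,low); combine the two halves into one 64-bit value.
        high, low = (int(p, 16) for p in f["Logon ID"].strip("()").split(","))
        events.append({
            "new_id": int(f["New Process ID"]),
            "creator_id": int(f["Creator Process ID"]),
            "image": f["Image File Name"],
            "logon_id": (high << 32) | low,
            "id_kind": "APID" if os_version == "NT4" else "PID",
        })
    return events

def link_creators(events):
    """Resolve creator_id to the latest earlier creation event that used that ID."""
    latest = {}
    for ev in events:  # events must be in log order
        parent = latest.get(ev["creator_id"])
        ev["creator_image"] = parent["image"] if parent else None
        latest[ev["new_id"]] = ev  # a recycled ID overwrites the older owner
    return events
```

An event whose `id_kind` is `"APID"` should only be correlated with other audit events, not with PIDs obtained from `CreateProcess()` or a process listing.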
REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
277743 APID Is Reported in Process Tracking Audit Events
Modification Type: Major
Last Reviewed: 12/17/2003
Keywords: kbAPI kbEventLog kbinfo kbKernBase kbSecurity KB221212