Hi,

And now for something completely different ;-).

I discovered yesterday that Windows does not always log process creation and termination. I was testing rasusers.exe from the Windows 2000 Server Resource Kit on a Windows NT 4 SP 6 machine and noticed that rasusers failed to log process termination. I also found that running "arp -a" failed to log process termination. So far I have not found any other programs that have this behavior.

Switching to Windows 2000 Professional SP 3 and checking for this behavior, I discovered that the system was failing to log most process creation and termination events. What the system was doing was adding the following event to the security log every 4 seconds:

    Source: Security
    Category: Object Access
    Type: Failure
    EventID: 560
    Description: Object Open:
        Object Server: SC Manager
        Object Type: SERVICE OBJECT
        Object Name: cisvc

Also going on at this time, Microsoft Word was using 99% of the CPU doing who knows what. Exiting Word stopped the above event messages, and event logging returned to normal. It also correctly logged process termination for rasusers, arp and everything else I tried.

Since Windows Event logging is unreliable, the results of log analysis may also be unreliable.

B Cing U

Buck

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 09:18:43 PST
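
A consistency check an analyst could run for the two symptoms reported in the message above (process events with no partner, and a repeating 560 failure), as an added example that is not part of the original post. It assumes the Security log has already been parsed into dicts with the hypothetical fields `time` (seconds), `id`, `pid`, `image`, `type` and `object`; the window and threshold values are also assumptions.

```python
from collections import Counter

# Security-log event IDs on NT 4 / Windows 2000: 592 = process created,
# 593 = process exited, 560 = object open (the event quoted in the post).
CREATE, EXIT, OBJECT_OPEN = 592, 593, 560

def audit_gaps(events, window=60, flood_threshold=10):
    """Return (creates with no exit, exits with no create, 560-failure floods)."""
    running = {}                      # pid -> image: 592 seen, no 593 yet
    missing_exit, missing_create = [], []
    failures = Counter()              # (window index, object name) -> count
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == CREATE:
            if ev["pid"] in running:  # PID reused: the earlier exit was never logged
                missing_exit.append((ev["pid"], running[ev["pid"]]))
            running[ev["pid"]] = ev["image"]
        elif ev["id"] == EXIT:
            if running.pop(ev["pid"], None) is None:
                missing_create.append((ev["pid"], ev["image"]))
        elif ev["id"] == OBJECT_OPEN and ev.get("type") == "Failure":
            failures[(ev["time"] // window, ev["object"])] += 1
    # Whatever is left has no 593. Processes still alive at the end of the
    # capture land here too and have to be ruled out by hand.
    missing_exit.extend(running.items())
    floods = [(w * window, obj, n) for (w, obj), n in sorted(failures.items())
              if n >= flood_threshold]
    return sorted(missing_exit), sorted(missing_create), floods

# Constructed sample records (not taken from the machines in the post).
SAMPLE = [
    {"time": 1, "id": CREATE, "pid": 100, "image": "rasusers.exe"},
    {"time": 5, "id": CREATE, "pid": 104, "image": "arp.exe"},
    {"time": 10, "id": CREATE, "pid": 108, "image": "notepad.exe"},
    {"time": 20, "id": EXIT, "pid": 108, "image": "notepad.exe"},
    {"time": 30, "id": EXIT, "pid": 112, "image": "cmd.exe"},
] + [{"time": t, "id": OBJECT_OPEN, "type": "Failure", "object": "cisvc"}
     for t in range(0, 60, 4)]    # one failure every 4 seconds

if __name__ == "__main__":
    no_exit, no_create, floods = audit_gaps(SAMPLE)
    print("created, never exited:", no_exit)
    print("exited, never created:", no_create)
    print("560 failure floods (window start, object, count):", floods)
```

A non-empty result does not say why events are missing; it marks the time ranges where conclusions drawn from the process audit trail should not be trusted.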