Hello,
it seems that SP4 of Windows 2000 fixes a bug that appears in 592
events in the security eventlog.
592 events are recorded in the security eventlog when the _Audit process
tracking_ auditing category is enabled. When enabled, a 592 is recorded
when a process starts and a 593 event when a process ends.
The New Process ID field of a 592 event is supposed to contain the
process identifier (pid) of the newly created process. The Creator
Process ID is supposed to contain the pid of the parent process.
On a Windows 2000 machine:
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: xx/xx/2003
Time: xx:xx:xx
User: BLAH\user
Computer: BLAH
Description:
A new process has been created:
New Process ID: 2171510832
Image File Name: \Program Files\Vim\vim60\gvim.exe
Creator Process ID: 2174762128
User Name: user
Domain: BLAH
Logon ID: (0x0,0xB821)
As you can see, pid values are not correct (values are too high). The
relation between the incorrect value and the real pid is not evident to
determine.
However, pids that appear in 560 or 593 events are correct:
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 593
Date: xx/xx/2003
Time: xx:xx:xx
User: BLAH\user
Computer: BLAH
Description:
A process has exited:
Process ID: 1520
User Name: user
Domain: BLAH
Logon ID: (0x0,0xB821)
Incorrect values in the New Process ID and Creator Process ID have
apparently been fixed in W2K SP4. However, this does not seem to be
documented in the Microsoft Knowledge Base...
Another bug, that is not fixed in W2K SP4, is that the Image File Name
does not contain the drive letter of the executable image. This is
fixed in Windows Server 2003:
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: xx/xx/2003
Time: xx:xx:xx
User: BLAH\user
Computer: BLAH
Description:
A new process has been created:
New Process ID: 876
Image File Name: C:\WINDOWS\system32\mmc.exe
Creator Process ID: 1776
User Name: user
Domain: BLAH
Logon ID: (0x0,0x124B8)
Jean-Baptiste Marchand
--
Jean-Baptiste.Marchand@hsc.fr
Hervé Schauer Consultants
http://www.hsc.fr/
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 11:46:36 PDT
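The two defects described in the post (bogus pid fields in pre-SP4 Windows 2000 592 events, and an Image File Name with no drive letter) are exactly the kind of thing a log-analysis pipeline should detect before it trusts process-tracking events. The following Python checker is an added example, not code from the post or from HSC. It parses Security event records in the plain-text shape quoted above, flags 592 events whose New Process ID or Creator Process ID lies outside the 32-bit user-mode range (the values in the W2K record are above 0x7FFFFFFF; that threshold is this example's own heuristic, not something the post states), flags image paths with no drive letter, and pairs 592/593 events by pid to derive process lifetimes. The sample records are constructed from the ones in the post; the Time values are made up so that a lifetime can be computed.

```python
"""Sanity-check Windows 2000/2003 process-tracking audit events (592/593).

Added example, not part of the original mailing-list post. Records are
expected in the "Key: value" plain-text export shape shown in the post.
"""
import re
from typing import Dict, List

# A Windows pid is a small integer; anything above 0x7FFFFFFF cannot be a
# real pid (heuristic threshold chosen for this example, not from the post).
MAX_PLAUSIBLE_PID = 0x7FFFFFFF

# "Key: value" lines; the lazy key match stops at the first colon so that
# "Time: 10:00:00" yields key "Time" and value "10:00:00".
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+)$")
# A fully qualified Win32 path starts with a drive letter, e.g. "C:\".
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample log: the W2K (pre-SP4) 592 and 593 records from the
# post, then the Windows Server 2003 592 record plus a matching 593.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: xx/xx/2003
Time: 10:00:00
User: BLAH\user
Computer: BLAH
Description:
A new process has been created:
New Process ID: 2171510832
Image File Name: \Program Files\Vim\vim60\gvim.exe
Creator Process ID: 2174762128
User Name: user
Domain: BLAH
Logon ID: (0x0,0xB821)

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 593
Date: xx/xx/2003
Time: 10:05:00
User: BLAH\user
Computer: BLAH
Description:
A process has exited:
Process ID: 1520
User Name: user
Domain: BLAH
Logon ID: (0x0,0xB821)

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: xx/xx/2003
Time: 11:00:00
User: BLAH\user
Computer: BLAH
Description:
A new process has been created:
New Process ID: 876
Image File Name: C:\WINDOWS\system32\mmc.exe
Creator Process ID: 1776
User Name: user
Domain: BLAH
Logon ID: (0x0,0x124B8)

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 593
Date: xx/xx/2003
Time: 11:30:00
User: BLAH\user
Computer: BLAH
Description:
A process has exited:
Process ID: 876
User Name: user
Domain: BLAH
Logon ID: (0x0,0x124B8)
"""


def parse_event(record: str) -> Dict[str, str]:
    """Turn one event record into a dict; Description lines are fields too."""
    fields: Dict[str, str] = {}
    for line in record.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split a text export into records (blank-line separated) and parse each."""
    return [parse_event(r) for r in re.split(r"\n\s*\n", text.strip()) if r.strip()]


def implausible_pids(ev: Dict[str, str]) -> List[str]:
    """Names of pid fields in a 592 event whose value cannot be a real pid."""
    if int(ev.get("Event ID", "0")) != 592:
        return []
    return [k for k in ("New Process ID", "Creator Process ID")
            if int(ev[k]) > MAX_PLAUSIBLE_PID]


def missing_drive_letter(ev: Dict[str, str]) -> bool:
    """True when a 592 event's Image File Name is not rooted at a drive letter."""
    return int(ev.get("Event ID", "0")) == 592 and \
        not DRIVE_RE.match(ev.get("Image File Name", ""))


def process_lifetimes(events: List[Dict[str, str]]) -> Dict[int, Dict[str, str]]:
    """Pair 592 starts with 593 exits by pid; events with bogus pids never pair."""
    starts: Dict[int, Dict[str, str]] = {}
    lifetimes: Dict[int, Dict[str, str]] = {}
    for ev in events:
        eid = int(ev.get("Event ID", "0"))
        if eid == 592 and not implausible_pids(ev):
            starts[int(ev["New Process ID"])] = ev
        elif eid == 593:
            pid = int(ev["Process ID"])
            if pid in starts:
                lifetimes[pid] = {"image": starts[pid]["Image File Name"],
                                  "start": starts[pid]["Time"], "end": ev["Time"]}
    return lifetimes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        for field in implausible_pids(ev):
            print(f"event 592: {field} {ev[field]} is not a plausible pid")
        if missing_drive_letter(ev):
            print(f"event 592: no drive letter in {ev['Image File Name']!r}")
    print("lifetimes:", process_lifetimes(evs))
```

Run as-is, the checker reports both pid fields of the W2K 592 record as implausible and its image path as lacking a drive letter, and only the Windows Server 2003 process (pid 876) gets a start/exit pairing; the W2K gvim.exe start is left unpaired because nothing in its record can be matched against a 593.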