* Jean-Baptiste Marchand <Jean-Baptiste.Marchandat_private> [03/07/03 - 20:47]:

> it seems that SP4 of Windows 2000 fixes a bug that appears in 592
> events in the security eventlog.

Correction, the bug has actually been fixed in SP3, as explained in
MSKB #277743:

http://support.microsoft.com/?id=277743

This knowledge base article explains that in Windows NT 4.0, all
security events use APID (Audit Process ID), instead of directly using
process identifiers. This is explained in detail in MSKB #221212:

http://support.microsoft.com/?id=221212

In Windows 2000, before SP3, all security events containing a reference
to a process use process identifiers instead of APID, but 592 events
still use APID.

So, it is probably a good idea to run at least W2K SP3 if you want to be
able to correlate security events on Windows 2000...

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jul 04 2003 - 11:28:44 PDT
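
Added example, not part of the original post and not code from Microsoft or the poster: a small correlation check that pairs 592 (process created) records with 593 (process exited) records by identifier, and shows what happens when 592 carries a different kind of identifier than the other events, as the post describes for Windows 2000 before SP3. The dict keys (event_id, new_process_id, process_id, image) and every sample record and value are constructed for illustration.

```python
# Added example: pair 592 (process created) with 593 (process exited) records
# by process identifier. Dict keys and all sample records are constructed.
from collections import defaultdict

def correlate(events):
    """Return (pairs, orphan_exits, still_open) for time-ordered records."""
    open_by_id = defaultdict(list)  # identifier -> 592 records not yet exited
    pairs, orphan_exits = [], []
    for ev in events:
        if ev["event_id"] == 592:
            open_by_id[ev["new_process_id"]].append(ev)
        elif ev["event_id"] == 593:
            stack = open_by_id.get(ev["process_id"])
            if stack:
                pairs.append((stack.pop(), ev))  # newest creation wins on reuse
            else:
                orphan_exits.append(ev)  # no creation record with this value
    still_open = [ev for stack in open_by_id.values() for ev in stack]
    return pairs, orphan_exits, still_open

def ids_look_consistent(events):
    """False when exit records exist but none matches any 592 record."""
    pairs, orphan_exits, _ = correlate(events)
    return bool(pairs) or not orphan_exits

# Constructed log: 592 and 593 carry the same kind of identifier.
SAME_ID_SPACE = [
    {"event_id": 592, "new_process_id": 1340, "image": "cmd.exe"},
    {"event_id": 592, "new_process_id": 1412, "image": "net.exe"},
    {"event_id": 593, "process_id": 1412},
    {"event_id": 593, "process_id": 1340},
]

# Constructed log: 592 carries values from another number space than 593,
# so the same two processes can no longer be followed from start to exit.
MIXED_ID_SPACE = [
    {"event_id": 592, "new_process_id": 2155208384, "image": "cmd.exe"},
    {"event_id": 592, "new_process_id": 2155106432, "image": "net.exe"},
    {"event_id": 593, "process_id": 1412},
    {"event_id": 593, "process_id": 1340},
]

if __name__ == "__main__":
    for name, log in (("same", SAME_ID_SPACE), ("mixed", MIXED_ID_SPACE)):
        pairs, orphans, still_open = correlate(log)
        print(name, len(pairs), len(orphans), len(still_open),
              ids_look_consistent(log))
```

Orphan exits alone are normal for processes started before the log begins; the consistency check only fails when exits are present and not a single one matches a creation record.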