Additional note: Many events in Windows contain only the process ID and not the executable image path & name. I generally recommend that if you audit anything other than logon/logoff & account management, you also audit process creation success events, so that you can get a process name via correlation on the process ID.

Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

-----Original Message-----
From: loganalysis-bouncesat_private [mailto:loganalysis-bouncesat_private] On Behalf Of Jean-Baptiste Marchand
Sent: Thursday, July 03, 2003 12:35 PM
To: loganalysisat_private
Subject: Re: [logs] [W2K] New Process ID field in 592 events

* Jean-Baptiste Marchand <Jean-Baptiste.Marchandat_private> [03/07/03 - 20:47]:
> it seems that SP4 of Windows 2000 fixes a bug that appears in 592
> events in the security eventlog.

Correction, the bug has actually been fixed in SP3, as explained in MSKB #277743:

http://support.microsoft.com/?id=277743

This knowledge base article explains that in Windows NT 4.0, all security events use APID (Audit Process ID) instead of directly using process identifiers. This is explained in detail in MSKB #221212:

http://support.microsoft.com/?id=221212

In Windows 2000, before SP3, all security events containing a reference to a process use process identifiers instead of APID, but 592 events still use APID.

So, it is probably a good idea to run at least W2K SP3 if you want to be able to correlate security events on Windows 2000...

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
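The correlation Eric describes, as an added example that is not part of either message on this page: a small Python routine that walks Windows 2000 security events in order, remembers the image name from each process creation event (592) keyed by "New Process ID", forgets it again on the matching process exit event (593), and uses that table to attach an image name to any other event that carries only a "Process ID". The event records are constructed here for illustration and are simplified; the field labels ("New Process ID", "Image File Name", "Process ID") are taken from the 592/593 event descriptions, and the use of event 560 (object open) as the event with only a process ID is an assumption for the sample. Clearing the table on 593 is what makes the join safe against process ID reuse, which is also why this only works on W2K SP3 or later where 592 records a real process ID rather than an APID.

```python
"""Join security events that carry only a process ID to the image name
recorded by process creation (592) and released by process exit (593)."""

from dataclasses import dataclass


@dataclass
class Event:
    seq: int          # position in the event log (older first)
    event_id: int     # Windows 2000 security event ID
    fields: dict      # parsed description fields, label -> value


# Constructed sample events (not real log data). Note that PID 1234 is
# reused: cmd.exe exits at seq 3 and notepad.exe gets the same PID at seq 4.
SAMPLE_EVENTS = [
    Event(1, 592, {"New Process ID": "1234",
                   "Image File Name": r"C:\WINNT\system32\cmd.exe",
                   "Creator Process ID": "876", "User Name": "alice"}),
    Event(2, 560, {"Process ID": "1234",
                   "Object Name": r"C:\payroll\salaries.xls",
                   "Primary User Name": "alice"}),
    Event(3, 593, {"Process ID": "1234",
                   "Image File Name": r"C:\WINNT\system32\cmd.exe"}),
    Event(4, 592, {"New Process ID": "1234",
                   "Image File Name": r"C:\WINNT\system32\notepad.exe",
                   "Creator Process ID": "876", "User Name": "bob"}),
    Event(5, 560, {"Process ID": "1234",
                   "Object Name": r"C:\payroll\salaries.xls",
                   "Primary User Name": "bob"}),
    # No 592 was logged for PID 999 (started before process tracking was
    # enabled, or process auditing is off), so it cannot be resolved.
    Event(6, 560, {"Process ID": "999",
                   "Object Name": r"C:\boot.ini",
                   "Primary User Name": "SYSTEM"}),
]


def correlate(events):
    """Return one record per non-592/593 event that names a process ID,
    with the image name of the process alive under that PID at the time,
    or None when no creation event for it was seen."""
    live = {}  # pid -> image file name of the process currently holding it
    resolved = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.event_id == 592:
            # Process creation: start tracking this PID.
            live[ev.fields["New Process ID"]] = ev.fields["Image File Name"]
            continue
        if ev.event_id == 593:
            # Process exit: the PID may be handed to a new process later,
            # so drop the mapping rather than let stale names leak forward.
            live.pop(ev.fields["Process ID"], None)
            continue
        pid = ev.fields.get("Process ID")
        if pid is None:
            continue  # event does not reference a process at all
        resolved.append({"seq": ev.seq, "event_id": ev.event_id,
                         "pid": pid, "image": live.get(pid)})
    return resolved


def unresolved(events):
    """PIDs referenced by events for which no creation event was available."""
    return sorted({r["pid"] for r in correlate(events) if r["image"] is None})


if __name__ == "__main__":
    for rec in correlate(SAMPLE_EVENTS):
        print(rec)
    print("unresolved PIDs:", unresolved(SAMPLE_EVENTS))
```

On a log where process tracking was not audited, every record comes back with image None, which is the situation Eric's recommendation is meant to avoid; on pre-SP3 Windows 2000 the join also fails silently because the 592 "New Process ID" value is an APID that never matches the process IDs in other events.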
This archive was generated by hypermail 2b30 : Fri Jul 11 2003 - 17:36:06 PDT