* Eric Fitzgerald <ericfat_private> [13/07/03 - 15:55]:

> Additional note: Many events in windows contain only the process ID
> and not the executable image path & name. I generally recommend that
> if you audit anything other than logon/logoff & account management,
> that you also audit process creation success events, so that you can
> get a process name via correlation on the process ID.

In Windows Server 2003, this is probably no longer necessary, as the
_Image File Name_ field is always present (at least, in all 560 events
I've seen...):

[...]
Object Open:
    Object Server: LSA
    Object Type: PolicyObject
    Object Name: Policy
    Handle ID: 629600
    Operation ID: {0,278535}
    Process ID: 504
    Image File Name: C:\WINDOWS\system32\lsass.exe
[...]

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
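
The process-ID correlation described in the quoted note, and the case from the reply where a 560 event already carries _Image File Name_, as an added example that is not part of the original message. The records are constructed, and the event ID 592 process-creation layout ("New Process ID", "Image File Name") is an assumption of this sketch; because PIDs are reused, the lookup takes the latest creation at or before the event time.

```python
import re

# "Field: value" lines, as in the 560 description quoted in the message.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

# Constructed sample records: (timestamp, event ID, description).
# The 592 (process creation) field layout is an assumption.
SAMPLE = [
    (100, 592, "New Process ID: 1812\nImage File Name: C:\\WINDOWS\\system32\\cmd.exe"),
    (150, 560, "Object Type: File\nProcess ID: 1812"),
    (300, 592, "New Process ID: 1812\nImage File Name: C:\\WINDOWS\\system32\\notepad.exe"),
    (350, 560, "Object Type: File\nProcess ID: 1812"),
    (400, 560, "Object Type: PolicyObject\nProcess ID: 504\n"
               "Image File Name: C:\\WINDOWS\\system32\\lsass.exe"),
    (450, 560, "Object Type: Key\nProcess ID: 999"),
]

def parse_fields(description):
    """Split an event description into {field name: value}."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def build_pid_index(events):
    """Map PID -> time-ordered [(timestamp, image)] from creation events."""
    index = {}
    for ts, event_id, text in sorted(events):
        if event_id == 592:
            f = parse_fields(text)
            index.setdefault(f["New Process ID"], []).append((ts, f["Image File Name"]))
    return index

def resolve_image(index, pid, ts):
    """Image of the latest process created with this PID at or before ts."""
    earlier = [image for created, image in index.get(pid, []) if created <= ts]
    return earlier[-1] if earlier else None  # PIDs get reused, so time matters

def enrich_560(events):
    """Return (timestamp, pid, image, source) for every 560 event."""
    index, rows = build_pid_index(events), []
    for ts, event_id, text in events:
        if event_id != 560:
            continue
        f = parse_fields(text)
        pid, image, source = f.get("Process ID"), f.get("Image File Name"), "event"
        if not image:  # no Image File Name in the event: correlate on the PID
            image = resolve_image(index, pid, ts)
            source = "correlated" if image else "unknown"
        rows.append((ts, pid, image, source))
    return rows

if __name__ == "__main__":
    for row in enrich_560(SAMPLE):
        print(row)
```

A 560 event whose PID has no earlier creation record comes back as "unknown", which is what happens when process creation auditing was not enabled before the process started.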
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 15:31:51 PDT