Right, for Windows 2003, but not for Windows 2000, specifically for process name for object access events. There are other events that log process ID without image path name.

Eric

________________________________
From: loganalysis-bouncesat_private on behalf of Jean-Baptiste Marchand
Sent: Mon 7/14/2003 9:46 AM
To: loganalysisat_private
Subject: Re: [logs] [W2K] New Process ID field in 592 events

* Eric Fitzgerald <ericfat_private> [13/07/03 - 15:55]:
> Additional note: Many events in Windows contain only the process ID
> and not the executable image path & name. I generally recommend that
> if you audit anything other than logon/logoff & account management,
> that you also audit process creation success events, so that you can
> get a process name via correlation on the process ID.

In Windows Server 2003, this is probably no longer necessary, as the
_Image File Name_ field is always present (at least, in all 560 events
I've seen...):

[...]
Object Open:
        Object Server:    LSA
        Object Type:      PolicyObject
        Object Name:      Policy
        Handle ID:        629600
        Operation ID:     {0,278535}
        Process ID:       504
        Image File Name:  C:\WINDOWS\system32\lsass.exe
[...]

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
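The correlation Eric recommends (recover the image path for a 560 object-access event that carries only a Process ID by joining it to the 592 process-creation event for that PID) is shown below as an added example; it is not code from either poster or from the list. The log records are constructed to look like a flat export of Security-log events (one `Key: Value` line per field, records separated by a blank line); the real export format of a given tool will differ. The example also assumes a Process ID may appear either in decimal or as a `0x` hexadecimal string and accepts both, which is an assumption made here, not something the thread establishes. Because PIDs are reused, the join picks the most recent 592 event for that PID at or before the 560 event's timestamp rather than a single PID-to-name table; where the 560 event already carries Image File Name (the Windows Server 2003 case Jean-Baptiste describes) it is used directly.

```python
"""Correlate 560 (object open) events with 592 (process created) events
on Process ID to recover the image file name.  Added example; sample
records below are constructed, not real log data."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed export: 592 events give "New Process ID"/"Image File Name";
# 560 events give "Process ID" and, on Windows Server 2003, sometimes
# "Image File Name" too.  PID 1320 is deliberately reused.
SAMPLE_LOG = r"""
Time: 2003-07-14 09:40:01
Event ID: 592
New Process ID: 504
Image File Name: C:\WINDOWS\system32\lsass.exe
Creator Process ID: 448

Time: 2003-07-14 09:40:02
Event ID: 592
New Process ID: 1320
Image File Name: C:\WINDOWS\system32\notepad.exe
Creator Process ID: 1100

Time: 2003-07-14 09:40:05
Event ID: 560
Object Server: LSA
Object Type: PolicyObject
Object Name: Policy
Handle ID: 629600
Process ID: 504

Time: 2003-07-14 09:40:09
Event ID: 560
Object Server: Security
Object Type: File
Object Name: C:\Payroll\salaries.xls
Handle ID: 88
Process ID: 1320

Time: 2003-07-14 09:41:00
Event ID: 592
New Process ID: 1320
Image File Name: C:\WINDOWS\system32\cmd.exe
Creator Process ID: 1100

Time: 2003-07-14 09:41:30
Event ID: 560
Object Server: Security
Object Type: File
Object Name: C:\Payroll\salaries.xls
Handle ID: 92
Process ID: 0x528

Time: 2003-07-14 09:42:00
Event ID: 560
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SAM
Handle ID: 120
Process ID: 2200
Image File Name: C:\WINDOWS\regedit.exe

Time: 2003-07-14 09:42:10
Event ID: 560
Object Server: Security
Object Type: File
Object Name: C:\boot.ini
Handle ID: 130
Process ID: 3000
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: Dict[str, str]


def parse_pid(value: str) -> int:
    """Assumption: PIDs are decimal or 0x-prefixed hex (0x528 == 1320)."""
    v = value.strip()
    return int(v, 16) if v.lower().startswith("0x") else int(v, 10)


def parse_events(text: str) -> List[Event]:
    """Split the export into records and sort them by time."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # first ': ' only, paths keep their 'C:\'
            if sep:
                fields[key.strip()] = value.strip()
        events.append(Event(datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S"),
                            int(fields["Event ID"]), fields))
    events.sort(key=lambda e: e.time)
    return events


def build_pid_index(events: List[Event]) -> Dict[int, List[Tuple[datetime, str]]]:
    """PID -> time-ordered list of (creation time, image) from 592 events."""
    index: Dict[int, List[Tuple[datetime, str]]] = {}
    for e in events:
        if e.event_id == 592:
            pid = parse_pid(e.fields["New Process ID"])
            index.setdefault(pid, []).append((e.time, e.fields["Image File Name"]))
    return index


def image_for(index: Dict[int, List[Tuple[datetime, str]]], pid: int, at: datetime) -> Optional[str]:
    """Most recent 592 for this PID at or before 'at'; handles PID reuse."""
    best = None
    for created, image in index.get(pid, []):
        if created <= at:
            best = image
        else:
            break
    return best


def annotate_object_access(text: str) -> List[dict]:
    """Return each 560 event with an image name and where it came from."""
    events = parse_events(text)
    index = build_pid_index(events)
    rows = []
    for e in events:
        if e.event_id != 560:
            continue
        pid = parse_pid(e.fields["Process ID"])
        if "Image File Name" in e.fields:           # Windows Server 2003 style 560
            image, source = e.fields["Image File Name"], "event"
        else:                                        # Windows 2000 style: correlate
            image = image_for(index, pid, e.time)
            source = "592" if image else "unknown"
        rows.append({"time": e.time.isoformat(sep=" "), "object": e.fields.get("Object Name"),
                     "pid": pid, "image": image, "source": source})
    return rows


if __name__ == "__main__":
    for row in annotate_object_access(SAMPLE_LOG):
        print(f'{row["time"]}  pid={row["pid"]:<5} {row["source"]:<8} {row["image"]}  {row["object"]}')
```

In the sample, the two accesses to `salaries.xls` by PID 1320 resolve to different images (notepad.exe, then cmd.exe after the PID is reused), the registry-key access already carries its own Image File Name, and the `boot.ini` access stays "unknown" because no 592 for PID 3000 exists in the window, which is what happens for processes started before process-tracking auditing was enabled or before the log was rolled.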
This archive was generated by hypermail 2b30 : Mon Jul 21 2003 - 13:18:26 PDT