INFO: Event Log Message for Security Event 592
ID: Q221212
When auditing the creation of a process, the system logs an event message similar to the following:
A new process has been created:
New Process ID: 2209180864
Image File Name: \temp\myprog.exe
Creator Process ID: 2159539168
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
The Audit Process ID (APID) logged in this message is not the same as the Process ID (PID) returned in the PROCESS_INFORMATION structure by the CreateProcess() Win32 API. PIDs identify running processes on the system. When a process exits, its PID is recycled by the system. On Windows NT, PIDs are reused quickly as processes are created and destroyed.
The purpose of APIDs is to provide better 32-bit identifiers for processes. Eventually they too are recycled; however, APIDs remain useful over a longer period of time than PIDs. APIDs are not intended for programmatic use, and there is no way to relate an APID to a PID. Rather, APIDs provide system administrators with correlative values to use when reviewing system activity.
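As an added example (not part of the Knowledge Base article), a small Python script that parses 592 messages in the format shown above and follows Creator Process ID links to reconstruct a process's ancestry from the log alone, looking back only to the most recent earlier creation event for each APID because, as the article notes, APIDs are eventually recycled. The sample log is constructed and its APID values are invented.

```python
import re

# Constructed sample of three Event 592 messages in the format quoted above,
# in log order (oldest first). The APID values are invented for illustration.
SAMPLE_LOG = r"""A new process has been created:
New Process ID: 2159539168
Image File Name: \WINNT\system32\services.exe
Creator Process ID: 2159538272
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
A new process has been created:
New Process ID: 2209180864
Image File Name: \temp\myprog.exe
Creator Process ID: 2159539168
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
A new process has been created:
New Process ID: 2209181120
Image File Name: \temp\child.exe
Creator Process ID: 2209180864
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.+)$", re.MULTILINE)

def parse_events(log: str) -> list[dict[str, str]]:
    """Split a log dump into one dict per 592 message, keyed by field name."""
    chunks = log.split("A new process has been created:")[1:]
    return [dict(FIELD_RE.findall(chunk)) for chunk in chunks]

def creator_chain(events: list[dict[str, str]], apid: str) -> list[str]:
    """Walk Creator Process ID links upward from the given APID and return the
    image names from that process to its oldest logged ancestor. Since APIDs
    are eventually recycled, each parent lookup takes the most recent 592
    event *before* the child's that created that APID, not just any match."""
    # start from the latest event that created the requested APID
    idx = max((i for i, e in enumerate(events)
               if e.get("New Process ID") == apid), default=None)
    chain: list[str] = []
    while idx is not None:
        ev = events[idx]
        chain.append(ev["Image File Name"])
        creator = ev.get("Creator Process ID")
        idx = next((i for i in range(idx - 1, -1, -1)
                    if events[i].get("New Process ID") == creator), None)
    return chain
```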
For additional information about auditing process tracking events, please see the following article in the Microsoft Knowledge Base:
Q157238 How to Activate Security Event Logging in Windows NT 4.0
Keywords : kbAPI kbEventLog kbKernBase kbNTOS400 kbWinOS2000 kbSecurity
Version : winnt:4.0
Platform : winnt
Issue type : kbinfo
Last Reviewed: April 3, 1999