592: A new process has been created
On this page
This event allows you to monitor each program as it is executed. Image File Name identify) the executable. Prior to w2k, image file name did not include the path - just the file name itself. New Process ID: allows you to link this event to other events such as object accesses. To determine when the program ended look for a subsequent event 593 with the same Process ID. Creator Process ID:identifies the processes that started this process. Look for a preceding event 592 with a New Process ID that matches this Creator Process process ID. Username and domain identify the user who started the process. Logon ID can be used to find related object accessand other events that have the same Logon ID including the event 528 and 540 logon events.
Supercharger's built-in Xpath filters leave the noise behind.
Free.
New process has been created: New Process ID:2167588800 Image File Name:\WINNT\system32\notepad.exe Creator Process ID:2167187648 User Name:administrator Domain:ELMW2 Logon ID:(0x0,0x804C2)
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection
Go To Event ID: Must be a 1-5 digit number No such event ID
Security Log Quick Reference Chart Download now!