Task Manager PID vs. Audit Event Process ID

From: Wayne Harris (wayne@nospam-point-of-rental.com)
Date: 05/08/02


From: "Wayne Harris" <wayne@nospam-point-of-rental.com>
Date: Wed, 08 May 2002 17:50:10 GMT


The Task Manager lists the currently active processes,
displaying the process name and the PID, among others.
For example, winlogon.exe may have a PID of 34, and the
taskmgr.exe may have a PID of 111.

When auditing is turned on, one of the options is to
turn on Process Tracking. This produces audit events
when processes are created and when they are deleted.

For example, when I start a new notepad.exe, an event
number 592 is generated. This event tells me that a new
process has been created with "New Process ID: 2162912448",
and "Creator Process ID: 2159721984".

However, when I look at the Task Manager, the notepad.exe
has a PID of 126. I have been unable to determine how the
New Process ID generated in the audit event is related to
the PID of 126 displayed in the Task Manager.

Can anyone help me determine how I can relate the Audit
Event Process ID to a currently running process?

Any help appreciated.
wh


