Task Manager PID vs. Audit Event Process ID
From: Wayne Harris (wayne@nospam-point-of-rental.com)
Date: 05/08/02
- Next message: syn: "Re: Security warning..."
- Previous message: Lanwench: "Re: http://localhost/localstart.asp : File not found???"
- Next in thread: Eric Fitzgerald [MS]: "Re: Task Manager PID vs. Audit Event Process ID"
- Reply: Eric Fitzgerald [MS]: "Re: Task Manager PID vs. Audit Event Process ID"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Wayne Harris" <wayne@nospam-point-of-rental.com> Date: Wed, 08 May 2002 17:50:10 GMT
The Task Manager lists the currently active processes,
displaying the process name and the PID, among others.
For example, winlogon.exe may have a PID of 34, and the
taskmgr.exe may have a PID of 111.
When auditing is turned on, one of the options is to
turn on Process Tracking. This produces audit events
when processes are created and when they are deleted.
For example, when I start a new notepad.exe, an event
number 592 is generated. This event tells me that a new
process has been created with "New Process ID: 2162912448",
and "Creator Process ID: 2159721984".
However, when I look at the Task Manager, the notepad.exe
has a PID of 126. I have been unable to determine how the
New Process ID generated in the audit event is related to
the PID of 126 displayed in the Task Manager.
Can anyone help me determine how I can relate the Audit
Event Process ID to a currently running process?
Any help appreciated.
wh
- Next message: syn: "Re: Security warning..."
- Previous message: Lanwench: "Re: http://localhost/localstart.asp : File not found???"
- Next in thread: Eric Fitzgerald [MS]: "Re: Task Manager PID vs. Audit Event Process ID"
- Reply: Eric Fitzgerald [MS]: "Re: Task Manager PID vs. Audit Event Process ID"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
