Detailed Tracking Events


In Windows XP Professional and Windows 2000 Server, all processes occur in a security context. At times you might need to investigate the security implications of the processes initiated on a computer. The following messages allow you to see security events that relate to system processes.

592 A new process was created.

Parameters: New process ID, image file name, creator process ID, user name, domain, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_PROCESS_CREATED

593 A process exited.

Parameters: Process ID, image file name, user name, domain name, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_PROCESS_EXIT
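As an added example (not part of the Resource Kit text), the following Python parser reads the "Name: value" fields that events 592 and 593 carry, rebuilds the creator-to-child lineage of each process from the creator process ID, and reports which processes have no matching exit. The sample records are constructed to mirror the parameter lists above; real exports differ in layout and should be adapted.

```python
import re

# Constructed sample records: (event ID, message body) in the shape of the
# Detailed Tracking events 592 (process created) and 593 (process exited).
SAMPLE_EVENTS = [
    (592, "New Process ID: 1000\nImage File Name: \\WINDOWS\\explorer.exe\n"
          "Creator Process ID: 600\nUser Name: alice\nDomain: CORP\nLogon ID: (0x0,0x3E7)"),
    (592, "New Process ID: 1234\nImage File Name: \\WINDOWS\\system32\\cmd.exe\n"
          "Creator Process ID: 1000\nUser Name: alice\nDomain: CORP\nLogon ID: (0x0,0x3E7)"),
    (592, "New Process ID: 1300\nImage File Name: \\WINDOWS\\system32\\net.exe\n"
          "Creator Process ID: 1234\nUser Name: alice\nDomain: CORP\nLogon ID: (0x0,0x3E7)"),
    (593, "Process ID: 1300\nImage File Name: \\WINDOWS\\system32\\net.exe\n"
          "User Name: alice\nDomain: CORP\nLogon ID: (0x0,0x3E7)"),
]

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.+?)\s*$")

def parse_fields(body):
    """Turn the 'Name: value' lines of an event message into a dict."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def build_process_table(events):
    """Map process ID -> creation record (from 592), marking exits seen in 593.
    Caveat: Windows reuses process IDs after exit, so a production version
    should key on (process ID, creation time) rather than the bare ID."""
    table = {}
    for event_id, body in events:
        f = parse_fields(body)
        if event_id == 592:
            table[int(f["New Process ID"])] = {
                "image": f["Image File Name"], "creator": int(f["Creator Process ID"]),
                "user": f["Domain"] + "\\" + f["User Name"], "logon_id": f["Logon ID"],
                "exited": False}
        elif event_id == 593 and int(f["Process ID"]) in table:
            table[int(f["Process ID"])]["exited"] = True
    return table

def lineage(table, pid):
    """Walk creator process IDs toward the root; returns image names, child first."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid]["image"])
        pid = table[pid]["creator"]
    return chain

def still_running(table):
    """Process IDs that were created but have no matching 593 exit event."""
    return sorted(pid for pid, rec in table.items() if not rec["exited"])
```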

594 A handle to an object was duplicated.

Parameters: Source handle ID, source process ID, target handle ID, target process ID.

Configurable Information: Success

Formal name: SE_AUDITID_DUPLICATE_HANDLE

595 Indirect access to an object was obtained.

Parameters: Object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses.

Configurable Information: Success

Formal name: SE_AUDITID_INDIRECT_REFERENCE

596 A data protection master key was backed up.

Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifies the key on the domain controller that was used to encrypt the master key), failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_BACKUP

The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created (the default is 90 days). The key is usually backed up to a domain controller.

597 A data protection master key was recovered from a recovery server.

Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifying the key on the domain controller used to encrypt the master key), failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_RECOVERY

598 Auditable data was protected.

Parameters: Data description, key ID (the master key GUID), protected data flags (CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, or CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_PROTECT

599 Auditable data was unprotected.

Parameters: Data description, key ID, protected data flags (including CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, and CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_UNPROTECT

600 A process was assigned a primary token.

This often happens when a service starts. The following parameters are tracked for both the assigning process and the new process.

Parameters: Process ID, image file name (the name of the process), user name, domain name, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_ASSIGN_TOKEN




Microsoft Windows XP Professional Resource Kit 2003