In Windows XP Professional and Windows 2000 Server, every process runs in a security context: the access token of the user or service account that started it. When you need to establish what a process did and on whose behalf, the following audit messages record how processes are created, exit, receive primary tokens, and pass handles and object references between each other. They are generated only when the "Audit process tracking" policy is enabled; creation and exit messages are also produced for many legitimate short-lived processes, so expect a high volume once it is on.
Parameters: New process ID, image file name, creator process ID, user name, domain name, logon ID.
Configurable Information: Success
Formal name: SE_AUDITID_PROCESS_CREATED
Parameters: Process ID, image file name, user name, domain name, logon ID.
Configurable Information: Success
Formal name: SE_AUDITID_PROCESS_EXIT
Parameters: Source handle ID, source process ID, target handle ID, target process ID.
Configurable Information: Success
Formal name: SE_AUDITID_DUPLICATE_HANDLE
Parameters: Object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses.
Configurable Information: Success
Formal name: SE_AUDITID_INDIRECT_REFERENCE
Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifies the key on the domain controller that was used to encrypt the master key), failure reason.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_DPAPI_BACKUP
The DPAPI master key is what the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS), use to protect per-user secrets. A new master key is generated periodically (by default every 90 days), and each new key is backed up when it is created. On a domain member the backup goes to a domain controller, which is the recovery server recorded in this message.
Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifying the key on the domain controller used to encrypt the master key), failure reason.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_DPAPI_RECOVERY
Parameters: Data description, key ID (the master key GUID), protected data flags (CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, or CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason. Because the audit is generated only when the caller passes CRYPTPROTECT_AUDIT, most DPAPI calls produce no message at all; absence of this event does not mean no data was protected.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_DPAPI_PROTECT
Parameters: Data description, key ID, protected data flags (including CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, and CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_DPAPI_UNPROTECT
Assigning a primary token to a new process often happens when a service starts, because the new process receives an identity different from that of the process that created it. The following parameters are recorded twice in the message: once for the assigning process and once for the new process.
Parameters: Process ID, image file name (the name of the process), user name, domain name, logon ID.
Configurable Information: Success
Formal name: SE_AUDITID_ASSIGN_TOKEN
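The process-tracking messages above (process created, process exited, handle duplicated, and primary token assigned) are only useful once they are correlated: a single record tells you a process ID and an image name, but not the chain of creators, whether the process still exists, or under which identity it ended up running. The following is an added example, not code from the original page or from Microsoft, that walks a sequence of such records in log order, rebuilds the process tree, and raises the checks a reviewer would want: a creation for a process ID that is still live (the exit record was lost), a creator that was never audited, a token assignment that changed the identity, and a handle duplicated across two different security contexts. The dictionary keys, the record ordering, and all sample records are constructed for the example and mirror the parameter lists given above rather than any real log export format.

```python
"""Correlate process-tracking audit records into a process tree.
Added example, not from the original page. Record keys mirror the parameter
lists above; the key names and all sample records are constructed."""
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    image: str
    creator_pid: int
    user: str             # user name from the "process created" record
    domain: str
    logon_id: str
    token_user: str = ""  # identity given by a later "assign token" record
    exited: bool = False

    @property
    def effective_user(self):
        return self.token_user or self.user


def build_process_tree(records):
    """Walk records in log order. Returns (processes, findings): processes maps
    pid -> list of Process objects in creation order (a pid is reused once its
    holder exits), findings is a list of (kind, pid, detail) tuples."""
    processes, findings = {}, []

    def live(pid):  # most recent process with this pid, if it has not exited
        entries = processes.get(pid, [])
        return entries[-1] if entries and not entries[-1].exited else None

    for rec in records:
        kind = rec["formal_name"]
        if kind == "SE_AUDITID_PROCESS_CREATED":
            pid, holder = rec["new_process_id"], live(rec["new_process_id"])
            if holder is not None:  # exit record lost: log gap or auditing enabled late
                findings.append(("pid_reused_without_exit", pid, holder.image))
                holder.exited = True
            if live(rec["creator_process_id"]) is None:  # creator never audited
                findings.append(("unknown_creator", pid, rec["creator_process_id"]))
            processes.setdefault(pid, []).append(Process(
                pid, rec["image_file_name"], rec["creator_process_id"],
                rec["user_name"], rec["domain"], rec["logon_id"]))
        elif kind == "SE_AUDITID_PROCESS_EXIT":
            proc = live(rec["process_id"])
            if proc is None:
                findings.append(("exit_without_create", rec["process_id"], rec["image_file_name"]))
            else:
                proc.exited = True
        elif kind == "SE_AUDITID_ASSIGN_TOKEN":
            # Both processes are described; the new one runs as the target user from now on.
            proc = live(rec["new_process_id"])
            if proc is not None:
                proc.token_user = rec["target_user_name"]
                if rec["target_user_name"] != rec["assigning_user_name"]:
                    findings.append(("identity_change", rec["new_process_id"],
                                     f"{rec['assigning_user_name']} -> {rec['target_user_name']}"))
        elif kind == "SE_AUDITID_DUPLICATE_HANDLE":
            # The record carries only handle and process IDs; both contexts come from the tree.
            src, dst = live(rec["source_process_id"]), live(rec["target_process_id"])
            if src and dst and src.effective_user != dst.effective_user:
                findings.append(("cross_context_handle", rec["source_process_id"],
                                 f"{src.effective_user} -> {dst.effective_user}"))
    return processes, findings


def lineage(processes, pid):
    """Image names from pid up to the root, following creator process IDs
    (latest object per pid, which is right for one contiguous log segment)."""
    chain, seen = [], set()
    while pid in processes and pid not in seen:
        seen.add(pid)
        chain.append(processes[pid][-1].image)
        pid = processes[pid][-1].creator_pid
    return chain


def created(pid, image, creator, user, domain, logon):
    return {"formal_name": "SE_AUDITID_PROCESS_CREATED", "new_process_id": pid,
            "image_file_name": image, "creator_process_id": creator,
            "user_name": user, "domain": domain, "logon_id": logon}


SAMPLE_RECORDS = [  # constructed log segment, not real Security log output
    created(1024, "services.exe", 620, "SYSTEM", "NT AUTHORITY", "0x3E7"),
    created(1300, "svchost.exe", 1024, "SYSTEM", "NT AUTHORITY", "0x3E7"),
    {"formal_name": "SE_AUDITID_ASSIGN_TOKEN", "assigning_process_id": 1024,
     "assigning_user_name": "SYSTEM", "new_process_id": 1300, "target_user_name": "NETWORK SERVICE"},
    {"formal_name": "SE_AUDITID_PROCESS_EXIT", "process_id": 1300, "image_file_name": "svchost.exe"},
    created(2040, "explorer.exe", 1980, "jsmith", "CORP", "0x1A2B3"),
    created(1300, "cmd.exe", 2040, "jsmith", "CORP", "0x1A2B3"),    # pid 1300 legitimately reused
    created(1600, "whoami.exe", 1300, "jsmith", "CORP", "0x1A2B3"),
    created(1600, "net.exe", 1300, "jsmith", "CORP", "0x1A2B3"),    # whoami.exe never logged an exit
    {"formal_name": "SE_AUDITID_DUPLICATE_HANDLE", "source_handle_id": "0x2c",
     "source_process_id": 1300, "target_handle_id": "0x58", "target_process_id": 1024},
]

if __name__ == "__main__":
    tree, found = build_process_tree(SAMPLE_RECORDS)
    print(*found, sep="\n")
    print(" <- ".join(lineage(tree, 1600)))
```

Two design points matter when you run this over a real log. First, process IDs are recycled, so a process is identified by the pair (process ID, position in the log), never by the ID alone; the tree keeps a list per ID and treats a creation for a still-live ID as evidence that an exit record was dropped. Second, the handle-duplication message carries no user names at all, so the only way to tell a benign duplication from one that crosses from an ordinary user's process into a SYSTEM process is to have already resolved both process IDs through the tree, which is why the records must be processed strictly in log order.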