Home
Resources
Training
About Us
eStore

>

resources > security log resource center > encyclopedia > event 600

 

 

 

 

 

 

 

Latest Blog: Log monitoring and the Terry Childs/City of San Francisco debacle

  

Windows Security Log Events by ID

look up more events by Event ID or Category

Event ID

600

Title

A process was assigned a primary token.
Type: Example: Randy's Comments:
Success
Failure

OS:

All versions

Category:

Detailed Tracking

A process was assigned a primary token.
Assigning Process Information:
Process ID:444
Image File Name:C:\WINDOWS\system32\winlogon.exe
Primary User Name:W3DC$
Primary Domain:ELM
Primary Logon ID:(0x0,0x3E7)
New Process Information:
Process ID:2664
Image File Name:C:\WINDOWS\system32\userinit.exe
Target User Name:administrator
Target Domain:ELM
Target Logon ID:(0x0,0x158EB7)

This often happens when a service starts or a scheduled task starts under the authority of a different user. You will see events 528/540 and 552 as well as 680 or 672 earlier in the log.

The Assigning process fields identify the process that started the child (new) process. Process ID allows you to link this event to the corresponding event 592 (process start of the parent process) but there is little need since this event gives you the program name (image) and the user under which the process was running (primary user fields). See 528/540 for explanation of Logon ID.

New process information identifies the new child process that was started under the Target user name. You can use the new process ID to link back to the earlier 592 for the new child process ID but again there is little need to do this since you have the image name right here in this event.

The following parameters are tracked for both the assigning process and the new process.

Next:

Get all the tools you need in one newsletter!
Free log parser scripts, clear explanations of Microsoft's latest security bulletins, and more. View a sample issue.
Email Address:
Your email address will not be shared. You may unsubscribe at any time.


Upcoming Webinars by Randy Franklin Smith

IT Audit: Understanding Active Directory Structure and How It Makes Auditing AD Different

Security Log Secrets: Auditing Unauthorized, Unrecognized Software

Filling the Gap in Windows Configuration Baselining


Additional Links

A
D
V

NEW! GFI EventsManager 8 Extends Event Management Capabilities. Find Out More.

Get Randy's Security Log Resource Kit


Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2007 Monterey Technology Group, All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.

Site Map