Windows Security Log Event ID 592

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryProcess Tracking
Type Success
Corresponding events
in Windows 2008
and Vista
4688  

592: A new process has been created

On this page

This event allows you to monitor each program as it is executed. Image File Name identify) the executable. Prior to w2k, image file name did not include the path - just the file name itself.

New Process ID: allows you to link this event to other events such as object accesses. To determine when the program ended look for a subsequent event 593 with the same Process ID.

Creator Process ID:identifies the processes that started this process. Look for a preceding event 592 with a New Process ID that matches this Creator Process process ID.

Username and domain identify the user who started the process.

Logon ID can be used to find related object accessand other events that have the same Logon ID including the event 528 and 540 logon events.

Free Security Log Resources by Randy

Description Fields in 592

  • New Process ID:
  • Image File Name:
  • Creator Process ID:
  • User Name:
  • Domain:
  • Logon ID:

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 592

New process has been created:
New Process ID:2167588800
Image File Name:\WINNT\system32\notepad.exe
Creator Process ID:2167187648
User Name:administrator
Domain:ELMW2
Logon ID:(0x0,0x804C2)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources