Windows Security Log Event ID 600

Operating Systems: Windows 2003 and XP
Category: Process Tracking
Type: Success
Corresponding events in Windows 2008 and Vista

600: A process was assigned a primary token

This often happens when a service starts or a scheduled task starts under the authority of a different user. You will see events 528/540 and 552 as well as 680 or 672 earlier in the log.

The Assigning Process fields identify the process that started the child (new) process. The Process ID lets you link this event to the corresponding event 592 (process start of the parent process), but there is little need, since this event already gives you the program name (image) and the user under which the process was running (the Primary user fields). See 528/540 for an explanation of Logon ID.

The New Process Information fields identify the new child process that was started under the Target User Name. You can use the new Process ID to link back to the earlier 592 for the new child process, but again there is little need to do this, since the image name is right here in this event.

The following parameters are tracked for both the assigning process and the new process.

Description Fields in 600

  • Process ID:
  • Image File Name:
  • Primary User Name:
  • Primary Domain:
  • Primary Logon ID:
  • Process ID:
  • Image File Name:
  • Target User Name:
  • Target Domain:ELM
  • Target Logon ID:

Examples of 600

A process was assigned a primary token.
 Assigning Process Information:
  Process ID: 700
  Image File Name: C:\WINDOWS\system32\winlogon.exe
  Primary User Name: DC3$
  Primary Domain: ACME
  Primary Logon ID: (0x0,0x3E7)
 New Process Information:
  Process ID: 3232
  Image File Name: C:\WINDOWS\system32\userinit.exe
  Target User Name: administrator
  Target Domain: ACME
  Target Logon ID: (0x0,0x2DFE8B)
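
The following added example, which is not from the original page, parses the description text of event 600 into its assigning-process and new-process sections and reports whether the new process runs under a different account than the process that assigned the token. The function names, the normalized key names (`User Name`, `Domain`, `Logon ID`) and the packing of the two Logon ID halves into one integer are assumptions of this example.

```python
import re

# Event 600 description text, copied from the example on this page.
SAMPLE = r"""A process was assigned a primary token.
 Assigning Process Information:
  Process ID: 700
  Image File Name: C:\WINDOWS\system32\winlogon.exe
  Primary User Name: DC3$
  Primary Domain: ACME
  Primary Logon ID: (0x0,0x3E7)
 New Process Information:
  Process ID: 3232
  Image File Name: C:\WINDOWS\system32\userinit.exe
  Target User Name: administrator
  Target Domain: ACME
  Target Logon ID: (0x0,0x2DFE8B)
"""

SECTIONS = {"Assigning Process Information": "assigning",
            "New Process Information": "new"}
LOGON_ID = re.compile(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)")

def parse_600(text):
    """Split a 600 description into 'assigning' and 'new' field dicts."""
    event, current = {"assigning": {}, "new": {}}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if key in SECTIONS:              # section header line
            current = SECTIONS[key]
        elif sep and current:            # "Field: value" inside a section
            # Drop the Primary/Target prefix so both sections share key names.
            key = re.sub(r"^(Primary|Target) ", "", key)
            value = value.strip()
            m = LOGON_ID.fullmatch(value)
            if m:                        # (high,low) halves -> one integer
                value = (int(m.group(1), 16) << 32) | int(m.group(2), 16)
            elif key == "Process ID":
                value = int(value)
            event[current][key] = value
    return event

def account_changed(event):
    """True when the new process runs as a different domain\\user."""
    a, n = event["assigning"], event["new"]
    return (a["Domain"].lower(), a["User Name"].lower()) != (n["Domain"].lower(), n["User Name"].lower())

if __name__ == "__main__":
    ev = parse_600(SAMPLE)
    print(ev["new"]["Image File Name"], "account changed:", account_changed(ev))
```
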
