 Windows Security Log Event ID 600
| Operating Systems | Windows 2003 and XP |
| Category | Process Tracking |
| Type | Success Failure |
| Corresponding events in Windows 2008 and Vista | 4696 |
     
    
        600: A process was assigned a primary token
    
    
    
    
    
This event is often logged when a service or a scheduled task starts under the authority of a different user. You will see events 528/540 and 552, as well as 680 or 672, earlier in the log.
The Assigning Process fields identify the process that started the child (new) process. Process ID allows you to link this event to the corresponding event 592 (process start of the parent process), but there is little need to, since this event already gives you the program name (image) and the user under which the process was running (the Primary user fields). See 528/540 for an explanation of Logon ID.
The New Process Information fields identify the new child process that was started under the Target User Name. You can use the new Process ID to link back to the earlier 592 for the new child process, but again there is little need to, since the image name is given right here in this event.
The following parameters are tracked for both the assigning process and the new process.
Assigning Process Information:
- Process ID:
- Image File Name:
- Primary User Name:
- Primary Domain:
- Primary Logon ID:

New Process Information:
- Process ID:
- Image File Name:
- Target User Name:
- Target Domain: ELM
- Target Logon ID:
        A process was assigned a primary token.
 Assigning Process Information:
  Process ID: 700
  Image File Name: C:\WINDOWS\system32\winlogon.exe
  Primary User Name: DC3$
  Primary Domain: ACME
  Primary Logon ID: (0x0,0x3E7)
 New Process Information:
  Process ID: 3232
  Image File Name: C:\WINDOWS\system32\userinit.exe
  Target User Name: administrator
  Target Domain: ACME
  Target Logon ID: (0x0,0x2DFE8B)
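
As an added example (not part of the original page), the sketch below parses the description text of an event 600 into its two field groups and reports who assigned the token, which account the new process runs as, and whether that is a different logon session. The function names are hypothetical; the input is the sample event text shown above.

```python
import re

# Description text of the sample event shown on this page.
SAMPLE_600 = r"""A process was assigned a primary token.
 Assigning Process Information:
  Process ID: 700
  Image File Name: C:\WINDOWS\system32\winlogon.exe
  Primary User Name: DC3$
  Primary Domain: ACME
  Primary Logon ID: (0x0,0x3E7)
 New Process Information:
  Process ID: 3232
  Image File Name: C:\WINDOWS\system32\userinit.exe
  Target User Name: administrator
  Target Domain: ACME
  Target Logon ID: (0x0,0x2DFE8B)
"""

SECTIONS = {"Assigning Process Information": "assigning", "New Process Information": "new"}

def parse_event_600(text):
    """Split a 600 description into 'assigning' and 'new' field groups."""
    event, current = {"assigning": {}, "new": {}}, None
    for line in text.splitlines():
        # Split on the first colon only: image paths contain "C:\...".
        name, sep, value = line.strip().partition(":")
        if name in SECTIONS:
            current = SECTIONS[name]
        elif sep and current:
            event[current][name] = value.strip()
    return event

def logon_id(raw):
    """Parse '(0x0,0x3E7)' into a comparable pair of integers."""
    m = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", raw)
    if not m:
        raise ValueError(f"unexpected Logon ID format: {raw!r}")
    return int(m.group(1), 16), int(m.group(2), 16)

def summarize(event):
    """Who assigned the token, which process got it, and under which account."""
    a, n = event["assigning"], event["new"]
    return {
        "parent_pid": int(a["Process ID"]),
        "child_pid": int(n["Process ID"]),
        "assigned_by": f'{a["Primary Domain"]}\\{a["Primary User Name"]}',
        "runs_as": f'{n["Target Domain"]}\\{n["Target User Name"]}',
        "new_logon_session": logon_id(a["Primary Logon ID"]) != logon_id(n["Target Logon ID"]),
    }
```

Calling `summarize(parse_event_600(SAMPLE_600))` gives the parent and child process IDs as integers, which are the values to match against the corresponding 592 events.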
 
        