Microsoft KB Archive/277743

= APID Is Reported in Process Tracking Audit Events =

Article ID: 277743

Article Last Modified on 1/29/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2

-



This article was previously published under Q277743



SYMPTOMS
When you perform process auditing on a Windows 2000-based computer, the creation and exit process identifications do not match and it is difficult to match the processes corresponding events.



CAUSE
Windows 2000 reports the Audit Process ID for process creation and Process ID for process exit audit events in the security log.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English-language version of this fix should have the following file attributes or later:  Date      Time      Version           Size        File name -- 5/29/2001 07:43a    5.0.2195.3649  1,685,632   Ntkrnlmp.exe 5/29/2001 07:43a    5.0.2195.3649  1,685,312   Ntkrnlpa.exe 5/29/2001 07:44a    5.0.2195.3649  1,705,984   Ntkrpamp.exe 5/29/2001 07:43a    5.0.2195.3649  1,663,424   Ntoskrnl.exe



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
The type of process identification that is displayed in an audit event depends on the version of Windows that you are using. On a Windows NT 4.0-based computer, the Audit Process ID (APID) is reported in all process tracking audit events in the Security log. On a Windows 2000-based computer, all audit events have been changed to use the actual PID when identifying a process; however, the process creation audit event still reports the APID.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

221212 INFO: Event Log Message for Security Event 592

Additional query words:

Keywords: kbbug kbfix kbapi kbqfe kbwin2000sp3fix kbkernbase kbsecurity kbhotfixserver KB277743

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.