Article ID: 277743
Article Last Modified on 1/29/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q277743
SYMPTOMS
When you perform process auditing on a Windows 2000-based computer, the process identifiers reported in the process creation and process exit events do not match, which makes it difficult to match a process's corresponding events.
CAUSE
Windows 2000 reports the Audit Process ID (APID) for process creation audit events and the Process ID (PID) for process exit audit events in the Security log.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English-language version of this fix should have the following file attributes or later:
Date        Time     Version         Size        File name
------------------------------------------------------------------
5/29/2001   07:43a   5.0.2195.3649   1,685,632   Ntkrnlmp.exe
5/29/2001   07:43a   5.0.2195.3649   1,685,312   Ntkrnlpa.exe
5/29/2001   07:44a   5.0.2195.3649   1,705,984   Ntkrpamp.exe
5/29/2001   07:43a   5.0.2195.3649   1,663,424   Ntoskrnl.exe
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
MORE INFORMATION
The type of process identification that is displayed in an audit event depends on the version of Windows that you are using. On a Windows NT 4.0-based computer, the Audit Process ID (APID) is reported in all process tracking audit events in the Security log. On a Windows 2000-based computer, all audit events have been changed to use the actual PID when identifying a process; however, the process creation audit event still reports the APID.
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
221212 INFO: Event Log Message for Security Event 592
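The mismatch described above can be checked for in an exported Security log. The following Python code is an added example, not Microsoft code: it pairs process creation and exit events by the ID each one reports and flags a log in which none pair. The record layout, the sample ID values, and the use of event 593 for process exit are assumptions not taken from this article.

```python
from collections import defaultdict

CREATE = 592  # process creation event cited in this article
EXIT = 593    # process exit event ID (assumption: not stated in this article)

# Constructed records; field names and ID values are hypothetical.
PRE_FIX = [  # creation carries one kind of ID, exit another
    {"time": 1, "event": CREATE, "id": 2155829504, "image": "cmd.exe"},
    {"time": 2, "event": CREATE, "id": 2156034112, "image": "net.exe"},
    {"time": 3, "event": EXIT, "id": 1124},
    {"time": 4, "event": EXIT, "id": 812},
]
POST_FIX = [  # both events carry the PID; PID 812 is reused once
    {"time": 1, "event": CREATE, "id": 812, "image": "cmd.exe"},
    {"time": 2, "event": EXIT, "id": 812},
    {"time": 3, "event": CREATE, "id": 812, "image": "net.exe"},
    {"time": 4, "event": CREATE, "id": 1124, "image": "notepad.exe"},
    {"time": 5, "event": EXIT, "id": 812},
]

def pair_by_id(events):
    """Pair each exit with the latest unpaired creation that reported the same ID."""
    open_by_id = defaultdict(list)
    pairs, orphan_exits = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] == CREATE:
            open_by_id[ev["id"]].append(ev)
        elif ev["event"] == EXIT:
            if open_by_id[ev["id"]]:
                pairs.append((open_by_id[ev["id"]].pop(), ev))
            else:
                orphan_exits.append(ev)  # exit whose ID no creation reported
    still_open = [c for stack in open_by_id.values() for c in stack]
    return pairs, still_open, orphan_exits

def shows_id_mismatch(events):
    """True when creations and exits are both present but none pair by ID."""
    pairs, still_open, orphan_exits = pair_by_id(events)
    return not pairs and bool(still_open) and bool(orphan_exits)

if __name__ == "__main__":
    for name, log in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        pairs, still_open, orphans = pair_by_id(log)
        print(name, len(pairs), "paired,", len(still_open), "open,",
              len(orphans), "orphan exits, mismatch:", shows_id_mismatch(log))
```

A creation with no exit is normal for a process that is still running, and an exit with no creation is normal when the process started before the log began, so the flag is raised only when nothing pairs at all.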
Keywords: kbbug kbfix kbapi kbqfe kbwin2000sp3fix kbkernbase kbsecurity kbhotfixserver KB277743