Correlation of Windows Process Tracking Events
Created on 2003-03-04 by Rainer Gerhards.
Applies to: Windows 2000
Events Correlated are:
- 592 (process start)
- 593 (process end)
- 600 (access token change)
Desired result:
We would like to have a single event per process that specifies
- at which time the process started and stopped
- what the image name was
- the user it started running under and the user it was running under when it ended
- any other properties that can be helpful
While correlating the events we will inevitably lose some information, for example
if
- the user identity changes more than once (only the first and the last identity survive in the combined event)
Other anomalies can be caused by missing events, which leads to incomplete
information about the process as a whole. This can in itself be a warning sign.
As such, it can make sense to generate alerts when one or more of the following
conditions occur (whether they are treated as warnings should be left to the
configuration options set by the administrator):
- missing start event id 592 (a 593 or 600 arrives for a process id that is not known to be running)
- missing end event id 593 (a new 592 arrives for a process id that is still considered running; process ids are reused)
How to correlate:
We need to go through all events in sequence of occurrence. For each 592
event, we need to track the id of the newly created process (in event log
parameter 1) and save the state of all active processes in a cache. When
we see a 593 event, we look up the matching 592 event via its process id
(specified as parameter 1 in the 593 event), close the cache entry and emit
the combined event. Any interim changes of the access token (event 600) need
to update the associated user ids.
Obviously, the correlation must not take place on a per-process id basis
alone: a process id is only unique on a specific machine, and multiple
machines will have different processes tracked by the same id. The cache must
therefore be keyed by machine and process id.
Please note that some processes can be very long-running (e.g. explorer.exe
in a terminal server session that was left open). For the analysis program, it
may be a good idea to save its session state between runs, so that the analysis
can continue from where it left off.
Other things to track:
The local time on the server may have changed between events. As such, the
sequence of events cannot be reliably derived from the local time. One approach
would be to use the message receive time instead. Another approach would be to
keep track of "time changed" events.
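The following correlator implements the procedure described above (cache keyed by machine and process id, 592/593/600 handling, alerts on missing 592/593, state saved between runs, ordering by receive time rather than local time). It is an added example written for this page, not MonitorWare code. The event layout is a constructed assumption: each event is a dict with machine, event_id, received (collector sequence number), local_time (timestamp on the source) and params (insertion strings), where params[0] is the process id for all three events, params[1]/params[2] are image name and user for 592, and params[1] is the new user for 600. The sample events are constructed as well.

```python
"""Correlate Windows 2000 process tracking events (592 start, 593 end,
600 token change) into one record per process. Added example, not the
page's own code; event layout and sample data are constructed assumptions."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple
import json


@dataclass
class ProcessRecord:
    machine: str
    pid: str
    image: str
    start_user: str
    end_user: str
    start_time: str
    end_time: Optional[str] = None
    token_changes: int = 0          # number of 600 events folded in


class ProcessCorrelator:
    def __init__(self) -> None:
        # (machine, pid) -> process that started but has not exited yet.
        # The key must include the machine: hosts reuse the same pid values.
        self.active: Dict[Tuple[str, str], ProcessRecord] = {}
        self.completed: List[ProcessRecord] = []
        self.alerts: List[str] = []

    def feed(self, events) -> None:
        # Order by receive time, not the source's local time: a clock change
        # on the source can make a 593 appear to precede its own 592.
        for ev in sorted(events, key=lambda e: e["received"]):
            self.handle(ev)

    def handle(self, ev) -> None:
        pid = ev["params"][0]
        key = (ev["machine"], pid)
        eid = ev["event_id"]
        if eid == 592:
            stale = self.active.pop(key, None)
            if stale is not None:
                # pid started again while still marked running: 593 was missed
                self.alerts.append(f"missing 593: {stale.machine} pid {stale.pid} {stale.image}")
                self.completed.append(stale)
            user = ev["params"][2]
            self.active[key] = ProcessRecord(ev["machine"], pid, ev["params"][1],
                                             user, user, ev["local_time"])
        elif eid == 600:
            rec = self.active.get(key)
            if rec is None:
                self.alerts.append(f"missing 592: {ev['machine']} pid {pid} (600 seen first)")
                return
            rec.end_user = ev["params"][1]   # only the latest identity is kept
            rec.token_changes += 1
        elif eid == 593:
            rec = self.active.pop(key, None)
            if rec is None:
                self.alerts.append(f"missing 592: {ev['machine']} pid {pid} (593 without start)")
                return
            rec.end_time = ev["local_time"]
            self.completed.append(rec)
        # other event ids are not part of this correlation and are ignored

    def save_state(self) -> str:
        """Serialise still-running processes so the next run can continue."""
        return json.dumps([asdict(r) for r in self.active.values()])

    @classmethod
    def load_state(cls, blob: str) -> "ProcessCorrelator":
        c = cls()
        for d in json.loads(blob):
            r = ProcessRecord(**d)
            c.active[(r.machine, r.pid)] = r
        return c


def _ev(received, machine, event_id, local_time, *params):
    return {"machine": machine, "event_id": event_id, "received": received,
            "local_time": local_time, "params": list(params)}


RUN1 = [  # constructed sample: first collector run
    _ev(1, "SRV1", 592, "2003-03-04 08:00:00", "1234", "explorer.exe", "alice"),
    _ev(2, "SRV2", 592, "2003-03-04 08:00:05", "1234", "cmd.exe", "bob"),  # same pid, other host
    _ev(3, "SRV1", 592, "2003-03-04 08:01:00", "2000", "runas.exe", "alice"),
    _ev(4, "SRV1", 600, "2003-03-04 08:01:01", "2000", "SYSTEM"),           # token changed
    _ev(5, "SRV1", 593, "2003-03-04 08:01:30", "2000"),
    _ev(6, "SRV2", 593, "2003-03-04 07:30:00", "1234"),  # clock on SRV2 was set back
    _ev(7, "SRV2", 593, "2003-03-04 08:02:10", "9999"),  # no 592 ever seen
    _ev(8, "SRV2", 592, "2003-03-04 08:02:30", "3000", "net.exe", "bob"),
    _ev(9, "SRV2", 592, "2003-03-04 08:03:00", "3000", "net.exe", "bob"),  # pid reused, no 593
]
RUN2 = [_ev(10, "SRV1", 593, "2003-03-05 17:00:00", "1234")]  # explorer.exe ends a day later


def run_sample():
    first = ProcessCorrelator()
    first.feed(RUN1)
    second = ProcessCorrelator.load_state(first.save_state())  # resume next run
    second.feed(RUN2)
    return first, second


if __name__ == "__main__":
    for run in run_sample():
        for r in run.completed:
            print(r)
        print("alerts:", run.alerts)
```

Note that event 6 carries a local time earlier than its 592 because the clock on SRV2 was set back; sorting by receive time still pairs it correctly, whereas sorting by local time would have produced a spurious "missing 592" alert. The second run resumes from the saved state and closes the long-running explorer.exe started in the first run.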
Analysis, monitoring and near-real-time alerting of the Windows event log can be
done with MonitorWare Agent.
All information in this section is to the best of our knowledge but without warranty of
any kind. This is free information - use it at your sole risk.