Event-o-Pedia EventID 592 - A new process has been created

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 592 - A new process has been created

EventID 592 - A new process has been created

Indicates a successful execution of a program by user.

Note:

New Process ID field allows you to correlate this event to events from the "Object Access" categroy, e.g. in order to find out what objects and how were accessed by the process you need to look for object access events with the same Process ID field value.
In order to find out when the started process ended look for a subsequent event 593 with the same Process ID.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008

EventID 4688 - A new process has been created

Related Events:

To find out when the process ended look for the following event with the same Process ID:

Sample:

        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Detailed Tracking
        Event ID:       592
        Date:           10/26/2009
        Time:           07:31:43
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        A new process has been created:
        New Process ID:	2244
        Image File Name:	C:\utilities\unied.exe
        Creator Process ID:	528
        User Name:	Alebovsky
        Domain:		RESEARCH
        Logon ID:		(0x0,0x59DF36)

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 2000 Windows XP Windows 2003
Category	Detailed Tracking
Source	Security
EventId	592

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Category	A name for a subclass of events within the same Event Source.	Category	Logon/Logoff
New Process ID	Uniquely identifies the process to correlate to it in other events	InsertionString1	2244
Image File Name	Full path to the executable	InsertionString2	C:\utilities\unied.exe
Creator Process ID	ID of the parent process that started this process	InsertionString3	528
Domain	Domain of the user who started the process	InsertionString5	RESEARCH
Logon ID	ID of the logon session of the user who started the process. Allows to find other events initiated by the user in the same logon session.	InsertionString6	(0x0,0x59DF36)
User Name	The user who started the process	InsertionString4	Alebovsky