....log events in Windows event log?

Particularly I am interested in how to trace events when someone kills a
task and which one.

How to create custom events
http://support.microsoft.com/kb/324145


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:%(E-Mail Removed),
Vlad Gonchar <(E-Mail Removed)> hunted and pecked:
> ...log events in Windows event log?
>
> Particularly I am interested in how to trace events when someone kills a
> task and which one.

You can enable auditing of process tracking in security policy though this
will generate a lot of events the info will probably be there and you can
use Event Viewer filter view or the free Event Comb from Microsoft to help
find pertinent events. Below is an example of a process tracking
ents. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 593
Date: 3/13/2006
Time: 9:53:35 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
A process has exited:
Process ID: 3120
Image File Name: D:\Program Files\Internet Explorer\iexplore.exe
User Name: Steve
Domain: STEVE-XP
Logon ID: (0x0,0xD853)


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"Vlad Gonchar" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> ...log events in Windows event log?
>
> Particularly I am interested in how to trace events when someone kills a
> task and which one.
>

> How to create custom events
> http://support.microsoft.com/kb/324145
> Hope this helps. Let us know.

Unfortunately it does not. It is great utility, but my concern is a bit
different.

We have our server application running on dedicated box. At some moment we
observe it is stopped. The app logs show as if it was aborted manually
(usually they use taskmgr.exe). But there is no 100% confidence. I’d like to
know if Windows (or taskmgr.exe) has settings that create an event in
Windows event logs to track if the termination was manual. It looks natural
for Windows to have the ability. Isn’t it?

> You can enable auditing of process tracking in security policy though this
> will generate a lot of events the info will probably be there...

It is there:
A process has exited:

Process ID: 3088

Image File Name: D:\proj\panorama\pbviews\Release
Current\Release_7.1.1\Output\psvsrvr.exe

User Name: vgonchar

Domain: DEV

Logon ID: (0x0,0x13A2F)


but it is the same when I exit from process normally or kill it using task
manager.

That was the only thought I had on trying to do such. However you may want
to look in the list of process tracking events to see if Task Manager was
started or not before the process was exited. You also could enable
auditing of object access and then audit the Task Manager executable for
execute permission but that would generate a whole bunch more events but may
be worthwhile just to troubleshoot the problem. I find Event Comb helpful in
tracking down specific Event IDs and text strings such as the name of a
user, file, or permission. --- Steve


"Vlad Gonchar" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>> You can enable auditing of process tracking in security policy though
>> this will generate a lot of events the info will probably be there...
>
> It is there:
> A process has exited:
>
> Process ID: 3088
>
> Image File Name: D:\proj\panorama\pbviews\Release
> Current\Release_7.1.1\Output\psvsrvr.exe
>
> User Name: vgonchar
>
> Domain: DEV
>
> Logon ID: (0x0,0x13A2F)
>
>
> but it is the same when I exit from process normally or kill it using task
> manager.
>

Thank you, Steve.
It did not help, but it was helpful lesson.