SE_AUDIT_PROCESS_CREATION_INFO
The SE_AUDIT_PROCESS_CREATION_INFO structure (formally _SE_AUDIT_PROCESS_CREATION_INFO) was introduced for Windows XP to support the Security event log as a record of events that would better tell something of which processes are involved. The structure’s only known persistence is as the SeAuditProcessCreationInfo member of the EPROCESS. The structure has never developed beyond recording the name of the process’s executable image.
Layout
The SE_AUDIT_PROCESS_CREATION_INFO is 0x04 or 0x08 bytes in 32-bit and 64-bit Windows, respectively.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
OBJECT_NAME_INFORMATION *ImageFileName; |
5.1 and higher |