What is execution ThreadID and ProcessID in the Event Log

Question

_{Wednesday, March 29, 2017 6:33 PM}

As the title states, what is the ThreadID and ProcessID (under <System> tag) in the Windows event log? I have looked around and can't find any documentation that explains it at all? I am familiar with the terms but I have no idea what it means to the event log.

Not sure if this is the right place to post this.

Thanks

All replies (3)

_{Thursday, March 30, 2017 1:56 AM}

Hi Artust, 

In simplified terms, ProcessID is unique identifier for a process (at the name suggests) and process contain thread (or threads). Thread is smallest programs (small piece of code) which gets executed with in the process space. 

Process contains threads and each has identifier PID and TID respectively. 

Thanks Jegan

_{Wednesday, June 21, 2017 3:14 PM}

I don't believe this actually answers the question that was asked... For example, I'm looking at the exact same process start event, as recorded separately by the Security log and Sysmon. The ProcessId field in Sysmon, and the NewProcessId field in the security log have decimal and hex versions of the same number (20852 and 0x5174, respectively). However the two events each also have  completely different 'Execution' data (which contains ProcessID and ThreadID values [note the difference in case]), as follows:

Sysmon:     <Execution ProcessID='5900' ThreadID='6004'/>

Security:     <Execution ProcessID='4' ThreadID='104'/>

What do these values actually signify?

Thanks

_{Wednesday, December 4, 2019 12:51 PM}

And again no answer no surprise there I’m going to make a educated guess that theses are jump steps where the machine jumps what ever number is there out to a different machine ,, if that makes sense and that’s why no one will answer back because your not in the know that’s what I think happens when no one answers back because they are scared of the big kahona with a 001 access code and they all want to suck up his ass so he gives out access when they want it.