Event ID 1001 with event source "Save Dump" is generated.
Windows NT and Windows 2000 include the ability to log the creation and destruction of each process on the system. To enable this feature, set the system's Audit policy to audit success and failure events in the "Detailed Tracking" category.
Windows NT and Windows 2000 enable you to monitor accesses to specific objects: files and directories, registry keys, directory service objects, and kernel objects.
Several kinds of objects can be audited. Each type of object has unique access types; that is, each kind of object is accessed in a way appropriate only to that kind of object. For example, while the "start" and "stop" accesses are appropriate to services, they don't make much sense when talking about files and directories.
Here are the most common auditable objects:
You can monitor logon activity in Windows NT and Windows 2000 in great detail by enabling success and failure auditing of the "Logon" category in the system's Audit policy.
One of the most useful reasons to monitor logons is to capture account lockout events. Any reasonably secure site will have an account lockout policy, and every account lockout event will be useful either to the help desk for gathering statistics on how often users lock themselves out, or to your security team for watching for possible password-guessing attacks.
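The two uses described above, help-desk lockout statistics and watching for password guessing, can be computed from the same exported Security log. The following is an added example, not part of the original page: the event IDs are the Windows NT/2000 Security log IDs (they are not given on the page), and the CSV layout, field names, thresholds and sample records are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows NT/2000 Security log event IDs (editor's addition, not from the page)
FAILED_LOGON = 529    # logon failure: unknown user name or bad password
LOCKED_LOGON = 539    # logon failure: account locked out
ACCOUNT_LOCKED = 644  # user account locked out (Account Management category)

# Constructed sample export: time, event ID, account, source machine
SAMPLE = """time,event_id,user,machine
2001-03-05 08:01:10,529,alice,WS-ALICE
2001-03-05 08:01:25,529,alice,WS-ALICE
2001-03-05 08:01:26,644,alice,DC01
2001-03-05 08:05:00,539,alice,WS-ALICE
2001-03-05 09:15:02,529,bob,WS-LAB07
2001-03-05 09:15:09,529,carol,WS-LAB07
2001-03-05 09:15:20,529,dave,WS-LAB07
2001-03-05 14:30:00,644,alice,DC01
"""

def load(text):
    """Parse the CSV export into time-sorted (time, event_id, user, machine) tuples."""
    return sorted(
        (datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"), int(r["event_id"]),
         r["user"].lower(), r["machine"].upper())
        for r in csv.DictReader(io.StringIO(text)))

def lockouts_per_user(events):
    """Help-desk view: how many times each account was locked out."""
    return Counter(user for _, eid, user, _ in events if eid == ACCOUNT_LOCKED)

def guessing_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Security view: machines whose failed logons hit several accounts in one window."""
    fails = defaultdict(list)
    for when, eid, user, machine in events:
        if eid in (FAILED_LOGON, LOCKED_LOGON):
            fails[machine].append((when, user))
    flagged = {}
    for machine, seq in fails.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            accounts = {user for _, user in seq[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[machine] = max(flagged.get(machine, 0), len(accounts))
    return flagged
```

A user who repeatedly mistypes their own password shows up only in `lockouts_per_user`, while a single machine failing against several different accounts in a short window is what `guessing_sources` reports.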