Windows Security Log Encyclopedia
Randy's plain English explanations of Windows security log events

| Event ID | OS | Title |
|---|---|---|
| 512 | All Versions | Windows NT is starting up |
| 513 | XP, Win2003 | Windows NT is shutting down |
| 514 | All Versions | An authentication package has been loaded by the Local Security Authority |
| 515 | All Versions | A trusted logon process has registered with the Local Security Authority |
| 516 | All Versions | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits |
| 517 | All Versions | The audit log was cleared |
| 518 | All Versions | A notification package has been loaded by the Security Account Manager |
| 519 | Win2003 | A process is using an invalid local procedure call (LPC) port |
| 520 | Win2003 | The system time was changed |
| 528 | All Versions | Successful Logon |
| 529 | All Versions | Logon Failure - Unknown user name or bad password |
| 530 | All Versions | Logon Failure - Account logon time restriction violation |
| 531 | All Versions | Logon Failure - Account currently disabled |
| 532 | All Versions | Logon Failure - The specified user account has expired |
| 533 | All Versions | Logon Failure - User not allowed to logon at this computer |
| 534 | All Versions | Logon Failure - The user has not been granted the requested logon type at this machine |
| 535 | All Versions | Logon Failure - The specified account's password has expired |
| 536 | All Versions | Logon Failure - The NetLogon component is not active |
| 537 | All Versions | Logon Failure - The logon attempt failed for other reasons |
| 538 | All Versions | User Logoff |
| 539 | All Versions | Logon Failure - Account locked out |
| 540 | XP, Win2000, Win2003 | Successful Network Logon |
| 552 | Win2003 | Logon attempt using explicit credentials |
| 560 | All Versions | Object Open |
| 561 | All Versions | Handle Allocated |
| 562 | All Versions | Handle Closed |
| 563 | All Versions | Object Open for Delete |
| 564 | All Versions | Object Deleted |
| 565 | Win2000 | Object Open (Active Directory) |
| | Win2003 | Object Open (W3 Active Directory) |
| 566 | Win2003 | Object Operation (W3 Active Directory) |
| 567 | Win2003 | Object Access Attempt |
| 576 | All Versions | Special privileges assigned to new logon |
| 577 | All Versions | Privileged Service Called |
| 578 | All Versions | Privileged object operation |
| 592 | All Versions | A new process has been created |
| 593 | All Versions | A process has exited |
| 594 | All Versions | A handle to an object has been duplicated |
| 595 | All Versions | Indirect access to an object has been obtained |
| 600 | All Versions | A process was assigned a primary token |
| 601 | Win2003 | Attempt to install service |
| 602 | Win2003 | Scheduled Task created |
| 608 | Win2003 | User Right Assigned |
| 609 | All Versions | User Right Removed |
| 610 | Win2000 | New Trusted Domain |
| | Win2003 | New Trusted Domain |
| 611 | Win2000 | Removing Trusted Domain |
| | Win2003 | Trusted Domain Removed |
| 612 | All Versions | Audit Policy Change |
| 613 | All Versions | IPSec policy agent started |
| 614 | All Versions | IPSec policy agent disabled |
| 615 | Win2000 | IPSEC PolicyAgent Service |
| | Win2003 | IPSec Services |
| 616 | Win2000 | IPSec policy agent encountered a potentially serious failure |
| 617 | Win2000, Win2003, DC | Kerberos Policy Changed |
| 618 | XP, Win2000, Win2003 | Encrypted Data Recovery Policy Changed |
| 619 | All Versions | Quality of Service Policy Changed |
| 620 | Win2000 | Trusted Domain Information Modified |
| | Win2003 | Trusted Domain Information Modified |
| 621 | Win2003 | System Security Access Granted |
| 622 | Win2003 | System Security Access Removed |
| 623 | Win2003 | Per User Audit Policy was refreshed |
| 624 | Win2000, Win2003 | User Account Created |
| 625 | Win2003 | Per user auditing policy set for user |
| | Win2000, DC | User Account Type Change |
| 626 | Win2000, Win2003 | User Account Enabled |
| 627 | Win2000, Win2003 | Change Password Attempt |
| 628 | Win2000, Win2003 | User Account password set |
| 629 | Win2003 | User Account Disabled |
| 630 | Win2000, Win2003 | User Account Deleted |
| 631 | Win2000, Win2003, DC | Group created |
| 632 | Win2000, Win2003, DC | Group member added or removed |
| 633 | Win2000, Win2003, DC | Group member added or removed |
| 634 | Win2000, Win2003, DC | Group deleted |
| 635 | Win2000, Win2003 | Group created |
| 636 | Win2000, Win2003 | Group member added or removed |
| 637 | Win2000, Win2003 | Group member added or removed |
| 638 | Win2000, Win2003 | Group deleted |
| 639 | Win2000, Win2003 | Group changed |
| 640 | All Versions | General Account Database Change |
| 641 | Win2000, Win2003, DC | Group changed |
| 642 | Win2000, Win2003 | User Account Changed |
| 643 | Win2000 | Domain Policy Changed |
| | Win2003 | Domain Policy Changed |
| 644 | All Versions | User Account Locked Out |
| 645 | Win2000, Win2003, DC | Computer Account Created |
| 646 | Win2000, Win2003, DC | Computer Account Changed |
| 647 | Win2000, Win2003, DC | Computer Account Deleted |
| 648 | Win2000, Win2003, DC | Group created |
| 649 | Win2000, Win2003, DC | Group changed |
| 650 | Win2000, Win2003, DC | Group member added or removed |
| 651 | Win2000, Win2003, DC | Group member added or removed |
| 652 | Win2000, Win2003, DC | Group deleted |
| 653 | Win2000, Win2003, DC | Group created |
| 654 | Win2000, Win2003, DC | Group changed |
| 655 | Win2000, Win2003, DC | Group member added or removed |
| 656 | Win2000, Win2003, DC | Group member added or removed |
| 657 | Win2000, Win2003, DC | Group deleted |
| 658 | Win2000, Win2003, DC | Group created |
| 659 | Win2000, Win2003, DC | Group changed |
| 660 | Win2000, Win2003, DC | Group member added or removed |
| 661 | Win2000, Win2003, DC | Group member added or removed |
| 662 | Win2000, Win2003, DC | Group deleted |
| 663 | Win2000, Win2003, DC | Group created |
| 664 | Win2000, Win2003, DC | Group changed |
| 665 | Win2000, Win2003, DC | Group member added or removed |
| 666 | Win2000, Win2003, DC | Group member added or removed |
| 667 | Win2000, Win2003, DC | Group deleted |
| 668 | Win2000, Win2003, DC | Group Type Changed |
| 669 | All Versions | Add SID History |
| 670 | All Versions | Add SID History |
| 671 | Win2003 | User Account Unlocked |
| 672 | Win2000 | Authentication Ticket Granted |
| | Win2003 | Authentication Ticket Request |
| 673 | Win2000 | Service Ticket Granted |
| | Win2003 | Service Ticket Request |
| 674 | Win2000 | Ticket Granted Renewed |
| | Win2003 | Service Ticket Renewed |
| 675 | Win2000, Win2003, DC | Pre-authentication failed |
| 676 | Win2000 | Authentication Ticket Request Failed |
| | Win2003 | Authentication Ticket Request Failed |
| 677 | Win2000 | Service Ticket Request Failed |
| | Win2003 | Service Ticket Request Failed |
| 678 | All Versions | Account Mapped for Logon by |
| 679 | Win2000 | The name: %2 could not be mapped for logon by: %1 |
| 680 | Win2000 | Account Used for Logon by |
| | Win2003 | Logon attempt |
| 681 | Win2000 | The logon to account: %2 by: %1 from workstation: %3 failed |
| | Win2003 | The logon to account: %2 by: %1 from workstation: %3 failed |
| 682 | XP, Win2000, Win2003 | Session reconnected to winstation |
| 683 | XP, Win2000, Win2003 | Session disconnected from winstation |
| 684 | Win2003 | Set the security descriptor of members of administrative groups |
| 685 | Win2003 | Account Name Changed |
| 686 | Win2003 | Password of the following user accessed |
| 687 | All Versions | Application group operation |
| 688 | Win2003 | Application group operation |
| 689 | Win2003 | Application group operation |
| 690 | Win2003 | Application group operation |
| 691 | Win2003 | Application group operation |
| 692 | All Versions | Application group operation |
| 693 | Win2003 | Application group operation |
| 694 | Win2003 | Application group operation |
| 695 | Win2003 | Application group operation |
| 696 | Win2003 | Application group operation |
| 806 | Win2003 | Per User Audit Policy was refreshed |
| 807 | Win2003 | Per user auditing policy set for user |