Windows NT Event Log ID NumbersTable 1: Logon Events That Appear in the Security Event Log Event ID Description 528 A user successfully logged on to a computer. 529 The logon attempt was made with an unknown user name or a known user name with a bad password. 530 An attempt was made to log on with the user account outside of the allowed time. 531 A logon attempt was made using a disabled account. 532 A logon attempt was made using an expired account. 533 The user is not allowed to log on at this computer. 534 The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service, or remote interactive. 535 The password for the specified account has expired. 536 The Net Logon service is not active. 537 The logon attempt failed for other reasons. 538 A user logged off. 539 The account was locked out at the time the logon attempt was made. This event can indicate that a password attack was launched unsuccessfully resulting in the account being locked out. 540 Successful Network Logon. This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user. 682 A user has reconnected to a disconnected Terminal Services session. This event indicates that a previous Terminal Services session was connected to. 683 A user disconnected a Terminal Services session without logging off. This event is generated when a user is connected to a Terminal Services session over the network. It appears on the terminal server. Table 2: Account Logon Events That Appear in the Event Log Event ID Description 672 An authentication service (AS) ticket was successfully issued and validated. 673 A ticket granting service (TGS) ticket was granted. 674 A security principal renewed an AS ticket or TGS ticket. 675 Pre-authentication failed. (If a client computer's time differs from the authenticating domain controller's by more than five minutes (by default), Event ID 675 will appear in the security log.) 676 Authentication Ticket Request failed. 677 A TGS ticket was not granted. 678 An account was successfully mapped to a domain account. 680 Identifies the account used for the successful logon attempt. This event also indicates the authentication package used to authenticate the account. 681 A domain account logon was attempted. 682 A user has reconnected to a disconnected Terminal Services session. 683 A user disconnected a Terminal Services session without logging off. Table 3: Account Management Events That Appear in the Event Log Event ID Description 624 User Account Created 625 User Account Type Change 626 User Account Enabled 627 Password Change Attempted 628 User Account Password Set 629 User Account Disabled 630 User Account Deleted 631 Security Enabled Global Group Created 632 Security Enabled Global Group Member Added 633 Security Enabled Global Group Member Removed 634 Security Enabled Global Group Deleted 635 Security Disabled Local Group Created 636 Security Enabled Local Group Member Added 637 Security Enabled Local Group Member Removed 638 Security Enabled Local Group Deleted 639 Security Enabled Local Group Changed 641 Security Enabled Global Group Changed 642 User Account Changed 643 Domain Policy Changed 644 User Account Locked Out Table 4: Object Access Events That Appear in the Event Log Event ID Description 560 Access was granted to an already existing object. 562 A handle to an object was closed. 563 An attempt was made to open an object with the intent to delete it. (This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified.) 564 A protected object was deleted. 565 Access was granted to an already existing object type. Table 6: Privilege Use Events That Appear in the Event Log Event ID Description 576 Specified privileges were added to a user's access token. (This event is generated when the user logs on.) 577 A user attempted to perform a privileged system service operation. 578 Privileges were used on an already open handle to a protected object. Table 7: Process Tracking Events That Appear in the Event Log Event ID Description 592 A new process was created. 593 A process exited. 594 A handle to an object was duplicated. 595 Indirect access to an object was obtained. Table 8: System Events That Appear in the Event Log Event ID Description 512 Windows is starting up. 513 Windows is shutting down. 514 An authentication package was loaded by the Local Security Authority. 515 A trusted logon process has registered with the Local Security Authority. 516 Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages. 517 The security log was cleared. 518 A notification package was loaded by the Security Accounts Manager. Table 9: Policy Change Events That Appear in the Event Log Event ID Description 608 A user right was assigned. 609 A user right was removed. 610 A trust relationship with another domain was created. 611 A trust relationship with another domain was removed. 612 An audit policy was changed. 768 A collision was detected between a namespace element in one forest and a namespace element in another forest. (Occurs when a namespace element in one forest overlaps a namespace element in another forest.)
|
|
About NPI |
Contact Us |
Services | Tools |
Site Map |
Reseller Programs
Professional Ethics |
Privacy
Copyright 1993-2024 Network Partners, Inc. All rights reserved