Windows NT Event Log ID Numbers
Table 1: Logon Events That Appear in the Security Event Log
Event ID Description 
528	 A user successfully logged on to a computer.
529	 The logon attempt was made with an unknown user name or a known user name with a bad password.
530	 An attempt was made to log on with the user account outside of the allowed time.
531	 A logon attempt was made using a disabled account.
532	 A logon attempt was made using an expired account.
533	 The user is not allowed to log on at this computer.
534	 The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service, or remote interactive.
535	 The password for the specified account has expired.
536	 The Net Logon service is not active.
537	 The logon attempt failed for other reasons.
538	 A user logged off.
539	 The account was locked out at the time the logon attempt was made. This event can indicate that a password attack was launched unsuccessfully, resulting in the account being locked out.
540	 Successful Network Logon. This event indicates that a remote user has successfully connected from the network to a local resource on the server, generating a token for the network user.
682	 A user has reconnected to a disconnected Terminal Services session. This event indicates that a previous Terminal Services session was connected to.
683	 A user disconnected a Terminal Services session without logging off. This event is generated when a user is connected to a Terminal Services session over the network. It appears on the terminal server.
 
Table 2: Account Logon Events That Appear in the Event Log
Event ID Description 
672	 An authentication service (AS) ticket was successfully issued and validated.
673	 A ticket granting service (TGS) ticket was granted.
674	 A security principal renewed an AS ticket or TGS ticket.
675	 Pre-authentication failed. (By default, Event ID 675 appears in the security log if a client computer's time differs from the authenticating domain controller's by more than five minutes.)
676	 Authentication Ticket Request failed.
677	 A TGS ticket was not granted.
678	 An account was successfully mapped to a domain account.
680	 Identifies the account used for the successful logon attempt. This event also indicates the authentication package used to authenticate the account.
681	 A domain account logon was attempted.
682	 A user has reconnected to a disconnected Terminal Services session.
683	 A user disconnected a Terminal Services session without logging off.
 
Table 3: Account Management Events That Appear in the Event Log
Event ID Description 
624	 User Account Created
625	 User Account Type Change
626	 User Account Enabled
627	 Password Change Attempted
628	 User Account Password Set
629	 User Account Disabled
630	 User Account Deleted
631	 Security Enabled Global Group Created
632	 Security Enabled Global Group Member Added
633	 Security Enabled Global Group Member Removed 
634	 Security Enabled Global Group Deleted
635	 Security Disabled Local Group Created
636	 Security Enabled Local Group Member Added
637	 Security Enabled Local Group Member Removed
638	 Security Enabled Local Group Deleted
639	 Security Enabled Local Group Changed
641	 Security Enabled Global Group Changed
642	 User Account Changed
643	 Domain Policy Changed
644	 User Account Locked Out
 
Table 4: Object Access Events That Appear in the Event Log
Event ID Description 
560	 Access was granted to an already existing object.
562	 A handle to an object was closed.
563	 An attempt was made to open an object with the intent to delete it. (This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified.)
564	 A protected object was deleted.
565	 Access was granted to an already existing object type.
 
Table 6: Privilege Use Events That Appear in the Event Log
Event ID Description 
576	 Specified privileges were added to a user's access token. (This event is generated when the user logs on.)
577	 A user attempted to perform a privileged system service operation.
578	 Privileges were used on an already open handle to a protected object.

Table 7: Process Tracking Events That Appear in the Event Log
Event ID Description 
592	 A new process was created.
593	 A process exited.
594	 A handle to an object was duplicated.
595	 Indirect access to an object was obtained.
  
Table 8: System Events That Appear in the Event Log
Event ID Description 
512	 Windows is starting up.
513	 Windows is shutting down.
514	 An authentication package was loaded by the Local Security Authority.
515	 A trusted logon process has registered with the Local Security Authority.
516	 Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.
517	 The security log was cleared.
518	 A notification package was loaded by the Security Accounts Manager.
 
Table 9: Policy Change Events That Appear in the Event Log
Event ID Description 
608	 A user right was assigned.
609	 A user right was removed.
610	 A trust relationship with another domain was created.
611	 A trust relationship with another domain was removed.
612	 An audit policy was changed.
768	 A collision was detected between a namespace element in one forest and a namespace element in another forest. (Occurs when a namespace element in one forest overlaps a namespace element in another forest.)
 

 


Copyright 1993-2024 Network Partners, Inc. All rights reserved