Account Logon Events
(Event ID and description)
672 An authentication service (AS) ticket was successfully issued and validated.
673 A ticket-granting service (TGS) ticket was granted. A TGS ticket is issued by the Kerberos version 5 ticket-granting service and allows a user to authenticate to a specific service in the domain.
674 A security principal renewed an AS ticket or TGS ticket.
675 Pre-authentication failed. This event is generated by the key distribution center (KDC) when a user enters an incorrect password.
676 Authentication ticket request failed. This event is not generated in Windows XP Professional or in members of the Windows Server family.
677 A TGS ticket was not granted. This event is not generated in Windows XP Professional or in members of the Windows Server family.
678 An account was successfully mapped to a domain account.
681 Logon failure. A domain account logon was attempted. This event is not generated in Windows XP Professional or in members of the Windows Server family.
682 A user reconnected to a disconnected terminal server session.
683 A user disconnected a terminal server session without logging off.
Account Management Events
624 A user account was created.
627 A user password was changed.
628 A user password was set.
630 A user account was deleted.
631 A global group was created.
632 A member was added to a global group.
633 A member was removed from a global group.
634 A global group was deleted.
635 A new local group was created.
636 A member was added to a local group.
637 A member was removed from a local group.
638 A local group was deleted.
639 A local group account was changed.
641 A global group account was changed.
642 A user account was changed.
643 A domain policy was modified.
644 A user account was automatically locked.
645 A computer account was created.
646 A computer account was changed.
647 A computer account was deleted.
648 A local security group with security disabled was created. Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
649 A local security group with security disabled was changed.
650 A member was added to a local security group with security disabled.
651 A member was removed from a local security group with security disabled.
652 A local group with security disabled was deleted.
653 A global group with security disabled was created.
654 A global group with security disabled was changed.
655 A member was added to a global group with security disabled.
656 A member was removed from a global group with security disabled.
657 A global group with security disabled was deleted.
658 A universal group with security enabled was created.
659 A universal group with security enabled was changed.
660 A member was added to a universal group with security enabled.
661 A member was removed from a universal group with security enabled.
662 A universal security group was deleted.
663 A universal group with security disabled was created.
664 A universal group with security disabled was changed.
665 A member was added to a universal group with security disabled.
666 A member was removed from a universal group with security disabled.
667 A universal group with security disabled was deleted.
668 A group type was changed.
684 The security descriptor of administrative group members was set. Note: On a domain controller, a background thread runs every 60 seconds, searches all members of administrative groups (such as the Domain Admins, Enterprise Admins, and Schema Admins groups), and applies a fixed security descriptor to them. This event is logged when that happens.
685 The name of an account was changed.
Audit Logon Events
528 A user successfully logged on to a computer.
529 Logon failure: a logon attempt was made with an unknown user name or a known user name with a bad password.
530 Logon failure: a logon attempt was made outside the allowed time.
531 Logon failure: a logon attempt was made using a disabled account.
532 Logon failure: a logon attempt was made using an expired account.
533 Logon failure: a logon attempt was made by a user who is not allowed to log on at this computer.
534 Logon failure: the user attempted to log on with a logon type that is not allowed.
535 Logon failure: the password for the specified account has expired.
536 Logon failure: the Net Logon service is not active.
537 Logon failure: the logon attempt failed for other reasons. Note: In some cases the reason for the logon failure may not be known.
538 The logoff process was completed for a user.
539 Logon failure: the account was locked out at the time the logon attempt was made.
540 A user successfully logged on to a network.
541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode established a data channel.
542 A data channel was terminated.
543 Main mode was terminated. Note: This event may occur when the security association time limit expires (the default is 8 hours), a policy change occurs, or the peer terminates the connection.
544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545 Main mode authentication failed because of a Kerberos failure or an invalid password.
546 IKE security association establishment failed because the peer sent an invalid proposal. A packet containing invalid data was received.
547 A failure occurred during an IKE handshake.
548 Logon failure: the security identifier (SID) from a trusted domain does not match the account domain SID of the client.
549 Logon failure: during cross-forest authentication, all SIDs corresponding to untrusted namespaces were filtered out.
550 A notification message that could indicate a possible denial-of-service (DoS) attack.
551 A user initiated the logoff process.
552 A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682 A user reconnected to a disconnected terminal server session.
683 A user disconnected a terminal server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
Object Access Events
560 Access was granted to an already existing object.
562 A handle to an object was closed.
563 An attempt was made to open an object with the intent to delete it. Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in the CreateFile() function.
564 A protected object was deleted.
565 Access was granted to an already existing object type.
567 A permission associated with a handle was used. Note: A handle is created with certain granted permissions (read, write, and so on). When the handle is used, at most one audit is generated for each of the permissions that was used.
568 An attempt was made to create a hard link to a file that is being audited.
569 The resource manager in Authorization Manager attempted to create a client context.
570 A client attempted to access an object. Note: An event is generated for every attempted operation on the object.
571 The client context was deleted by the Authorization Manager application.
572 The Administrator Manager initialized the application.
772 The certificate manager denied a pending certificate request.
773 Certificate Services received a resubmitted certificate request.
774 Certificate Services revoked a certificate.
775 Certificate Services received a request to publish the certificate revocation list (CRL).
776 Certificate Services published the certificate revocation list (CRL).
777 A certificate request extension was changed.
778 One or more certificate request attributes were changed.
779 Certificate Services received a request to shut down.
780 Certificate Services backup started.
781 Certificate Services backup completed.
782 Certificate Services restore started.
783 Certificate Services restore completed.
784 Certificate Services started.
785 Certificate Services stopped.
786 The security permissions for Certificate Services were changed.
787 Certificate Services retrieved an archived key.
788 Certificate Services imported a certificate into its database.
789 The audit filter for Certificate Services was changed.
790 Certificate Services received a certificate request.
791 Certificate Services approved a certificate request and issued a certificate.
792 Certificate Services denied a certificate request.
793 Certificate Services set the status of a certificate request to pending.
794 The certificate manager settings for Certificate Services were changed.
795 A configuration entry was changed in Certificate Services.
796 A property of Certificate Services was changed.
797 Certificate Services archived a key.
798 Certificate Services imported and archived a key.
799 Certificate Services published the CA certificate to Active Directory.
800 One or more rows were deleted from the certificate database.
801 Role separation was enabled.
Audit Policy Change Events
608 A user right was assigned.
609 A user right was removed.
610 A trust relationship with another domain was created.
611 A trust relationship with another domain was removed.
612 An audit policy was changed.
613 An Internet Protocol security (IPSec) policy agent started.
614 An IPSec policy agent was disabled.
615 An IPSec policy agent changed.
616 An IPSec policy agent encountered a potentially serious failure.
617 A Kerberos version 5 policy was changed.
618 An encrypted data recovery policy was changed.
620 A trust relationship with another domain was modified.
621 System access was granted to an account.
622 System access was removed from an account.
623 Per-user audit policy was set.
625 Per-user audit policy was refreshed.
768 A collision was detected between a namespace element in one forest and a namespace element in another forest. Note: When a namespace element in one forest overlaps a namespace element in another forest, the names of the two namespace elements cannot be unambiguously resolved. This overlap is also called a collision. Not all parameters are valid for each record type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for a "TopLevelName" record.
769 Trusted forest information was added. Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages are given a single unique identifier called the operation ID. This lets you determine that multiple event messages were generated by a single operation. Not all parameters are valid for each record type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for a "TopLevelName" record.
770 Trusted forest information was deleted. Note: See the description for event 769.
771 Trusted forest information was modified. Note: See the description for event 769.
805 The Event Log service read the security log configuration for a session.
Privilege Use Events
576 The specified privileges were added to a user's access token. Note: This event is generated when the user logs on.
577 A user attempted to perform a privileged system service operation.
578 Privileges were used on an already open handle to a protected object.
Detailed Tracking Events
592 A new process was created.
593 A process exited.
594 A handle to an object was duplicated.
595 Indirect access to an object was obtained.
596 A data protection master key was backed up. Note: The master key is used by the CryptProtectData and CryptUnprotectData routines and by Encrypting File System (EFS). The master key is backed up each time a new one is created (the default is every 90 days). The key is usually backed up by a domain controller.
597 A data protection master key was recovered from a recovery server.
598 Auditable data was protected.
599 Auditable data was unprotected.
600 A process was assigned a primary token.
601 A user attempted to install a service.
602 A scheduler job was created.
System Events
512 Windows is starting up.
513 Windows is shutting down.
514 An authentication package was loaded by the Local Security Authority.
515 A trusted logon process has registered with the Local Security Authority.
516 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
517 The audit log was cleared.
518 A notification package was loaded by the Security Account Manager.
519 A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply to, read from, or write to the client address space.
520 The system time was changed. Note: This audit normally appears twice.