Account Logon Events
Table 1 shows the security events generated by the "Audit Account Logon Events" security template settings.
Table 1: Audit Account Logon Events
Event ID | Event Description
672 | An authentication service (AS) ticket was successfully issued and validated.
673 | A ticket-granting service (TGS) ticket was granted. A TGS ticket is a ticket issued by the Kerberos v5 ticket-granting service (TGS) that allows a user to authenticate to a specific service in the domain.
674 | A security principal renewed an AS ticket or a TGS ticket.
675 | Pre-authentication failed. The Key Distribution Center (KDC) generates this event when a user types an incorrect password.
676 | Authentication ticket request failed. This event is not generated in Windows XP Professional or in members of the Windows Server family.
677 | A TGS ticket was not granted. This event is not generated in Windows XP Professional or in members of the Windows Server family.
678 | An account was successfully mapped to a domain account.
681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP Professional or in members of the Windows Server family.
682 | A user has reconnected to a disconnected Terminal Server session.
683 | A user disconnected a Terminal Server session without logging off.
Account Management Events
Table 2 shows the security events generated by the "Audit Account Management" security template settings.
Table 2: Audit Account Management Events
Event ID | Event Description
624 | A user account was created.
627 | A user password was changed.
628 | A user password was set.
630 | A user account was deleted.
631 | A global group was created.
632 | A member was added to a global group.
633 | A member was removed from a global group.
634 | A global group was deleted.
635 | A local group was created.
636 | A member was added to a local group.
637 | A member was removed from a local group.
638 | A local group was deleted.
639 | A local group account was changed.
641 | A global group account was changed.
642 | A user account was changed.
643 | A domain policy was modified.
644 | A user account was automatically locked.
645 | A computer account was created.
646 | A computer account was changed.
647 | A computer account was deleted.
648 | A security-disabled local security group was created. Note: SECURITY_DISABLED in the formal name means that the group cannot be used to grant permissions in access checks.
649 | A security-disabled local security group was changed.
650 | A member was added to a security-disabled local security group.
651 | A member was removed from a security-disabled local security group.
652 | A security-disabled local group was deleted.
653 | A security-disabled global group was created.
654 | A security-disabled global group was changed.
655 | A member was added to a security-disabled global group.
656 | A member was removed from a security-disabled global group.
657 | A security-disabled global group was deleted.
658 | A security-enabled universal group was created.
659 | A security-enabled universal group was changed.
660 | A member was added to a security-enabled universal group.
661 | A member was removed from a security-enabled universal group.
662 | A security-enabled universal group was deleted.
663 | A security-disabled universal group was created.
664 | A security-disabled universal group was changed.
665 | A member was added to a security-disabled universal group.
666 | A member was removed from a security-disabled universal group.
667 | A security-disabled universal group was deleted.
668 | A group type was changed.
684 | The security descriptor of administrative group members was set. Note: Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor to them. This event is logged.
685 | The name of an account was changed.
Directory Service Access Events
Table 3 shows the security events generated by the "Audit Directory Service Access" security template settings.
Table 3: Audit Directory Service Access Events
Event ID | Event Description
566 | A generic object operation took place.
Audit Logon Events
Table 4 contains the security events generated by the "Audit Logon Events" security template settings.
Table 4: Audit Logon Events
Event ID | Event Description
528 | A user successfully logged on to a computer.
529 | Logon failure. A logon attempt was made with an unknown user name, or with a known user name and an incorrect password.
530 | Logon failure. A logon attempt was made outside the permitted time.
531 | Logon failure. A logon attempt was made with a disabled account.
532 | Logon failure. A logon attempt was made with an expired account.
533 | Logon failure. A logon attempt was made by a user who is not allowed to log on to the specified computer.
534 | Logon failure. The user attempted to log on with a password type that is not allowed.
535 | Logon failure. The password of the specified account has expired.
536 | Logon failure. The Net Logon service is not started.
537 | Logon failure. The logon attempt failed for other reasons. Note: In some cases, the cause of the logon failure may be unknown.
538 | The logoff process was completed.
539 | Logon failure. The account was locked out at the time of the logon attempt.
540 | A user successfully logged on to the network.
541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542 | A data channel was terminated.
543 | Main mode was terminated. Note: This occurs if the security association time limit (8 hours by default) expires, the policy is changed, or the peer terminates.
544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature is invalid.
545 | Main mode authentication failed because of a Kerberos failure or an invalid password.
546 | IKE security association establishment failed because the peer sent an invalid proposal. A packet containing invalid data was received.
547 | A failure occurred during the IKE handshake.
548 | Logon failure. The security identifier (SID) from the trusted domain does not match the account domain SID of the client.
549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during authentication across forests.
550 | A notification message that can indicate a possible DoS attack.
551 | A user initiated the logoff process.
552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682 | A user has reconnected to a disconnected Terminal Server session.
683 | A user disconnected a Terminal Server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
2 While validating that \Device\Serial1 is really a serial port, the system detected a FIFO. The FIFO will be used.
17 Error W32Time: Time provider NtpClient: an error occurred during the DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will retry the DNS lookup in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
20 Warning Print: The printer driver Canon PIXMA iP1000 for Windows NT x86 Version-3 was added or updated. Files: CNMDR6e.DLL, CNMUI6e.DLL, CNMCP6e.DLL, CNMMH6e.HLP, CNMD56e.DLL, CNMUR6e.DLL, CNMSR6e.DLL, CNMIN6e.INI, CNMPI6e.DLL, CNMSM6e.EXE, CNMSS6e.SMR, CNMSD6e.EXE, CNMSQ6e.EXE, CNMSH6e.HLP,
CNMSH6e
26 Application Popup: Rsaupd.exe - component not found: MFC71.DLL was not found. Re-installing the application may fix this problem.
29 Error W32Time: The time provider NtpClient is configured to acquire time from one or more time sources, but none of the sources can be accessed. No attempt to contact a time source will be made for 14 minutes. NtpClient has no source of accurate time.
35 W32Time: The time service is synchronizing the system time with the time source time.windows.com (ntp.m|0x1|192.168.1.208:123->207.46.197.32:123).
115 Information SRService: System Restore monitoring was enabled on all drives.
116 Information SRService: System Restore monitoring was disabled on all drives.
1001 Information Save Dump: The computer has restarted after detecting an error. The bugcheck was: 0x4a4b4d53 (0xc000000e, 0x01d04bf0, 0x00000010, 0x0000029a). The dump was saved in: C:\WINDOWS\Minidump\Mini052809-01.dmp.
1005 Warning Dhcp: Your computer has detected that the IP address 192.168.1.100 for the network card with network address 00E04C47978D is already in use on the network. The computer will automatically obtain a different address.
3260 Information Workstation: This computer was successfully joined to the workgroup 'workgroup'.
4202 Information Tcpip: The system detected that the network adapter Realtek... Family PCI Fast Ethernet NIC - Packet Scheduler Miniport was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, it may have malfunctioned. Please contact your vendor for updated drivers.
4226 Warning Tcpip: TCP/IP has reached the security limit imposed on the number of concurrent TCP connection attempts.
4377 Information NtServicePack: Windows XP Hotfix KB873339 was installed.
6005 Information EventLog: The Event Log service was started. (Boot)
6006 EventLog: The Event Log service was stopped. (Shutdown)
6009 EventLog: Shutdown by pressing Ctrl, Alt, Delete (abnormal).
6011 EventLog: The NetBIOS name and DNS host name of this machine were changed from MACHINENAME to AA.
7000 Error Service Control Manager: The npkcrypt service failed to start due to the following error:
7031 Error Service Control Manager: The Eset Service service terminated unexpectedly. It has done this once. The following corrective action will be taken in 0 milliseconds: restart the service.
7035 Information Service Control Manager: The xxx service was successfully sent a start control.
7036 Information Service Control Manager: The xxx service entered the running or stopped state.
8033 Information BROWSER: The browser has forced an election on network \Device\NetBT_Tcpip_{163DE7AB-92AE-499F-8340-B6358A4597CE} because a master browser was stopped.
10000 Error DCOM: Unable to start a DCOM server: {80EE4902-33A8-11D1-A213-0080C88593A5}. Error:
15007 Information HTTP: The reservation for the namespace identified by URL prefix http://*:2869 was successfully added.
60054 Setup: Setup successfully completed the installation of Windows build 2600.
64002 Windows File Protection: File replacement was attempted on the protected system file c:\windows\system32\quartz.dll. To maintain system stability, this file was restored to the original version. The file version of the system file is 6.5.2600.3497.
64008 Warning Windows File Protection: The protected system file c:\windows\system32\quartz.dll could not be verified because Windows File Protection was interrupted. Use the SFC tool to verify the integrity of the file later.