Windows event viewer code meaning

Account Logon Events

Table 1 shows the security events generated by the "Audit Account Logon Events" security template settings.

Table 1: Audit Account Logon Events

Event ID	Event Description
672	The authentication service (AS) ticket has been issued and verified.
673	The authorization ticket service (TGS) ticket is authorized. TGS is a ticket issued by the Kerberos v5 ticket Authorization Service (TGS). It allows users to authenticate specific services in the domain.
674	The security subject has updated the AS ticket or TGS ticket.
675	Pre-authentication failed. This event is generated in the Key Distribution Center (KDC) when you type an incorrect password.
676	Authentication ticket request failed. This event is not generated in members of Windows XP Professional or Windows Server family.
677	The TGS ticket is not authorized. This event is not generated in members of Windows XP Professional or Windows Server family.
678	The account has been successfully mapped to the domain account.
681	Logon Failed. Attempt to log on to the domain account. This event is not generated in members of Windows XP Professional or Windows Server family.
682	The user has reconnected to the disconnected Terminal Server session.
683	The user disconnects the Terminal Server session without logging out.

Account management events

Table 2 shows the security events generated by the "Audit Account Management" security template settings.

Table 2: Audit account management events

Event ID	Event Description
624	The user account has been created.
627	The user password has been changed.
628	The user password has been set.
630	The user account has been deleted.
631	The global group has been created.
632	The member has been added to the global group.
633	The member has been deleted from the global group.
634	The global group has been deleted.
635	You have created a local group.
636	The member has been added to the local group.
637	The member has been deleted from the local group.
638	The local group has been deleted.
639	The local group account has been changed.
641	The global group account has been changed.
642	The user account has been changed.
643	The Domain Policy has been modified.
644	The user account is automatically locked.
645	The computer account has been created.
646	The computer account has been changed.
647	The computer account has been deleted.
648	The local security group to disable security has been created. Note:: In the official name, SECURITY_DISABLED means that the group cannot be used to authorize access checks.
649	The local security group to disable security has been changed.
650	The member has been added to the security-disabled local security group.
651	The member has been deleted from the security-disabled local security group.
652	The security disabled local group has been deleted.
653	The global group to disable security has been created.
654	The global group to disable security has been changed.
655	The member has been added to the disabled security global group.
656	The member has been deleted from the disabled security global group.
657	The globally disabled security group has been deleted.
658	The security-enabled universal group has been created.
659	The security-enabled universal group has been changed.
660	The member has been added to a security-enabled universal group.
661	The member has been deleted from the security-enabled universal group.
662	The security-enabled generic group has been deleted.
663	The security-disabled general group has been created.
664	The security disabled universal group has been changed.
665	The member has been added to the disabled security group.
666	The member has been deleted from the disabled security group.
667	The security disabled general group has been deleted.
668	The group type has been changed.
684	The security descriptor of the Management Group member has been set. Note:On the domain controller, every 60 Minutes, the background thread searches all the members of the Management Group (such as the domain, enterprise, and architecture administrator) and applies a fixed security descriptor to it. This event has been recorded.
685	The account name has been changed.

Directory Service Access event

Table 3 shows the security events generated by the "Audit Directory Service Access" security template settings.

Table 3: Audit Directory Service Access Events

Event ID	Event Description
566	A common object operation occurs.

Audit Logon Events

Table 4 contains the security events generated by the "Audit Logon Events" security template settings.

Table 4: Audit Logon Events

Event ID	Audit Logon Events
528	The user successfully logs on to the computer.
529	Logon Failed. Attempt to log on with an unknown user name or known user name but incorrect password.
530	Logon Failed. Try to log on outside of the permitted time.
531	Logon Failed. Attempt to log on with a disabled account.
532	Logon Failed. Try to log on with an expired account.
533	Logon Failed. User attempts to log on to the specified computer are not allowed.
534	Logon Failed. The user attempts to log on with an unsupported password.
535	Logon Failed. The password of the specified account has expired.
536	Logon Failed. The. Net Logon Service is not started.
537	Logon Failed. The logon attempt fails for other reasons. Note:: In some cases, the cause of Logon failure may be unknown.
538	The cancellation process has been completed.
539	Logon Failed. The account is locked when you try to log on.
540	The user successfully logs on to the network.
541	The main mode Internet Key Exchange (IKE) authentication between the local computer and the listed peer-to-peer client identity (Security Association established) has been completed, or the data channel has been established in quick mode.
542	The data channel has been terminated.
543	The main mode has been terminated. Note:: This situation occurs if the security association time limit (8 hours by default) expires, the policy is changed, or the peer-to-peer termination occurs.
544	The primary Mode Authentication fails because the peer client does not provide a valid certificate or the signature is invalid.
545	Authentication in main mode fails because of Kerberos failure or invalid password.
546	The proposal sent by the peer client is invalid, causing the establishment of IKE Security Association to fail. The received package contains invalid data.
547	An error occurs during the IKE handshake.
548	Logon Failed. The security identifier (SID) from the trusted domain does not match the account domain SID of the client.
549	Logon Failed. When the forest performs identity authentication, all the sid related to the untrusted namespace will be filtered out.
550	A notification message that can be used to indicate possible DoS attacks.
551	The user has started the logout process.
552	You can use clear creden。 to successfully log on to a computer that has been logged on as another user.
682	The user has reconnected to the disconnected Terminal Server session.
683	Disconnect the Terminal Server session before you log off. Note: This event is generated when you connect to the terminal server session over the network. This event appears on the terminal server.

2. When the system verifies whether \ Device \ Serial1 is a Serial port, the system detects the fifo mode ). This method will be used.

17 error W32Time provider NtpClient: an error occurs when the DNS queries the manually configured peer-to-peer machine 'time .windows.com, 0x1. NtpClient will retry the NDS Query within 15 minutes. The error is: the socket operation attempts a host that cannot be connected. (0x80072751)

20 warning Print has added or updated the Windows NT x86 Version-3 Printer Driver Canon PIXMA iP1000. File:-CNMDR6e. DLL, CNMUI6e. DLL, CNMCP6e. DLL, CNMMH6e. HLP, CNMD56e. DLL, CNMUR6e. DLL, CNMSR6e. DLL, CNMIN6e. INI, CNMPI6e. DLL, CNMSM6e. EXE, CNMSS6e. SMR, CNMSD6e. EXE, CNMSQ6e. EXE, CNMSH6e. HLP,
CNMSH6e

26. Application Popup: Rsaupd.exe-component not found: MFC71.DLL not found. Re-installing the application may fix this problem.

29 error W32Time time the service provider NtpClient is configured to obtain time from one or more time sources, but no source can be accessed. The contact time source will not be tried within 14 minutes. NtpClient does not have a time source for accurate time.

35. The W32Time Service uses the time source time.windows.com (ntp. m | 0x1 | 192.168.1.208: 123-> 207.46.197.32: 123) To synchronize the system time.

115 information SRService system recovery monitoring is enabled on all drives.

116 Letter SRService system recovery monitoring is disabled on all drives.

1001 information Save Dump the computer has restarted after detecting an error. Check error: 0x4a4b4d53 (0xc000000e, 0x01d04bf0, 0x00000010, 0x0000029a ). Dump data is saved in: C: \ WINDOWS \ Minidump \ Mini052809-01.dmp.

1005 warn Dhcp your computer that the IP address 192.168.1.100 of the NIC whose network address is 00E04C47978D is already in use on the network. The computer automatically obtains another address.

3260 information Workstation this computer is successfully added to the workgroup 'workgroup '.

4202 information the Tcpip system detects that the NIC Realtek... Family PCI Fast Ethernet NIC-the micro port of the package scheduler is disconnected from the network and the network configuration of the NIC has been released. If the network card is not disconnected, it may cause a fault. Please contact your vendor for updated drivers.

4226 warn that Tcpip TCP/IP has reached the security limit for the number of concurrent TCP connection attempts.

4377 information NtServicePack Windows XP Hotfix KB873339 was installed. 6005 information EventLog Event Log service has been started. (BOOT)

6006 EventLog Event Log Service has stopped. (Shutdown)

6009 press ctrl, alt, or delete (abnormal) to shut down EventLog.

6011 EventLog the machine's NetBIOS Name and DNS host name are changed from MACHINENAME to AA.

7000 error Service Control Manager failed to start npkcrypt due to the following error:

7031 error Service Control Manager Eset Service the unexpected termination of the Service has already occurred once. The following correction operations will run within 0 milliseconds: restart the service.

7035 the Information Service Control Manager xxx Service successfully sends a start Control.

7036 the Information Service Control Manager xxx Service is in the running or stopping status.

8033 information BROWSER: The main BROWSER has stopped the BROWSER from conducting mandatory elections on the \ Device \ NetBT_Tcpip _ {163DE7AB-92AE-499F-8340-B6358A4597CE} network.

10000 error DCOM cannot start the DCOM server: {80EE4902-33A8-11D1-A213-0080C88593A5 }.

Error: 15007 information HTTP successfully added the reserved namespace identified by the URL prefix http: // *: 2869.

60054 Setup successfully completed Windows internal version 2600 installation.

64002 Windows File Protection tries to replace the File on the protected system File c: \ windows \ system32 \ quartz. dll. To maintain system stability, this file is restored to the original version. The file version of the system file is 6.5.2600.3497.

64008 warning Windows File Protection unable to verify the Protected c: \ windows \ system32 \ quartz. dll system File because Windows File Protection is interrupted. Please use the SFC tool to verify the integrity of the file later