Account Login Events (Event Number and Description)

672  An Authentication Service (AS) ticket was successfully issued and validated.
673  A ticket-granting service (TGS) ticket was granted. A TGS ticket is issued by the Kerberos 5.0 ticket-granting service (TGS) and allows a user to authenticate to a specific service in the domain.
674  A security principal renewed an AS ticket or a TGS ticket.
675  Pre-authentication failed. The Key Distribution Center (KDC) generates this event when the user enters an incorrect password.
676  An authentication ticket request failed. This event is not generated in the Windows XP Professional operating system or in members of the Windows Server product family.
677  A TGS ticket was not granted. This event is not generated in the Windows XP Professional operating system or in members of the Windows Server product family.
678  An account was successfully mapped to a domain account.
681  Login failed. A domain account login was attempted. This event is not generated in the Windows XP Professional operating system or in members of the Windows Server product family.
682  A user reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging out.

Account Management Events

624  A user account was created.
627  A user password was modified.
628  A user password was set.
630  A user password was deleted.
631  A global group was created.
632  A member was added to a global group.
633  A member was removed from a global group.
634  A global group was deleted.
635  A new local group was created.
636  A member was added to a local group.
637  A member was removed from a local group.
638  A local group was deleted.
639  A local group account was modified.
641  A global group account was modified.
642  A user account was modified.
643  A domain policy was modified.
644  A user account was automatically locked.
645  A computer account was created.
646  A computer account was modified.
647  A computer account was deleted.
648  A security-disabled local group was created.
     Note: SECURITY_DISABLED in the official name means that this group cannot be used to grant permissions in access checks.
649  A security-disabled local group was modified.
650  A member was added to a security-disabled local group.
651  A member was removed from a security-disabled local group.
652  A security-disabled local group was deleted.
653  A security-disabled global group was created.
654  A security-disabled global group was modified.
655  A member was added to a security-disabled global group.
656  A member was removed from a security-disabled global group.
657  A security-disabled global group was deleted.
658  A security-enabled universal group was created.
659  A security-enabled universal group was modified.
660  A member was added to a security-enabled universal group.
661  A member was removed from a security-enabled universal group.
662  A security-enabled universal group was deleted.
663  A security-disabled universal group was created.
664  A security-disabled universal group was modified.
665  A member was added to a security-disabled universal group.
666  A member was removed from a security-disabled universal group.
667  A security-disabled universal group was deleted.
668  A group type was modified.
684  The security descriptor of the administrative group was set.
     Note: On a domain controller, a background thread searches all members of the administrative group every 60 seconds and applies a fixed security descriptor to each of them. This event is recorded when that happens.
685  An account name was modified.

Audit Login Events

528  A user successfully logged in to a computer.
529  Login failure: a login was attempted with an unknown user name, or with a known user name and an incorrect password.
530  Login failure: a login was attempted outside the allowed time range.
531  Login failure: a login was attempted with a disabled account.
532  Login failure: a login was attempted with an expired account.
533  Login failure: a login was attempted by a user account that is not allowed to log in at this particular computer.
534  Login failure: the user attempted to log in with a password type that is not allowed.
535  Login failure: the password for the specified account has expired.
536  Login failure: the network login service is not active.
537  Login failure: the login failed for other reasons.
     Note: In some cases, the cause of the login failure may not be known.
538  The logout operation was completed for a user.
539  Login failure: the account was locked at the time of the login attempt.
540  A user successfully logged in to the network.
541  Main mode Internet Key Exchange (IKE) authentication between the local computer and the listed peer identity was completed (establishing a security association), or a data channel was established.
542  A data channel was terminated.
543  Main mode was terminated.
     Note: This event may occur when the security association time limit expires (the default is 8 hours), when the policy is modified, or when the peer terminates.
544  Main mode authentication failed because the peer did not provide a valid certificate or the signature could not be validated.
545  Main mode authentication failed because of a Kerberos failure or an invalid password.
546  The IKE security association was not established because the peer sent an invalid proposal. A packet containing invalid data was received.
547  A failure occurred during the IKE handshake.
548  Login failure: the security identifier (SID) from the trusted domain does not match the account domain SID of the client.
549  Login failure: during cross-domain authentication, all SIDs corresponding to untrusted namespaces were filtered out.
550  A notification message that may indicate a denial-of-service (DoS) attack.
551  A user initiated a logout operation.
552  A user successfully logged in to a computer with explicit credentials while already logged in as a different user.
682  A user reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging out.
     Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

Object Access Events

560  Access was granted to an existing object.
562  A handle to an object was closed.
563  An attempt was made to open an object with the intent to delete it.
     Note: The file system uses this event when the FILE_DELETE_ON_CLOSE flag is specified in the CreateFile() function.
564  A protected object was deleted.
565  Access was granted to an existing object type.
567  A permission associated with a handle was used.
     Note: A handle is created with specific granted permissions (read, write, and so on). When the handle is used, at most one event is generated for each permission that is used.
568  An attempt was made to create a hard link to a file that is being audited.
569  The resource manager in the Authentication Manager attempted to create a client context.
570  A client attempted to access an object.
     Note: An event is generated for each attempted operation on the object.
571  The client context was deleted by the Authentication Manager application.
572  The administrator manager initialized the application.
772  The certificate manager denied a pending certificate request.
773  The certificate service received a resubmitted certificate request.
774  The certificate service revoked a certificate.
775  The certificate service received a certificate revocation list (CRL) request.
776  The certificate service issued a certificate revocation list (CRL).
777  A certificate request extension was changed.
778  Multiple certificate request properties were changed.
779  The certificate service received a shutdown request.
780  A certificate service backup was started.
781  The certificate service backup was completed.
782  A certificate service restore was started.
783  The certificate service restore was completed.
784  The certificate service started.
785  The certificate service stopped.
786  The security permissions for the certificate service were changed.
787  The certificate service retrieved an archived key.
788  The certificate service imported a certificate into its database.
789  Certificate of Service Changes.
790  The certificate service received a certificate request.
791  The certificate service approved a certificate request and issued a certificate.
792  The certificate service denied a certificate request.
793  The certificate service set the status of a certificate request to pending.
794  The certificate manager settings of the certificate service were changed.
795  A configuration item of the certificate service was changed.
796  A property of the certificate service was changed.
797  The certificate service archived a key.
798  The certificate service imported and archived a key.
799  The certificate service published the certificate authority (CA) certificate to Active Directory.
800  One or more rows were deleted from the certificate database.
801  Role is enabled.

Audit Policy Change Events

608  A user permission was assigned.
609  A user permission was removed.
610  A trust relationship with another domain was created.
611  A trust relationship with another domain was deleted.
612  The audit policy was changed.
613  The Internet Protocol Security (IPSec) policy agent started.
614  The IPSec policy agent was disabled.
615  The IPSec policy agent was changed.
616  The IPSec policy agent encountered a potentially serious problem.
617  The Kerberos 5.0 policy was changed.
618  The encrypted data recovery policy was changed.
620  A trust relationship with another domain was modified.
621  System access permission was granted to an account.
622  System access permission was removed from an account.
623  The audit policy was set on a per-user basis.
625  The audit policy was refreshed on a per-user basis.
768  A namespace element in one forest collided with a namespace element in another forest.
     Note: When a namespace element in one forest overlaps a namespace element in another forest, names belonging to those two namespace elements cannot be resolved unambiguously. This overlap is also called a collision. Not every field is valid for every record type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for a record of type "TopLevelName".
769  Trusted forest information was added.
     Note: This event message is generated when trusted forest information is updated and one or more records are added. One event message is generated for each record that is added, deleted, or modified. If multiple records are added, deleted, or modified in a single update of the forest trust information, all of the generated event messages are assigned one identical, unique identifier (called the operation number). This lets you determine that the multiple event messages were generated by one operation. Not every field is valid for every record type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for a record of type "TopLevelName".
770  Trusted forest information was deleted.
     Note: See the description of event 769.
771  Trusted forest information was modified.
     Note: See the description of event 769.
805  The event log service read the security log configuration for a session.

Permission Use Events

576  Specific permissions were added to a user's access token.
     Note: This event is generated when the user logs in.
577  A user attempted to perform a system service operation that is protected by a permission.
578  Permissions were used on an already open handle to a protected object.

Detailed Tracking Events

592  A new process was created.
593  A process exited.
594  A handle to an object was duplicated.
595  Indirect access to an object was obtained.
596  A data protection master key was backed up.
     Note: The master key is used by the CryptProtectData and CryptUnprotectData routines and by the Encrypting File System (EFS). The master key is backed up every time a new master key is created. (The default is 90 days.) Key backup operations are typically performed by domain controllers.
597  A data protection master key was recovered by the recovery server.
598  Audit data was protected.
599  Audit data protection was removed.
600  A primary token was assigned.
601  A user attempted to install a service.
602  A scheduled job was created.

Audit System Events

512  Windows is starting.
513  Windows is shutting down.
514  The Local Security Authority loaded an authentication package.
515  A trusted login process registered with the Local Security Authority.
516  The internal resources used to queue audit messages were exhausted, causing the loss of some audit data.
517  The audit log was cleared.