Account logon events
(Event ID and description)
672  An authentication service (AS) ticket was successfully issued and validated.
673  A ticket-granting service (TGS) ticket was granted. A TGS ticket is issued by the Kerberos version 5 ticket-granting service and allows a user to authenticate to a specific service in the domain.
674  A security principal renewed an AS ticket or a TGS ticket.
675  Pre-authentication failed. This event is generated on the Key Distribution Center (KDC) when a user enters an incorrect password.
676  An authentication ticket request failed. This event is not generated on Windows XP Professional or on members of the Windows Server family.
677  A TGS ticket was not granted. This event is not generated on Windows XP Professional or on members of the Windows Server family.
678  An account was successfully mapped to a domain account.
681  Logon failure. A domain account logon was attempted. This event is not generated on Windows XP Professional or on members of the Windows Server family.
682  A user reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging off.
Account management events
624  A user account was created.
627  A user password was changed.
628  A user password was set.
630  A user account was deleted.
631  A global group was created.
632  A member was added to a global group.
633  A member was removed from a global group.
634  A global group was deleted.
635  A new local group was created.
636  A member was added to a local group.
637  A member was removed from a local group.
638  A local group was deleted.
639  A local group account was changed.
641  A global group account was changed.
642  A user account was changed.
643  A domain policy was modified.
644  A user account was automatically locked.
645  A computer account was created.
646  A computer account was changed.
647  A computer account was deleted.
648  A security-disabled local group was created. Note: SECURITY_DISABLED in the formal name means that the group cannot be used to grant permissions in access checks.
649  A security-disabled local group was changed.
650  A member was added to a security-disabled local group.
651  A member was removed from a security-disabled local group.
652  A security-disabled local group was deleted.
653  A security-disabled global group was created.
654  A security-disabled global group was changed.
655  A member was added to a security-disabled global group.
656  A member was removed from a security-disabled global group.
657  A security-disabled global group was deleted.
658  A security-enabled universal group was created.
659  A security-enabled universal group was changed.
660  A member was added to a security-enabled universal group.
661  A member was removed from a security-enabled universal group.
662  A security-enabled universal group was deleted.
663  A security-disabled universal group was created.
664  A security-disabled universal group was changed.
665  A member was added to a security-disabled universal group.
666  A member was removed from a security-disabled universal group.
667  A security-disabled universal group was deleted.
668  A group type was changed.
684  The security descriptor of members of administrative groups was set. Note: On a domain controller, a background thread searches all members of the administrative groups every 60 seconds and applies a fixed security descriptor to each of them. This event is logged when that happens.
685  An account name was changed.
Logon events
528  A user successfully logged on to a computer.
529  Logon failure: an attempt was made to log on with an unknown user name or with a known user name and a bad password.
530  Logon failure: an attempt was made to log on outside the permitted logon hours.
531  Logon failure: an attempt was made to log on with a disabled account.
532  Logon failure: an attempt was made to log on with an expired account.
533  Logon failure: an attempt was made to log on with a user account that is not permitted to log on at this computer.
534  Logon failure: the user attempted to log on with a logon type that is not allowed.
535  Logon failure: the password for the specified account has expired.
536  Logon failure: the Net Logon service is not active.
537  Logon failure: the logon attempt failed for other reasons. Note: In some cases the reason for the logon failure may not be known.
538  The logoff process was completed for a user.
539  Logon failure: the account was locked out at the time of the logon attempt.
540  A user successfully logged on to a network.
541  Main mode Internet Key Exchange (IKE) authentication between the local computer and the listed peer identity was completed (a security association was established), or quick mode established a data channel.
542  A data channel was terminated.
543  Main mode was terminated. Note: This event may occur when the security association time limit expires (the default is 8 hours), when a policy is changed, or when the peer terminates the association.
544  Main mode authentication failed because the peer did not provide a valid certificate or the signature could not be validated.
545  Main mode authentication failed because of a Kerberos failure or an invalid password.
546  IKE security association establishment failed because the peer sent an invalid proposal. A packet containing invalid data was received.
547  A failure occurred during an IKE handshake.
548  Logon failure: the security identifier (SID) from a trusted domain does not match the account domain SID of the client.
549  Logon failure: all SIDs corresponding to untrusted namespaces were filtered out during authentication across forests.
550  A notification message that could indicate a possible denial-of-service (DoS) attack.
551  A user initiated the logoff process.
552  A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
682  A user reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
Object access events
560  Access was granted to an already existing object.
562  A handle to an object was closed.
563  An attempt was made to open an object with the intent to delete it. Note: This event is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile().
564  A protected object was deleted.
565  Access was granted to an already existing object type.
567  A permission associated with a handle was used. Note: A handle is created with certain granted permissions (read, write, and so on). When the handle is used, at most one audit is generated for each of the permissions that was used.
568  An attempt was made to create a hard link to a file that is being audited.
569  The resource manager in Authorization Manager attempted to create a client context.
570  A client attempted to access an object. Note: An event is generated for every attempted operation on the object.
571  The client context was deleted by the Authorization Manager application.
572  The Administrator Manager initialized the application.
772  The certificate manager denied a pending certificate request.
773  Certificate Services received a resubmitted certificate request.
774  Certificate Services revoked a certificate.
775  Certificate Services received a request to publish the certificate revocation list (CRL).
776  Certificate Services published the certificate revocation list (CRL).
777  A certificate request extension was changed.
778  One or more certificate request attributes were changed.
779  Certificate Services received a request to shut down.
780  Certificate Services backup started.
781  Certificate Services backup completed.
782  Certificate Services restore started.
783  Certificate Services restore completed.
784  Certificate Services started.
785  Certificate Services stopped.
786  The security permissions for Certificate Services were changed.
787  Certificate Services retrieved an archived key.
788  Certificate Services imported a certificate into its database.
789  The audit filter for Certificate Services was changed.
790  Certificate Services received a certificate request.
791  Certificate Services approved a certificate request and issued a certificate.
792  Certificate Services denied a certificate request.
793  Certificate Services set the status of a certificate request to pending.
794  The certificate manager settings for Certificate Services were changed.
795  A configuration entry in Certificate Services was changed.
796  A property of Certificate Services was changed.
797  Certificate Services archived a key.
798  Certificate Services imported and archived a key.
799  Certificate Services published the certification authority (CA) certificate to Active Directory.
800  One or more rows were deleted from the certificate database.
801  Role separation was enabled.
Policy change events
608  A user right was assigned.
609  A user right was removed.
610  A trust relationship with another domain was created.
611  A trust relationship with another domain was removed.
612  An audit policy was changed.
613  The Internet Protocol security (IPSec) policy agent started.
614  The IPSec policy agent was disabled.
615  The IPSec policy agent was changed.
616  The IPSec policy agent encountered a potentially serious failure.
617  The Kerberos version 5 policy was changed.
618  The Encrypting File System (EFS) recovery policy was changed.
620  A trust relationship with another domain was modified.
621  System access was granted to an account.
622  System access was removed from an account.
623  Per-user audit policy was set.
625  Per-user audit policy was refreshed.
768  A namespace element in one forest collided with a namespace element in another forest. Note: When a namespace element in one forest overlaps a namespace element in another forest, names belonging to either element can no longer be resolved unambiguously. This overlap is also called a collision. Not all fields are valid for every record type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for a record of type "TopLevelName".
769  Trusted forest information was added. Note: This event is generated when forest trust information is updated and one or more records are added. One event is generated for each record that is added, deleted, or modified. If several records are added, deleted, or modified in a single update of the forest trust information, all of the resulting events share the same unique identifier, called the operation ID. This lets you determine that several events were generated by the same operation. Not all fields are valid for every record type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for a record of type "TopLevelName".
770  Trusted forest information was deleted. Note: See the description of event 769.
771  Trusted forest information was modified. Note: See the description of event 769.
805  The event log service read the security log configuration for a session.
Privilege use events
576  Specified privileges were added to a user's access token. Note: This event is generated when the user logs on.
577  A user attempted to perform a privileged system service operation.
578  Privileges were used on an already open handle to a protected object.
Detailed tracking events
592  A new process was created.
593  A process exited.
594  A handle to an object was duplicated.
595  Indirect access to an object was obtained.
596  A data protection master key was backed up. Note: The master key is used by the CryptProtectData and CryptUnprotectData routines and by the Encrypting File System (EFS). The master key is backed up each time a new one is created (the default is every 90 days). The backup is usually performed by a domain controller.
597  A data protection master key was recovered from the recovery server.
598  Auditable data was protected.
599  Auditable data was unprotected.
600  A process was assigned a primary token.
601  A user attempted to install a service.
602  A scheduler job was created.
System events
512  Windows is starting up.
513  Windows is shutting down.
514  An authentication package was loaded by the Local Security Authority.
515  A trusted logon process has registered with the Local Security Authority.
516  Internal resources allocated for queuing audit messages were exhausted, leading to the loss of some audit data.
517  The audit log was cleared.
518  A notification package was loaded by the Security Account Manager.
519  A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply to, read from, or write to the client's address space.
520  The system time was changed. Note: This audit normally appears twice.