Tuesday, February 28, 2006
Windows Security Log Encyclopedia
www.ultimatewindowssecurity.com/encyclopedia.html
Event ID OS: Title:
512 All Versions Windows NT is starting up
513 XP, Win2003 Windows NT is shutting down
514 All Versions An authentication package has been loaded by the Local Security Authority
515 All Versions A trusted logon process has registered with the Local Security Authority
516 All Versions Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517 All Versions The audit log was cleared
518 All Versions An notification package has been loaded by the Security Account Manager
519 Win2003 A process is using an invalid local procedure call (LPC) port
520 Win2003 The system time was changed
528 All Versions Successful Logon
529 All Versions Logon Failure - Unknown user name or bad password
530 All Versions Logon Failure - Account logon time restriction violation
531 All Versions Logon Failure - Account currently disabled
532 All Versions Logon Failure - The specified user account has expired
533 All Versions Logon Failure - User not allowed to logon at this computer
534 All Versions Logon Failure - The user has not been granted the requested logon type at this machine
535 All Versions Logon Failure - The specified account's password has expired
536 All Versions Logon Failure - The NetLogon component is not active
537 All Versions Logon failure - The logon attempt failed for other reasons
538 All Versions User Logoff
539 All Versions Logon Failure - Account locked out
540 XP, Win2000, Win2003 Successful Network Logon
552 Win2003 Logon attempt using explicit credentials
560 All Versions Object Open
561 All Versions Handle Allocated
562 All Versions Handle Closed
563 All Versions Object Open for Delete
564 All Versions Object Deleted
565 Win2000 Object Open (Active Directory)
Win2003 Object Open (W3 Active Directory)
566 Win2003 Object Operation (W3 Active Directory)
567 Win2003 Object Access Attempt
576 All Versions Special privileges assigned to new logon
577 All Versions Privileged Service Called
578 All Versions Privileged object operation
592 All Versions A new process has been created
593 All Versions A process has exited
594 All Versions A handle to an object has been duplicated
595 All Versions Indirect access to an object has been obtained
600 All Versions A process was assigned a primary token
601 Win2003 Attempt to install service
602 Win2003 Scheduled Task created
608 Win2003 User Right Assigned
609 All Versions User Right Removed
610 Win2000 New Trusted Domain
Win2003 New Trusted Domain
611 Win2000 Removing Trusted Domain
Win2003 Trusted Domain Removed
612 All Versions Audit Policy Change
613 All Versions IPSec policy agent started
614 All Versions IPSec policy agent disabled
615 Win2000 IPSEC PolicyAgent Service
Win2003 IPSec Services
616 Win2000 IPSec policy agent encountered a potentially serious failure
617 Win2000, Win2003, DC Kerberos Policy Changed
618 XP, Win2000, Win2003 Encrypted Data Recovery Policy Changed
619 All Versions Quality of Service Policy Changed
620 Win2000 Trusted Domain Information Modified
Win2003 Trusted Domain Information Modified
621 Win2003 System Security Access Granted
622 Win2003 System Security Access Removed
623 Win2003 Per User Audit Policy was refreshed
624 Win2000, Win2003 User Account Created
625 Win2003 Per user auditing policy set for user
Win2000, DC User Account Type Change
626 Win2000, Win2003 User Account Enabled
627 Win2000, Win2003 Change Password Attempt
628 Win2000, Win2003 User Account password set
629 Win2003 User Account Disabled
630 Win2000, Win2003 User Account Deleted
631 Win2000, Win2003, DC Group created
632 Win2000, Win2003, DC Group member added or removed
633 Win2000, Win2003, DC Group member added or removed
634 Win2000, Win2003, DC Group deleted
635 Win2000, Win2003 Group created
636 Win2000, Win2003 Group member added or removed
637 Win2000, Win2003 Group member added or removed
638 Win2000, Win2003 Group deleted
639 Win2000, Win2003 Group changed
640 All Versions General Account Database Change
641 Win2000, Win2003, DC Group changed
642 Win2000, Win2003 User Account Changed
643 Win2000 Domain Policy Changed
Win2003 Domain Policy Changed
644 All Versions User Account Locked Out
645 Win2000, Win2003, DC Computer Account Created
646 Win2000, Win2003, DC Computer Account Changed
647 Win2000, Win2003, DC Computer Account Deleted
648 Win2000, Win2003, DC Group created
649 Win2000, Win2003, DC Group changed
650 Win2000, Win2003, DC Group member added or removed
651 Win2000, Win2003, DC Group member added or removed
652 Win2000, Win2003, DC Group deleted
653 Win2000, Win2003, DC Group created
654 Win2000, Win2003, DC Group changed
655 Win2000, Win2003, DC Group member added or removed
656 Win2000, Win2003, DC Group member added or removed
657 Win2000, Win2003, DC Group deleted
658 Win2000, Win2003, DC Group created
659 Win2000, Win2003, DC Group changed
660 Win2000, Win2003, DC Group member added or removed
661 Win2000, Win2003, DC Group member added or removed
662 Win2000, Win2003, DC Group deleted
663 Win2000, Win2003, DC Group created
664 Win2000, Win2003, DC Group changed
665 Win2000, Win2003, DC Group member added or removed
666 Win2000, Win2003, DC Group member added or removed
667 Win2000, Win2003, DC Group deleted
668 Win2000, Win2003, DC Group Type Changed
669 All Versions Add SID History
670 All Versions Add SID History
671 Win2003 User Account Unlocked
672 Win2000 Authentication Ticket Granted
Win2003 Authentication Ticket Request
673 Win2000 Service Ticket Granted
Win2003 Service Ticket Request
674 Win2000 Ticket Granted Renewed
Win2003 Service Ticket Renewed
675 Win2000, Win2003, DC Pre-authentication failed
676 Win2000 Authentication Ticket Request Failed
Win2003 Authentication Ticket Request Failed
677 Win2000 Service Ticket Request Failed
Win2003 Service Ticket Request Failed
678 All Versions Account Mapped for Logon by
679 Win2000 The name: %2 could not be mapped for logon by: %1
680 Win2000 Account Used for Logon by
Win2003 Logon attempt
681 Win2000 The logon to account: %2 by: %1 from workstation: %3 failed
Win2003 The logon to account: %2 by: %1 from workstation: %3 failed
682 XP, Win2000, Win2003 Session reconnected to winstation
683 XP, Win2000, Win2003 Session disconnected from winstation
684 Win2003 Set the security descriptor of members of administrative groups
685 Win2003 Account Name Changed
686 Win2003 Password of the following user accessed
687 All Versions Application group operation
688 Win2003 Application group operation
689 Win2003 Application group operation
690 Win2003 Application group operation
691 Win2003 Application group operation
692 All Versions Application group operation
693 Win2003 Application group operation
694 Win2003 Application group operation
695 Win2003 Application group operation
696 Win2003 Application group operation
806 Win2003 Per User Audit Policy was refreshed
807 Win2003 Per user auditing policy set for user
Event ID OS: Title:
512 All Versions Windows NT is starting up
513 XP, Win2003 Windows NT is shutting down
514 All Versions An authentication package has been loaded by the Local Security Authority
515 All Versions A trusted logon process has registered with the Local Security Authority
516 All Versions Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517 All Versions The audit log was cleared
518 All Versions An notification package has been loaded by the Security Account Manager
519 Win2003 A process is using an invalid local procedure call (LPC) port
520 Win2003 The system time was changed
528 All Versions Successful Logon
529 All Versions Logon Failure - Unknown user name or bad password
530 All Versions Logon Failure - Account logon time restriction violation
531 All Versions Logon Failure - Account currently disabled
532 All Versions Logon Failure - The specified user account has expired
533 All Versions Logon Failure - User not allowed to logon at this computer
534 All Versions Logon Failure - The user has not been granted the requested logon type at this machine
535 All Versions Logon Failure - The specified account's password has expired
536 All Versions Logon Failure - The NetLogon component is not active
537 All Versions Logon failure - The logon attempt failed for other reasons
538 All Versions User Logoff
539 All Versions Logon Failure - Account locked out
540 XP, Win2000, Win2003 Successful Network Logon
552 Win2003 Logon attempt using explicit credentials
560 All Versions Object Open
561 All Versions Handle Allocated
562 All Versions Handle Closed
563 All Versions Object Open for Delete
564 All Versions Object Deleted
565 Win2000 Object Open (Active Directory)
Win2003 Object Open (W3 Active Directory)
566 Win2003 Object Operation (W3 Active Directory)
567 Win2003 Object Access Attempt
576 All Versions Special privileges assigned to new logon
577 All Versions Privileged Service Called
578 All Versions Privileged object operation
592 All Versions A new process has been created
593 All Versions A process has exited
594 All Versions A handle to an object has been duplicated
595 All Versions Indirect access to an object has been obtained
600 All Versions A process was assigned a primary token
601 Win2003 Attempt to install service
602 Win2003 Scheduled Task created
608 Win2003 User Right Assigned
609 All Versions User Right Removed
610 Win2000 New Trusted Domain
Win2003 New Trusted Domain
611 Win2000 Removing Trusted Domain
Win2003 Trusted Domain Removed
612 All Versions Audit Policy Change
613 All Versions IPSec policy agent started
614 All Versions IPSec policy agent disabled
615 Win2000 IPSEC PolicyAgent Service
Win2003 IPSec Services
616 Win2000 IPSec policy agent encountered a potentially serious failure
617 Win2000, Win2003, DC Kerberos Policy Changed
618 XP, Win2000, Win2003 Encrypted Data Recovery Policy Changed
619 All Versions Quality of Service Policy Changed
620 Win2000 Trusted Domain Information Modified
Win2003 Trusted Domain Information Modified
621 Win2003 System Security Access Granted
622 Win2003 System Security Access Removed
623 Win2003 Per User Audit Policy was refreshed
624 Win2000, Win2003 User Account Created
625 Win2003 Per user auditing policy set for user
Win2000, DC User Account Type Change
626 Win2000, Win2003 User Account Enabled
627 Win2000, Win2003 Change Password Attempt
628 Win2000, Win2003 User Account password set
629 Win2003 User Account Disabled
630 Win2000, Win2003 User Account Deleted
631 Win2000, Win2003, DC Group created
632 Win2000, Win2003, DC Group member added or removed
633 Win2000, Win2003, DC Group member added or removed
634 Win2000, Win2003, DC Group deleted
635 Win2000, Win2003 Group created
636 Win2000, Win2003 Group member added or removed
637 Win2000, Win2003 Group member added or removed
638 Win2000, Win2003 Group deleted
639 Win2000, Win2003 Group changed
640 All Versions General Account Database Change
641 Win2000, Win2003, DC Group changed
642 Win2000, Win2003 User Account Changed
643 Win2000 Domain Policy Changed
Win2003 Domain Policy Changed
644 All Versions User Account Locked Out
645 Win2000, Win2003, DC Computer Account Created
646 Win2000, Win2003, DC Computer Account Changed
647 Win2000, Win2003, DC Computer Account Deleted
648 Win2000, Win2003, DC Group created
649 Win2000, Win2003, DC Group changed
650 Win2000, Win2003, DC Group member added or removed
651 Win2000, Win2003, DC Group member added or removed
652 Win2000, Win2003, DC Group deleted
653 Win2000, Win2003, DC Group created
654 Win2000, Win2003, DC Group changed
655 Win2000, Win2003, DC Group member added or removed
656 Win2000, Win2003, DC Group member added or removed
657 Win2000, Win2003, DC Group deleted
658 Win2000, Win2003, DC Group created
659 Win2000, Win2003, DC Group changed
660 Win2000, Win2003, DC Group member added or removed
661 Win2000, Win2003, DC Group member added or removed
662 Win2000, Win2003, DC Group deleted
663 Win2000, Win2003, DC Group created
664 Win2000, Win2003, DC Group changed
665 Win2000, Win2003, DC Group member added or removed
666 Win2000, Win2003, DC Group member added or removed
667 Win2000, Win2003, DC Group deleted
668 Win2000, Win2003, DC Group Type Changed
669 All Versions Add SID History
670 All Versions Add SID History
671 Win2003 User Account Unlocked
672 Win2000 Authentication Ticket Granted
Win2003 Authentication Ticket Request
673 Win2000 Service Ticket Granted
Win2003 Service Ticket Request
674 Win2000 Ticket Granted Renewed
Win2003 Service Ticket Renewed
675 Win2000, Win2003, DC Pre-authentication failed
676 Win2000 Authentication Ticket Request Failed
Win2003 Authentication Ticket Request Failed
677 Win2000 Service Ticket Request Failed
Win2003 Service Ticket Request Failed
678 All Versions Account Mapped for Logon by
679 Win2000 The name: %2 could not be mapped for logon by: %1
680 Win2000 Account Used for Logon by
Win2003 Logon attempt
681 Win2000 The logon to account: %2 by: %1 from workstation: %3 failed
Win2003 The logon to account: %2 by: %1 from workstation: %3 failed
682 XP, Win2000, Win2003 Session reconnected to winstation
683 XP, Win2000, Win2003 Session disconnected from winstation
684 Win2003 Set the security descriptor of members of administrative groups
685 Win2003 Account Name Changed
686 Win2003 Password of the following user accessed
687 All Versions Application group operation
688 Win2003 Application group operation
689 Win2003 Application group operation
690 Win2003 Application group operation
691 Win2003 Application group operation
692 All Versions Application group operation
693 Win2003 Application group operation
694 Win2003 Application group operation
695 Win2003 Application group operation
696 Win2003 Application group operation
806 Win2003 Per User Audit Policy was refreshed
807 Win2003 Per user auditing policy set for user
