Windows 2003 Security Events


Account Logon Events

 

Event ID: 672

An authentication service (AS) ticket was successfully issued and validated.

 

Event ID: 673

A ticket granting service (TGS) ticket was granted. A TGS ticket is issued by the Kerberos version 5 ticket-granting service and allows a user to authenticate to a specific service in the domain.

 

Event ID: 674

A security principal renewed an AS ticket or TGS ticket.

 

Event ID: 675

Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.

 

Event ID: 676

Authentication ticket request failed. This event is not generated in Windows XP Professional or in members of the Windows Server family; on those systems a failed AS ticket request is recorded as a failure audit of event 672 instead.

 

Event ID: 677

A TGS ticket was not granted. This event is not generated in Windows XP Professional or in members of the Windows Server family; on those systems a failed TGS request is recorded as a failure audit of event 673 instead.

 

Event ID: 678

An account was successfully mapped to a domain account.

 

Event ID: 681

Logon failure. A domain account logon was attempted. This event is not generated in Windows XP Professional or in members of the Windows Server family; on those systems the failed NTLM logon is recorded as a failure audit of event 680 instead.

 

 

Account Management Events

 

Event ID: 624

A user account was created.

 

Event ID: 627

A user password was changed.

 

Event ID: 628

A user password was set.

 

Event ID: 630

A user account was deleted.

 

Event ID: 631

A global group was created.

 

Event ID: 632

A member was added to a global group.

 

Event ID: 633

A member was removed from a global group.

 

Event ID: 634

A global group was deleted.

 

Event ID: 635

A new local group was created.

 

Event ID: 636

A member was added to a local group.

 

Event ID: 637

A member was removed from a local group.

 

Event ID: 638

A local group was deleted.

 

Event ID: 639

A local group account was changed.

 

Event ID: 641

A global group account was changed.

 

Event ID: 642

A user account was changed.

 

Event ID: 643

A domain policy was modified.

 

Event ID: 644

A user account was automatically locked.

 

Event ID: 645

A computer account was created.

 

Event ID: 646

A computer account was changed.

 

Event ID: 647

A computer account was deleted.

 

Event ID: 648

A local security group with security disabled was created.

 

Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.

 

Event ID: 649

A local security group with security disabled was changed.

 

Event ID: 650

A member was added to a security-disabled local security group.

 

Event ID: 651

A member was removed from a security-disabled local security group.

 

Event ID: 652

A security-disabled local group was deleted.

 

Event ID: 653

A security-disabled global group was created.

 

Event ID: 654

A security-disabled global group was changed.

 

Event ID: 655

A member was added to a security-disabled global group.

 

Event ID: 656

A member was removed from a security-disabled global group.

 

Event ID: 657

A security-disabled global group was deleted.

 

Event ID: 658

A security-enabled universal group was created.

 

Event ID: 659

A security-enabled universal group was changed.

 

Event ID: 660

A member was added to a security-enabled universal group.

 

Event ID: 661

A member was removed from a security-enabled universal group.

 

Event ID: 662

A security-enabled universal group was deleted.

 

Event ID: 663

A security-disabled universal group was created.

 

Event ID: 664

A security-disabled universal group was changed.

 

Event ID: 665

A member was added to a security-disabled universal group.

 

Event ID: 666

A member was removed from a security-disabled universal group.

 

Event ID: 667

A security-disabled universal group was deleted.

 

Event ID: 668

A group type was changed.

 

Event ID: 684

The security descriptor of administrative group members was set.

 

Note: Every 60 minutes on a domain controller, a background thread (the AdminSDHolder propagation, SDProp) searches all members of protected administrative groups (such as Domain Admins, Enterprise Admins, and Schema Admins) and overwrites their security descriptors with the one held on the AdminSDHolder object. This event is logged each time a descriptor is set, so it recurs routinely on domain controllers and is not by itself a sign of tampering.

 

Event ID: 685

Name of an account was changed.

 

Directory Service Access Events

 

Event ID: 566

A generic object operation took place.

 

Logon Events

 

Event ID: 528

A user successfully logged on to a computer.

 

Event ID: 529

Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.

 

Event ID: 530

Logon failure. A logon attempt was made outside the allowed time.

 

Event ID: 531

Logon failure. A logon attempt was made using a disabled account.

 

Event ID: 532

Logon failure. A logon attempt was made using an expired account.

 

Event ID: 533

Logon failure. A logon attempt was made by a user who is not allowed to log on at the specified computer.

 

Event ID: 534

Logon failure. The user attempted to log on with a logon type that is not allowed (for example network, interactive, batch, service, or remote interactive), because the account has not been granted the corresponding logon right on this computer.

 

Event ID: 535

Logon failure. The password for the specified account has expired.

 

Event ID: 536

Logon failure. The Net Logon service is not active.

 

Event ID: 537

Logon failure. The logon attempt failed for other reasons.

 

Note: In some cases, the reason for the logon failure may not be known.

 

Event ID: 538

The logoff process was completed for a user.

 

Event ID: 539

Logon failure. The account was locked out at the time the logon attempt was made.

 

Event ID: 540

A user successfully logged on over the network (a network logon, as opposed to the interactive and other logon types reported by event 528).

 

Event ID: 541

Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.

 

Event ID: 542

A data channel was terminated.

 

Event ID: 543

Main mode was terminated.

 

Note: This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.

 

Event ID: 544

Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.

 

Event ID: 545

Main mode authentication failed because of a Kerberos failure or a password that is not valid.

 

Event ID: 546

IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.

 

Event ID: 547

A failure occurred during an IKE handshake.

 

Event ID: 548

Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.

 

Event ID: 549

Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.

 

Event ID: 550

Notification message that could indicate a possible denial-of-service (DoS) attack.

 

Event ID: 551

A user initiated the logoff process.

 

Event ID: 552

A user successfully logged on to a computer using explicit credentials while already logged on as a different user.

 

Event ID: 682

A user has reconnected to a disconnected terminal server session.

 

Event ID: 683

A user disconnected a terminal server session without logging off.

 

Note: Events 682 and 683 are generated when a user connects to a terminal server session over the network. They are logged on the terminal server.
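
The Account Logon events above (672/673 failure audits and 675 pre-authentication failures on the KDC) and the Logon events in this section (529, 539, then 528 or 540) are the raw material for the two detections a defender most often builds on a Windows 2003 domain: a burst of failures against one account that ends in a success, and one source failing against many accounts. The script below is an added example and not code from the original page. It assumes the Security log has already been exported to comma-separated rows with the five fields shown (timestamp, event ID, audit type, account, source workstation or client address); that layout and the sample rows are constructed for the example.

```python
"""Detect failed-then-successful logon bursts and password spraying in
exported Windows 2003 Security log records.

Added example, not code from the original page. The export format and the
sample rows below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Failure audits: bad password (529), account locked out (539),
# Kerberos pre-authentication failed on the KDC (675).
FAILURE_IDS = {529, 539, 675}
# Success audits: interactive/other logon (528), network logon (540),
# AS ticket issued (672).
SUCCESS_IDS = {528, 540, 672}
# On Windows Server 2003 a failed AS/TGS request is logged as a failure
# audit of 672/673 rather than as 676/677, so the audit type matters.
KERBEROS_REQUEST_IDS = {672, 673}

# Constructed sample export (not real log data): one guessed password
# from 10.1.2.3, one spray from 10.9.9.9, and one benign typo from 10.1.2.4.
SAMPLE_EXPORT = """\
2009-03-02 08:00:01,675,Failure,jsmith,10.1.2.3
2009-03-02 08:00:05,675,Failure,jsmith,10.1.2.3
2009-03-02 08:00:09,672,Failure,jsmith,10.1.2.3
2009-03-02 08:00:13,675,Failure,jsmith,10.1.2.3
2009-03-02 08:00:17,672,Failure,jsmith,10.1.2.3
2009-03-02 08:00:30,672,Success,jsmith,10.1.2.3
2009-03-02 08:10:00,529,Failure,alice,10.9.9.9
2009-03-02 08:10:02,529,Failure,bob,10.9.9.9
2009-03-02 08:10:04,529,Failure,carol,10.9.9.9
2009-03-02 08:10:06,529,Failure,dave,10.9.9.9
2009-03-02 08:10:08,529,Failure,erin,10.9.9.9
2009-03-02 08:20:00,529,Failure,mjones,10.1.2.4
2009-03-02 08:20:20,528,Success,mjones,10.1.2.4
"""


def parse_export(text):
    """Parse the constructed export format into time-ordered dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, kind, account, source = line.split(",")
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "type": kind,
            "account": account.lower(),
            "source": source,
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def is_failure(row):
    return row["id"] in FAILURE_IDS or (
        row["id"] in KERBEROS_REQUEST_IDS and row["type"] == "Failure")


def is_success(row):
    return row["id"] in SUCCESS_IDS and row["type"] == "Success"


def find_brute_force(rows, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, source) pairs with at least `threshold` failures inside
    `window` followed by a success from the same source."""
    by_key = defaultdict(list)
    for row in rows:
        if is_failure(row) or is_success(row):
            by_key[(row["account"], row["source"])].append(row)
    hits = []
    for (account, source), events in by_key.items():
        recent = []
        for ev in events:
            # keep only failures still inside the window ending at this event
            recent = [f for f in recent if ev["time"] - f["time"] <= window]
            if is_failure(ev):
                recent.append(ev)
            else:
                if len(recent) >= threshold:
                    hits.append({"account": account, "source": source,
                                 "failures": len(recent),
                                 "success_id": ev["id"], "at": ev["time"]})
                recent = []  # a success ends the streak either way
    return hits


def find_password_spray(rows, min_accounts=4, window=timedelta(minutes=10)):
    """Flag sources whose failures touch at least `min_accounts` distinct
    accounts inside `window`: few tries per account, many accounts."""
    by_source = defaultdict(list)
    for row in rows:
        if is_failure(row):
            by_source[row["source"]].append(row)
    hits = []
    for source, events in by_source.items():
        start, best = 0, set()
        for end, ev in enumerate(events):
            while ev["time"] - events[start]["time"] > window:
                start += 1
            accounts = {e["account"] for e in events[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits.append({"source": source, "accounts": sorted(best)})
    return hits


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for hit in find_brute_force(rows):
        print("guessed password:", hit)
    for hit in find_password_spray(rows):
        print("password spray:", hit)
```

The Kerberos events are only present on domain controllers, while 528/529/540 are written on the machine where the logon was attempted, so in practice the export is a merge of the domain controllers' logs and the member servers' logs. The thresholds and windows are illustrative starting points, not tuned values.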

 

Object Access Events

 

Event ID: 560

Access was granted to an already existing object.

 

Event ID: 562

A handle to an object was closed.

 

Event ID: 563

An attempt was made to open an object with the intent to delete it.

 

Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile().

 

Event ID: 564

A protected object was deleted.

 

Event ID: 565

Access was granted to an already existing object type.

 

Event ID: 567

A permission associated with a handle was used.

 

Note: A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that were used.

 

Event ID: 568

An attempt was made to create a hard link to a file that is being audited.

 

Event ID: 569

The resource manager in Authorization Manager attempted to create a client context.

 

Event ID: 570

A client attempted to access an object.

 

Note: An event will be generated for every attempted operation on the object.

 

Event ID: 571

The client context was deleted by the Authorization Manager application.

 

Event ID: 572

The Authorization Manager initialized the application.

 

Event ID: 772

The Certificate Manager denied a pending certificate request.

 

Event ID: 773

Certificate Services received a resubmitted certificate request.

 

Event ID: 774

Certificate Services revoked a certificate.

 

Event ID: 775

Certificate Services received a request to publish the certificate revocation list (CRL).

 

Event ID: 776

Certificate Services published the CRL.

 

Event ID: 777

A certificate request extension was made.

 

Event ID: 778

One or more certificate request attributes changed.

 

Event ID: 779

Certificate Services received a request to shut down.

 

Event ID: 780

Certificate Services backup started.

 

Event ID: 781

Certificate Services backup completed.

 

Event ID: 782

Certificate Services restore started.

 

Event ID: 783

Certificate Services restore completed.

 

Event ID: 784

Certificate Services started.

 

Event ID: 785

Certificate Services stopped.

 

Event ID: 786

The security permissions for Certificate Services changed.

 

Event ID: 787

Certificate Services retrieved an archived key.

 

Event ID: 788

Certificate Services imported a certificate into its database.

 

Event ID: 789

The audit filter for Certificate Services changed.

 

Event ID: 790

Certificate Services received a certificate request.

 

Event ID: 791

Certificate Services approved a certificate request and issued a certificate.

 

Event ID: 792

Certificate Services denied a certificate request.

 

Event ID: 793

Certificate Services set the status of a certificate request to pending.

 

Event ID: 794

The certificate manager settings for Certificate Services changed.

 

Event ID: 795

A configuration entry changed in Certificate Services.

 

Event ID: 796

A property of Certificate Services changed.

 

Event ID: 797

Certificate Services archived a key.

 

Event ID: 798

Certificate Services imported and archived a key.

 

Event ID: 799

Certificate Services published the certification authority (CA) certificate to Active Directory.

 

Event ID: 800

One or more rows have been deleted from the certificate database.

 

Event ID: 801

Role separation enabled.

 

Policy Change Events

 

Event ID: 608

A user right was assigned.

 

Event ID: 609

A user right was removed.

 

Event ID: 610

A trust relationship with another domain was created.

 

Event ID: 611

A trust relationship with another domain was removed.

 

Event ID: 612

An audit policy was changed.

 

Event ID: 613

An Internet Protocol security (IPSec) policy agent started.

 

Event ID: 614

An IPSec policy agent was disabled.

 

Event ID: 615

An IPSec policy agent changed.

 

Event ID: 616

An IPSec policy agent encountered a potentially serious failure.

 

Event ID: 617

A Kerberos version 5 policy changed.

 

Event ID: 618

Encrypted Data Recovery policy changed.

 

Event ID: 620

A trust relationship with another domain was modified.

 

Event ID: 621

System access was granted to an account.

 

Event ID: 622

System access was removed from an account.

 

Event ID: 623

Auditing policy was set on a per-user basis.

 

Event ID: 625

Auditing policy was refreshed on a per-user basis.

 

Event ID: 768

A collision was detected between a namespace element in one forest and a namespace element in another forest.

 

Note: When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName.'

 

Event ID: 769

Trusted forest information was added.

 

Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated for each added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages are assigned a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName."

 

Event ID: 770

Trusted forest information was deleted.

 

Note: See event description for event 769.

 

Event ID: 771

Trusted forest information was modified.

 

Note: See event description for event 769.

 

Event ID: 805

The event log service read the security log configuration for a session.

 

Privilege Use Events

 

Event ID: 576

Specified privileges were added to a user's access token.

 

Note: This event is generated when the user logs on.

 

Event ID: 577

A user attempted to perform a privileged system service operation.

 

Event ID: 578

Privileges were used on an already open handle to a protected object.

 

Detailed Tracking Events

 

Event ID: 592

A new process was created.

 

Event ID: 593

A process exited.

 

Event ID: 594

A handle to an object was duplicated.

 

Event ID: 595

Indirect access to an object was obtained.

 

Event ID: 596

A data protection master key was backed up.

 

Note: The master key is used by the CryptProtectData and CryptUnprotectData routines (DPAPI) and by Encrypting File System (EFS). A new master key is generated periodically (every 90 days by default) and is backed up each time it is created, usually to a domain controller.

 

Event ID: 597

A data protection master key was recovered from a recovery server.

 

Event ID: 598

Auditable data was protected.

 

Event ID: 599

Auditable data was unprotected.

 

Event ID: 600

A process was assigned a primary token.

 

Event ID: 601

A user attempted to install a service.

 

Event ID: 602

A scheduler job was created.

 

System Events

 

Event ID: 512

Windows is starting up.

 

Event ID: 513

Windows is shutting down.

 

Event ID: 514

An authentication package was loaded by the Local Security Authority.

 

Event ID: 515

A trusted logon process has registered with the Local Security Authority.

 

Event ID: 516

Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.

 

Event ID: 517

The audit log was cleared.

 

Event ID: 518

A notification package was loaded by the Security Accounts Manager.

 

Event ID: 519

A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.

 

Event ID: 520

The system time was changed.

 

Note: This audit normally appears twice.