Account Logon Events
Event ID: 672
Description: An authentication service (AS) ticket was successfully issued and validated.
Event ID: 673
A ticket granting service (TGS) ticket was granted. A TGS is a ticket issued by the Kerberos version 5 ticket-granting service TGS that allows a user to authenticate to a specific service in the domain.
Event ID: 674
A security principal renewed an AS ticket or TGS ticket.
Event ID: 675
Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
Event ID: 676
Authentication ticket request failed. This event is not generated in Windows XP Professional or in members of the Windows Server family.
Event ID: 677
A TGS ticket was not granted. This event is not generated in Windows XP Professional or in the members of the Windows Server family.
Event ID: 678
An account was successfully mapped to a domain account.
Event ID: 681
Logon failure. A domain account logon was attempted. This event is not generated in Windows XP Professional or in members of the Windows Server family.
Event ID: 682
A user has reconnected to a disconnected terminal server session.
Event ID: 683
A user disconnected a terminal server session without logging off.
Account Management Events
Event ID: 624
A user account was created.
Event ID: 627
A user password was changed.
Event ID: 628
A user password was set.
Event ID: 630
A user account was deleted.
Event ID: 631
A global group was created.
Event ID: 632
A member was added to a global group.
Event ID: 633
A member was removed from a global group.
Event ID: 634
A global group was deleted.
Event ID: 635
A new local group was created.
Event ID: 636
A member was added to a local group.
Event ID: 637
A member was removed from a local group.
Event ID: 638
A local group was deleted.
Event ID: 639
A local group account was changed.
Event ID: 641
A global group account was changed.
Event ID: 642
A user account was changed.
Event ID: 643
A domain policy was modified.
Event ID: 644
A user account was automatically locked.
Event ID: 645
A computer account was created.
Event ID: 646
A computer account was changed.
Event ID: 647
A computer account was deleted.
Event ID: 648
A local security group with security disabled was created.
Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
Event ID: 649
A local security group with security disabled was changed.
Event ID: 650
A member was added to a security-disabled local security group.
Event ID: 651
A member was removed from a security-disabled local security group.
Event ID: 652
A security-disabled local group was deleted.
Event ID: 653
A security-disabled global group was created.
Event ID: 654
A security-disabled global group was changed.
Event ID: 655
A member was added to a security-disabled global group.
Event ID: 656
A member was removed from a security-disabled global group.
Event ID: 657
A security-disabled global group was deleted.
Event ID: 658
A security-enabled universal group was created.
Event ID: 659
A security-enabled universal group was changed.
Event ID: 660
A member was added to a security-enabled universal group.
Event ID: 661
A member was removed from a security-enabled universal group.
Event ID: 662
A security-enabled universal group was deleted.
Event ID: 663
A security-disabled universal group was created.
Event ID: 664
A security-disabled universal group was changed.
Event ID: 665
A member was added to a security-disabled universal group.
Event ID: 666
A member was removed from a security-disabled universal group.
Event ID: 667
A security-disabled universal group was deleted.
Event ID: 668
A group type was changed.
Event ID: 684
The security descriptor of administrative group members was set.
Note: Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.
Event ID: 685
Name of an account was changed.
Directory Service Access Events
Event ID: 566
A generic object operation took place.
Audit Logon Events
Event ID: 528
A user successfully logged on to a computer.
Event ID: 529
Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
Event ID: 530
Logon failure. A logon attempt was made outside the allowed time.
Event ID: 531
Logon failure. A logon attempt was made using a disabled account.
Event ID: 532
Logon failure. A logon attempt was made using an expired account.
Event ID: 533
Logon failure. A logon attempt was made by a user who is not allowed to log on at the specified computer.
Event ID: 534
Logon failure. The user attempted to log on with a password type that is not allowed.
Event ID: 535
Logon failure. The password for the specified account has expired.
Event ID: 536
Logon failure. The Net Logon service is not active.
Event ID: 537
Logon failure. The logon attempt failed for other reasons.
Note: In some cases, the reason for the logon failure may not be known.
Event ID: 538
The logoff process was completed for a user.
Event ID: 539
Logon failure. The account was locked out at the time the logon attempt was made.
Event ID: 540
A user successfully logged on to a network.
Event ID: 541
Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
Event ID: 542
A data channel was terminated.
Event ID: 543
Main mode was terminated.
Note: This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.
Event ID: 544
Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
Event ID: 545
Main mode authentication failed because of a Kerberos failure or a password that is not valid.
Event ID: 546
IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
Event ID: 547
A failure occurred during an IKE handshake.
Event ID: 548
Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.
Event ID: 549
Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.
Event ID: 550
Notification message that could indicate a possible denial-of-service (DoS) attack.
Event ID: 551
A user initiated the logoff process.
Event ID: 552
A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
Event ID: 682
A user has reconnected to a disconnected terminal server session.
Event ID: 683
A user disconnected a terminal server session without logging off.
Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
Object Access Events
Event ID: 560
Access was granted to an already existing object.
Event ID: 562
A handle to an object was closed.
Event ID: 563
An attempt was made to open an object with the intent to delete it.
Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().
Event ID: 564
A protected object was deleted.
Event ID: 565
Access was granted to an already existing object type.
Event ID: 567
A permission associated with a handle was used.
Note: A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that were used.
Event ID: 568
An attempt was made to create a hard link to a file that is being audited.
Event ID: 569
The resource manager in Authorization Manager attempted to create a client context.
Event ID: 570
A client attempted to access an object.
Note: An event will be generated for every attempted operation on the object.
Event ID: 571
The client context was deleted by the Authorization Manager application.
Event ID: 572
The Administrator Manager initialized the application.
Event ID: 772
The Certificate Manager denied a pending certificate request.
Event ID: 773
Certificate Services received a resubmitted certificate request.
Event ID: 774
Certificate Services revoked a certificate.
Event ID: 775
Certificate Services received a request to publish the certificate revocation list (CRL).
Event ID: 776
Certificate Services published the CRL.
Event ID: 777
A certificate request extension was made.
Event ID: 778
One or more certificate request attributes changed.
Event ID: 779
Certificate Services received a request to shut down.
Event ID: 780
Certificate Services backup started.
Event ID: 781
Certificate Services backup completed.
Event ID: 782
Certificate Services restore started.
Event ID: 783
Certificate Services restore completed.
Event ID: 784
Certificate Services started.
Event ID: 785
Certificate Services stopped.
Event ID: 786
The security permissions for Certificate Services changed.
Event ID: 787
Certificate Services retrieved an archived key.
Event ID: 788
Certificate Services imported a certificate into its database.
Event ID: 789
The audit filter for Certificate Services changed.
Event ID: 790
Certificate Services received a certificate request.
Event ID: 791
Certificate Services approved a certificate request and issued a certificate.
Event ID: 792
Certificate Services denied a certificate request.
Event ID: 793
Certificate Services set the status of a certificate request to pending.
Event ID: 794
The certificate manager settings for Certificate Services changed.
Event ID: 795
A configuration entry changed in Certificate Services.
Event ID: 796
A property of Certificate Services changed.
Event ID: 797
Certificate Services archived a key.
Event ID: 798
Certificate Services imported and archived a key.
Event ID: 799
Certificate Services published the certificate authority (CA) certificate to Microsoft Active Directory directory service.
Event ID: 800
One or more rows have been deleted from the certificate database.
Event ID: 801
Role separation enabled.
Audit Policy Change Events
Event ID: 608
A user right was assigned.
Event ID: 609
A user right was removed.
Event ID: 610
A trust relationship with another domain was created.
Event ID: 611
A trust relationship with another domain was removed.
Event ID: 612
An audit policy was changed.
Event ID: 613
An Internet Protocol security (IPSec) policy agent started.
Event ID: 614
An IPSec policy agent was disabled.
Event ID: 615
An IPSec policy agent changed.
Event ID: 616
An IPSec policy agent encountered a potentially serious failure.
Event ID: 617
A Kerberos version 5 policy changed.
Event ID: 618
Encrypted Data Recovery policy changed.
Event ID: 620
A trust relationship with another domain was modified.
Event ID: 621
System access was granted to an account.
Event ID: 622
System access was removed from an account.
Event ID: 623
Auditing policy was set on a per-user basis
Event ID: 625
Auditing policy was refreshed on a per-user basis.
Event ID: 768
A collision was detected between a namespace element in one forest and a namespace element in another forest.
Note: When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type. For example, fields such as DNS name, NetBIOS name, and SID are not valid for an entry of type 'TopLevelName.'
Event ID: 769
Trusted forest information was added.
Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated for each added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages are assigned a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName."
Event ID: 770
Trusted forest information was deleted.
Note: See event description for event 769.
Event ID: 771
Trusted forest information was modified.
Note: See event description for event 769.
Event ID: 805
The event log service read the security log configuration for a session.
Privilege Use Events
Event ID: 576
Specified privileges were added to a user's access token.
Note: This event is generated when the user logs on.
Event ID: 577
A user attempted to perform a privileged system service operation.
Event ID: 578
Privileges were used on an already open handle to a protected object.
Detailed Tracking Events
Event ID: 592
A new process was created.
Event ID: 593
A process exited.
Event ID: 594
A handle to an object was duplicated.
Event ID: 595
Indirect access to an object was obtained.
Event ID: 596
A data protection master key was backed up.
Note: The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created. (The default setting is 90 days.) The key is usually backed up by a domain controller.
Event ID: 597
A data protection master key was recovered from a recovery server.
Event ID: 598
Auditable data was protected.
Event ID: 599
Auditable data was unprotected.
Event ID: 600
A process was assigned a primary token.
Event ID: 601
A user attempted to install a service.
Event ID: 602
A scheduler job was created.
Audit System Events
Event ID: 512
Windows is starting up.
Event ID: 513
Windows is shutting down.
Event ID: 514
An authentication package was loaded by the Local Security Authority.
Event ID: 515
A trusted logon process has registered with the Local Security Authority.
Event ID: 516
Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.
Event ID: 517
The audit log was cleared.
Event ID: 518
A notification package was loaded by the Security Accounts Manager.
Event ID: 519
A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client and reply or read from or write to a client address space.
Event ID: 520
The system time was changed.
Note: This audit normally appears twice.
