DOCUMENT:Q174074  09-AUG-2001  [winnt]
TITLE   :Security Event Descriptions
PRODUCT :Microsoft Windows NT
PROD/VER:winnt:3.5,3.51,4.0
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
 - Microsoft Windows NT Server versions 3.5, 3.51, 4.0
-------------------------------------------------------------------------------

SUMMARY
=======

This article contains descriptions of various security-related and
auditing-related events, and tips for interpreting them. These events will
all appear in the Security event log and will be logged with a source of
"Security."

MORE INFORMATION
================

Event ID: 512
Type: Success Audit
Description: Windows NT is starting up.

Event ID: 513
Type: Success Audit
Description: Windows NT is shutting down. All logon sessions will be
   terminated by this shutdown.

Event ID: 514
Type: Success Audit
Description: An authentication package has been loaded by the Local
   Security Authority. This authentication package will be used to
   authenticate logon attempts.
   Authentication Package Name: %1

Event ID: 515
Type: Success Audit
Description: A trusted logon process has registered with the Local
   Security Authority. This logon process will be trusted to submit
   logon requests.
   Logon Process Name: %1

Event ID: 516
Type: Success Audit
Description: Internal resources allocated for the queuing of audit
   messages have been exhausted, leading to the loss of some audits.
   Number of audit messages discarded: %1

Event ID: 517
Type: Success Audit
Description: The audit log was cleared
   Primary User Name: %1
   Primary Domain: %2
   Primary Logon ID: %3
   Client User Name: %4
   Client Domain: %5
   Client Logon ID: %6

Event ID: 518
Type: Success Audit
Description: A notification package has been loaded by the Security
   Account Manager. This package will be notified of any account or
   password changes.
   Notification Package Name: %1

Event ID: 528
Type: Success Audit
Description: Successful Logon:
   User Name: %1
   Domain: %2
   Logon ID: %3
   Logon Type: %4
   Logon Process: %5
   Authentication Package: %6
   Workstation Name: %7

Event ID: 529
Type: Failure Audit
Description: Logon Failure:
   Reason: Unknown user name or bad password
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 530
Type: Failure Audit
Description: Logon Failure:
   Reason: Account logon time restriction violation
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 531
Type: Failure Audit
Description: Logon Failure:
   Reason: Account currently disabled
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 532
Type: Failure Audit
Description: Logon Failure:
   Reason: The specified user account has expired
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 533
Type: Failure Audit
Description: Logon Failure:
   Reason: User not allowed to logon at this computer
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 534
Type: Failure Audit
Description: Logon Failure:
   Reason: The user has not been granted the requested logon type at
      this machine
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 535
Type: Failure Audit
Description: Logon Failure:
   Reason: The specified account's password has expired
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 536
Type: Failure Audit
Description: Logon Failure:
   Reason: The NetLogon component is not active
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 537
Type: Failure Audit
Description: Logon Failure:
   Reason: An unexpected error occurred during logon
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 538
Type: Success Audit
Description: User Logoff:
   User Name: %1
   Domain: %2
   Logon ID: %3
   Logon Type: %4

Event ID: 539
Type: Failure Audit
Description: Logon Failure:
   Reason: Account locked out
   User Name: %1
   Domain: %2
   Logon Type: %3
   Logon Process: %4
   Authentication Package: %5
   Workstation Name: %6

Event ID: 560
Type: Success Audit
Description: Object Open:
   Object Server: %1
   Object Type: %2
   Object Name: %3
   New Handle ID: %4
   Operation ID: {%5,%6}
   Process ID: %7
   Primary User Name: %8
   Primary Domain: %9
   Primary Logon ID: %10
   Client User Name: %11
   Client Domain: %12
   Client Logon ID: %13
   Accesses %14
   Privileges %15

Event ID: 561
Type: Success Audit
Description: Handle Allocated:
   Handle ID: %1
   Operation ID: {%2,%3}
   Process ID: %4

Event ID: 562
Type: Success Audit
Description: Handle Closed:
   Object Server: %1
   Handle ID: %2
   Process ID: %3

Event ID: 563
Type: Success Audit
Description: Object Open for Delete:
   Object Server: %1
   Object Type: %2
   Object Name: %3
   New Handle ID: %4
   Operation ID: {%5,%6}
   Process ID: %7
   Primary User Name: %8
   Primary Domain: %9
   Primary Logon ID: %10
   Client User Name: %11
   Client Domain: %12
   Client Logon ID: %13
   Accesses %14
   Privileges %15

Event ID: 564
Type: Success Audit
Description: Object Deleted:
   Object Server: %1
   Handle ID: %2
   Process ID: %3

Event ID: 576
Type: Success Audit
Description: Special privileges assigned to new logon:
   User Name: %1
   Domain: %2
   Logon ID: %3
   Assigned: %4

Event ID: 577
Type: Success Audit
Description: Privileged Service Called:
   Server: %1
   Service: %2
   Primary User Name: %3
   Primary Domain: %4
   Primary Logon ID: %5
   Client User Name: %6
   Client Domain: %7
   Client Logon ID: %8
   Privileges: %9

Event ID: 578
Type: Failure Audit
Description: Privileged object operation:
   Object Server: %1
   Object Handle: %2
   Process ID: %3
   Primary User Name: %4
   Primary Domain: %5
   Primary Logon ID: %6
   Client User Name: %7
   Client Domain: %8
   Client Logon ID: %9
   Privileges: %10

Event ID: 592
Type: Success Audit
Description: A new process has been created:
   New Process ID: %1
   Image File Name: %2
   Creator Process ID: %3
   User Name: %4
   Domain: %5
   Logon ID: %6

Event ID: 593
Type: Success Audit
Description: A process has exited:
   Process ID: %1
   User Name: %2
   Domain: %3
   Logon ID: %4

Event ID: 594
Type: Success Audit
Description: A handle to an object has been duplicated:
   Source Handle ID: %1
   Source Process ID: %2
   Target Handle ID: %3
   Target Process ID: %4

Event ID: 595
Type: Success Audit
Description: Indirect access to an object has been obtained:
   Object Type: %1
   Object Name: %2
   Process ID: %3
   Primary User Name: %4
   Primary Domain: %5
   Primary Logon ID: %6
   Client User Name: %7
   Client Domain: %8
   Client Logon ID: %9
   Accesses: %10

Event ID: 608
Type: Success Audit
Description: User Right Assigned:
   User Right: %1
   Assigned To: %2
   Assigned By:
      User Name: %3
      Domain: %4
      Logon ID: %5

Event ID: 609
Type: Success Audit
Description: User Right Removed:
   User Right: %1
   Removed From: %2
   Removed By:
      User Name: %3
      Domain: %4
      Logon ID: %5

Event ID: 610
Type: Success Audit
Description: New Trusted Domain:
   Domain Name: %1
   Domain ID: %2
   Established By:
      User Name: %3
      Domain: %4
      Logon ID: %5

Event ID: 611
Type: Success Audit
Description: Removing Trusted Domain:
   Domain Name: %1
   Domain ID: %2
   Removed By:
      User Name: %3
      Domain: %4
      Logon ID: %5

Event ID: 612
Type: Success Audit
Description: Audit Policy Change:
   New Policy:
      Success   Failure
        %1        %2      System
        %3        %4      Logon/Logoff
        %5        %6      Object Access
        %7        %8      Privilege Use
        %9        %10     Detailed Tracking
        %11       %12     Policy Change
        %13       %14     Account Management
   Changed By:
      User Name: %15
      Domain Name: %16
      Logon ID: %17

Event ID: 624
Type: Success Audit
Description: User Account Created:
   New Account Name: %1
   New Domain: %2
   New Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges %7

Event ID: 625
Type: Success Audit
Description: User Account Type Change:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   New Type: %4
   Caller User Name: %5
   Caller Domain: %6
   Caller Logon ID: %7

Event ID: 626
Type: Success Audit
Description: User Account Enabled:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6

Event ID: 627
Type: Success Audit
Description: Change Password Attempt:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 628
Type: Success Audit
Description: User Account password set:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6

Event ID: 629
Type: Success Audit
Description: User Account Disabled:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6

Event ID: 630
Type: Success Audit
Description: User Account Deleted:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 631
Type: Success Audit
Description: Global Group Created:
   New Account Name: %1
   New Domain: %2
   New Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 632
Type: Success Audit
Description: Global Group Member Added:
   Member: %1
   Target Account Name: %2
   Target Domain: %3
   Target Account ID: %4
   Caller User Name: %5
   Caller Domain: %6
   Caller Logon ID: %7
   Privileges: %8

Event ID: 633
Type: Success Audit
Description: Global Group Member Removed:
   Member: %1
   Target Account Name: %2
   Target Domain: %3
   Target Account ID: %4
   Caller User Name: %5
   Caller Domain: %6
   Caller Logon ID: %7
   Privileges: %8

Event ID: 634
Type: Success Audit
Description: Global Group Deleted:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 635
Type: Success Audit
Description: Local Group Created:
   New Account Name: %1
   New Domain: %2
   New Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 636
Type: Success Audit
Description: Local Group Member Added:
   Member: %1
   Target Account Name: %2
   Target Domain: %3
   Target Account ID: %4
   Caller User Name: %5
   Caller Domain: %6
   Caller Logon ID: %7
   Privileges: %8

Event ID: 637
Type: Success Audit
Description: Local Group Member Removed:
   Member: %1
   Target Account Name: %2
   Target Domain: %3
   Target Account ID: %4
   Caller User Name: %5
   Caller Domain: %6
   Caller Logon ID: %7
   Privileges: %8

Event ID: 638
Type: Success Audit
Description: Local Group Deleted:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 639
Type: Success Audit
Description: Local Group Changed:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 640
Type: Success Audit
Description: General Account Database Change:
   Type of change: %1
   Object Type: %2
   Object Name: %3
   Object ID: %4
   Caller User Name: %5
   Caller Domain: %6
   Caller Logon ID: %7

Event ID: 641
Type: Success Audit
Description: Global Group Changed:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 642
Type: Success Audit
Description: User Account Changed:
   Target Account Name: %1
   Target Domain: %2
   Target Account ID: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6
   Privileges: %7

Event ID: 643
Type: Success Audit
Description: Domain Policy Changed:
   Domain: %1
   Domain ID: %2
   Caller User Name: %3
   Caller Domain: %4
   Caller Logon ID: %5
   Privileges: %6

Event ID: 644
Event Type: Success Audit
Description: User Account Locked Out
   Target Account Name: %1
   Target Account ID: %2
   Caller Machine Name: %3
   Caller User Name: %4
   Caller Domain: %5
   Caller Logon ID: %6

Additional query words: hack sec evt

======================================================================
Keywords          :
Technology        : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search
Version           : winnt:3.5,3.51,4.0
Hardware          : x86
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2001.