
Appendix E

Security Event Messages

This document was previously published in Appendix E of the Microsoft Windows XP Professional Resource Kit, Second Edition, by the Microsoft Windows Team (Microsoft Press, 2003).

This appendix contains information that can help you interpret security event messages. When security event auditing is enabled, you can review security-related events by using Event Viewer, a Microsoft Management Console snap-in. For information about enabling security event auditing, see “Logon and Authentication” and “Authorization and Access Control” in this book.

In this appendix:

Viewing Security Event Messages
System Event Messages
Logon Events
Object Access Events
Privilege Use Events
Detailed Tracking Events
Policy Change Events
User Management Events
Account Logon Events
Directory Service Access Events

Related Information

■ For more information about security events, see “Auditing Microsoft Windows Security Events” in the Microsoft® Windows® Security Resource Kit.


Viewing Security Event Messages

You can review security-related events by using Event Viewer, a Microsoft Management Console snap-in.

To view security event messages

1. Open Event Viewer.

2. In the console tree, click Security.

3. Sort events based on any column in the details pane, such as Event ID, User, or Type.

4. Filter events based on severity, source, or event ID.

Using the event ID number, you can locate the information you need in this appendix. The security event messages are organized into the following categories:

■ System

■ Logon

■ Object access

■ Privilege use

■ Detailed tracking

■ Policy change

■ User management

■ Account logon

■ Directory service access

To simplify scanning and finding the information that you need, the event listings are sorted numerically from lowest event ID number to highest. This numerical ordering is also helpful because related security events are generally grouped together.

Note In several cases, numerical grouping of like events does not apply. These events are cross-referenced in both their numerical and logical locations.

The following information is provided for each event:

■ Event number and title.

■ Parameters that describe the types of detailed information that is provided each time this particular event occurs. Parameters are listed in the order in which they appear in the event.


■ Configurable information that indicates whether the event can be configured to log successes (that is, something happened), failures (something failed to happen), or both failures and successes.

■ Formal name, which is the formal name for the security event. This information is useful for programmers.

Note Many of the error event messages in this appendix apply to Active Directory®–based environments and are not seen on Microsoft® Windows® XP Professional.
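The Event Viewer steps above can also be carried out offline against a Security log that was saved from Event Viewer as a comma-separated file. The following Python script is an added example, not part of the Resource Kit or of any Microsoft tool: it parses a constructed export (the column order Type, Date, Time, Source, Category, Event, User, Computer is an assumption), filters and sorts by type and event ID as in steps 3 and 4, and groups the results into the categories and event ID ranges that this appendix uses for its sections.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs grouped the way this appendix groups its sections. Assumed mapping
# built from the section headings; user management, account logon and directory
# service access events are not covered by this example.
CATEGORIES = {
    "System": set(range(512, 521)),
    "Logon": set(range(528, 551)) | {682, 683},
    "Object access": set(range(560, 569)),
    "Privilege use": set(range(576, 579)),
    "Detailed tracking": set(range(592, 601)),
    "Policy change": set(range(608, 623)) | {768, 769},
}

# Constructed sample of a Security log saved from Event Viewer as CSV.
# The column order is an assumption for this example.
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,3/4/2003,9:01:12 AM,Security,Logon/Logoff,528,CORP\\alice,WS01
Failure Audit,3/4/2003,9:02:40 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WS01
Failure Audit,3/4/2003,9:02:41 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,WS01
Success Audit,3/4/2003,9:05:00 AM,Security,System Event,517,CORP\\alice,WS01
Success Audit,3/4/2003,9:05:03 AM,Security,Policy Change,612,CORP\\alice,WS01
Success Audit,3/4/2003,9:06:10 AM,Security,Object Access,560,CORP\\alice,WS01
Success Audit,3/4/2003,9:06:11 AM,Security,Object Access,562,CORP\\alice,WS01
"""


def parse_export(text):
    """Read the CSV export into dicts, converting the Event column to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Event"] = int(row["Event"])
    return rows


def category_of(event_id):
    """Name of the appendix section that documents this event ID."""
    for name, ids in CATEGORIES.items():
        if event_id in ids:
            return name
    return "Unknown"


def filter_events(rows, event_type=None, event_ids=None):
    """Steps 3 and 4 of the procedure: keep rows matching the Type column
    and/or a set of event IDs, then sort by event ID. The sort is stable,
    so rows with the same ID keep the log's chronological order."""
    kept = [r for r in rows
            if (event_type is None or r["Type"] == event_type)
            and (event_ids is None or r["Event"] in event_ids)]
    return sorted(kept, key=lambda r: r["Event"])


def summarize(rows):
    """Per-category counts of each event ID, for a first pass over a log."""
    by_category = defaultdict(Counter)
    for r in rows:
        by_category[category_of(r["Event"])][r["Event"]] += 1
    return {name: dict(counts) for name, counts in by_category.items()}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for r in filter_events(rows, event_type="Failure Audit"):
        print(r["Event"], r["Date"], r["Time"], r["User"], category_of(r["Event"]))
    for name, counts in summarize(rows).items():
        print(name, counts)
```

Point `parse_export` at the contents of a real export and the same three functions apply; only `CATEGORIES` needs extending if you want the account management, account logon or directory service sections covered.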

System Event Messages

The following messages document local system processes such as system startup and shutdown and changes to the system time or audit log.

512 Windows is starting up.

Parameters: None.

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_RESTART

513 Windows is shutting down.

Parameters: None.

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_SHUTDOWN

514 An authentication package was loaded by the Local Security Authority.

Parameters: Authentication package name.

Configurable Information: Success

Formal name: SE_AUDITID_AUTH_PACKAGE_LOAD

515 A trusted logon process has registered with the Local Security Authority.

Parameters: Logon process name.

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER


516 Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.

Parameters: Number of audit messages discarded.

Configurable Information: Success

Formal name: SE_AUDITID_AUDITS_DISCARDED

517 The audit log was cleared.

Parameters: Primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_AUDIT_LOG_CLEARED

518 A notification package was loaded by the Security Accounts Manager.

Parameters: Notification package name.

Configurable Information: Success

Formal name: SE_AUDITID_NOTIFY_PACKAGE_LOAD

519 A process is using an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client, or read from or write to a client address space.

Parameters: Process ID, type of invalid use (either impersonation or reply), server port name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_LPC_INVALID_USE

520 The system time was changed.

Parameters: Process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, previous time, new time.

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_TIME_CHANGE

This audit normally appears twice. This is necessary to deal with time zone changes.


Logon Events

Windows XP Professional and Windows 2000 Server generate logon-related events when a user logs on interactively or remotely. These events are generated on the computer to which the logon attempt was made. For more information about the different types of logons and the logon process, see “Logon and Authentication” in this book.

528 A user successfully logged on to a computer.

Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.

Configurable Information: Success

Formal name: SE_AUDITID_SUCCESSFUL_LOGON

This event is the counterpart of event 540. Event 528 is recorded for logons of every type except network logons (logon type 3), which are recorded as event 540 with the same parameters.

529 The logon attempt was made with an unknown user name or a known user name with a bad password.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_UNKNOWN_USER_OR_PWD

530 The user account tried to log on outside of the allowed time.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_TIME_RESTR

Logon time restrictions can be configured through the user interface only for domain accounts. For local (non-domain) accounts they can still be set programmatically, so this event can also appear for a local account.


531 A logon attempt was made by using a disabled account.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_DISABLED

532 A logon attempt was made by using an expired account.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_EXPIRED

533 The user is not allowed to log on at this computer.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_WORKSTATION_RESTR

534 The user attempted to log on with a type (such as network, interactive, batch, service, or remote interactive) that is not allowed.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_LOGON_TYPE_RESTR

535 The password for the specified account has expired.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_PASSWORD_EXPIRED


536 The Net Logon service is not active.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_NETLOGON_NOT_STARTED

The Net Logon service is needed for domain-style logon attempts or logon attempts to an account that does not exist on the workstation at which the logon attempt is occurring.

537 The logon attempt failed for other reasons.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made, one or two status codes indicating why the logon failed.

Configurable Information: Failure

Formal name: SE_AUDITID_UNSUCCESSFUL_LOGON

In some cases, the reason for the logon failure might not be known. To find the individual status codes, search for the files Ntstatus.h or Winerror.h, and then open them by using a text editor such as Notepad.

538 A user logged off.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.

Configurable Information: Success

Formal name: SE_AUDITID_LOGOFF

The logoff message can be caused by any type of logoff attempt.

539 The account was locked out at the time the logon attempt was made.

Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_LOCKED


540 A user successfully logged on to a computer.

Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.

Configurable Information: Success

Formal name: SE_AUDITID_NETWORK_LOGON

This event carries the same parameters as event 528 but is recorded for network logons (logon type 3); event 528 is recorded for all other logon types.
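Reading the failure events 529 through 539 one record at a time is rarely the goal; what a reviewer wants is the reason for each failure and whether a run of failures was followed by a success. The Python below is an added example, not code from the Resource Kit. It maps the event IDs above to their reasons, decodes the status code that event 537 carries using values from Ntstatus.h, and reports a workstation that produced a run of 529 failures ending in a 528 or 540 success for one of the user names that were tried. The event records are constructed, and their field names (id, time, user, logon_type, workstation, status) are this example's own; a real log would be parsed into this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failure reasons by event ID, taken from the entries in this section.
FAILURE_REASON = {
    529: "unknown user name or bad password",
    530: "logon outside the allowed hours",
    531: "account disabled",
    532: "account expired",
    533: "user not allowed to log on at this workstation",
    534: "logon type not granted",
    535: "password expired",
    536: "Net Logon service not running",
    537: "other failure (see status code)",
    539: "account locked out",
}

# Status codes from Ntstatus.h that event 537 commonly reports.
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
}

SUCCESS_IDS = {528, 540}


def describe_failure(event):
    """Reason text for a logon failure event; for 537, append the decoded status code."""
    reason = FAILURE_REASON.get(event["id"], "not a logon failure event")
    if event["id"] == 537 and "status" in event:
        name = NTSTATUS.get(event["status"], "unknown status 0x%08X" % event["status"])
        reason += ": " + name
    return reason


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """For each workstation that produced at least `threshold` 529 failures inside
    `window`, return (workstation, sorted user names tried, user of the first
    528/540 success for one of those names inside the same window, or None)."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_source[e["workstation"]].append(e)

    findings = []
    for workstation, evs in by_source.items():
        failures = [e for e in evs if e["id"] == 529]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["time"] - first["time"] <= window]
            if len(burst) < threshold:
                continue
            users = sorted({f["user"].lower() for f in burst})
            success = next((e for e in evs
                            if e["id"] in SUCCESS_IDS
                            and e["user"].lower() in users
                            and first["time"] <= e["time"] <= first["time"] + window),
                           None)
            findings.append((workstation, users, success["user"] if success else None))
            break  # report each workstation once
    return findings


# Constructed sample records; field names are this example's own.
T0 = datetime(2003, 3, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    # five bad passwords for alice from WS02 in under a minute, then a network logon succeeds
    *[{"id": 529, "time": T0 + timedelta(seconds=10 * i), "user": "alice",
       "logon_type": 3, "workstation": "WS02"} for i in range(5)],
    {"id": 540, "time": T0 + timedelta(seconds=70), "user": "alice",
     "logon_type": 3, "workstation": "WS02"},
    # one typo from WS03: below the threshold, not reported
    {"id": 529, "time": T0 + timedelta(minutes=3), "user": "bob",
     "logon_type": 2, "workstation": "WS03"},
    # a 537 whose status code gives the real cause
    {"id": 537, "time": T0 + timedelta(minutes=4), "user": "carol",
     "logon_type": 2, "workstation": "WS03", "status": 0xC0000224},
    # dave's account was already locked out
    {"id": 539, "time": T0 + timedelta(minutes=5), "user": "dave",
     "logon_type": 3, "workstation": "WS04"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if e["id"] in FAILURE_REASON:
            print(e["time"].time(), e["workstation"], e["user"], describe_failure(e))
    for workstation, users, success in find_brute_force(SAMPLE_EVENTS):
        print("burst from", workstation, "against", users, "followed by success for", success)
```

The threshold and window are tuning knobs: a low threshold catches slow guessing but also catches users mistyping a new password, and the success check is what turns a noisy count into a finding worth an immediate look.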

541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.

Parameters: Mode (main or quick), the IP address and name of the other host involved in the authentication, a filter specifying source and destination addresses (address can be either a specific IP, an IP subnet, or all computers), an encryption algorithm, hashing algorithm, and timeout for the security association.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_LOGON_SUCCESS

542 A data channel was terminated.

Parameters: Mode (main or quick), a filter indicating a subnet, a particular host, or all computers, the inbound Security Parameter Index (SPI) for the local host, and the outbound SPI for the other peer in the connection.

Note Data transfer mode is the same as quick mode (QM).

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_LOGOFF_QM

543 Main mode was terminated.

Parameters: A filter indicating a subnet, a particular host, or all computers.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_LOGOFF_MM

This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, peer termination, and so on.


544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.

Parameters: Peer identity (the other host involved in the authentication), a filter indicating a subnet, a particular host, or all computers.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST

545 Main mode authentication failed because of a Kerberos failure or a password that is not valid.

Parameters: Peer identity (the other host involved in the authentication), filter indicating a subnet, a particular host, or all computers.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_AUTH_FAIL

546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.

Parameters: Mode (main or quick, depending on when the error occurred), a filter indicating a subnet, a particular host, or all computers, the incorrect attribute, the expected value, and the received value.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_ATTRIB_FAIL

547 A failure occurred during an IKE handshake.

Parameters: Mode (indicates when the failure occurred), a filter indicating a subnet, a particular host, or all computers, the point of failure, and the reason for the failure.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_NEGOTIATION_FAIL


548 The security ID (SID) from a trusted domain does not match the home domain SID of the client.

Parameters: User name, domain name, logon type, logon process, authentication package, workstation name, impersonated domain.

Configurable Information: Failure

Formal name: SE_AUDITID_DOMAIN_TRUST_INCONSISTENT

549 All SIDs were filtered out during a cross-forest authentication.

Parameters: User name, domain name, logon type, logon process, authentication package, workstation name.

Configurable Information: Failure

Formal name: SE_AUDITID_ALL_SIDS_FILTERED

During cross-forest authentication, all SIDs corresponding to untrusted namespaces are filtered out. This event is triggered when this filtering action removes all SIDs.

550 Indicates a possible denial-of-service attack.

Parameters: None, other than text indicating whether denial-of-service prevention mode is beginning or ending.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_IPSEC_IKE_NOTIFICATION

This event message is generated when IKE has a large number of pending requests to establish security associations and is entering denial-of-service prevention mode. This might be normal if caused by a high load on the computer or a large number of client connection attempts. It might also be the result of a denial-of-service attack against IKE. If it is an attack, there are usually many audits for failed IKE negotiations to spoofed IP addresses. Otherwise, the computer is simply under very heavy load.

682 A user has reconnected to a disconnected terminal server session.

Parameters: User name, domain name, logon ID, session name, client name, client address.

Configurable Information: Success

Formal name: SE_AUDITID_SESSION_RECONNECTED

This event message is generated on a terminal server.


683 A user disconnected a terminal server session without logging off.

Parameters: User name, domain, logon ID, session name, client name, client address.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_SESSION_DISCONNECTED

This event message is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

Object Access Events

Object access events must be enabled on a per object basis by configuring the system access control list (SACL) for that object. For information about how to configure SACLs, see “Authorization and Access Control” in this book.

560 Access was granted to an already existing object.

Parameters: Object server, object type, object name, handle ID, operation ID, process ID, image file name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, access privileges, restricted SID count.

Configurable Information: Success

Formal name: SE_AUDITID_OPEN_HANDLE

Objects are accessed with handles. This event means that a handle was opened. It does not mean that the object was actually accessed.

562 A handle to an object was closed.

Parameters: Object server, handle ID, process ID, image file name.

Configurable Information: Success

Formal name: SE_AUDITID_CLOSE_HANDLE

563 An attempt was made to open an object with the intent to delete it.

Parameters: Object server, object type, object name, handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_OPEN_OBJECT_FOR_DELETE

This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified.


564 A protected object was deleted.

Parameters: Object server, handle ID, process ID.

Configurable Information: Success

Formal name: SE_AUDITID_DELETE_OBJECT

565 Access was granted to an already existing object type.

Parameters: Object server, object type, object name, handle ID, operation ID, process ID, process name, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges, properties.

Configurable Information: Success

Formal name: SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE

566 A generic object operation took place.

Parameters: Operation type, object type, object name, handle ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, properties.

Configurable Information: Success

Formal name: SE_AUDITID_OBJECT_OPERATION

This event message is also used to audit directory service access events.

567 A permission associated with a handle was used.

Parameters: Name of the object being accessed, object server, handle ID, object type, process ID, access mask.

Configurable Information: Success

Formal name: SE_AUDITID_OBJECT_ACCESS

A handle is created with certain granted permissions (read, write, and so on). When the handle is used, one audit is generated for each of the permissions that was used.
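The note on event 560 is the central caveat of object auditing: a handle being opened does not show that the object was read or written. Correlating each 560 with the 567 and 562 audits that share its handle ID, as the added Python example below does (this is not Resource Kit code; the event dicts and their field names are constructed for the example, and the file access-mask bit names are taken from Winnt.h), separates objects that were merely opened from objects whose granted permissions were actually used. Because handle IDs are reused after a 562, the open handle is tracked per (process ID, handle ID) and retired on close.

```python
# File-object access-mask bits from Winnt.h, used to render the masks that
# events 560 and 567 carry.
FILE_ACCESS_BITS = {
    0x00000001: "ReadData", 0x00000002: "WriteData", 0x00000004: "AppendData",
    0x00000008: "ReadEA", 0x00000010: "WriteEA", 0x00000020: "Execute",
    0x00000040: "DeleteChild", 0x00000080: "ReadAttributes",
    0x00000100: "WriteAttributes", 0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}


def decode_mask(mask):
    """Names of the access bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]


def correlate_handles(events):
    """Join each 560 (handle opened) with the 567 (permission used) and 562
    (handle closed) audits that share its process ID and handle ID.
    Handle IDs are reused once closed, so the open handle is tracked per
    (pid, handle_id) and retired on 562. Returns one record per 560, in order."""
    records, open_by_key = [], {}
    for e in sorted(events, key=lambda e: e["seq"]):
        key = (e["pid"], e["handle_id"])
        if e["id"] == 560:
            rec = {"object": e["object_name"], "user": e["user"],
                   "granted": e["accesses"], "used": 0, "closed": False}
            records.append(rec)
            open_by_key[key] = rec
        elif e["id"] == 567 and key in open_by_key:
            open_by_key[key]["used"] |= e["access_mask"]
        elif e["id"] == 562 and key in open_by_key:
            open_by_key.pop(key)["closed"] = True
    return records


def actually_accessed(records):
    """Objects whose handle was used, not merely opened: (object, used access names)."""
    return [(r["object"], decode_mask(r["used"])) for r in records if r["used"]]


# Constructed sample audits; field names are this example's own.
SAMPLE_EVENTS = [
    # alice opens payroll.xls for read and write, reads it, closes it
    {"seq": 1, "id": 560, "pid": 1188, "handle_id": 0x2C4, "user": "alice",
     "object_name": r"C:\Finance\payroll.xls",
     "accesses": 0x1 | 0x2 | 0x80 | 0x20000 | 0x100000},
    {"seq": 2, "id": 567, "pid": 1188, "handle_id": 0x2C4, "access_mask": 0x1},
    {"seq": 3, "id": 562, "pid": 1188, "handle_id": 0x2C4},
    # the same handle ID is reused for budget.doc, which is opened and closed unused
    {"seq": 4, "id": 560, "pid": 1188, "handle_id": 0x2C4, "user": "alice",
     "object_name": r"C:\Finance\budget.doc", "accesses": 0x80 | 0x100000},
    {"seq": 5, "id": 562, "pid": 1188, "handle_id": 0x2C4},
    # bob opens secrets.txt for write and writes to it; the handle is still open
    {"seq": 6, "id": 560, "pid": 2044, "handle_id": 0x1F0, "user": "bob",
     "object_name": r"C:\Finance\secrets.txt", "accesses": 0x2 | 0x4 | 0x100000},
    {"seq": 7, "id": 567, "pid": 2044, "handle_id": 0x1F0, "access_mask": 0x2},
]

if __name__ == "__main__":
    records = correlate_handles(SAMPLE_EVENTS)
    for r in records:
        print(r["user"], r["object"], "granted", decode_mask(r["granted"]),
              "used", decode_mask(r["used"]) or "nothing",
              "closed" if r["closed"] else "open")
    print("actually accessed:", actually_accessed(records))
```

On a real log the 567 audits only appear for permissions the SACL audits, so an object with a 560 and no 567 may still have been touched through a permission you did not choose to audit; the correlation tells you what the audited permissions show, not more.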


568 An attempt was made to create a hard link to a file that is being audited.

Parameters: Primary user name, primary domain, primary logon ID, object name, link name.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_HARDLINK_CREATION

Privilege Use Events

Changes to a user’s privileges or attempts to use privileges in an unauthorized manner might require investigation. These events help support these queries.

576 Specified privileges were added to a user’s token.

Parameters: Special privileges assigned to the new user (SeChangeNotifyPrivilege, SeAuditPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege), user name, domain, logon ID, privileges.

Configurable Information: Success

Formal name: SE_AUDITID_ASSIGN_SPECIAL_PRIV

This event message is generated when the user logs on.

577 A user attempted to perform a privileged system service operation.

Parameters: Privileged service called, server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_PRIVILEGED_SERVICE

Callers of PrivilegedServiceAuditAlarm generate this event.

578 Privileges were used on an already open handle to a protected object.

Parameters: Privileged object operation, object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.

Configurable Information: Success

Formal name: SE_AUDITID_PRIVILEGED_OBJECT


Detailed Tracking Events

In Windows XP Professional and Windows 2000 Server, all processes occur in a security context. At times you might need to investigate the security implications of the processes initiated on a computer. The following messages allow you to see security events that relate to system processes.

592 A new process was created.

Parameters: New process ID, image file name, creator process ID, user name, domain name, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_PROCESS_CREATED

593 A process exited.

Parameters: Process ID, image file name, user name, domain name, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_PROCESS_EXIT
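Because every 592 names both the new process ID and the creator process ID, the two events above are enough to rebuild the process tree for an investigation. The Python below is an added example, not Resource Kit code: it consumes constructed 592 and 593 records (the field names are the example's own), keeps the tree correct when a process ID is reused after a 593, and answers the question an investigator usually asks of such a tree, which processes descend from a given image.

```python
class ProcessTree:
    """Rebuild parent/child relationships from 592 (create) and 593 (exit) audits.
    Process IDs are reused after exit, so each 592 starts a new node and the
    `live` map is keyed by PID only while that process is running."""

    def __init__(self):
        self.nodes = []   # every process ever created, in audit order
        self.live = {}    # pid -> node, for running processes only

    def feed(self, event):
        if event["id"] == 592:
            parent = self.live.get(event["creator_pid"])  # None if the creator was never audited
            node = {"pid": event["new_pid"], "image": event["image"], "user": event["user"],
                    "logon_id": event["logon_id"], "parent": parent, "exited": False}
            self.nodes.append(node)
            self.live[event["new_pid"]] = node
        elif event["id"] == 593:
            node = self.live.pop(event["pid"], None)
            if node is not None:
                node["exited"] = True

    def ancestry(self, node):
        """Image names from this process up to the root (the process itself first)."""
        chain = []
        while node is not None:
            chain.append(node["image"])
            node = node["parent"]
        return chain


def build_tree(events):
    tree = ProcessTree()
    for e in events:
        tree.feed(e)
    return tree


def processes_with_ancestor(tree, image_name):
    """Every process whose ancestry (excluding itself) contains image_name, case-insensitively."""
    want = image_name.lower()
    return [n for n in tree.nodes if want in (i.lower() for i in tree.ancestry(n)[1:])]


# Constructed sample audits; field names are this example's own.
LOGON = "(0x0,0x1A2B3)"
SAMPLE_EVENTS = [
    {"id": 592, "new_pid": 1488, "image": r"C:\WINDOWS\explorer.exe", "creator_pid": 1000,
     "user": "alice", "logon_id": LOGON},
    {"id": 592, "new_pid": 2260, "image": r"C:\WINDOWS\system32\cmd.exe", "creator_pid": 1488,
     "user": "alice", "logon_id": LOGON},
    {"id": 592, "new_pid": 2304, "image": r"C:\WINDOWS\system32\net.exe", "creator_pid": 2260,
     "user": "alice", "logon_id": LOGON},
    {"id": 593, "pid": 2304, "image": r"C:\WINDOWS\system32\net.exe", "user": "alice", "logon_id": LOGON},
    {"id": 593, "pid": 2260, "image": r"C:\WINDOWS\system32\cmd.exe", "user": "alice", "logon_id": LOGON},
    # PID 2260 is reused by an unrelated notepad started from explorer ...
    {"id": 592, "new_pid": 2260, "image": r"C:\WINDOWS\notepad.exe", "creator_pid": 1488,
     "user": "alice", "logon_id": LOGON},
    # ... so a child of the new 2260 must attach to notepad, not to the exited cmd.exe
    {"id": 592, "new_pid": 2400, "image": r"C:\WINDOWS\system32\calc.exe", "creator_pid": 2260,
     "user": "alice", "logon_id": LOGON},
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    for n in tree.nodes:
        print(n["pid"], "exited" if n["exited"] else "running", " <- ".join(tree.ancestry(n)))
    print("descendants of cmd.exe:",
          [n["pid"] for n in processes_with_ancestor(tree, r"C:\WINDOWS\system32\cmd.exe")])
```

The root of a chain is whatever process was already running when auditing started (here explorer.exe's creator, PID 1000, has no 592 of its own), so an investigation that needs the full chain must start from a log that was being collected before the session of interest began.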

594 A handle to an object was duplicated.

Parameters: Source handle ID, source process ID, target handle ID, target process ID.

Configurable Information: Success

Formal name: SE_AUDITID_DUPLICATE_HANDLE

595 Indirect access to an object was obtained.

Parameters: Object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses.

Configurable Information: Success

Formal name: SE_AUDITID_INDIRECT_REFERENCE


596 A data protection master key was backed up.

Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifies the key on the domain controller that was used to encrypt the master key), failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_BACKUP

The master key is used by the CryptProtectData and CryptUnprotectData routines, and Encrypting File System (EFS). The master key is backed up each time a new one is created (the default is 90 days). The key is usually backed up to a domain controller.

597 A data protection master key was recovered from a recovery server.

Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery key ID (identifying the key on the domain controller used to encrypt the master key), failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_RECOVERY

598 Auditable data was protected.

Parameters: Data description, key ID (the master key GUID), protected data flags (CRYPTPROTECT_AUDIT, which indicates that the audit should be generated or CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_PROTECT

599 Auditable data was unprotected.

Parameters: Data description, key ID, protected data flags (including CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, and CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not be viewed in the user space), name of the protection algorithm, failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_UNPROTECT


600 A process was assigned a primary token.

This often happens when a service starts. The following parameters are tracked for both the assigning process and the new process.

Parameters: Process ID, image file name (the name of the process), user name, domain name, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_ASSIGN_TOKEN

Policy Change Events

Policy change events include security event messages involving trust relationships, IPSec policy, and user rights assignments.

IPSec policy involves settings that need to be applied to the computer. The IPSec audits include filters (what traffic should be processed by IPSec) and filter actions (such as encryption or authentication).

For more information about the user rights that are being audited, see the appendix “User Rights” in this book.

608 A user right was assigned.

Parameters: User, right, assigned to, assigned by (includes user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_USER_RIGHT_ASSIGNED

609 A user right was removed.

Parameters: User, right, assigned to, assigned by (includes user name, domain, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_USER_RIGHT_REMOVED


610 A trust relationship with another domain was created.

Parameters: New trusted domain (domain name, domain ID), established by (user name, domain name, logon ID), trust type, trust direction, trust attributes.

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_ADD

This event is recorded on the domain controller on which the trusted domain object (TDO) is created and not on any other domain controller to which the TDO is replicated.

611 A trust relationship with another domain was removed.

Parameters: Trusted domain removed (domain name, domain ID), removed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_REM

This event is only recorded on the domain controller on which the trusted domain object (TDO) is deleted.

612 An audit policy was changed.

Parameters: New policy (includes success, failure, or both for logon/logoff, object access, privilege use, account management, policy change, system, detailed tracking, directory service access, account logon), changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_AUDIT_POLICY_CHANGE

The new policy is described in the audit body.
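Event 612 is worth parsing rather than just noticing, because turning a category off is a common prelude to activity that should have been audited. The Python below is an added example, not Resource Kit code. It parses a constructed 612 message body in which each category has a success column and a failure column marked with + or -, followed by the Changed By block; that layout is an assumption for this example, so check it against the text of your own 612 events and adjust the regular expressions if they differ. It then reports the categories where auditing that a baseline requires was switched off.

```python
import re

# One policy row: success column, failure column, category name.
ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")
# Fields of the Changed By block.
FIELD = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(\S.*?)\s*$")

# Constructed 612 message body. The +/- column layout is assumed; check it
# against your own events before relying on the regular expressions above.
SAMPLE_612 = """\
Audit Policy Change:
    New Policy:
    Success  Failure
        +        +  Logon/Logoff
        +        -  Object Access
        -        -  Privilege Use
        +        +  Account Management
        +        +  Policy Change
        +        -  System
        -        -  Detailed Tracking
        -        -  Directory Service Access
        +        +  Account Logon
    Changed By:
      User Name:   alice
      Domain Name: CORP
      Logon ID:    (0x0,0x1A2B3)
"""

# The auditing this example's baseline requires: (success, failure) per category.
BASELINE = {
    "Logon/Logoff": (True, True),
    "Object Access": (True, True),
    "Privilege Use": (True, True),
    "Account Management": (True, True),
    "Policy Change": (True, True),
    "System": (True, True),
    "Account Logon": (True, True),
}


def parse_612(body):
    """Return ({category: (success_on, failure_on)}, {changed-by field: value})."""
    policy, changed_by = {}, {}
    for line in body.splitlines():
        row = ROW.match(line)
        if row:
            policy[row.group(3)] = (row.group(1) == "+", row.group(2) == "+")
            continue
        field = FIELD.match(line)
        if field:
            changed_by[field.group(1)] = field.group(2)
    return policy, changed_by


def weakened(baseline, new_policy):
    """Categories where auditing the baseline requires is now off: (category, [what was lost])."""
    lost = []
    for category, (want_success, want_failure) in baseline.items():
        have_success, have_failure = new_policy.get(category, (False, False))
        missing = [name for name, want, have in
                   (("success", want_success, have_success),
                    ("failure", want_failure, have_failure))
                   if want and not have]
        if missing:
            lost.append((category, missing))
    return lost


if __name__ == "__main__":
    policy, who = parse_612(SAMPLE_612)
    print("changed by", who.get("Domain Name"), "\\", who.get("User Name"), who.get("Logon ID"))
    for category, missing in weakened(BASELINE, policy):
        print("auditing turned off:", category, missing)
```

Pair the output with the Changed By fields: a 612 that weakens the policy and is attributed to an account or logon ID that does not normally administer the computer is the case to follow up first.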

613 An IPSec policy agent started.

Parameters: Policy source.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_POLICY_START

614 An IPSec policy agent was disabled.

Parameters: Policy source.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_POLICY_DISABLED


615 An IPSec policy agent changed.

Parameters: Policy source.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_IPSEC_POLICY_CHANGED

616 An IPSec policy agent encountered a potentially serious failure.

Parameters: Policy source.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_POLICY_FAILURE

617 A Kerberos policy changed.

Parameters: Changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_KERBEROS_POLICY_CHANGE

618 Encrypted Data Recovery policy changed.

Parameters: Changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_EFS_POLICY_CHANGE

620 A trust relationship with another domain was modified.

Parameters: Trusted domain information modified (domain name, domain ID), modified by (user name, domain name, logon ID), trust type, trust direction, trust attributes.

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_MOD

This event is only recorded on the domain controller on which the trusted domain object (TDO) is modified.


621 System access was granted to an account.

Parameters: Access granted, account modified, assigned by (user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_ACCESS_GRANTED

System access permissions can be interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive.

622 System access was removed from an account.

Parameters: Access removed, account modified, assigned by (user name, domain name, and logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_ACCESS_REMOVED

System access permissions can be interactive, network, batch, service, proxy, deny interactive, deny network, deny batch, deny service, remote interactive, or deny remote interactive.

768 A collision was detected between a namespace element in one forest and a namespace element in another forest.

Parameters: Target type, target name, forest root, top level name, DNS name, NetBIOS name, SID, new flags.

Configurable Information: Failure

Formal name: SE_AUDITID_NAMESPACE_COLLISION

When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each namespace element. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for a “TopLevelName” namespace element.


769 Trusted forest information was added.

Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD

This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.

770 Trusted forest information was deleted.

Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, deleted by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM

This event message is generated when forest trust information is updated and one or more entries are deleted. One event message is generated per deleted entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.

771 Trusted forest information was modified.

Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD

This event message is generated when forest trust information is updated and one or more entries are modified. One event message is generated per modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.
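Correlating 769, 770 and 771 messages by operation ID as the three descriptions above explain, written here as an added example and not taken from the book. The record field names and every sample value are constructed, and the "DomainInfo" entry type label is an assumption standing in for the non-TopLevelName case.

```python
from typing import Dict, List

# Event IDs from the appendix and the action each one records.
FOREST_TRUST_EVENTS = {769: "added", 770: "deleted", 771: "modified"}

# Constructed sample records. Field names are assumptions modelled on the
# parameter lists in the appendix; the values are invented, not real log data.
SAMPLE_EVENTS: List[dict] = [
    {"event_id": 769, "operation_id": "0x2A1", "forest_root": "corp.example",
     "entry_type": "TopLevelName", "top_level_name": "partner.example",
     "dns_name": None, "netbios_name": None, "domain_sid": None,
     "client_user_name": "trustadmin"},
    {"event_id": 769, "operation_id": "0x2A1", "forest_root": "corp.example",
     "entry_type": "DomainInfo", "top_level_name": None,
     "dns_name": "sales.partner.example", "netbios_name": "SALES",
     "domain_sid": "S-1-5-21-111-222-333", "client_user_name": "trustadmin"},
    {"event_id": 770, "operation_id": "0x2A1", "forest_root": "corp.example",
     "entry_type": "TopLevelName", "top_level_name": "old.partner.example",
     "dns_name": None, "netbios_name": None, "domain_sid": None,
     "client_user_name": "trustadmin"},
    {"event_id": 771, "operation_id": "0x2B7", "forest_root": "corp.example",
     "entry_type": "DomainInfo", "top_level_name": None,
     "dns_name": "hr.partner.example", "netbios_name": "HR",
     "domain_sid": "S-1-5-21-444-555-666", "client_user_name": "svc-deploy"},
    # An unrelated event (user account created) that the correlation must ignore.
    {"event_id": 624, "operation_id": None, "forest_root": None,
     "entry_type": None, "top_level_name": None, "dns_name": None,
     "netbios_name": None, "domain_sid": None, "client_user_name": "helpdesk"},
]


def describe_entry(event: dict) -> str:
    """Render one entry using only the parameters that are valid for its
    entry type: a TopLevelName entry carries no DNS name, NetBIOS name or
    SID, so those fields are not shown for it."""
    if event["entry_type"] == "TopLevelName":
        return f"TopLevelName {event['top_level_name']}"
    return (f"{event['entry_type']} {event['dns_name']} "
            f"(NetBIOS {event['netbios_name']}, SID {event['domain_sid']})")


def correlate_forest_trust_events(events: List[dict]) -> Dict[str, dict]:
    """Group 769/770/771 events by operation ID so each forest trust update
    is reviewed as one operation rather than as scattered single-entry
    messages."""
    ops: Dict[str, dict] = {}
    for event in events:
        action = FOREST_TRUST_EVENTS.get(event["event_id"])
        if action is None:
            continue  # not a forest trust information event
        op = ops.setdefault(event["operation_id"], {
            "forest_root": event["forest_root"],
            "added": [], "deleted": [], "modified": [],
            "actors": set(),
        })
        op[action].append(describe_entry(event))
        op["actors"].add(event["client_user_name"])
    return ops


def summarize_operations(ops: Dict[str, dict]) -> List[str]:
    """One review line per operation: who changed what in which forest."""
    lines = []
    for op_id, op in sorted(ops.items()):
        lines.append(
            f"operation {op_id} on {op['forest_root']} by "
            f"{', '.join(sorted(op['actors']))}: "
            f"{len(op['added'])} added, {len(op['deleted'])} deleted, "
            f"{len(op['modified'])} modified"
        )
    return lines


if __name__ == "__main__":
    for line in summarize_operations(correlate_forest_trust_events(SAMPLE_EVENTS)):
        print(line)
```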

User Management Events

The bulk of the user management events are identical, with variation only in the activity (for example, enabled versus disabled) and the security groups (local, global, or universal) to which the audit applies.

In addition, from event 648 to event 685, some events include the phrase SECURITY_DISABLED in their formal names. This means that these groups cannot be used to grant permissions in access checks. If the SID representing a security-disabled group appears in a user’s token, it is only used to verify deny access control entries (ACEs) during an access check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.

For more information about access tokens and the roles and use of local, global, or universal groups, see “Authorization and Access Control” in this book.
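A small access-check model of the rule just described, added here as an example and not code from the book: each group SID in the token is marked security-enabled or security-disabled, and the DACL walk consults a security-disabled SID only when the ACE is a deny ACE. The SIDs, the access mask bits and the DACL are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Access mask bits for the constructed example (not the real Windows constants).
READ = 0x1
WRITE = 0x2


@dataclass(frozen=True)
class Ace:
    """One access control entry: an allow or deny rule for one SID."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    """Simplified access token: the user SID plus group SIDs.

    groups maps each group SID to True when the group is SECURITY_ENABLED
    and to False when it is security-disabled (consulted for deny ACEs only).
    """
    user_sid: str
    groups: Dict[str, bool]

    def matches(self, ace: Ace) -> bool:
        if ace.sid == self.user_sid:
            return True
        if ace.sid not in self.groups:
            return False
        # A security-disabled group SID is used only to verify deny ACEs.
        return self.groups[ace.sid] or ace.kind == "deny"


def access_check(token: Token, dacl: List[Ace], desired: int) -> bool:
    """Walk the DACL in order: a matching deny ACE that covers any still
    ungranted desired bit fails the check; matching allow ACEs accumulate
    rights until every desired bit has been granted."""
    granted = 0
    for ace in dacl:
        if not token.matches(ace):
            continue
        if ace.kind == "deny":
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


# Constructed SIDs for the example.
USER = "S-1-5-21-1000-1"
GROUP = "S-1-5-21-1000-1105"

# Deny WRITE to the group, then allow READ and WRITE to the group.
DACL = [Ace("deny", GROUP, WRITE), Ace("allow", GROUP, READ | WRITE)]


def demo() -> Dict[str, bool]:
    """Same DACL, same SIDs; only the group's security-enabled flag differs."""
    disabled = Token(USER, {GROUP: False})
    enabled = Token(USER, {GROUP: True})
    return {
        # allow ACE is ignored for the security-disabled group, so no READ
        "disabled_read": access_check(disabled, DACL, READ),
        # the deny ACE still applies to the security-disabled group
        "disabled_write": access_check(disabled, DACL, WRITE),
        # security-enabled group: allow ACE grants READ
        "enabled_read": access_check(enabled, DACL, READ),
        # deny ACE precedes the allow ACE, so WRITE is refused either way
        "enabled_write": access_check(enabled, DACL, WRITE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```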

624 A user account was created.

Parameters: Name of new user account, domain of new user account, SID string of new user account, user name of subject creating the user account, domain name of subject creating the user account, logon ID string of subject creating the user account, privileges used to create the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_CREATED

627 A user password was changed.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_PWD_CHANGED


628 A user password was set.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_PWD_SET

630 A user account was deleted.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject deleting the user account, domain name of subject deleting the user account, logon ID string of subject deleting the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_DELETED

631 A global group was created.

Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_CREATED

632 A member was added to a global group.

Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_ADD

633 A member was removed from a global group.

Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_REM


634 A global group was deleted.

Parameters: Name of the global group account, domain of the global group account, SID string of the global group account, user name of subject deleting the global group, domain name of subject deleting the global group, logon ID string of subject deleting the global group.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_DELETED

635 A new local group was created.

Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_CREATED

636 A member was added to a local group.

Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_ADD

637 A member was removed from a local group.

Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_REM


638 A local group was deleted.

Parameters: Name of group account being deleted, domain of the group account, SID string of group account, user name of subject deleting the account, domain name of subject deleting the account, logon ID string of subject deleting the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_DELETED

639 A local group account was changed.

Parameters: Name of group account being changed, domain of group account, SID string of group account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_CHANGE

641 A global group account was changed.

Parameters: Name of group account being changed, domain of group account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_CHANGE

642 A user account was changed.

Parameters: Name of user account, domain of user account, SID string of user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_CHANGE

643 A domain policy was modified.

Parameters: Domain policy that was modified, domain name, domain ID, caller user name, caller domain, caller logon ID, privileges used.

Configurable Information: Success

Formal name: SE_AUDITID_DOMAIN_POLICY_CHANGE


644 A user account was auto locked.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_AUTO_LOCKED

This happens when a user attempts to log on unsuccessfully multiple times (the number of attempts is configured by the administrator).

645 A computer account was created.

Parameters: Name of new computer account, domain of new computer account, SID string of new computer account, user name of subject creating the computer account, domain name of subject creating the computer account, logon ID string of subject creating the computer account, privileges used to create the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_CREATED

646 A computer account was changed.

Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject changing the computer account, domain name of subject changing the computer account, logon ID string of subject changing the computer account, privileges used to change the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_CHANGE

647 A computer account was deleted.

Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject deleting the computer account, domain name of subject deleting the computer account, logon ID string of subject deleting the computer account, privileges used to delete the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_DELETED


648 A local security group with security disabled was created.

Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account, privileges used to create the account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED

SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. If the SID representing a security-disabled group appears in a user’s token, it is only used to verify deny access control entries (ACEs) during an access check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.

For more information about access tokens and the roles and usage of local, global, or universal groups, see “Authorization and Access Control” in this book.

649 A local security group with security disabled was changed.

Parameters: Name of group account, domain of group account, SID string of group account, user name of subject modifying the account, domain name of subject modifying the account, logon ID string of subject modifying the account, privileges used to modify the account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE

650 A member was added to a security-disabled local security group.

Parameters: SID string of member being added, name of security-disabled local security group account, domain of security group account, SID string of security-disabled local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD


651 A member was removed from a security-disabled local security group.

Parameters: SID string of member being removed, name of security-disabled local security group account, domain of security-disabled security group account, SID string of local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM

652 A security-disabled local group was deleted.

Parameters: Name of the security-disabled local group, domain of security-disabled local group, SID string of security-disabled local group, user name of subject deleting the security-disabled local group, domain name of subject deleting the security-disabled local group, logon ID string of subject deleting the security-disabled local group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED

653 A security-disabled global group was created.

Parameters: Name of new security-disabled global group, domain of new security-disabled global group, SID string of new security-disabled global group, user name of subject creating the security-disabled global group, domain name of subject creating the security-disabled global group, logon ID string of subject creating the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED

654 A security-disabled global group was changed.

Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE


655 A member was added to a security-disabled global group.

Parameters: SID string of member being added, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD

656 A member was removed from a security-disabled global group.

Parameters: SID string of member being removed, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM

657 A security-disabled global group was deleted.

Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject deleting the security-disabled global group, domain name of subject deleting the security-disabled global group, logon ID string of subject deleting the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED

658 A security-enabled universal group was created.

Parameters: Name of new group account, domain of new security-enabled universal group, SID string of new security-enabled universal group, user name of subject creating the security-enabled universal group, domain name of subject creating the security-enabled universal group, logon ID string of subject creating the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED


659 A security-enabled universal group was changed.

Parameters: Name of target security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE

660 A member was added to a security-enabled universal group.

Parameters: SID string of member being added, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD

661 A member was removed from a security-enabled universal group.

Parameters: SID string of member being removed, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM

662 A security-enabled universal group was deleted.

Parameters: Name of target account, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject deleting the security-enabled universal group, domain name of subject deleting the security-enabled universal group, logon ID string of subject deleting the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED


663 A security-disabled universal group was created.

Parameters: Name of new security-disabled universal group, domain of new security-disabled universal group, SID string of new security-disabled universal group, user name of subject creating the security-disabled universal group, domain name of subject creating the security-disabled universal group, logon ID string of subject creating the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED

664 A security-disabled universal group was changed.

Parameters: Name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE

665 A member was added to a security-disabled universal group.

Parameters: SID string of member being added, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD

666 A member was removed from a security-disabled universal group.

Parameters: SID string of member being removed, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM


667 A security-disabled universal group was deleted.

Parameters: Name of target account, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject deleting the security-disabled universal group, domain name of subject deleting the security-disabled universal group, logon ID string of subject deleting the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED

668 A group type was changed.

Parameters: Nature of group type change, name of group being changed, domain of group being changed, SID string of group being changed, user name of subject changing the group type, domain name of subject changing the group type, logon ID string of subject changing the group type.

Configurable Information: Success

Formal name: SE_AUDITID_GROUP_TYPE_CHANGE

684 Set the security descriptor of members of administrative groups.

Parameters: Domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURE_ADMIN_GROUP

Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.

685 Name of an account was changed.

Parameters: Name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_NAME_CHANGE


Account Logon Events

Unlike the logon events described earlier in this appendix, the following security event messages track activity specifically in relation to Kerberos logon attempts, which require Active Directory.

672 An authentication service (AS) ticket was successfully issued and validated.

Parameters: User name of client, domain name of client, SID of client, SID of service, ticket options, failure code, ticket encryption type, preauthentication type (such as PK_INIT), client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_AS_TICKET_SUCCESS

This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes place. One AS ticket is granted per logon session.

673 A ticket granting service (TGS) ticket was granted.

Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_TGS_TICKET_SUCCESS

This event occurs on the KDC and means that a user presented an AS ticket and was given a TGS ticket for some service.

674 A principal renewed an AS ticket or TGS ticket.

Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_TICKET_RENEW_SUCCESS

This event occurs on the KDC and is currently only caused by non-Windows-based clients, because Windows-based clients do not renew tickets but reacquire them instead.


675 Preauthentication failed.

Parameters: User name of client, SID of client, user name of service, preauthentication type, failure code, client IP address.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_PREAUTH_FAILURE

This event message is generated on the KDC for reasons such as the user typing in a wrong password, a large difference between the clock time on the client and the KDC, or a smart card logon error.

677 A TGS ticket was not granted.

Parameters: User name of client, SID of client, user name of service, SID of service, preauthentication type, failure code, client IP address.

Configurable Information: Failure

Formal name: SE_AUDITID_TGS_TICKET_FAILURE

This audit occurs on the KDC.

678 An account was successfully mapped to a domain account.

Parameters: Source, client name, mapped name.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_MAPPED

An account mapping is a map of a user authenticated in an MIT Kerberos realm to a domain account.

681 A domain account logon attempt was made.

Parameters: Logon attempt by, logon account, source workstation, error code, if relevant.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_ACCOUNT_LOGON

This audit appears on the domain controller or wherever the account exists. The following error codes are possible:

■ Unknown user name or bad password (1326)

■ Account logon time restriction violation (1328)

■ Account currently disabled (1331)


■ The specified user account has expired (1793)

■ User not allowed to log on at this computer (1329)

■ The user has not been granted the requested logon type at this computer (1327)

■ The specified account’s password has expired (1330)

■ The Net Logon service is not active (1792)
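Decoding these error codes over a batch of 681 records, as an added example rather than code from the book. The record field names are assumed from the parameter list for event 681, the accounts and workstation names are constructed, and the threshold argument stands in for the administrator-configured failed-attempt count that produces the auto-lock recorded as event 644.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Error codes the appendix lists for event 681.
ACCOUNT_LOGON_ERROR_CODES: Dict[int, str] = {
    1326: "Unknown user name or bad password",
    1327: "The user has not been granted the requested logon type at this computer",
    1328: "Account logon time restriction violation",
    1329: "User not allowed to log on at this computer",
    1330: "The specified account's password has expired",
    1331: "Account currently disabled",
    1792: "The Net Logon service is not active",
    1793: "The specified user account has expired",
}


def describe_error(code: Optional[int]) -> str:
    """Decode the error-code parameter; a successful 681 carries none."""
    if code is None:
        return "success"
    return ACCOUNT_LOGON_ERROR_CODES.get(code, f"unrecognized error code {code}")


# Constructed sample of 681 records (field names assumed from the parameter
# list above; accounts and workstation names are invented, not real log data).
SAMPLE_681: List[dict] = [
    {"logon_account": "jdoe", "source_workstation": "WS-17", "error_code": 1326},
    {"logon_account": "jdoe", "source_workstation": "WS-17", "error_code": 1326},
    {"logon_account": "jdoe", "source_workstation": "WS-17", "error_code": 1326},
    {"logon_account": "jdoe", "source_workstation": "WS-17", "error_code": None},
    {"logon_account": "svc-backup", "source_workstation": "SRV-02", "error_code": 1331},
    {"logon_account": "asmith", "source_workstation": "WS-09", "error_code": 1330},
    {"logon_account": "asmith", "source_workstation": "WS-09", "error_code": 9999},
]

Key = Tuple[str, str]  # (logon account, source workstation)


def summarize_failures(events: List[dict]) -> Dict[Key, Counter]:
    """Count failed 681 attempts per (account, workstation), keyed by the
    decoded reason so a reviewer reads 'password has expired' rather than 1330."""
    summary: Dict[Key, Counter] = {}
    for event in events:
        if event["error_code"] is None:
            continue  # successful attempt, nothing to explain
        key = (event["logon_account"], event["source_workstation"])
        summary.setdefault(key, Counter())[describe_error(event["error_code"])] += 1
    return summary


def bad_password_bursts(events: List[dict], threshold: int) -> List[Key]:
    """Account/workstation pairs with at least `threshold` code-1326 failures:
    the repeated-failure pattern that trips the lockout recorded as event 644."""
    counts: Counter = Counter(
        (e["logon_account"], e["source_workstation"])
        for e in events if e["error_code"] == 1326
    )
    return sorted(key for key, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for key, reasons in summarize_failures(SAMPLE_681).items():
        print(key, dict(reasons))
    print("lockout candidates:", bad_password_bursts(SAMPLE_681, threshold=3))
```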

In each of these events, descriptive text gives detailed information about each specific logon attempt. Also, on Windows XP Professional you can enable success and failure auditing of the Account Logon category of events, which enables the following events:

■ Authentication ticket granted

■ Service ticket granted

■ Ticket renewed

■ Preauthentication failed

■ Authentication ticket request failed

■ Service ticket request failed

■ Account mapped for logon

■ Account could not be mapped for logging on

■ Account used for logging on

The following account logon events are included in “Logon Events” earlier in this appendix:

682 A user has reconnected to a disconnected terminal server session.

683 A user disconnected a terminal server session without logging off.

Directory Service Access Events

The only directory service access event is also included in “Object Access Events” earlier in this appendix.

566 A generic object operation took place.

Parameters: Object operation, operation type, object type, object name, handle ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, properties.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_OBJECT_OPERATION