
Appendix E

Security Event Messages


This document was previously published in Appendix E of the Microsoft Windows XP
Professional Resource Kit, Second Edition, by the Microsoft Windows Team (Microsoft
Press, 2003).

This appendix contains information that can help you interpret security event messages.
When security event auditing is enabled, you can review security-related events by using
Event Viewer, a Microsoft Management Console snap-in. For information about enabling security
event auditing, see “Logon and Authentication” and “Authorization and Access Control”
in this book.

In this appendix:
Viewing Security Event Messages
System Event Messages
Logon Events
Object Access Events
Privilege Use Events
Detailed Tracking Events
Policy Change Events
User Management Events
Account Logon Events
Directory Service Access Events

Related Information
■ For more information about security events, see “Auditing Microsoft Windows Security
Events” in the Microsoft® Windows® Security Resource Kit.


Viewing Security Event Messages


You can review security-related events by using Event Viewer, a Microsoft Management Console
snap-in.

To view security event messages


1. Open Event Viewer.
2. In the console tree, click Security.
3. Sort events based on any column in the details pane, such as Event ID, User, or Type.
4. Filter events based on severity, source, or event ID.

Using the event ID number, you can locate the information you need in this appendix. The
security event messages are organized by category and include the following categories of
event messages:

■ System
■ Logon
■ Object access
■ Privilege use
■ Detailed tracking
■ Policy change
■ User management
■ Account logon
■ Directory service access

To simplify scanning and finding the information that you need, the event listings are sorted
numerically from lowest event ID number to highest. This numerical ordering is also helpful
because related security events are generally grouped together.

Note In several cases, numerical grouping of like events does not apply. These events are
cross-referenced in both their numerical and logical locations.

The following information is provided for each event:

■ Event number and title.


■ Parameters that describe the types of detailed information that is provided each time
this particular event occurs. Parameters are listed in the order in which they appear in
the event.

■ Configurable information that indicates whether the event can be configured to log
successes (that is, something happened), failures (something failed to happen), or both
failures and successes.
■ Formal name, which is the formal name for the security event. This information is useful
for programmers.

Note Many of the error event messages in this appendix apply to Active Directory®–based
environments and are not seen on Microsoft® Windows® XP Professional.

System Event Messages


The following messages document local system processes such as system startup and shutdown
and changes to the system time or audit log.

512 Windows is starting up.


Parameters: None.
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_RESTART

513 Windows is shutting down.


Parameters: None.
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_SHUTDOWN

514 An authentication package was loaded by the Local Security Authority.

Parameters: Authentication package name.
Configurable Information: Success
Formal name: SE_AUDITID_AUTH_PACKAGE_LOAD

515 A trusted logon process has registered with the Local Security
Authority.
Parameters: Logon process name.
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER

516 Internal resources allocated for the queuing of security event messages have been
exhausted, leading to the loss of some security event messages.

Parameters: Number of audit messages discarded.
Configurable Information: Success
Formal name: SE_AUDITID_AUDITS_DISCARDED

517 The audit log was cleared.


Parameters: Primary user name, primary domain, primary logon ID, client user name, client
domain, client logon ID
Configurable Information: Success
Formal name: SE_AUDITID_AUDIT_LOG_CLEARED

518 A notification package was loaded by the Security Accounts Manager.

Parameter: Notification package name.
Configurable Information: Success
Formal name: SE_AUDITID_NOTIFY_PACKAGE_LOAD

519 A process is using an invalid local procedure call (LPC) port in an attempt to
impersonate a client and reply or read from or write to a client address space.

Parameters: Process ID, type of invalid use (either impersonation or reply), server port name,
primary user name, primary domain, primary logon ID, client user name, client domain, client
logon ID.
Configurable Information: Success
Formal name: SE_AUDITID_LPC_INVALID_USE

520 The system time was changed.


Parameters: Process ID, process name, primary user name, primary domain, primary logon
ID, client user name, client domain, client logon ID, previous time, new time.
Configurable Information: Success
Formal name: SE_AUDITID_SYSTEM_TIME_CHANGE
This audit normally appears twice. This is necessary to deal with time zone changes.

Logon Events
Windows XP Professional and Windows 2000 Server generate logon-related events when a
user logs on interactively or remotely. These events are generated on the computer to which
the logon attempt was made. For more information about the different types of logons and the
logon process, see “Logon and Authentication” in this book.

528 A user successfully logged on to a computer.


Parameters: User name, domain, or workstation involved in the logon attempt, logon ID,
logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or
negotiate) involved in the logon attempt, workstation name.

Configurable Information: Success

Formal names: SE_AUDITID_SUCCESSFUL_LOGON, SE_AUDITID_NETWORK_LOGON

This event is identical to event 540.

529 The logon attempt was made with an unknown user name or a
known user name with a bad password.
Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_UNKNOWN_USER_OR_PWD

530 The user account tried to log on outside of the allowed time.
Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_TIME_RESTR

Logon time restrictions can only be configured for domain accounts. However, for non-domain
accounts, it is still possible to configure logon time restrictions programmatically.

531 A logon attempt was made by using a disabled account.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_DISABLED

532 A logon attempt was made by using an expired account.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_EXPIRED

533 The user is not allowed to log on at this computer.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_WORKSTATION_RESTR

534 The user attempted to log on with a type (such as network, interactive, batch, service,
or remote interactive) that is not allowed.

Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_LOGON_TYPE_RESTR

535 The password for the specified account has expired.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_PASSWORD_EXPIRED



536 The Net Logon service is not active.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_NETLOGON_NOT_STARTED

The Net Logon service is needed for domain-style logon attempts or logon attempts to an
account that does not exist on the workstation at which the logon attempt is occurring.

537 The logon attempt failed for other reasons.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation from which the logon attempt was made, one or two status codes indicating why
the logon failed.

Configurable Information: Failure

Formal name: SE_AUDITID_UNSUCCESSFUL_LOGON

In some cases, the reason for the logon failure might not be known. To find the individual
status codes, search for the files Ntstatus.h or Winerror.h, and then open them by using a text
editor such as Notepad.

538 A user logged off.


Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation at which the logon attempt was made.

Configurable Information: Success

Formal name: SE_AUDITID_LOGOFF

The logoff message can be caused by any type of logoff attempt.

539 The account was locked out at the time the logon attempt was made.
Parameters: User name, domain, or workstation that controls the user account, logon type,
source of the logon attempt, authentication package used for the logon attempt, name of the
workstation from which the logon attempt was made.

Configurable Information: Failure

Formal name: SE_AUDITID_ACCOUNT_LOCKED



540 A user successfully logged on to a computer.


Parameters: User name, domain, or workstation involved in the logon attempt, logon ID,
logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or
negotiate) involved in the logon attempt, workstation name.
Configurable Information: Success
Formal names: SE_AUDITID_SUCCESSFUL_LOGON, SE_AUDITID_NETWORK_LOGON
This event is identical to event 528.

541 Main mode Internet Key Exchange (IKE) authentication was completed between the local
computer and the listed peer identity (establishing a security association), or quick mode
has established a data channel.

Parameters: Mode (main or quick), the IP address and name of the other host involved in the
authentication, a filter specifying source and destination addresses (address can be either a
specific IP, IP subnet, or all computers), an encryption algorithm, hashing algorithm, and
timeout for the security association.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGON_SUCCESS

542 A data channel was terminated.


Parameters: Mode (main or quick), a filter indicating a subnet, a particular host, or all
computers, the inbound Service Parameters Index (SPI) or local host, the outbound SPI (the
other peer in the connection).

Note Data transfer mode is the same as quick mode (QM).

Configurable Information: Success


Formal name: SE_AUDITID_IPSEC_LOGOFF_QM

543 Main mode was terminated.


Parameters: A filter indicating a subnet, a particular host, or all computers.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGOFF_MM
This might occur as a result of the time limit on the security association expiring (the default
is eight hours), policy changes, peer termination, and so on.

544 Main mode authentication failed because the peer did not provide a
valid certificate or the signature was not validated.
Parameters: Peer identity (the other host involved in the authentication), a filter indicating a
subnet, a particular host, or all computers.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST

545 Main mode authentication failed because of a Kerberos failure or a password that is not
valid.

Parameters: Peer identity (the other host involved in the authentication), filter indicating a
subnet, a particular host, or all computers.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_AUTH_FAIL

546 IKE security association establishment failed because the peer sent a
proposal that is not valid. A packet was received that contained data that
is not valid.
Parameters: Mode (main or quick, depending on when the error occurred), a filter indicating a
subnet, a particular host, or all computers, incorrect attribute, expected value, received value.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_ATTRIB_FAIL

547 A failure occurred during an IKE handshake.


Parameters: Mode (indicates when the failure occurred), a filter indicating a subnet, a
particular host, or all computers, the point of failure, and the reason for the failure.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_NEGOTIATION_FAIL



548 The security ID (SID) from a trusted domain does not match the
home domain SID of the client.
Parameters: User name, domain name, logon type, logon process, authentication package,
workstation name, impersonated domain.

Configurable Information: Failure

Formal name: SE_AUDITID_DOMAIN_TRUST_INCONSISTENT

549 All SIDs were filtered out during a cross-forest authentication.


Parameters: User name, domain name, logon type, logon process, authentication package,
workstation name.

Configurable Information: Failure

Formal name: SE_AUDITID_ALL_SIDS_FILTERED

During cross-forest authentication, all SIDs corresponding to untrusted namespaces are
filtered out. This event is triggered when this filtering action removes all SIDs.

550 Indicates a possible denial-of-service attack.


Parameters: No parameters, other than the above text describing the beginning or ending of
a denial-of-service attack.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_IPSEC_IKE_NOTIFICATION

This event message is generated when IKE has a large number of pending requests to establish
security associations and is beginning denial-of-service prevention mode. This might be
normal if caused by high computer loads or a large number of client connection attempts. It
also might be the result of a denial-of-service attack against IKE. If this is a
denial-of-service attack, there are usually many audits for failed IKE negotiations to
spoofed IP addresses. Otherwise, the computer is only extremely heavily loaded.
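The distinction drawn above, many failed IKE negotiations from many different (spoofed) addresses versus plain overload, can be checked mechanically once the Security log has been exported. The following Python script is an added example, not code from the resource kit: it walks constructed sample records of events 541 (IKE authentication completed), 547 (IKE handshake failure) and 550 (denial-of-service notification) and, for each 550, counts the 547 failures and distinct peer addresses in a look-back window. The window length, the thresholds (60 seconds, 5 failures, 3 distinct peers) and every address and timestamp are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records: (event_id, timestamp, peer_address).
# Event IDs follow the appendix; the addresses and times are invented.
# The first 550 follows a burst of 547 failures from many peers; the
# second follows mostly successful negotiations (a busy but healthy host).
SAMPLE_EVENTS = [
    (541, "2003-05-01 09:00:00", "10.0.0.5"),
    (547, "2003-05-01 09:00:05", "198.51.100.7"),
    (547, "2003-05-01 09:00:06", "198.51.100.8"),
    (547, "2003-05-01 09:00:07", "198.51.100.9"),
    (547, "2003-05-01 09:00:08", "198.51.100.10"),
    (547, "2003-05-01 09:00:09", "198.51.100.11"),
    (547, "2003-05-01 09:00:10", "198.51.100.7"),
    (550, "2003-05-01 09:00:20", None),
    (541, "2003-05-01 09:05:00", "10.0.0.6"),
    (541, "2003-05-01 09:05:01", "10.0.0.7"),
    (541, "2003-05-01 09:05:02", "10.0.0.8"),
    (547, "2003-05-01 09:05:03", "10.0.0.9"),
    (550, "2003-05-01 09:05:10", None),
]

IKE_DOS_NOTIFICATION = 550   # SE_AUDITID_IPSEC_IKE_NOTIFICATION
IKE_NEGOTIATION_FAIL = 547   # SE_AUDITID_IPSEC_NEGOTIATION_FAIL


def parse_ts(text):
    """Parse the constructed timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def classify_ike_notifications(events, window=timedelta(seconds=60),
                               min_failures=5, min_distinct_peers=3):
    """For every event 550, count the 547 failures in the preceding window.

    Returns a list of (timestamp, failures, distinct_peers, verdict), where
    verdict is "possible-dos" when many failures came from many distinct
    peers (the pattern the appendix describes) and "load" otherwise.
    The thresholds are assumed values, not something the appendix specifies.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e[1]))
    results = []
    for event_id, ts, _peer in ordered:
        if event_id != IKE_DOS_NOTIFICATION:
            continue
        end = parse_ts(ts)
        start = end - window
        # Tally failed negotiations per peer address inside the window.
        peers = Counter(
            peer for eid, when, peer in ordered
            if eid == IKE_NEGOTIATION_FAIL and start <= parse_ts(when) <= end
        )
        failures = sum(peers.values())
        if failures >= min_failures and len(peers) >= min_distinct_peers:
            verdict = "possible-dos"
        else:
            verdict = "load"
        results.append((ts, failures, len(peers), verdict))
    return results


if __name__ == "__main__":
    for ts, failures, distinct, verdict in classify_ike_notifications(SAMPLE_EVENTS):
        print(f"{ts}: event 550, {failures} failed negotiations from "
              f"{distinct} peers -> {verdict}")
```

The look-back pairs each 550 with the 547 audits that precede it, so a reviewer sees both the notification and the evidence the appendix says to expect rather than the bare event.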

682 A user has reconnected to a disconnected terminal server session.


Parameters: User name, domain name, logon ID, session name, client name, client address.

Configurable Information: Success

Formal name: SE_AUDITID_SESSION_RECONNECTED

This event message is generated on a terminal server.



683 A user disconnected a terminal server session without logging off.


Parameters: User name, domain, logon ID, session name, client name, client address.

Configurable Information: Success or Failure.

Formal name: SE_AUDITID_SESSION_DISCONNECTED

This event message is generated when a user is connected to a terminal server session over the
network. It appears on the terminal server.

Object Access Events


Object access events must be enabled on a per object basis by configuring the system access
control list (SACL) for that object. For information about how to configure SACLs, see
“Authorization and Access Control” in this book.

560 Access was granted to an already existing object.


Parameters: Object server, object type, object name, handle ID, operation ID, process ID,
image file name, primary user name, primary domain, primary logon ID, client user name,
client domain, client logon ID, access privileges, restricted SID count.

Configurable Information: Success

Formal name: SE_AUDITID_OPEN_HANDLE

Objects are accessed with handles. This event means that a handle was opened. It does not
mean that the object was actually accessed.

562 A handle to an object was closed.


Parameters: Object server, handle ID, process ID, image file name.

Configurable Information: Failure

Formal name: SE_AUDITID_CLOSE_HANDLE

563 An attempt was made to open an object with the intent to delete it.
Parameters: Object server, object type, object name, handle ID, operation ID, process ID,
primary user name, primary domain, primary logon ID, client user name, client domain, client
logon ID, accesses, privileges.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_OPEN_OBJECT_FOR_DELETE

This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified.



564 A protected object was deleted.


Parameters: Object server, handle ID, process ID.

Configurable Information: Success

Formal name: SE_AUDITID_DELETE_OBJECT

565 Access was granted to an already existing object type.


Parameters: Object server, object type, object name, handle ID, operation ID, process ID,
process name, primary user name, primary domain, primary logon ID, client user name, client
domain, client logon ID, accesses, privileges, properties.

Configurable Information: Success

Formal name: SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE

566 A generic object operation took place.


Parameters: Operation type, object type, object name, handle ID, primary user name, primary
domain, primary logon ID, client user name, client domain, client logon ID, accesses,
properties.

Configurable Information: Success

Formal name: SE_AUDITID_OBJECT_OPERATION

This event message is also used to audit directory service access events.

567 A permission associated with a handle was used.


Parameters: Name of the object being accessed, object server, handle ID, object type, process
ID, access mask.

Configurable Information: Success

Formal name: SE_AUDITID_OBJECT_ACCESS

A handle is created with certain granted permissions (read, write, and so on). When the
handle is used, one audit is generated for each of the permissions that was used.

568 An attempt was made to create a hard link to a file that is being
audited.
Parameters: Primary user name, primary domain, primary logon ID, object name, link name.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_HARDLINK_CREATION

Privilege Use Events


Changes to a user’s privileges or attempts to use privileges in an unauthorized manner might
require investigation. These events help support these queries.

576 Specified privileges were added to a user’s token.


Parameters: Special privileges assigned to the new user (SeChangeNotifyPrivilege,
SeAuditPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege,
SeRestorePrivilege, SeDebugPrivilege), user name, domain, logon ID, privileges.

Configurable Information: Success

Formal name: SE_AUDITID_ASSIGN_SPECIAL_PRIV

This event message is generated when the user logs on.

577 A user attempted to perform a privileged system service operation.


Parameters: Privileged service called, server, service, primary user name, primary domain,
primary logon ID, client user name, client domain, client logon ID, privileges.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_PRIVILEGED_SERVICE

Callers of PrivilegedServiceAuditAlarm generate this event.

578 Privileges were used on an already open handle to a protected object.

Parameters: Privileged object operation, object server, object handle, process ID, primary
user name, primary domain, primary logon ID, client user name, client domain, client logon
ID, privileges.

Configurable Information: Success

Formal name: SE_AUDITID_PRIVILEGED_OBJECT



Detailed Tracking Events


In Windows XP Professional and Windows 2000 Server, all processes occur in a security
context. At times you might need to investigate the security implications of the processes initiated
on a computer. The following messages allow you to see security events that relate to system
processes.

592 A new process was created.


Parameters: New process ID, image file name, creator process ID, user name, domain, logon
ID.

Configurable Information: Success

Formal name: SE_AUDITID_PROCESS_CREATED

593 A process exited.


Parameters: Process ID, image file name, user name, domain name, logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_PROCESS_EXIT

594 A handle to an object was duplicated.


Parameters: Source handle ID, source process ID, target handle ID, target process ID.

Configurable Information: Success

Formal name: SE_AUDITID_DUPLICATE_HANDLE

595 Indirect access to an object was obtained.


Parameters: Object type, object name, process ID, primary user name, primary domain,
primary logon ID, client user name, client domain, client logon ID, accesses.

Configurable Information: Success

Formal name: SE_AUDITID_INDIRECT_REFERENCE



596 A data protection master key was backed up.


Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery
key ID (identifies the key on the domain controller that was used to encrypt the master key),
failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_BACKUP

The master key is used by the CryptProtectData and CryptUnprotectData routines, and
Encrypting File System (EFS). The master key is backed up each time a new one is created
(the default is 90 days). The key is usually backed up to a domain controller.

597 A data protection master key was recovered from a recovery server.
Parameters: Key ID, recovery server (the computer to which the key was backed up), recovery
key ID (identifying the key on the domain controller used to encrypt the master key), failure
reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_RECOVERY

598 Auditable data was protected.


Parameters: Data description, key ID (the master key GUID), protected data flags
(CRYPTPROTECT_AUDIT, which indicates that the audit should be generated or
CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not
be viewed in the user space), name of the protection algorithm, failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_PROTECT

599 Auditable data was unprotected.


Parameters: Data description, key ID, protected data flags (including
CRYPTPROTECT_AUDIT, which indicates that the audit should be generated, and
CRYPTPROTECT_SYSTEM, which indicates that this is system information and should not
be viewed in the user space), name of the protection algorithm, failure reason.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_DPAPI_UNPROTECT



600 A process was assigned a primary token.


This often happens when a service starts. The following parameters are tracked for both the
assigning process and the new process.

Parameters: Process ID, image file name (the name of the process), user name, domain name,
logon ID.

Configurable Information: Success

Formal name: SE_AUDITID_ASSIGN_TOKEN

Policy Change Events


Policy change events include security event messages involving trust relationships, IPSec
policy, and user rights assignments.

IPSec policy involves settings that need to be applied to the computer. The IPSec audits
include filters (what traffic should be processed by IPSec) and filter actions (such as
encryption or authentication).

For more information about the user rights that are being audited, see the appendix “User
Rights” in this book.

608 A user right was assigned.


Parameters: User, right, assigned to, assigned by (includes user name, domain name, and
logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_USER_RIGHT_ASSIGNED

609 A user right was removed.


Parameters: User, right, assigned to, assigned by (includes user name, domain, and logon
ID).

Configurable Information: Success

Formal name: SE_AUDITID_USER_RIGHT_REMOVED



610 A trust relationship with another domain was created.


Parameters: New trusted domain (domain name, domain ID), established by (user name,
domain name, logon ID), trust type, trust direction, trust attributes.

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_ADD

This event is recorded on the domain controller on which the trusted domain object (TDO) is
created and not on any other domain controller to which the TDO is replicated.

611 A trust relationship with another domain was removed.


Parameters: Trusted domain removed (domain name, domain ID), removed by (user name,
domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_REM

This event is only recorded on the domain controller on which the trusted domain object
(TDO) is deleted.

612 An audit policy was changed.


Parameters: New policy (includes success, failure, or both for logon/logoff, object access,
privilege use, account management, policy change, system, detailed tracking, directory
service access, account logon), changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_AUDIT_POLICY_CHANGE

The new policy is described in the audit body.

613 An IPSec policy agent started.


Parameters: Policy source.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_POLICY_START

614 An IPSec policy agent was disabled.


Parameters: Policy source.

Configurable Information: Success

Formal name: SE_AUDITID_IPSEC_POLICY_DISABLED



615 An IPSec policy agent changed.


Parameters: Policy source.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_IPSEC_POLICY_CHANGED

616 An IPSec policy agent encountered a potentially serious failure.


Parameters: Policy source.

Configurable Information: Failure

Formal name: SE_AUDITID_IPSEC_POLICY_FAILURE

617 A Kerberos policy changed.


Parameters: Changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_KERBEROS_POLICY_CHANGE

618 Encrypted Data Recovery policy changed.


Parameters: Changed by (user name, domain name, logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_EFS_POLICY_CHANGE

620 A trust relationship with another domain was modified.


Parameters: Trusted domain information modified (domain name, domain ID), modified by
(user name, domain name, logon ID), trust type, trust direction, trust attributes.

Configurable Information: Success

Formal name: SE_AUDITID_TRUSTED_DOMAIN_MOD

This event is only recorded on the domain controller on which the trusted domain object
(TDO) is modified.

621 System access was granted to an account.


Parameters: Access granted, account modified, assigned by (user name, domain name, and
logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_ACCESS_GRANTED

System access permissions can be interactive, network, batch, service, proxy, deny interactive,
deny network, deny batch, deny service, remote interactive, or deny remote interactive.

622 System access was removed from an account.


Parameters: Access removed, account modified, assigned by (user name, domain name, and
logon ID).

Configurable Information: Success

Formal name: SE_AUDITID_SYSTEM_ACCESS_REMOVED

System access permissions can be interactive, network, batch, service, proxy, deny interactive,
deny network, deny batch, deny service, remote interactive, or deny remote interactive.

768 A collision was detected between a namespace element in one forest and a namespace
element in another forest.

Parameters: Target type, target name, forest root, top level name, DNS name, NetBIOS name,
SID, new flags.

Configurable Information: Failure

Formal name: SE_AUDITID_NAMESPACE_COLLISION

When a namespace element in one forest overlaps a namespace element in another forest, it
can lead to ambiguity in resolving a name belonging to one of the namespace elements. This
overlap is also called a collision. Not all parameters are valid for each namespace element. For
example, parameters such as DNS name, NetBIOS name, and SID are not valid for a
“TopLevelName” namespace element.

769 Trusted forest information was added.


Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS
name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD

This event message is generated when forest trust information is updated and one or more
entries are added. One event message is generated per added entry. If multiple entries are
added, deleted, or modified in a single update of the forest trust information, all the generated
event messages have a single unique identifier called an operation ID. This allows you to
determine that the multiple generated event messages are the result of a single operation. Not
all parameters are valid for each entry type. For example, parameters such as DNS name,
NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.

770 Trusted forest information was deleted.


Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS
name, NetBIOS name, domain SID, deleted by, client user name, client domain, client logon
ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM

This event message is generated when forest trust information is updated and one or more
entries are deleted. One event message is generated per deleted entry. If multiple entries are
added, deleted, or modified in a single update of the forest trust information, all the generated
event messages have a single unique identifier called an operation ID. This allows you to
determine that the multiple generated event messages are the result of a single operation. Not all
parameters are valid for each entry type. For example, parameters such as DNS name,
NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.

771 Trusted forest information was modified.


Parameters: Forest root, forest root SID, operation ID, entry type, flags, top level name, DNS
name, NetBIOS name, domain SID, added by, client user name, client domain, client logon ID.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD

This event message is generated when forest trust information is updated and one or more
entries are modified. One event message is generated per modified entry. If multiple entries
are added, deleted, or modified in a single update of the forest trust information, all the
generated event messages have a single unique identifier called an operation ID. This allows you
to determine that the multiple generated event messages are the result of a single operation.
Not all parameters are valid for each entry type. For example, parameters such as DNS name,
NetBIOS name, and SID are not valid for an entry of type “TopLevelName”.
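As an added example (not part of the appendix), the following Python groups constructed 769/770/771 records by their operation ID so one forest trust update can be reviewed as a unit, and flags TopLevelName entries that carry parameters the text says are not valid for that entry type; the dictionary field names and the DomainInfo entry type label are assumptions.

```python
"""Correlate forest trust information audit events (769, 770, 771) by operation ID.

Added example, not part of Appendix E. The records below are constructed to mirror
the parameter lists given for events 769-771; the dictionary keys are assumptions,
not the exact field names written by the Windows audit subsystem.
"""
from collections import defaultdict

# Event IDs from Appendix E and the action each one records for a single entry.
TRUSTED_FOREST_EVENTS = {769: "added", 770: "deleted", 771: "modified"}

# Parameters that Appendix E says are not valid for a "TopLevelName" entry.
NOT_VALID_FOR_TOP_LEVEL_NAME = ("dns_name", "netbios_name", "domain_sid")

# Constructed sample: one update that added two entries and modified a third
# (operation ID OP-1, three events), then a separate update that deleted one
# entry (operation ID OP-2). Names, SIDs and IDs are placeholders; the
# "DomainInfo" label is an assumed entry type name.
SAMPLE_EVENTS = [
    {"event_id": 769, "operation_id": "OP-1", "entry_type": "TopLevelName",
     "top_level_name": "partner.example", "forest_root": "partner.example",
     "added_by": "admin1"},
    {"event_id": 769, "operation_id": "OP-1", "entry_type": "DomainInfo",
     "top_level_name": "partner.example", "dns_name": "sub.partner.example",
     "netbios_name": "SUB", "domain_sid": "S-1-5-21-PLACEHOLDER-1",
     "forest_root": "partner.example", "added_by": "admin1"},
    {"event_id": 771, "operation_id": "OP-1", "entry_type": "TopLevelName",
     "top_level_name": "old.partner.example", "forest_root": "partner.example",
     "netbios_name": "OLDP",  # not valid for this entry type, see below
     "added_by": "admin1"},
    {"event_id": 770, "operation_id": "OP-2", "entry_type": "TopLevelName",
     "top_level_name": "retired.example", "forest_root": "partner.example",
     "deleted_by": "admin2"},
    {"event_id": 624, "operation_id": None},  # unrelated event, must be ignored
]


def group_by_operation(events):
    """Bucket 769/770/771 events by operation ID so that one forest trust
    update can be reviewed as a unit instead of as scattered single-entry events."""
    ops = defaultdict(list)
    for ev in events:
        if ev.get("event_id") in TRUSTED_FOREST_EVENTS:
            ops[ev["operation_id"]].append(ev)
    return dict(ops)


def summarize_operation(op_events):
    """Count how many entries one operation added, deleted and modified."""
    counts = {action: 0 for action in TRUSTED_FOREST_EVENTS.values()}
    for ev in op_events:
        counts[TRUSTED_FOREST_EVENTS[ev["event_id"]]] += 1
    return counts


def top_level_entries_with_invalid_fields(events):
    """Return (operation ID, top level name, offending fields) for TopLevelName
    entries that carry a DNS name, NetBIOS name or domain SID. Appendix E says
    those parameters are not valid for that entry type, so a populated value
    points at a malformed or mis-parsed record that deserves a manual look."""
    flagged = []
    for ev in events:
        if ev.get("entry_type") != "TopLevelName":
            continue
        present = [f for f in NOT_VALID_FOR_TOP_LEVEL_NAME if ev.get(f)]
        if present:
            flagged.append((ev["operation_id"], ev["top_level_name"], present))
    return flagged


if __name__ == "__main__":
    for op_id, evs in sorted(group_by_operation(SAMPLE_EVENTS).items()):
        print(op_id, summarize_operation(evs))
    print(top_level_entries_with_invalid_fields(SAMPLE_EVENTS))
```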

User Management Events


The bulk of the user management events are identical, with variation only in the activity (for
example, enabled versus disabled) and the security groups (local, global, or universal) to
which the audit applies.

In addition, from event 648 to event 685, some events include the phrase
SECURITY_DISABLED in their formal names. This means that these groups cannot be used
to grant permissions in access checks. If the SID representing a security-disabled group
appears in a user’s token, it is only used to verify deny access control entries (ACEs) during an
access check. A SECURITY_ENABLED group is used to verify all ACEs during an access
check.

For more information about access tokens and the roles and use of local, global, or universal
groups, see “Authorization and Access Control” in this book.
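To make the access-check rule above concrete, here is an added Python model (not Windows' own access-check code and not from the appendix) of an ordered DACL walk in which a security-disabled group SID present in the token can only satisfy deny ACEs, while a security-enabled group SID satisfies both allow and deny ACEs; the SIDs, group names and access bits are constructed placeholders.

```python
"""Simplified DACL evaluation showing how security-disabled group SIDs are used.

Added example, not part of Appendix E and not Windows' actual access-check
code. It models the rule stated in the text: a SID of a security-enabled group
matches both allow and deny ACEs, while a SID of a security-disabled group in
the token matches deny ACEs only. SIDs, group names and access bits are
constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed access mask bits for the example object.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass
class Token:
    user_sid: str
    # group SID -> True if security-enabled, False if security-disabled
    groups: dict = field(default_factory=dict)

    def sids_for_deny(self):
        """Every SID in the token can match a deny ACE."""
        return {self.user_sid, *self.groups}

    def sids_for_allow(self):
        """Only the user SID and security-enabled group SIDs can match an allow ACE."""
        return {self.user_sid, *(s for s, enabled in self.groups.items() if enabled)}


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    sid: str
    mask: int


def access_check(token, dacl, desired):
    """Walk the DACL in order and return (granted, reason).

    A deny ACE whose SID is in the token and whose mask overlaps the access
    still outstanding denies the request. An allow ACE whose SID matches an
    allow-capable SID grants its bits; the request succeeds once nothing is
    outstanding. A DACL with no matching allow ACE denies.
    """
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.kind == "deny" and ace.sid in token.sids_for_deny():
            if ace.mask & remaining:
                return False, f"denied by deny ACE for {ace.sid}"
        elif ace.kind == "allow" and ace.sid in token.sids_for_allow():
            remaining &= ~ace.mask
    if remaining == 0:
        return True, "all requested access granted by allow ACEs"
    return False, f"no allow ACE covers 0x{remaining:x}"


# Constructed scenario: G_FINANCE is a security-enabled group, G_CONTRACTORS
# is a security-disabled group whose SID is nevertheless present in the token.
DACL = [
    Ace("deny", "S-G_CONTRACTORS", WRITE | DELETE),
    Ace("allow", "S-G_FINANCE", READ | WRITE),
    Ace("allow", "S-G_CONTRACTORS", READ),
]

FINANCE_CONTRACTOR = Token("S-U-ALICE", {"S-G_FINANCE": True, "S-G_CONTRACTORS": False})
CONTRACTOR_ONLY = Token("S-U-BOB", {"S-G_CONTRACTORS": False})


if __name__ == "__main__":
    print(access_check(FINANCE_CONTRACTOR, DACL, READ))   # granted through G_FINANCE
    print(access_check(FINANCE_CONTRACTOR, DACL, WRITE))  # denied: disabled SID still hits the deny ACE
    print(access_check(CONTRACTOR_ONLY, DACL, READ))      # denied: disabled SID ignored for the allow ACE
```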

624 A user account was created.


Parameters: Name of new user account, domain of new user account, SID string of new user
account, user name of subject creating the user account, domain name of subject creating the
user account, logon ID string of subject creating the user account, privileges used to create the
user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_CREATED

627 A user password was changed.


Parameters: Name of target user account, domain of target user account, SID string of target
user account, user name of subject changing the user account, domain name of subject
changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_PWD_CHANGED

628 A user password was set.


Parameters: Name of target user account, domain of target user account, SID string of target
user account, user name of subject changing the user account, domain name of subject
changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_PWD_SET

630 A user account was deleted.


Parameters: Name of target user account, domain of target user account, SID string of target
user account, user name of subject deleting the user account, domain name of subject deleting
the user account, logon ID string of subject deleting the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_DELETED

631 A global group was created.


Parameters: Name of new group account, domain of new group account, SID string of new
group account, user name of subject creating the account, domain name of subject creating
the account, logon ID string of subject creating the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_CREATED

632 A member was added to a global group.


Parameters: SID string of member being added, name of target account, domain of target
account, SID string of target account, user name of subject changing the account, domain
name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_ADD

633 A member was removed from a global group.


Parameters: SID string of member being removed, name of target account, domain of target
account, SID string of target account, user name of subject changing the account, domain
name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_REM

634 A global group was deleted.


Parameters: Name of the global group account, domain of the global group account, SID
string of the global group account, user name of subject deleting the global group, domain
name of subject deleting the global group, logon ID string of subject deleting the global
group.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_DELETED

635 A new local group was created.


Parameters: Name of new group account, domain of new group account, SID string of new
group account, user name of subject creating the account, domain name of subject creating
the account, logon ID string of subject creating the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_CREATED

636 A member was added to a local group.


Parameters: SID string of member being added, name of target account, domain of target
account, SID string of target account, user name of subject changing the account, domain
name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_ADD

637 A member was removed from a local group.


Parameters: SID string of member being removed, name of target account, domain of target
account, SID string of target account, user name of subject changing the account, domain
name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_REM

638 A local group was deleted.


Parameters: Name of group account being deleted, domain of the group account, SID string
of group account, user name of subject deleting the account, domain name of subject deleting
the account, logon ID string of subject deleting the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_DELETED

639 A local group account was changed.


Parameters: Name of group account being changed, domain of group account, SID string of
group account, user name of subject changing the account, domain name of subject changing
the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_CHANGE

641 A global group account was changed.


Parameters: Name of group account being changed, domain of group account, SID string of
target account, user name of subject changing the account, domain name of subject changing
the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_CHANGE

642 A user account was changed.


Parameters: Name of user account, domain of user account, SID string of user account, user
name of subject changing the user account, domain name of subject changing the user
account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_CHANGE

643 A domain policy was modified.


Parameters: Domain policy that was modified, domain name, domain ID, caller user name,
caller domain, caller logon ID, privileges used.

Configurable Information: Success

Formal name: SE_AUDITID_DOMAIN_POLICY_CHANGE

644 A user account was auto locked.


Parameters: Name of target user account, domain of target user account, SID string of target
user account, user name of subject changing the user account, domain name of subject
changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_AUTO_LOCKED

This happens when a user attempts to log on unsuccessfully multiple times (the number of
attempts is configured by the administrator).

645 A computer account was created.


Parameters: Name of new computer account, domain of new computer account, SID string of
new computer account, user name of subject creating the computer account, domain name of
subject creating the computer account, logon ID string of subject creating the computer
account, privileges used to create the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_CREATED

646 A computer account was changed.


Parameters: Name of target computer account, domain of target computer account, SID
string of target computer account, user name of subject changing the computer account,
domain name of subject changing the computer account, logon ID string of subject changing
the computer account, privileges used to change the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_CHANGE

647 A computer account was deleted.


Parameters: Name of target computer account, domain of target computer account, SID
string of target computer account, user name of subject deleting the computer account,
domain name of subject deleting the computer account, logon ID string of subject deleting
the computer account, privileges used to delete the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_DELETED

648 A local security group with security disabled was created.


Parameters: Name of new group account, domain of new group account, SID string of new
group account, user name of subject creating the account, domain name of subject creating
the account, logon ID string of subject creating the account, privileges used to create the
account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED

SECURITY_DISABLED in the formal name means that this group cannot be used to grant
permissions in access checks. If the SID representing a security-disabled group appears in a
user’s token, it is only used to verify deny access control entries (ACEs) during an access
check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.

For more information about access tokens and the roles and usage of local, global, or
universal groups, see “Authorization and Access Control” in this book.

649 A local security group with security disabled was changed.


Parameters: Name of group account, domain of group account, SID string of group account,
user name of subject modifying the account, domain name of subject modifying the account,
logon ID string of subject modifying the account, privileges used to modify the account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE

650 A member was added to a security-disabled local security group.


Parameters: SID string of member being added, name of security-disabled local security
group account, domain of security group account, SID string of security-disabled local
security group account, user name of subject changing the membership of the security-disabled
local security group, domain name of subject changing the membership of the security-disabled
local security group, logon ID string of subject changing the membership of the
security-disabled local security group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD

651 A member was removed from a security-disabled local security group.


Parameters: SID string of member being removed, name of security-disabled local security
group account, domain of security-disabled security group account, SID string of local
security group account, user name of subject changing the membership of the security-disabled
local security group, domain name of subject changing the membership of the security-disabled
local security group, logon ID string of subject changing the membership of the
security-disabled local security group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM

652 A security-disabled local group was deleted.


Parameters: Name of the security-disabled local group, domain of security-disabled local
group, SID string of security-disabled local group, user name of subject deleting the
security-disabled local group, domain name of subject deleting the security-disabled local
group, logon ID string of subject deleting the security-disabled local group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED

653 A security-disabled global group was created.


Parameters: Name of new security-disabled global group, domain of new security-disabled
global group, SID string of new security-disabled global group, user name of subject creating
the security-disabled global group, domain name of subject creating the security-disabled
global group, logon ID string of subject creating the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED

654 A security-disabled global group was changed.


Parameters: Name of security-disabled global group, domain of security-disabled global
group, SID string of security-disabled global group, user name of subject changing the
security-disabled global group, domain name of subject changing the security-disabled global
group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE

655 A member was added to a security-disabled global group.


Parameters: SID string of member being added, name of security-disabled global group,
domain of security-disabled global group, SID string of security-disabled global group, user
name of subject changing the security-disabled global group, domain name of subject
changing the security-disabled global group, logon ID string of subject changing the
security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD

656 A member was removed from a security-disabled global group.


Parameters: SID string of member being removed, name of security-disabled global group,
domain of security-disabled global group, SID string of security-disabled global group, user
name of subject changing the security-disabled global group, domain name of subject
changing the security-disabled global group, logon ID string of subject changing the
security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM

657 A security-disabled global group was deleted.


Parameters: Name of security-disabled global group, domain of security-disabled global
group, SID string of security-disabled global group, user name of subject deleting the
security-disabled global group, domain name of subject deleting the security-disabled global
group, logon ID string of subject deleting the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED

658 A security-enabled universal group was created.


Parameters: Name of new group account, domain of new security-enabled universal group,
SID string of new security-enabled universal group, user name of subject creating the
security-enabled universal group, domain name of subject creating the security-enabled
universal group, logon ID string of subject creating the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED

659 A security-enabled universal group was changed.


Parameters: Name of target security-enabled universal group, domain of security-enabled
universal group, SID string of security-enabled universal group, user name of subject
changing the security-enabled universal group, domain name of subject changing the
security-enabled universal group, logon ID string of subject changing the security-enabled
universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE

660 A member was added to a security-enabled universal group.


Parameters: SID string of member being added, name of security-enabled universal group,
domain of security-enabled universal group, SID string of security-enabled universal group,
user name of subject changing the security-enabled universal group, domain name of subject
changing the security-enabled universal group, logon ID string of subject changing the
security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD

661 A member was removed from a security-enabled universal group.


Parameters: SID string of member being removed, name of security-enabled universal group,
domain of security-enabled universal group, SID string of security-enabled universal group,
user name of subject changing the security-enabled universal group, domain name of subject
changing the security-enabled universal group, logon ID string of subject changing the
security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM

662 A security-enabled universal group was deleted.


Parameters: Name of target account, domain of security-enabled universal group, SID string
of security-enabled universal group, user name of subject deleting the security-enabled
universal group, domain name of subject deleting the security-enabled universal group, logon
ID string of subject deleting the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED

663 A security-disabled universal group was created.


Parameters: Name of new security-disabled universal group, domain of new security-disabled
universal group, SID string of new security-disabled universal group, user name of subject
creating the security-disabled universal group, domain name of subject creating the
security-disabled universal group, logon ID string of subject creating the security-disabled
universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED

664 A security-disabled universal group was changed.


Parameters: Name of security-disabled universal group, domain of security-disabled
universal group, SID string of security-disabled universal group, user name of subject
changing the security-disabled universal group, domain name of subject changing the
security-disabled universal group, logon ID string of subject changing the security-disabled
universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE

665 A member was added to a security-disabled universal group.


Parameters: SID string of member being added, name of security-disabled universal group,
domain of security-disabled universal group, SID string of security-disabled universal group,
user name of subject changing the security-disabled universal group, domain name of subject
changing the security-disabled universal group, logon ID string of subject changing the
security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD

666 A member was removed from a security-disabled universal group.


Parameters: SID string of member being removed, name of security-disabled universal group,
domain of security-disabled universal group, SID string of security-disabled universal group,
user name of subject changing the security-disabled universal group, domain name of subject
changing the security-disabled universal group, logon ID string of subject changing the
security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM

667 A security-disabled universal group was deleted.


Parameters: Name of target account, domain of security-disabled universal group, SID string
of security-disabled universal group, user name of subject deleting the security-disabled
universal group, domain name of subject deleting the security-disabled universal group, logon
ID string of subject deleting the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED

668 A group type was changed.


Parameters: Nature of group type change, name of group being changed, domain of group
being changed, SID string of group being changed, user name of subject changing the group
type, domain name of subject changing the group type, logon ID string of subject changing
the group type.

Configurable Information: Success

Formal name: SE_AUDITID_GROUP_TYPE_CHANGE

684 Set the security descriptor of members of administrative groups.


Parameters: Domain of target user account, SID string of target user account, user name of
subject changing the user account, domain name of subject changing the user account, logon
ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURE_ADMIN_GROUP

Every 60 minutes on a domain controller a background thread searches all members of
administrative groups (such as domain, enterprise, and schema administrators) and applies a
fixed security descriptor on them. This event is logged.

685 Name of an account was changed.


Parameters: Name of target account, domain of target account, SID string of target account,
user name of subject changing the account, domain name of subject changing the account,
logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_NAME_CHANGE

Account Logon Events


Unlike the logon events described earlier in this appendix, the following security event
messages track activity specifically in relation to Kerberos logon attempts, which require
Active Directory.

672 An authentication service (AS) ticket was successfully issued and validated.


Parameters: User name of client, domain name of client, SID of client, SID of service, ticket
options, failure code, ticket encryption type, preauthentication type (such as PK_INIT), client
IP address.

Configurable Information: Success

Formal name: SE_AUDITID_AS_TICKET_SUCCESS

This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes
place. One AS ticket is granted per logon session.

673 A ticket granting service (TGS) ticket was granted.


Parameters: User name of client, domain name of client, user name of service, SID of service,
ticket options, ticket encryption type, client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_TGS_TICKET_SUCCESS

This event occurs on the KDC and means that a user presented an AS ticket and was given a
TGS ticket for some service.

674 A principal renewed an AS ticket or TGS ticket.


Parameters: User name of client, domain name of client, user name of service, SID of service,
ticket options, ticket encryption type, client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_TICKET_RENEW_SUCCESS

This event occurs on the KDC and is currently only caused by non-Windows-based clients
because Windows-based clients do not renew tickets, but reacquire them instead.

675 Preauthentication failed.


Parameters: User name of client, SID of client, user name of service, preauthentication type,
failure code, client IP address.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_PREAUTH_FAILURE

This event message is generated on the KDC for reasons such as the user typing in a wrong
password, a large difference between the clock time on the client and the KDC, or a smart card
logon error.

677 A TGS ticket was not granted.


Parameters: User name of client, SID of client, user name of service, SID of service,
preauthentication type, failure code, client IP address.

Configurable Information: Failure

Formal name: SE_AUDITID_TGS_TICKET_FAILURE

This audit occurs on the KDC.

678 An account was successfully mapped to a domain account.


Parameters: Source, client name, mapped name.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_MAPPED

An account mapping is a map of a user authenticated in an MIT Kerberos realm to a domain
account.

681 A domain account logon attempt was made.


Parameters: Logon attempt by, logon account, source workstation, error code, if relevant.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_ACCOUNT_LOGON

This audit appears on the domain controller or wherever the account exists. The following
error codes are possible:

■ Unknown user name or bad password (1326)
■ Account logon time restriction violation (1328)
■ Account currently disabled (1331)
■ The specified user account has expired (1793)
■ User not allowed to log on at this computer (1329)
■ The user has not been granted the requested logon type at this computer (1327)
■ The specified account’s password has expired (1330)
■ The Net Logon service is not active (1792)

In each of these events, descriptive text gives detailed information about each specific logon
attempt. Also, on Windows XP Professional you can enable success and failure auditing of the
Account Logon category of events, which enables the following events:

■ Authentication ticket granted
■ Service ticket granted
■ Ticket renewed
■ Preauthentication failed
■ Authentication ticket request failed
■ Service ticket request failed
■ Account mapped for logon
■ Account could not be mapped for logging on
■ Account used for logging on

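As an added example, not from the appendix, the following Python triages constructed event 681 lines by the error codes listed above and flags accounts whose run of bad-password failures (1326) approaches the point at which event 644 (account auto locked) would be logged; the flat "key: value" line layout, the account and workstation names, and the lockout threshold are assumptions.

```python
"""Triage of event 681 (domain account logon attempt) failures by error code.

Added example, not part of Appendix E. The log lines below are constructed to
carry the parameters listed for event 681 in a flat "key: value" layout; the
text layout of a real Event Viewer export differs, and LINE_RE would need
adjusting to it. Account and workstation names are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes and descriptions as listed under event 681 in Appendix E.
ERROR_CODES = {
    1326: "Unknown user name or bad password",
    1327: "The user has not been granted the requested logon type at this computer",
    1328: "Account logon time restriction violation",
    1329: "User not allowed to log on at this computer",
    1330: "The specified account's password has expired",
    1331: "Account currently disabled",
    1792: "The Net Logon service is not active",
    1793: "The specified user account has expired",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event_id>\d+) (?P<outcome>Success|Failure) "
    r"Logon account: (?P<account>\S+) Source Workstation: (?P<workstation>\S+)"
    r"(?: Error Code: (?P<code>\d+))?$"
)

# Constructed sample export (not real log data).
SAMPLE_LOG = """\
2003-05-12 08:00:01 681 Failure Logon account: jdoe Source Workstation: WS01 Error Code: 1326
2003-05-12 08:00:03 681 Failure Logon account: jdoe Source Workstation: WS01 Error Code: 1326
2003-05-12 08:00:04 681 Failure Logon account: jdoe Source Workstation: WS01 Error Code: 1326
2003-05-12 08:00:06 681 Failure Logon account: jdoe Source Workstation: WS01 Error Code: 1326
2003-05-12 08:00:07 681 Failure Logon account: jdoe Source Workstation: WS01 Error Code: 1326
2003-05-12 08:01:00 681 Success Logon account: asmith Source Workstation: WS02
2003-05-12 08:02:30 681 Failure Logon account: svc_backup Source Workstation: SRV01 Error Code: 1331
2003-05-12 09:15:00 681 Failure Logon account: jdoe Source Workstation: WS01 Error Code: 1326
2003-05-12 09:20:00 672 Success Logon account: asmith Source Workstation: WS02
"""


def parse_681(text):
    """Yield one dict per event 681 line; other event IDs and unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event_id") != "681":
            continue
        code = int(m.group("code")) if m.group("code") else None
        yield {
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "account": m.group("account"),
            "workstation": m.group("workstation"),
            "outcome": m.group("outcome"),
            "code": code,
            "reason": ERROR_CODES.get(code, "unlisted code") if code else None,
        }


def failures_by_reason(events):
    """Count failed attempts per (account, reason) so that disabled or expired
    accounts still being tried stand out from plain bad-password noise."""
    counts = defaultdict(int)
    for ev in events:
        if ev["outcome"] == "Failure":
            counts[(ev["account"], ev["reason"])] += 1
    return dict(counts)


def accounts_near_lockout(events, threshold, window=timedelta(minutes=10)):
    """Return accounts with at least `threshold` bad-password failures (1326)
    inside one sliding window. Reaching the domain's lockout threshold produces
    event 644 (account auto locked); this flags the run-up to it."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "Failure" and ev["code"] == 1326:
            per_account[ev["account"]].append(ev["time"])
    flagged = set()
    for account, times in per_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(account)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = list(parse_681(SAMPLE_LOG))
    print(failures_by_reason(events))
    print(accounts_near_lockout(events, threshold=5))
```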
The following account logon events are included in “Logon Events” earlier in this appendix:

682 A user has reconnected to a disconnected terminal server session.

683 A user disconnected a terminal server session without logging off.

Directory Service Access Events


The only directory service access event is also included in “Object Access Events” earlier in
this appendix.

566 A generic object operation took place.


Parameters: Object operation, operation type, object type, object name, handle ID, primary
user name, primary domain, primary logon ID, client user name, client domain, client logon
ID, accesses, properties.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_OBJECT_OPERATION
