Anda di halaman 1dari 10

Content-Type: text/x-zim-wiki

Wiki-Format: zim 0.4


Creation-Date: 2015-06-23T11:58:44-04:00

====== Windows Events ======


Created Tuesday 23 June 2015

Event ID: 512


Type: Success Audit
Description: Windows NT is starting up.

Event ID: 513


Type: Success Audit
Description: Windows NT is shutting down. All logon sessions will be
terminated by this shutdown.

Event ID: 514


Type: Success Audit
Description: An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: %1

Event ID: 515


Type: Success Audit
Description: A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: %1

Event ID: 516


Type: Success Audit
Description: Internal resources allocated for the queuing of audit
messages have been exhausted, leading to the loss of some
audits.
Number of audit messages discarded: %1

Event ID: 517


Type: Success Audit
Description: The audit log was cleared
Primary User Name: %1 Primary Domain: %2
Primary Logon ID: %3 Client User Name: %4
Client Domain: %5 Client Logon ID: %6

Event ID: 518


Type: Success Audit
Description: A notification package has been loaded by the Security
Account Manager. This package will be notified of any
account or password changes.
Notification Package Name: %1

Event ID: 528


Type: Success Audit
Description: Successful Logon:
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
Logon Process: %5 Authentication Package: %6
Workstation Name: %7
Type 0 = System Only
Type 1 = unknown
Type 2 = Interactive Logon
Type 3 = Network
Type 4 = Batch
Type 5 = Service
Type 6 = (proxy logon)
Type 7 = Unlock Workstation
Type 8 = Network Clear Text
Type 9 = New Credentials
Type 10 = Remote Interactive
Type 11 = Cached Interactive
Type 12 = CachedRemoteInteractive
Type 13 = CachedUnlock

Event ID: 529


Type: Failure Audit
Description: Logon Failure:
Reason: Unknown user name or bad password
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 530


Type: Failure Audit
Description: Logon Failure:
Reason: Account logon time restriction violation
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 531


Type: Failure Audit
Description: Logon Failure:
Reason: Account currently disabled
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 532


Type: Failure Audit
Description: Logon Failure:
Reason: The specified user account has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 533


Type: Failure Audit
Description: Logon Failure:
Reason: User not allowed to logon at this computer
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 534


Type: Failure Audit
Description: Logon Failure:
Reason: The user has not been granted the requested logon
type at this machine
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 535


Type: Failure Audit
Description: Logon Failure:
Reason: The specified account's password has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 536


Type: Failure Audit
Description: Logon Failure:
Reason: The NetLogon component is not active
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 537


Type: Failure Audit
Description: Logon Failure:
Reason: An unexpected error occurred during logon
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 538


Type: Success Audit
Description: User Logoff:
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4

Event ID: 539


Type: Failure Audit
Description: Logon Failure:
Reason: Account locked out
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 560


Type: Success Audit
Description: Object Open:
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID: {%5,%6}
Process ID: %7 Primary User Name: %8
Primary Domain: %9 Primary Logon ID: %10
Client User Name: %11 Client Domain: %12
Client Logon ID: %13 Accesses %14
Privileges %15

Event ID: 561


Type: Success Audit
Description: Handle Allocated:
Handle ID: %1 Operation ID: {%2,%3}
Process ID: %4

Event ID: 562


Type: Success Audit
Description: Handle Closed:
Object Server: %1 Handle ID: %2
Process ID: %3

Event ID: 563


Type: Success Audit
Description: Object Open for Delete:
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID: {%5,%6}
Process ID: %7 Primary User Name: %8
Primary Domain: %9 Primary Logon ID: %10
Client User Name: %11 Client Domain: %12
Client Logon ID: %13 Accesses %14
Privileges %15

Event ID: 564


Type: Success Audit
Description: Object Deleted:
Object Server: %1 Handle ID: %2
Process ID: %3

Event ID: 576


Type: Success Audit
Description: Special privileges assigned to new logon:
User Name: %1 Domain: %2
Logon ID: %3 Assigned: %4

Event ID: 577


Type: Success Audit
Description: Privileged Service Called:
Server: %1 Service: %2
Primary User Name: %3 Primary Domain: %4
Primary Logon ID: %5 Client User Name: %6
Client Domain: %7 Client Logon ID: %8
Privileges: %9

Event ID: 578


Type: Failure Audit
Description: Privileged object operation:
Object Server: %1 Object Handle: %2
Process ID: %3 Primary User Name: %4
Primary Domain: %5 Primary Logon ID: %6
Client User Name: %7 Client Domain: %8
Client Logon ID: %9 Privileges: %10

Event ID: 592


Type: Success Audit
Description: A new process has been created:
New Process ID: %1 Image File Name: %2
Creator Process ID: %3 User Name: %4
Domain: %5 Logon ID: %6
Event ID: 593
Type: Success Audit
Description: A process has exited:
Process ID: %1 User Name: %2
Domain: %3 Logon ID: %4

Event ID: 594


Type: Success Audit
Description: A handle to an object has been duplicated:
Source Handle ID: %1 Source Process ID: %2
Target Handle ID: %3 Target Process ID: %4

Event ID: 595


Type: Success Audit
Description: Indirect access to an object has been obtained:
Object Type: %1 Object Name: %2
Process ID: %3 Primary User Name: %4
Primary Domain: %5 Primary Logon ID: %6
Client User Name: %7 Client Domain: %8
Client Logon ID: %9 Accesses: %10

Event ID: 608


Type: Success Audit
Description: User Right Assigned:
User Right: %1 Assigned To: %2
Assigned By:
User Name: %3 Domain: %4
Logon ID: %5

Event ID: 609


Type: Success Audit
Description: User Right Removed:
User Right: %1 Removed From: %2
Removed By:
User Name: %3 Domain: %4
Logon ID: %5

Event ID: 610


Type: Success Audit
Description: New Trusted Domain:
Domain Name: %1 Domain ID: %2
Established By:
User Name: %3 Domain: %4
Logon ID: %5

Event ID: 611


Type: Success Audit
Description: Removing Trusted Domain:
Domain Name: %1 Domain ID: %2
Removed By:
User Name: %3 Domain: %4
Logon ID: %5

Event ID: 612


Type: Success Audit
Description: Audit Policy Change:
New Policy:
Success Failure
%1 %2 System
%3 %4 Logon/Logoff
%5 %6 Object Access
%7 %8 Privilege Use
%9 %10 Detailed Tracking
%11 %12 Policy Change
%13 %14 Account Management
Changed By:
User Name: %15 Domain Name: %16
Logon ID: %17

Event ID: 624


Type: Success Audit
Description: User Account Created:
New Account Name: %1 New Domain: %2
New Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges %7

Event ID: 625


Type: Success Audit
Description: User Account Type Change:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 New Type: %4
Caller User Name: %5 Caller Domain: %6
Caller Logon ID: %7

Event ID: 626


Type: Success Audit
Description: User Account Enabled:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6

Event ID: 627


Type: Success Audit
Description: Change Password Attempt:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 628


Type: Success Audit
Description: User Account password set:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6

Event ID: 629


Type: Success Audit
Description: User Account Disabled:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6

Event ID: 630


Type: Success Audit
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 631


Type: Success Audit
Description: Global Group Created:
New Account Name: %1 New Domain: %2
New Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 632


Type: Success Audit
Description: Global Group Member Added:
Member: %1 Target Account Name: %2
Target Domain: %3 Target Account ID: %4
Caller User Name: %5 Caller Domain: %6
Caller Logon ID: %7 Privileges: %8

Event ID: 633


Type: Success Audit
Description: Global Group Member Removed:
Member: %1 Target Account Name: %2
Target Domain: %3 Target Account ID: %4
Caller User Name: %5 Caller Domain: %6
Caller Logon ID: %7 Privileges: %8

Event ID: 634


Type: Success Audit
Description: Global Group Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 635


Type: Success Audit
Description: Local Group Created:
New Account Name: %1 New Domain: %2
New Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 636


Type: Success Audit
Description: Local Group Member Added:
Member: %1 Target Account Name: %2
Target Domain: %3 Target Account ID: %4
Caller User Name: %5 Caller Domain: %6
Caller Logon ID: %7 Privileges: %8

Event ID: 637


Type: Success Audit
Description: Local Group Member Removed:
Member: %1 Target Account Name: %2
Target Domain: %3 Target Account ID: %4
Caller User Name: %5 Caller Domain: %6
Caller Logon ID: %7 Privileges: %8
Event ID: 638
Type: Success Audit
Description: Local Group Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 639


Type: Success Audit
Description: Local Group Changed:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 640


Type: Success Audit
Description: General Account Database Change:
Type of change: %1 Object Type: %2
Object Name: %3 Object ID: %4
Caller User Name: %5 Caller Domain: %6
Caller Logon ID: %7

Event ID: 641


Type: Success Audit
Description: Global Group Changed:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 642


Type: Success Audit
Description: User Account Changed:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7

Event ID: 643


Type: Success Audit
Description: Domain Policy Changed:
Domain: %1 Domain ID: %2
Caller User Name: %3 Caller Domain: %4
Caller Logon ID: %5 Privileges: %6

Event ID: 644


Event Type: Success Audit
Description: User Account Locked Out
Target Account Name: %1 Target Account ID: %2
Caller Machine Name: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6

Event IDs 528 and 540 signify a successful logon, event ID 538 a logoff and all the
other events in this category identify different reasons for a logon failure.
However, just knowing about a successful or failed logon attempt doesnt fill in
the whole picture. Because of all the services Windows offers, there are many
different ways you can logon to a computer such as interactively at the computers
local keyboard and screen, over the network through a drive mapping or through
terminal services (aka remote desktop) or through IIS. Thankfully, logon/logoff
events specify the Logon Type code which reveals the type of logon that prompted
the event.

Logon Type 2 Interactive: This is what occurs to you first when you think of
logons, that is, a logon at the console of a computer. Youll see type 2 logons
when a user attempts to log on at the local keyboard and screen whether with a
domain account or a local account from the computers local SAM. To tell the
difference between an attempt to logon with a local or domain account look for the
domain or computer name preceding the user name in the events description. Dont
forget that logons through an KVM over IP component or a servers proprietary
lights-out remote KVM feature are still interactive logons from the standpoint of
Windows and will be logged as such.

Logon Type 3 Network: Windows logs logon type 3 in most cases when you access a
computer from elsewhere on the network. One of the most common sources of logon
events with logon type 3 is connections to shared folders or printers. But other
over-the-network logons are classed as logon type 3 as well such as most logons to
IIS. (The exception is basic authentication which is explained in Logon Type 8
below.)

Logon Type 4 Batch: When Windows executes a scheduled task, the Scheduled Task
service first creates a new logon session for the task so that it can run under the
authority of the user account specified when the task was created. When this logon
attempt occurs, Windows logs it as logon type 4. Other job scheduling systems,
depending on their design, may also generate logon events with logon type 4 when
starting jobs. Logon type 4 events are usually just innocent scheduled tasks
startups but a malicious user could try to subvert security by trying to guess the
password of an account through scheduled tasks. Such attempts would generate a
logon failure event where logon type is 4. But logon failures associated with
scheduled tasks can also result from an administrator entering the wrong password
for the account at the time of task creation or from the password of an account
being changed without modifying the scheduled task to use the new password.

Logon Type 5 Service: Similar to Scheduled Tasks, each service is configured to


run as a specified user account. When a service starts, Windows first creates a
logon session for the specified user account which results in a Logon/Logoff event
with logon type 5. Failed logon events with logon type 5 usually indicate the
password of an account has been changed without updating the service but theres
always the possibility of malicious users at work too. However this is less likely
because creating a new service or editing an existing service by default requires
membership in Administrators or Server Operators and such a user, if malicious,
will likely already have enough authority to perpetrate his desired goal.

Logon Type 7 Unlock: Hopefully the workstations on your network automatically


start a password protected screen saver when a user leaves their computer so that
unattended workstations are protected from malicious use. When a user returns to
their workstation and unlocks the console, Windows treats this as a logon and logs
the appropriate Logon/Logoff event but in this case the logon type will be 7
identifying the event as a workstation unlock attempt. Failed logons with logon
type 7 indicate either a user entering the wrong password or a malicious user
trying to unlock the computer by guessing the password.

Logon Type 8 NetworkCleartext: This logon type indicates a network logon like
logon type 3 but where the password was sent over the network in the clear text.
Windows server doesnt allow connection to shared file or printers with clear text
authentication. The only situation Im aware of are logons from within an ASP
script using the ADVAPI or when a user logs on to IIS using IISs basic
authentication mode. In both cases the logon process in the events description
will list advapi. Basic authentication is only dangerous if it isnt wrapped inside
an SSL session (i.e. https). As far as logons generated by an ASP, script remember
that embedding passwords in source code is a bad practice for maintenance purposes
as well as the risk that someone malicious will view the source code and thereby
gain the password.

Logon Type 9 NewCredentials: If you use the RunAs command to start a program
under a different user account and specify the /netonly switch, Windows records a
logon/logoff event with logon type 9. When you start a program with RunAs using
/netonly, the program executes on your local computer as the user you are currently
logged on as but for any connections to other computers on the network, Windows
connects you to those computers using the account specified on the RunAs command.
Without /netonly Windows runs the program on the local computer and on the network
as the specified user and records the logon event with logon type 2.

Logon Type 10 RemoteInteractive: When you access a computer through Terminal


Services, Remote Desktop or Remote Assistance windows logs the logon attempt with
logon type 10 which makes it easy to distinguish true console logons from a remote
desktop session. Note however that prior to XP, Windows 2000 doesnt use logon type
10 and terminal services logons are reported as logon type 2.

Logon Type 11 CachedInteractive: Windows supports a feature called Cached Logons


which facilitate mobile users. When you are not connected to the your
organizations network and attempt to logon to your laptop with a domain account
theres no domain controller available to the laptop with which to verify your
identity. To solve this problem, Windows caches a hash of the credentials of the
last 10 interactive domain logons. Later when no domain controller is available,
Windows uses these hashes to verify your identity when you attempt to logon with a
domain account.

Logon Events (interactive):

A successful logon event generates Event ID 528, Logon Type 2. A logoff event
generates Event ID 538, Logon Type 2.

Connection Events (network):

A successful Net Use or File Manager connection or a successful Net View generates
Event ID 528, Logon Type 3.

Connection events are sessions at the server level and are generated only by the
initial connection from a particular user. Later Net Views or Net Uses from the
same user to the same computer do not generate logged events unless the user has
disconnected (or has been autodisconnected) from all shares.