System32
Events
Compliance
Validator
TLS/SSL
PingSentry
GeoIP
Tools
Audit Category
Account Management
(63)
Policy Change
(31)
Logon/Logoff
(29)
System
(11)
Object Access
(10)
Detailed Tracking
(8)
Privilege Use
(3)
Audit Subcategory
Operating Systems
Windows 2003
(165)
Windows XP
(165)
Windows Server 2000
(51)
Tags
Auditing
Volume
EventSentry
All events
ID
Event Description
512
Windows NT is starting up
513
Windows is shutting down
514
An authentication package has been loaded by the Local Security Authority
515
A trusted logon process has registered with the Local Security Authority
516
Queuing of audit messages have been exhausted, leading to the loss of some audits
517
The audit log was cleared
518
A notification package has been loaded by the Security Account Manager
519
A process is using an invalid local procedure call (LPC) port
520
The system time was changed
521
Unable to log events to security log
523
The security log is full
528
Successful Logon
529
Logon Failure : Unknown username or bad password
530
Logon Failure : Account logon time restriction violation
531
Logon Failure : Account currently disabled
532
Logon Failure : The specified user account has expired
533
Logon Failure : User not allowed to logon at this computer
534
Logon Failure : The user has note been granted the requested logon type at this machine
535
Logon Failure : The specified account's password has expired
536
Logon Failure : The NetLogon component is not active
537
The logon attempt failed for other reasons
538
The user has logged off
539
Logon Failure : Account locked out
540
Successful Network Logon
548
Logon Failure : Domain SID inconsistent
549
Logon Failure : All SIDs were filtered out
551
User initiated logoff
552
Logon attempt using explicit credentials
560
Object Open
561
Handle Allocated
562
Handle Closed
563
Object Open for Delete
564
Object Deleted
565
Object Open
566
Object Operation
567
Object Access Attempt
568
Hard link creation attempt
569
Application client context creation attempt
570
Application operation attempt
571
Application client context deletion
572
Application Initialized
574
Security on object changed
576
Special privileges assigned to new logon
577
Privileged Service Called
578
Privileged object operation
592
A new process has been created
593
A process has exited
594
A handle to an object has been duplicated
595
Indirect access to an object has been obtained
596
Backup of data protection master key
600
A process was assigned a primary token
601
Attempt to install service
602
Scheduled Task created
608
User Right Assigned
609
User Right Removed
610
New Trusted Domain
611
Trusted Domain Removed
612
Audit Policy Change
613
IPSec Services started
614
IPSec Services disabled
616
IPSec Services encountered a potentially serious failure
617
Kerberos Policy Changed
618
Encrypted Data Recovery Policy Changed
619
Audit Security Object changed
620
Trusted Domain Information Modified
621
System Security Access Granted
622
System Security Access Removed
623
System Audit Policy Change
624
User Account Created
626
User Account Enabled
627
Change Password Attempt
628
User Account password set
629
User Account Disabled
630
User Account Deleted
631
Security Enabled Global Group Created
632
Security Enabled Global Group Member Added
633
Security Enabled Global Group Member Removed
634
Security Enabled Global Group Deleted
635
Security Enabled Local Group Created
636
Security Enabled Local Group Member Added
637
Security Enabled Local Group Member Removed
638
Security Enabled Local Group Deleted
639
Security Enabled Local Group Changed
640
General Account Database Change
641
Security Enabled Global Group Changed
642
User Account Changed
643
Domain Policy Changed
644
User Account Locked Out
645
Computer Account Created
646
Computer Account Changed
647
Computer Account Deleted
648
Security Disabled Local Group Created
649
Security Disabled Local Group Changed
650
Security Disabled Local Group Member Added
651
Security Disabled Local Group Member Removed
652
Security Disabled Local Group Deleted
653
Security Disabled Global Group Created
654
Security Disabled Global Group Changed
655
Security Disabled Global Group Member Added
656
Security Disabled Global Group Member Removed
657
Security Disabled Global Group Deleted
658
Security Enabled Universal Group Created
659
Security Enabled Universal Group Changed
660
Security Enabled Universal Group Member Added
661
Security Enabled Universal Group Member Removed
662
Security Enabled Universal Group Deleted
663
Security Disabled Universal Group Created
664
Security Disabled Universal Group Changed
665
Security Disabled Universal Group Member Added
666
Security Disabled Universal Group Member Removed
667
Security Disabled Universal Group Deleted
668
Group Type Changed
669
Add SID History
670
Add SID History
671
User Account Unlocked
672
Authentication Ticket Request
673
Service Ticket Request
674
Service Ticket Renewed
675
Pre-authentication failed
676
Authentication Ticket Request Failed
677
Service Ticket Request Failed
678
Account Mapped for Logon
679
The name could not be mapped for logon
680
Logon attempt
681
The logon to account from workstation
682
Session reconnected to winstation
683
Session disconnected from winstation
684
Set ACLs of members in administrators groups
685
Account Name Changed
686
Password of the following user accessed
687
Basic Application Group Created
688
Basic Application Group Changed
689
Basic Application Group Member Added
690
Basic Application Group Member Removed
691
Basic Application Group Non-Member Added
692
Basic Application Group Non-Member Removed
693
Basic Application Group Deleted
694
LDAP Query Group Created
695
LDAP Query Group Changed
696
LDAP Query Group Deleted
697
Password Policy Checking API is called
698
An attempt to set the Directory Services Restore Mode administrator password has been made
699
RODC SpecifiC Local Group Member Added
800
One or more rows have been deleted from the certificate database
801
Role separation enabled
802
Certificate Services template
803
Certificate Services template updated
804
Certificate Services template security updated
805
Configuration of security log for this session
806
Per User Audit Policy table created
807
Per user auditing policy set for user
808
A security event source has attempted to register
809
A security event source has attempted to unregister
848
The following policy was active when the Windows Firewall started
849
A rule was listed when the Windows Firewall started
850
A change has been made to Windows Firewall exception list
851
A change has been made to Windows Firewall exception list. A rule was modified
852
A change has been made to Windows Firewall exception list. A rule was deleted
853
A change has been made to Windows Firewall settings. Settings restored to factory defaults.
854
A Windows Firewall setting has changed
855
A rule has been ignored because its major version number was not recognized by Windows Firewall
856
A rule has been partially ignored because its minor version number was not recognized by Windows Firewall
857
A rule has been rejected by Windows Firewall
858
Windows Firewall group policy settings have been applied
859
The Windows Firewall group policy settings have been removed.