Security Event Descriptions

View products that this article applies to.

This article was previously published under Q174074

SUMMARY

This article contains descriptions of various security-related and auditing- related events, and tips for interpreting them.

These events will all appear in the Security event log and will be logged with a source of "Security."

MORE INFORMATION

   Event ID: 512
       Type: Success Audit
Description: Windows NT is starting up.

   Event ID: 513
       Type: Success Audit
Description: Windows NT is shutting down. All logon sessions will be
             terminated by this shutdown.

   Event ID: 514
       Type: Success Audit
Description: An authentication package has been loaded by the Local
             Security Authority. This authentication package will be
             used to authenticate logon attempts.
             Authentication Package Name: %1

   Event ID: 515
       Type: Success Audit
Description: A trusted logon process has registered with the Local
             Security Authority. This logon process will be trusted to
             submit logon requests.
             Logon Process Name: %1

   Event ID: 516
       Type: Success Audit
Description: Internal resources allocated for the queuing of audit
             messages have been exhausted, leading to the loss of some
             audits.
             Number of audit messages discarded: %1

   Event ID: 517
       Type: Success Audit
Description: The audit log was cleared
             Primary User Name: %1      Primary Domain: %2
             Primary Logon ID: %3       Client User Name: %4
             Client Domain: %5          Client Logon ID: %6

   Event ID: 518
       Type: Success Audit
Description: A notification package has been loaded by the Security
             Account Manager. This package will be notified of any
             account or password changes.
             Notification Package Name: %1

   Event ID: 528
       Type: Success Audit
Description: Successful Logon:
             User Name: %1             Domain: %2
             Logon ID: %3              Logon Type: %4
             Logon Process: %5         Authentication Package: %6
             Workstation Name: %7

   Event ID: 529
       Type: Failure Audit
Description: Logon Failure:
             Reason: Unknown user name or bad password
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 530
       Type: Failure Audit
Description: Logon Failure:
             Reason: Account logon time restriction violation
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 531
       Type: Failure Audit
Description: Logon Failure:
             Reason: Account currently disabled
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 532
       Type: Failure Audit
Description: Logon Failure:
             Reason: The specified user account has expired
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 533
       Type: Failure Audit
Description: Logon Failure:
             Reason: User not allowed to logon at this computer
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 534
       Type: Failure Audit
Description: Logon Failure:
             Reason: The user has not been granted the requested logon
             type at this machine
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 535
       Type: Failure Audit
Description: Logon Failure:
             Reason: The specified account's password has expired
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6


   Event ID: 536
       Type: Failure Audit
Description: Logon Failure:
             Reason: The NetLogon component is not active
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 537
       Type: Failure Audit
Description: Logon Failure:
             Reason: An unexpected error occurred during logon
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6


   Event ID: 538
       Type: Success Audit
Description: User Logoff:
             User Name: %1             Domain: %2
             Logon ID: %3              Logon Type: %4

   Event ID: 539
       Type: Failure Audit
Description: Logon Failure:
             Reason: Account locked out
             User Name: %1              Domain: %2
             Logon Type: %3             Logon Process: %4
             Authentication Package: %5 Workstation Name: %6

   Event ID: 560
       Type: Success Audit
Description: Object Open:
             Object Server: %1          Object Type: %2
             Object Name: %3            New Handle ID: %4
             Operation ID: {%5,%6}
             Process ID: %7             Primary User Name: %8
             Primary Domain: %9         Primary Logon ID: %10
             Client User Name: %11      Client Domain: %12
             Client Logon ID: %13       Accesses %14
             Privileges %15

   Event ID: 561
       Type: Success Audit
Description: Handle Allocated:
             Handle ID: %1              Operation ID: {%2,%3}
             Process ID: %4

   Event ID: 562
       Type: Success Audit
Description: Handle Closed:
             Object Server: %1          Handle ID: %2
             Process ID: %3

   Event ID: 563
       Type: Success Audit
Description: Object Open for Delete:
             Object Server: %1          Object   Type: %2
             Object Name: %3            New Handle ID: %4
             Operation ID: {%5,%6}
             Process ID: %7             Primary User Name: %8
             Primary Domain: %9         Primary Logon ID: %10
             Client User Name: %11      Client Domain: %12
             Client Logon ID: %13       Accesses %14
             Privileges %15

   Event ID: 564
       Type: Success Audit
Description: Object Deleted:
             Object Server: %1          Handle ID: %2
             Process ID: %3

   Event ID: 576
       Type: Success Audit
Description: Special privileges assigned to new logon:
             User Name: %1             Domain: %2
             Logon ID: %3              Assigned: %4

   Event ID: 577
       Type: Success Audit
Description: Privileged Service Called:
             Server: %1              Service: %2
             Primary User Name: %3      Primary Domain: %4
             Primary Logon ID: %5       Client User Name: %6
             Client Domain: %7          Client Logon ID: %8
             Privileges: %9

   Event ID: 578
       Type: Failure Audit
Description: Privileged object operation:
             Object Server: %1          Object Handle: %2
             Process ID: %3             Primary User Name: %4
             Primary Domain: %5         Primary Logon ID: %6
             Client User Name: %7       Client Domain: %8
             Client Logon ID: %9        Privileges: %10

   Event ID: 592
       Type: Success Audit
Description: A new process has been created:
             New Process ID: %1         Image File Name: %2
             Creator Process ID: %3     User Name: %4
             Domain: %5                 Logon ID: %6

   Event ID: 593
       Type: Success Audit
Description: A process has exited:
             Process ID: %1             User Name: %2
             Domain: %3              Logon ID: %4

   Event ID: 594
       Type: Success Audit
Description: A handle to an object has been duplicated:
             Source Handle ID: %1       Source Process ID: %2
             Target Handle ID: %3       Target Process ID: %4

   Event ID: 595
       Type: Success Audit
Description: Indirect access to an object has been obtained:
             Object   Type: %1          Object Name: %2
             Process ID: %3             Primary User Name: %4
             Primary Domain: %5         Primary Logon ID: %6
             Client User Name: %7       Client Domain: %8
             Client Logon ID: %9        Accesses: %10

   Event ID: 608
       Type: Success Audit
Description: User Right Assigned:
             User Right: %1             Assigned To: %2
             Assigned By:
             User Name: %3              Domain: %4
             Logon ID: %5

   Event ID: 609
       Type: Success Audit
Description: User Right Removed:
             User Right: %1             Removed From: %2
             Removed By:
             User Name: %3              Domain: %4
             Logon ID: %5

   Event ID: 610
       Type: Success Audit
Description: New Trusted Domain:
             Domain Name: %1            Domain ID: %2
             Established By:
             User Name: %3              Domain: %4
             Logon ID: %5

   Event ID: 611
       Type: Success Audit
Description: Removing Trusted Domain:
             Domain Name: %1            Domain ID: %2
             Removed By:
             User Name: %3              Domain: %4
             Logon ID: %5

   Event ID: 612
       Type: Success Audit
Description: Audit Policy Change:
             New Policy:
             Success   Failure
               %1         %2    System
               %3         %4    Logon/Logoff
               %5         %6    Object Access
               %7         %8    Privilege Use
               %9        %10    Detailed Tracking
              %11        %12    Policy Change
              %13        %14    Account Management
             Changed By:
             User Name: %15             Domain Name: %16
             Logon ID: %17

   Event ID: 624
       Type: Success Audit
Description: User Account Created:
             New Account Name: %1       New Domain: %2
             New Account ID: %3         Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges %7

   Event ID: 625
       Type: Success Audit
Description: User Account Type Change:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      New Type: %4
             Caller User Name: %5       Caller Domain: %6
             Caller Logon ID: %7

   Event ID: 626
       Type: Success Audit
Description: User Account Enabled:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6

   Event ID: 627
       Type: Success Audit
Description: Change Password Attempt:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 628
       Type: Success Audit
Description: User Account password set:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6

   Event ID: 629
       Type: Success Audit
Description: User Account Disabled:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6

   Event ID: 630
       Type: Success Audit
Description: User Account Deleted:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 631
       Type: Success Audit
Description: Global Group Created:
             New Account Name: %1       New Domain: %2
             New Account ID: %3         Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 632
       Type: Success Audit
Description: Global Group Member Added:
             Member: %1                 Target Account Name: %2
             Target Domain: %3          Target Account ID: %4
             Caller User Name: %5       Caller Domain: %6
             Caller Logon ID: %7        Privileges: %8

   Event ID: 633
       Type: Success Audit
Description: Global Group Member Removed:
             Member: %1                 Target Account Name: %2
             Target Domain: %3          Target Account ID: %4
             Caller User Name: %5       Caller Domain: %6
             Caller Logon ID: %7        Privileges: %8

   Event ID: 634
       Type: Success Audit
Description: Global Group Deleted:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 635
       Type: Success Audit
Description: Local Group Created:
             New Account Name: %1       New Domain: %2
             New Account ID: %3         Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 636
       Type: Success Audit
Description: Local Group Member Added:
             Member: %1                 Target Account Name: %2
             Target Domain: %3          Target Account ID: %4
             Caller User Name: %5       Caller Domain: %6
             Caller Logon ID: %7        Privileges: %8

   Event ID: 637
       Type: Success Audit
Description: Local Group Member Removed:
             Member: %1                 Target Account Name: %2
             Target Domain: %3          Target Account ID: %4
             Caller User Name: %5       Caller Domain: %6
             Caller Logon ID: %7        Privileges: %8

   Event ID: 638
       Type: Success Audit
Description: Local Group Deleted:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 639
       Type: Success Audit
Description: Local Group Changed:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 640
       Type: Success Audit
Description: General Account Database Change:
             Type of change: %1         Object Type: %2
             Object Name: %3            Object ID: %4
             Caller User Name: %5       Caller Domain: %6
             Caller Logon ID: %7

   Event ID: 641
       Type: Success Audit
Description: Global Group Changed:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 642
       Type: Success Audit
Description: User Account Changed:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

   Event ID: 643
       Type: Success Audit
Description: Domain Policy Changed:
             Domain: %1                 Domain ID: %2
             Caller User Name: %3       Caller Domain: %4
             Caller Logon ID: %5        Privileges: %6

   Event ID: 644
 Event Type: Success Audit
Description: User Account Locked Out
Target Account Name:  %1   Target Account ID: %2
Caller Machine Name:  %3    Caller User Name:  %4
Caller Domain:      %5        Caller Logon ID:  %6