W2K and NT Security Event Log Descriptions

All successful logons are Event ID 528 entries in the security log, assuming auditing is turned on and you are auditing successful logons. Unsuccessful logons have various event ids which categorize the type of logon failure.

Event ID 528 entries list the:

user name
domain
logon id
logon type
logon process
authenication package
workstation name

The types of successful logon types:

Type 2 : Console logon – interactive from the computer console
Type 3 : Network logon – network mapping (net use/net view)
Type 4 : Batch logon – scheduler
Type 5 : Service logon – service uses an account
Type 7 : Unlock Workstation

Type 0 & 1 are not used and Type 6 is listed as a proxy logon but I don’t know what that is. The Logon Type 3 events indicate a network logon event. A successful Net Use or File Manager connection or a successful Net View to a share generates Event ID 528. An event is generated by the initial connection from a particular user. Later Net Uses or Net Views by that a user from the same computer do not generate additional events unless the user has been disconnected. Auditing User Authentication gives additional information.

The unsuccessful logon events are:

Event ID 529 : Unknown user name or bad password
Event ID 530 : Logon time restriction violation
Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 533 : Workstation restriction – not allowed to logon at this computer
Event ID 534 : Inadequate rights – as in user account attempting console login to server
Event ID 535 : Password expired
Event ID 536 : NetLogon service down
Event ID 537 : unexpected error – the who knows ??? factor
Event ID 539 : Logon Failure: Account locked out
Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
Event ID 644 : User account Locked out

Event ID 538 is not an unsuccessful event but rather a successful logoff. Event ID 540 is not an unsuccessful event but rather a successful network logon as in mapping a network drive. Some Windows 2000 only events are:

Event ID 541 : IPSec security association established
Event ID 542 : IPSec security association ended (mode data protection)
Event ID 543 : IPSec security association ended (key exchange)
Event ID 544 : IPSec security association establishment failed because peer could not authenicate
Event ID 545 : IPSec peer authenication failed
Event ID 546 : IPSec security association establishment failed because peer sent invalid proposal
Event ID 547 : IPSec secuirty association negotiation failed
Event ID 672 : Authenication Ticket Granted
Event ID 673 : Service Ticket Granted
Event ID 674 : Ticket Granted Renewed
Event ID 675 : Pre-authenication failed
Event ID 676 : Authenication Ticket Request Failed
Event ID 677 : Service Ticket Request failed
Event ID 678 : Account mapped for logon
Event ID 679 : Account could not be mapped for logon
Event ID 680 : Account used for logon
Event ID 681 : Logon failed. There error code was:
Event ID 682 : Session reconnected to winstation
Event ID 683 : Session disconnected from winstation

You may get calls about the strange 627s, is someone breaking in? What is NT AUTHORITY \ ANONYMOUS? This event is logged when a the password is expired and the user tries to change it during logon. Thus you get no User Name but NT AUTHORITY \ ANONYMOUS written in the log. This error generates calls from Security Admins when they don’t understand the meaning of the error. On the surface, it sounds ominous. Event ID 642 records the PDCs change of secure channel passwords .

Some common event sequences:

Event ID 560 (Object Open), 561 (Handle Allocated), 562 (Handle Closed) : NT is doing internal checks, such as checking to see if the file exists and checking to see that there is no sharing violation

Event ID 592 (A New Process Has Been Created), 560 (Object Open), 561 (Handle Allocated), 562 (Handle Closed), 593 (Process Has Exited) : An executable starts, an audited object is opened and closed, executable exits.

Microsoft has recently published Windows 2000 Security Event Descriptions part 1 and Windows 2000 Security Event Descriptions part 2. A nice coverage for W2K. Related Tips: