Below follows a table of security events in Windows NT/2000.
Event
ID |
Description |
Short Description |
| 0 |
Unused message ID |
Unused message ID |
| 1 |
System Event |
System Event |
| 2 |
Logon/Logoff |
Logon/Logoff |
| 3 |
Object Access |
Object Access |
| 4 |
Privilege Use |
Privilege Use |
| 5 |
Detailed Tracking |
Detailed Tracking |
| 6 |
Policy Change |
Policy Change |
| 7 |
Account Management |
Account Management |
| 8 |
Directory Service Access |
Directory Service Access |
| 9 |
Account Logon |
Account Logon |
| 512 |
Windows NT is starting up. |
OS is starting up |
| 513 |
Windows NT is shutting down. |
OS is shutting down |
| 514 |
An authentication package has been loaded by the Local Security Authority. |
Authentication Pack loaded |
| 515 |
A trusted logon process has registered with the Local Security Authority. |
Trusted logon process registered |
| 516 |
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
System Resources exhausted |
| 517 |
The audit log was cleared |
The audit log was cleared |
| 518 |
An notification package has been loaded by the Security Account Manager. |
Notification package loaded |
| 528 |
Successful Logon |
Successful Logon |
| 529 |
Logon Failure: Unknown user name or bad password |
LF: Bad user name/password |
| 530 |
Logon Failure: Account logon time restriction violation |
LF: Logon Time Restriction |
| 531 |
Logon Failure: Account currently disabled |
LF: Account Disabled |
| 532 |
Logon Failure: The specified user account has expired |
LF: Account Expired |
| 533 |
Logon Failure: User not allowed to logon at this computer |
LF: No Logon Permissions |
| 534 |
Logon Failure: The user has not been granted the requested logon type at this machine |
LF: Logon Type Rejected |
| 535 |
The specified account's password has expired |
LF: Password Expired |
| 536 |
Logon Failure: The NetLogon component is not active |
LF: NetLogon inactive |
| 537 |
Logon Failure: An unexpected error occurred during logon |
LF: Unexpected error |
| 538 |
User Logoff |
User Logoff |
| 539 |
Logon Failure: |
LF: Account locked out |
| 540 |
Successful Network Logon |
Successful Network Logon |
| 541 |
IKE security association established. |
IKE sec. association established |
| 542 |
IKE security association ended : Data Protection |
IKE security association ended : DP |
| 543 |
IKE security association ended : Key Exchange |
IKE security association ended : KE |
| 544 |
IKE security association establishment failed because peer could not authenticate : The certificate trust could not be established. |
IKE sec. assoc. failed – could not establish cert. |
| 545 |
IKE peer authentication failed |
IKE peer authentication failed |
| 546 |
IKE security association establishment failed because peer sent invalid proposal.
|
IKE sec. assoc. failed – invalid proposal. |
| 547 |
IKE security association negotiation failed. |
IKE sec. association failed |
| 560 |
Object Open |
Object Open |
| 561 |
Handle Allocated |
Handle Allocated |
| 562 |
Handle Closed |
Handle Closed |
| 563 |
Object Open for Delete |
Object Open for Delete |
| 564 |
Object Deleted |
Object Deleted |
| 565 |
Object Open |
Object Open |
| 566 |
Object Operation |
Object Operation |
| 576 |
Special privileges assigned to new logon |
Special privileges assigned |
| 577 |
Privileged Service Called |
Privileged Service Called |
| 578 |
Privileged object operation |
Privileged object operation |
| 592 |
A new process has been created |
A new process has been created |
| 593 |
A process has exited |
A process has exited |
| 594 |
A handle to an object has been duplicated |
Object Handle Duplicated |
| 595 |
Indirect access to an object has been obtained |
Indirect object access |
| 608 |
User Right Assigned |
User Right Assigned |
| 609 |
User Right Removed |
User Right Removed |
| 610 |
New Trusted Domain |
New Trusted Domain |
| 611 |
Removing Trusted Domain |
Removing Trusted Domain |
| 612 |
Audit Policy Change |
Audit Policy Change |
| 613 |
IPSec policy agent started |
IPSec policy agent started |
| 614 |
IPSec policy agent disabled |
IPSec policy agent disabled |
| 615 |
IPSec PolicyAgent Service |
IPSec PolicyAgent Service |
| 616 |
IPSec policy agent encountered a potentially serious failure. |
IPSec policy agent failure |
| 617 |
Kerberos Policy Changed |
Kerberos Policy Changed |
| 618 |
Encrypted Data Recovery policy Changed |
Encr. Data Rec. policy Changed |
| 619 |
Quality of Service Policy Changed |
Q.O.S. Policy Changed |
| 620 |
Trusted Domain Information Modified |
Trusted Domain Information Modified |
| 624 |
User Account Created |
User Account Created |
| 625 |
User Account Type Change |
User Account Type Change |
| 626 |
User Account Enabled |
User Account Enabled |
| 627 |
Change Password Attempt |
Change Password Attempt |
| 628 |
User Account password set |
User Account password set |
| 629 |
User Account Disabled |
User Account Disabled |
| 630 |
User Account Deleted |
User Account Deleted |
| 631 |
Security Enabled Global Group Created |
Security G.Group Created. |
| 632 |
Security Enabled Global Group Member Added |
Security G.Group member added. |
| 633 |
Security Enabled Global Group Member Removed |
Security G.Group member removed. |
| 634 |
Security Enabled Global Group Deleted |
Security G.Group Deleted. |
| 635 |
Security Enabled Local Group Created |
Security L.Group Created. |
| 636 |
Security Enabled Local Group Member Added |
Security L.Group member added |
| 637 |
Security Enabled Local Group Member Removed |
Security L.Group member removed |
| 638 |
Security Enabled Local Group Deleted |
Security L.Group Deleted |
| 639 |
Security Enabled Local Group Changed |
Security L.Group Changed |
| 640 |
General Account Database Change |
General Account Database Change |
| 641 |
Security Enabled Global Group Changed |
Security G.Group Changed |
| 642 |
User Account Changed |
User Account Changed |
| 643 |
Domain Policy Changed |
Domain Policy Changed |
| 644 |
User Account Locked Out |
User Account Locked Out |
| 645 |
Computer Account Created |
Computer Account Created |
| 646 |
Computer Account Changed |
Computer Account Changed |
| 647 |
Computer Account Deleted |
Computer Account Deleted |
| 648 |
Security Disabled Local Group Created |
Security Disabled L.Group Created |
| 649 |
Security Disabled Local Group Changed |
Security Disabled L.Group Changed |
| 650 |
Security Disabled Local Group Member Added |
Security Disabled L.Group Member Added |
| 651 |
Security Disabled Local Group Member Removed |
Security Disabled L.Group Member Removed |
| 652 |
Security Disabled Local Group Deleted |
Security Disabled L.Group Deleted |
| 653 |
Security Disabled Global Group Created |
Security Disabled G.Group Created |
| 654 |
Security Disabled Global Group Changed |
Security Disabled G.Group Changed |
| 655 |
Security Disabled Global Group Member Added |
Security Disabled G.Group Member Added |
| 656 |
Security Disabled Global Group Member Removed |
Security Disabled G.Group Member Removed |
| 657 |
Security Disabled Global Group Deleted |
Security Disabled G.Group Deleted |
| 658 |
Security Enabled Universal Group Created |
Security Enabled U.Group Created |
| 659 |
Security Enabled Universal Group Changed |
Security Enabled U.Group Changed |
| 660 |
Security Enabled Universal Group Member Added |
Security Enabled U.Group Member Added |
| 661 |
Security Enabled Universal Group Member Removed |
Security Enabled U.Group Member Removed |
| 662 |
Security Enabled Universal Group Deleted |
Security Enabled U.Group Deleted |
| 663 |
Security Disabled Universal Group Created |
Security Disabled U.Group Created |
| 664 |
Security Disabled Universal Group Changed |
Security Disabled U.Group Changed |
| 665 |
Security Disabled Universal Group Member Added |
Security Disabled U.Group Member Added |
| 666 |
Security Disabled Universal Group Member Removed |
Security Disabled U.Group Member Removed |
| 667 |
Security Disabled Universal Group Deleted |
Security Disabled U.Group Deleted |
| 668 |
Group Type Changed |
Group Type Changed |
| 669 |
Add SID History |
SID History Added |
| 670 |
Add SID History |
SID History Added |
| 672 |
Authentication Ticket Granted |
Authentication Ticket Granted |
| 673 |
Service Ticket Granted |
Service Ticket Granted |
| 674 |
Ticket Granted Renewed |
Ticket Granted Renewed |
| 675 |
Pre - authentication failed |
Pre - authentication failed |
| 676 |
Authentication Ticket Request Failed |
Authentication Ticket Request Failed |
| 677 |
Service Ticket Request Failed |
Service Ticket Request Failed |
| 678 |
Account Mapped for Logon |
Account Mapped for Logon |
| 679 |
Account Mapping for Logon failure |
Account Mapping for Logon failure |
| 680 |
Account Used for Logon |
Account Used for Logon |
| 681 |
Logon to account failure |
Logon to account failure |
| 682 |
Session reconnected to winstation |
Winstation session connection |
| 683 |
Session disconnected from winstation |
Winstation session dis-connection |
