Windows 2000 Security Event Descriptions (Part 1 of 2)
Article ID: 299475
This article was previously published under Q299475
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/).
SUMMARY
This article contains descriptions of various security-related and auditing-related events, and information about how to interpret these events. These events will all appear in the Security event log and will be logged with a source of "Security." The following article in the Microsoft Knowledge Base is Part 2 of 2:
301677 (http://support.microsoft.com/kb/301677/EN-US/) Windows 2000 Security Event Descriptions (Part 2 of 2)
MORE INFORMATION
Event ID: 512 (0x0200)
Type: Success Audit
Description: Windows NT is starting up.
Event ID: 513 (0x0201)
Type: Success Audit
Description: Windows NT is shutting down.
All logon sessions will be terminated by this shutdown.
Event ID: 514 (0x0202)
Type: Success Audit
Description: An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: %1
Event ID: 515 (0x0203)
Type: Success Audit
Description: A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: %1
Event ID: 516 (0x0204)
Type: Success Audit
Description: Internal resources allocated for the queuing of audit messages have been
exhausted, leading to the loss of some audits.
Number of audit messages discarded: %1
Event ID: 517 (0x0205)
Type: Success Audit
Description: The audit log was cleared
Primary User Name: %1 Primary Domain: %2
Primary Logon ID: %3 Client User Name: %4
Client Domain: %5 Client Logon ID: %6
Event ID: 518 (0x0206)
Type: Success Audit
Description: An notification package has been loaded by the Security Account Manager.
This package will be notified of any account or password changes.
Notification Package Name: %1
Event ID: 528 (0x0210)
Type: Success Audit
Description: Successful Logon:
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
Logon Process: %5 Authentication Package: %6
Workstation Name: %7
Event ID: 529 (0x0211)
Type: Failure Audit
Description: Logon Failure
Reason: Unknown user name or bad password
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 530 (0x0212)
Type: Failure Audit
Description: Logon Failure
Reason: Account logon time restriction violation
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 531 (0x0213)
Type: Failure Audit
Description: Logon Failure
Reason: Account currently disabled
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 532 (0x0214)
Type: Failure Audit
Description: Logon Failure
Reason: The specified user account has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 533 (0x0215)
Type: Failure Audit
Description: Logon Failure
Reason: User not allowed to logon at this computer
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 534 (0x0216)
Type: Failure Audit
Description: Logon Failure
Reason: The user has not been granted the requested logon type at this machine
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 535 (0x0217)
Type: Failure Audit
Description: Logon Failure
Reason: The specified account's password has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 536 (0x0218)
Type: Failure Audit
Description: Logon Failure
Reason: The NetLogon component is not active
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 537 (0x0219)
Type: Failure Audit
Description: Logon Failure
Reason: An unexpected error occurred during logon
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 538 (0x021A)
Type: Success Audit
Description: User Logoff
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4.
Event ID: 539 (0x021B)
Type: Failure Audit
Description: Logon Failure
Reason: Account locked out
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 540 (0x021c)
Type: Success Audit
Description: Successful Network Logon
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
Logon Process: %5 Authentication Package: %6
Workstation Name: %7
Event ID: 541 (0x021d)
Type: Success Audit
Description: IKE security association established.
Mode: %1 Peer Identity: %2
Filter: %3 Parameters: %4
Event ID: 542 (0x021e)
Type: Success Audit
Description: IKE security association ended.
Mode: Data Protection (Quick mode)
Filter: %1 Inbound SPI: %2
Outbound SPI: %3
Event ID: 543 (0x021f)
Type: Success Audit
Description: IKE security association ended.
Mode: Key Exchange (Main mode)
Filter: %1
Event ID: 544 (0x0220)
Type: Failure Audit
Description: IKE security association establishment failed because peer could not
authenticate. The certificate trust could not be established.
Peer Identity: %1 Filter: %2
Event ID: 545 (0x0221)
Type: Failure Audit
Description: IKE peer authentication failed.
Peer Identity: %1 Filter: %2
Event ID: 546 (0x0222)
Type: Failure Audit
Description: IKE security association establishment failed because peer
sent invalid proposal.
Mode: %1 Filter: %2
Attribute: %3 Expected value: %4
Received value: %5
Event ID: 547 (0x0223)
Type: Failure Audit
Description: IKE security association negotiation failed.
Mode: %1 Filter: %2
Failure Point: %3 Failure Reason: %4
Event ID: 560 (0x0230)
Type: Success Audit
Description: Object Open
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID:{%5,%6} Process ID: %7
Primary User Name: %8 Primary Domain: %9
Primary Logon ID: %10 Client User Name: %11
Client Domain: %12 Client Logon ID: %13
Accesses %14 Privileges %15
Event ID: 561 (0x0231)
Type: Success Audit
Description: Handle Allocated
Handle ID: %1 Operation ID:{%2,%3}
Process ID: %4
Event ID: 562 (0x0232)
Type: Success Audit
Description: Handle Closed
Object Server: %1 Handle ID: %2
Process ID: %3
Event ID: 563 (0x0233)
Type: Success Audit
Description: Object Open for Delete
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID:{%5,%6} Process ID: %7
Primary User Name: %8 Primary Domain: %9
Primary Logon ID: %10 Client User Name: %11
Client Domain: %12 Client Logon ID: %13
Accesses %14 Privileges %15
Event ID: 564 (0x0234)
Type: Success Audit
Description: Object Deleted
Object Server: %1 Handle ID: %2
Process ID: %3
Event ID: 565 (0x0235)
Type: Success Audit
Description: Object Open
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID:{%5,%6} Process ID: %7
Primary User Name: %8 Primary Domain: %9
Primary Logon ID: %10 Client User Name: %11
Client Domain: %12 Client Logon ID: %13
Accesses %14 Privileges %15
Properties:%16%17%18%19%20%21%22%23%24%25
Event ID: 566 (0x0236)
Type: Success Audit
Description: Object Operation
Operation Type %1 Object Type: %2
Object Name: %3 Handle ID: %4
Operation ID:{%5,%6} Primary User Name: %7
Primary Domain: %8 Primary Logon ID: %9
Client User Name: %10 Client Domain: %11
Client Logon ID: %12 Requested Accesses %13
Event ID: 576 (0x0240)
Type: Success Audit
Description: Special privileges assigned to new logon:
User Name: %1 Domain: %2
Logon ID: %3 Assigned: %4
Event ID: 577 (0x0241)
Type: Success Audit
Description: Privileged Service Called
Server: %1 Service: %2
Primary User Name: %3 Primary Domain: %4
Primary Logon ID: %5 Client User Name: %6
Client Domain: %7 Client Logon ID: %8
Privileges: %9
Event ID: 578 (0x0242)
Type: Success Audit
Description: Privileged object operation
Object Server: %1 Object Handle: %2
Process ID: %3 Primary User Name: %4
Primary Domain: %5 Primary Logon ID: %6
Client User Name: %7 Client Domain: %8
Client Logon ID: %9 Privileges: %10
Event ID: 592 (0x0250)
Type: Success Audit
Description: A new process has been created
New Process ID: %1 Image File Name: %2
Creator Process ID: %3 User Name: %4
Domain: %5 Logon ID: %6
Event ID: 593 (0x0251)
Type: Success Audit
Description: A process has exited
Process ID: %1 User Name: %2
Domain: %3 Logon ID: %4
Event ID: 594 (0x0252)
Type: Success Audit
Description: A handle to an object has been duplicated
Source Handle ID: %1 Source Process ID: %2
Target Handle ID: %3 Target Process ID: %4
Event ID: 595 (0x0253)
Type: Success Audit
Description: Indirect access to an object has been obtained
Object Type: %1 Object Name: %2
Process ID: %3 Primary User Name: %4
Primary Domain: %5 Primary Logon ID: %6
Client User Name: %7 Client Domain: %8
Client Logon ID: %9 Accesses: %10
Properties
Article ID: 299475 - Last Review: January 31, 2007 - Revision: 3.5








