Security Event for Associating Service Account Logon Events

This article was previously published under Q274176
SUMMARY
In Windows 2000 and earlier versions of Windows, it was not possible to associate an account logon event (security event ID 528) with a process creation event for many processes, such as services. However, an administrator can use security event ID 600 (included with Windows XP) to make this association. This article describes how to interpret the security event log so you can understand these events.
MORE INFORMATION
If you are auditing account logon events, logon events, and process tracking, the following five events are logged when a service is started with a user account:
  • Kerberos Ticket Request
    (672 Account Logon)
  • Kerberos Ticket Granted
    (673 Account Logon)
  • Account Logs On
    (528 Logon/Logoff)
  • Service Process starts
    (592 Detailed Tracking)
  • Account that started service logged
    (600 Detailed Tracking)
The following sample events are logged when the License Logging service is started by using a domain account.

Kerberos Ticket Request

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer: <computer name>
Description:
Authentication Ticket Request:
   User Name: <user name>
   Supplied Realm Name: <realm name>
   User ID: <realm name>\<user name>
   Service Name: <service name>
   Service ID: <realm name>\<service name>
   Ticket Options: 0x40810010
   Result Code: -
   Ticket Encryption Type: 0x17
   Pre-Authentication Type: 2
   Client Address: 127.0.0.1

Kerberos Ticket Granted

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer: <computer name>
Description:
Service Ticket Granted:
   User Name: <user name>
   User Domain: <user domain name>
   Service Name: <computer name>$
   Service ID: <user domain name>\<computer name>$
   Ticket Options: 0x40810010
   Ticket Encryption Type: 0x17
   Client Address: 127.0.0.1

Account Logs On

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 08/14/2000
Time: 05:13:02
User: <user domain name>\<user name>
Computer: <computer name>
Description:
Successful Logon:
   User Name: <user name>
   Domain: <domain name>
   Logon ID: (0x0,0x1CBC6A)
   Logon Type: 5
   Logon Process: Advapi
   Authentication Package: Negotiate
   Workstation Name: <computer name>

Service Process Starts

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer: <computer name>
Description:
A new process has been created:
   New Process ID: 2064
   Image File Name: C:\WINDOWS\system32\llssrv.exe
   Creator Process ID: 264
   User Name: <computer name>$
   Domain: <domain name>
   Logon ID: (0x0,0x3E7)

Account That Started Service Logged

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 600
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer: <computer name>
Description:
A process was assigned a primary token.
   Process ID: 2064
   Image File Name: C:\WINDOWS\system32\llssrv.exe
   User Name: <user name>
   Domain: <domain name>
   Logon ID: (0x0,0x1CBC6A)
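
The association shown in the samples above, as an added example that is not part of the original article: event 592 records the service process under the SYSTEM logon session (0x3E7), so the service account is found by joining event 600 to event 528 on Logon ID and to event 592 on process ID. The record layout, the function names, and the placeholder names svc_lls and EXAMPLE are assumptions made for this sketch.

```python
# Constructed records modelled on the article's samples; svc_lls and EXAMPLE
# are placeholder names, and the "Field: value" layout is an assumption.
SAMPLE_LOG = """\
Event ID: 528
User Name: svc_lls
Logon ID: (0x0,0x1CBC6A)
Logon Type: 5

Event ID: 592
New Process ID: 2064
Image File Name: C:\\WINDOWS\\system32\\llssrv.exe
Logon ID: (0x0,0x3E7)

Event ID: 600
Process ID: 2064
Image File Name: C:\\WINDOWS\\system32\\llssrv.exe
User Name: svc_lls
Domain: EXAMPLE
Logon ID: (0x0,0x1CBC6A)
"""

def parse_events(text):
    """Split blank-line separated records into field dictionaries."""
    events = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def correlate_service_logons(events):
    """Join 600 to 528 on Logon ID and to 592 on process ID."""
    logons = {e["Logon ID"]: e for e in events if e.get("Event ID") == "528"}
    created = {e["New Process ID"]: e for e in events if e.get("Event ID") == "592"}
    results = []
    for e in (e for e in events if e.get("Event ID") == "600"):
        logon = logons.get(e["Logon ID"])      # None if the 528 was not captured
        proc = created.get(e["Process ID"])    # PIDs are reused; last 592 wins here
        results.append({
            "image": e["Image File Name"],
            "account": e["Domain"] + "\\" + e["User Name"],
            "logon_type": logon["Logon Type"] if logon else None,
            "creator_logon_id": proc["Logon ID"] if proc else None,
        })
    return results

if __name__ == "__main__":
    for row in correlate_service_logons(parse_events(SAMPLE_LOG)):
        print(row)
```

Because process IDs are reused over time, a real log should pair each event 600 with the nearest preceding event 592 for that process ID rather than the last one seen.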
Properties

Article ID: 274176 - Last Review: 03/04/2004 18:38:08 - Revision: 1.2

  • Microsoft Windows XP Professional
  • kbinfo KB274176