Security events that correlate service account logon events

This article was previously published under CHS274176
Summary
In Windows 2000 and earlier versions of Windows, for many processes (such as services) it is not possible to correlate an account logon event (security event ID 528) with a process creation event. However, administrators can use security event ID 600 (included in Windows XP) to make this correlation. This article describes how to interpret the security event log so that you can understand these events.
More information
If you audit account logon events, logon events, and process tracking, the following five events are recorded when a service is started with a user account:
  • Kerberos ticket request
    (672 Account Logon)
  • Kerberos ticket granted
    (673 Account Logon)
  • Account logon
    (528 Logon/Logoff)
  • Service process started
    (592 Detailed Tracking)
  • Account that started the service is recorded
    (600 Detailed Tracking)
The following sample events appear when the License Logging service is started with a domain account.

Kerberos ticket request

Event Type:  Success Audit
Event Source:  Security
Event Category:  Account Logon
Event ID:  672
Date:  08/14/2000
Time:  05:13:02
User:  NT AUTHORITY\SYSTEM
Computer:  <computer name>
Description:
Authentication Ticket Request:
   User Name:  <user name>
   Supplied Realm Name:  <realm name>
   User ID:  <realm name>\<user name>
   Service Name:  <service name>
   Service ID:  <realm name>\<service name>
   Ticket Options:  0x40810010
   Result Code:  -
   Ticket Encryption Type:  0x17
   Pre-Authentication Type:  2
   Client Address:  127.0.0.1

Kerberos ticket granted

Event Type:  Success Audit
Event Source:  Security
Event Category:  Account Logon
Event ID:  673
Date:  08/14/2000
Time:  05:13:02
User:  NT AUTHORITY\SYSTEM
Computer:  <computer name>
Description:
Service Ticket Granted:
   User Name:  <user name>
   User Domain:  <user domain name>
   Service Name:  <computer name>$
   Service ID:  <user domain name>\<computer name>$
   Ticket Options:  0x40810010
   Ticket Encryption Type:  0x17
   Client Address:  127.0.0.1

Account logon

Event Type:  Success Audit
Event Source:  Security
Event Category:  Logon/Logoff
Event ID:  528
Date:  08/14/2000
Time:  05:13:02
User:  <user domain name>\<user name>
Computer:  <computer name>
Description:
Successful Logon:
   User Name:  <user name>
   Domain:  <domain name>
   Logon ID:  (0x0,0x1CBC6A)
   Logon Type:  5
   Logon Process:  Advapi
   Authentication Package:  Negotiate
   Workstation Name:  <computer name>

Service process started

Event Type:  Success Audit
Event Source:  Security
Event Category:  Detailed Tracking
Event ID:  592
Date:  08/14/2000
Time:  05:13:02
User:  NT AUTHORITY\SYSTEM
Computer:  <computer name>
Description:
A new process has been created:
   New Process ID:  2064
   Image File Name:  C:\WINDOWS\system32\llssrv.exe
   Creator Process ID:  264
   User Name:  <computer name>$
   Domain:  <domain name>
   Logon ID:  (0x0,0x3E7)

Account that started the service is recorded

Event Type:  Success Audit
Event Source:  Security
Event Category:  Detailed Tracking
Event ID:  600
Date:  08/14/2000
Time:  05:13:02
User:  NT AUTHORITY\SYSTEM
Computer:  <computer name>
Description:
A process was assigned a primary token.
   Process ID:  2064
   Image File Name:  C:\WINDOWS\system32\llssrv.exe
   User Name:  <user name>
   Domain:  <domain name>
   Logon ID:  (0x0,0x1CBC6A)
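As an added example, not part of the original article: the following Python script parses a constructed log in the field layout of the 528, 592 and 600 events above and, for each process, joins the 600 event to the 528 logon on Logon ID to recover the account the service actually runs as. CONTOSO, svc_license and SERVER01 are placeholder names.

```python
import re
# Constructed sample log (not a real capture) in the field layout of the 528,
# 592 and 600 events above; CONTOSO, svc_license and SERVER01 are placeholders.
SAMPLE_LOG = r"""
Event ID: 528
User Name: svc_license
Domain: CONTOSO
Logon ID: (0x0,0x1CBC6A)
Logon Type: 5

Event ID: 592
New Process ID: 2064
Image File Name: C:\WINDOWS\system32\llssrv.exe
User Name: SERVER01$
Domain: CONTOSO
Logon ID: (0x0,0x3E7)

Event ID: 600
Process ID: 2064
Image File Name: C:\WINDOWS\system32\llssrv.exe
User Name: svc_license
Domain: CONTOSO
Logon ID: (0x0,0x1CBC6A)
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split the log on blank lines; map each 'Key: value' line into a dict."""
    events = []
    for block in text.strip().split("\n\n"):
        matches = (FIELD.match(line) for line in block.splitlines())
        events.append({m.group(1): m.group(2) for m in matches if m})
    return events

def correlate(events):
    """Join each 600 event to the 528 logon that shares its Logon ID. The 592
    event only carries the creator's Logon ID (0x3E7, the SYSTEM session)."""
    logons = {e["Logon ID"]: e for e in events if e.get("Event ID") == "528"}
    created = {e["New Process ID"]: e for e in events if e.get("Event ID") == "592"}
    result = {}
    for e in (x for x in events if x.get("Event ID") == "600"):
        pid = e["Process ID"]
        result[pid] = {
            "image": e["Image File Name"],
            "user_shown_by_592": created.get(pid, {}).get("User Name"),
            "runs_as": e["Domain"] + "\\" + e["User Name"],
            "logon_type": logons.get(e["Logon ID"], {}).get("Logon Type"),
        }
    return result
```

For process 2064 the 592 event alone names the machine account SERVER01$, while the 600-to-528 join reports CONTOSO\svc_license together with the logon type recorded in the 528 event.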
Properties

Article ID: 274176 - Last Review: 08/28/2001 13:16:00 - Revision: 1.0

  • Microsoft Windows XP Professional Edition
  • kbinfo kbtool KB274176