Event ID:
528
Source:
Security
Message:
Successful Logon:
User Name: <user name>
Domain: <domain name>
Logon ID: <logon identifier>
Logon Type: <logon type>
Logon Process: <logon process>
Authentication Package: <package name>
Workstation Name: <computer name>

More information
Event ID:
592
Source:
Security
Message:
A new process has been created:
New Process ID: 860
Image File Name: calc.exe
Creator Process ID: 3492
User Name: MyUser
Domain: NETIKUS
Logon ID: (0x0,0x87F44D2)



More information
Event ID:
534
Source:
Security
Message:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6

More information
Event ID:
861
Source:
Security
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1160
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No


More information
Event ID:
560
Source:
Security
Message:
Object Open: Object Server: SC Manager Object Type: SERVICE OBJECT Object Name: RemoteAccess New Handle ID: - Operation ID: {0,840128961} Process ID: 416 Primary User Name: CLMTS001$ Primary Domain: ATSC Primary Logon ID: (0x0,0x3E7) Client User Name: e010421 Client Domain: ATSC Client Logon ID: (0x0,0x32125658) Accesses Query status of service Privileges -

More information
Event ID:
596
Source:
Security
Message:
Backup of data protection master key.
Key Identifier: ab7287ab-974d-4dc7-aaaa-91e0bc96642e
Recovery Server:
Recovery Key ID:
Failure Reason: 0x3A

More information
Event ID:
560
Source:
Security
Message:
Object Open: Object Server: Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: - Operation ID: {0,1502291133} Process ID: 1144 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: - Client Domain: - Client Logon ID: - Accesses: SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003

More information
Event ID:
627
Source:
Security
Message:
Change Password Attempt:
Target Account Name: ingmar
Target Domain: NETIKUS
Target Account ID: NETIKUS\ingmar
Caller User Name: ingmar
Caller Domain: NETIKUS
Caller Logon ID: (0x0,0xA467822)
Privileges: -


More information
Event ID:
513
Source:
Security
Message:
Type: Success Audit

Description: Windows NT is shutting down.
All logon sessions will be terminated by this shutdown.

More information
Event ID:
512
Source:
Security
Message:
Type: Success Audit
Windows is starting up

More information
Event ID:
602
Source:
Security
Message:
Scheduled Task created:
File Name: C:\WINDOWS\Tasks\Calculator.job
Command: C:\WINDOWS\system32\calc.exe
Triggers: At 11:48 AM every day, starting 11/14/2006.
Time: 11/14/2006 11:48:00 AM
Flags: 0x18000C0
Target User: EVENTSENTRY\User1
By:
User: User1
Domain: EVENTSENTRY
Logon ID: (0x0,0x127F30A0)

More information
Event ID:
537
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: An error occurred during logon
User Name: TheUser
Domain: TheDomain
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: WORKSTATION01
Status code: 0xC000005E
Substatus code: 0x0

More information
Event ID:
672
Source:
Security
Category:
Account Logon
Message:
Authentication Ticket Request:
User Name: computer$
Supplied Realm Name: DOMAIN.LOCAL
User ID: -
Service Name: krbtgt/DOMAIN.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 192.168.1.122
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

More information
Event ID:
673
Source:
Security
Category:
Account Logon
Message:
Type: Failure Audit
Source: Security
Event Category: Account Logon
Event ID: 677
User: NT AUTHORITY\SYSTEM
Description: Service Ticket Request Failed:
User Name: UserName
User Domain: DomainName
Service Name: ServiceName
Ticket Options: 0x40830000
Failure Code: 0xE
Client Address: IPAddress

More information
Event ID:
861
Source:
Security
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\eventsentry_svc.exe
Process identifier: 4840
User account: es_svc
User domain: DMN
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 2594
Allowed: No
User notified: No

More information
Event ID:
628
Source:
Security
Message:
User Account password set:
Target Account Name: QA
Target Domain: WESTELL
Target Account ID: WESTELL\QA
Caller User Name: JHINT
Caller Domain: WESTELL
Caller Logon ID: (0x0,0x8F1A7AB5)

More information
Event ID:
675
Source:
Security
Category:
Account Logon
Message:
Pre-authentication failed:
User Name: WIN2008$
User ID: TESTGROUND\WIN2008$
Service Name: krbtgt/TESTGROUND.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.138.23.31

More information
Event ID:
567
Source:
Security
Category:
Object Access
Message:
Object Access Attempt:
Object Server: Security
Handle ID: 9780
Object Type: File
Process ID: 904
Image File Name: C:\WINDOWS\system32\svchost.exe
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)

Access Mask: 0x6

More information
Event ID:
599
Source:
Security
Category:
Detailed Tracking
Message:
Unprotection of auditable protected data.
Data Description:
Key Identifier: 575dfb1a-2f3a-4cdd-a08c-5e2bf47579ed
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: 0x8009000B

More information
Event ID:
671
Source:
Security
Category:
Account Management
Message:
User Account Unlocked:
Target Account Name: gwashington
Target Domain: USA
Target Account ID: USA\gwashington
Caller User Name: sys.admin
Caller Domain: USA
Caller Logon ID: (0x0,0x41708D37)

More information
Event ID:
5032
Source:
Microsoft-Windows-Security-Auditing
Category:
Other System Events
Message:
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2

More information
Event ID:
529
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: My Name
Domain: MYDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: WORKSTATION

More information
Event ID:
861
Source:
Security
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\someprocess.exe
Process identifier: 3732
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55751
Allowed: No
User notified: No

More information
Event ID:
680
Source:
Security
Category:
Account Logon
Message:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: johndoe
Source Workstation:
Error Code: 0xC0000071


More information
Event ID:
517
Source:
Security
Message:
The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: nsi Client Domain: NSISENTRYTBOH Client Logon ID: (0x0,0x2568E)

More information
Event ID:
529
Source:
Security
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lgreenle Domain: mlsnet.local Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 9204 Transited Services: - Source Network Address: 192.168.0.76 Source Port: 39647

More information
Event ID:
529
Source:
Security
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lward Domain: Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 15676 Transited Services: - Source Network Address: 192.168.0.85 Source Port: 2235

More information
Event ID:
540
Source:
Security
Message:
Category Logon/Logoff
Type: success A
NT AUTHORITY\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x265B7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: -

More information
Event ID:
4634
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
An account was logged off.

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

More information
Event ID:
4647
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
User initiated logoff:

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

More information
Event ID:
10
Source:
Trend Micro Security Server
Category:
System
Message:
Threat Alert
OfficeScan detected Cryp_Neb-2 on COMPUTERNAME(user.name) in MyDomain domains.
File: C:\Software\Infected.zip (Infected.exe)
Detection date: 6/17/2009 21:45:17
Action: No action


More information
Event ID:
644
Source:
Security
Message:
User Account Locked Out

More information
Event ID:
6281
Source:
Microsoft-Windows-Security-Auditing
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm

More information
Event ID:
529
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: FIRST LAST
Domain: USER-PC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-PC
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 0.0.0.0
Source Port: 0


More information
Event ID:
6145
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Policy Change Events
Message:
One or more errors occured while processing security policy in the group policy objects.

Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy


More information
Event ID:
520
Source:
Security
Category:
System Event
Message:
The system time was changed.
Process ID: 1296
Process Name: C:\WINDOWS\system32\EVENTSENTRY\eventsentry_svc.exe
Primary User Name: WEBSERVER$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WEBSERVER$
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x3E7)
Previous Time: 8:57:01 PM 8/31/2011
New Time: 8:57:06 PM 8/31/2011

More information
Event ID:
621
Source:
Security
Category:
Policy Change
Message:
System Security Access Granted:
Access Granted: SeBatchLogonRight
Account Modified: DOMAINA\username
Assigned By:
User Name: SERVERNAME$
Domain: DOMAINA
Logon ID: (0x0,0x3E7)


More information
Event ID:
4951
Source:
Microsoft-Windows-Security-Auditing
Category:
MPSSVC Rule-Level Policy Change
Message:
Windows Firewall ignored a rule because its major version number is not recognized.

Profile: All

Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -

More information
Event ID:
521
Source:
Security
Category:
System Event
Message:
Unable to log events to security log:
Status code: 0xc0000008
Value of CrashOnAuditFail: 0
Number of failed audits: 103

More information
Event ID:
6281
Source:
Microsoft Windows security
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\sysfer.dll

More information
Event ID:
4634
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
An account was logged off.

Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


More information
Event ID:
4624
Source:
Security
Category:
Logon/Logoff
Message:
An account was successfully logged on.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WORKSTATION123$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7

Logon Type: 7

New Logon:
Security ID: CORPDOMAIN\john.doe
Account Name: john.doe
Account Domain: CORPDOMAIN
Logon ID: 0xf3e668
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x314
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: WORKSTATION123
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

More information
Event ID:
4688
Source:
Security
Message:
A new process has been created.

Subject:
Security ID: CORPDOMAIN\jack.doe
Account Name: jack.doe
Account Domain: CORPDOMAIN
Logon ID: 0xc2b4c

Process Information:
New Process ID: 0xcec0
New Process Name: C:\Windows\System32\PING.EXE
Token Elevation Type: TokenElevationTypeLimited (2)
Creator Process ID: 0x116c

More information
Event ID:
4800
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was locked.

Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1

More information
Event ID:
4801
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was unlocked.

Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1

More information
Event ID:
4740
Source:
Security
Category:
User Account Management
Message:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: CORPDC1$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-1179352123-210183264333-1239653321-8754
Account Name: beth.jackson
Additional Information:
Caller Computer Name: CORPDC1

More information
Event ID:
4656
Source:
Microsoft-Windows-Security-Auditing
Category:
File System
Message:
A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0

More information
Event ID:
16
Source:
SecurityCenter
Message:
windows security center service could not stop windows defender

More information
Event ID:
4779
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Logon/Logoff Events
Message:
A session was disconnected from a Window Station.

Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249

Session:
Session Name: RDP-Tcp#0

Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6

More information
Event ID:
4689
Source:
Microsoft-Windows-Security-Auditing
Category:
Process Termination
Message:
A process has exited.

Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051

Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0

More information
Event ID:
8198
Source:
Security-SPP
Category:
None
Message:
License Activation (slui.exe) failed with the following error code: hr=0x803F7001
Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=UserLogon;SessionId=2

More information
Event ID:
5156
Source:
Microsoft Windows security auditing.
Message:
The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 4320
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 167.196.121.75
Destination Port: 60070
Protocol: 17

Filter Information:
Filter Run-Time ID: 83103
Layer Name: Receive/Accept
Layer Run-Time ID: 44

More information
Event ID:
4720
Source:
Microsoft Windows security
Category:
User Account Management
Message:
A user account was created.

More information
Event ID:
4738
Source:
Security
Category:
Audit User Account Management
Message:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>

More information
Found 54 records