Event ID:
Source:
Security
Message:
Successful Logon:
User Name: <user name>
Domain: <domain name>
Logon ID: <logon identifier>
Logon Type: <logon type>
Logon Process: <logon process>
Authentication Package: <package name>
Workstation Name: <computer name>


Event ID:
Source:
Security
Message:
A new process has been created:
New Process ID: 860
Image File Name: calc.exe
Creator Process ID: 3492
User Name: MyUser
Domain: NETIKUS
Logon ID: (0x0,0x87F44D2)




Event ID:
Source:
Security
Message:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6


Event ID:
Source:
Security
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1160
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No



Event ID:
Source:
Security
Message:
Object Open: Object Server: SC Manager Object Type: SERVICE OBJECT Object Name: RemoteAccess New Handle ID: - Operation ID: {0,840128961} Process ID: 416 Primary User Name: CLMTS001$ Primary Domain: ATSC Primary Logon ID: (0x0,0x3E7) Client User Name: e010421 Client Domain: ATSC Client Logon ID: (0x0,0x32125658) Accesses Query status of service Privileges -


Event ID:
Source:
Security
Message:
Backup of data protection master key.
Key Identifier: ab7287ab-974d-4dc7-aaaa-91e0bc96642e
Recovery Server:
Recovery Key ID:
Failure Reason: 0x3A


Event ID:
Source:
Security
Message:
Object Open: Object Server: Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: - Operation ID: {0,1502291133} Process ID: 1144 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: - Client Domain: - Client Logon ID: - Accesses: SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003


Event ID:
Source:
Security
Message:
Change Password Attempt:
Target Account Name: ingmar
Target Domain: NETIKUS
Target Account ID: NETIKUS\ingmar
Caller User Name: ingmar
Caller Domain: NETIKUS
Caller Logon ID: (0x0,0xA467822)
Privileges: -



Event ID:
Source:
Security
Message:
Type: Success Audit

Description: Windows NT is shutting down.
All logon sessions will be terminated by this shutdown.


Event ID:
Source:
Security
Message:
Type: Success Audit
Windows is starting up


Event ID:
Source:
Security
Message:
Scheduled Task created:
File Name: C:\WINDOWS\Tasks\Calculator.job
Command: C:\WINDOWS\system32\calc.exe
Triggers: At 11:48 AM every day, starting 11/14/2006.
Time: 11/14/2006 11:48:00 AM
Flags: 0x18000C0
Target User: EVENTSENTRY\User1
By:
User: User1
Domain: EVENTSENTRY
Logon ID: (0x0,0x127F30A0)


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: An error occurred during logon
User Name: TheUser
Domain: TheDomain
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: WORKSTATION01
Status code: 0xC000005E
Substatus code: 0x0


Event ID:
Source:
Security
Category:
Account Logon
Message:
Authentication Ticket Request:
User Name: computer$
Supplied Realm Name: DOMAIN.LOCAL
User ID: -
Service Name: krbtgt/DOMAIN.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 192.168.1.122
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:


Event ID:
Source:
Security
Category:
Account Logon
Message:
Type: Failure Audit
Source: Security
Event Category: Account Logon
Event ID: 677
User: NT AUTHORITY\SYSTEM
Description: Service Ticket Request Failed:
User Name: UserName
User Domain: DomainName
Service Name: ServiceName
Ticket Options: 0x40830000
Failure Code: 0xE
Client Address: IPAddress


Event ID:
Source:
Security
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\eventsentry_svc.exe
Process identifier: 4840
User account: es_svc
User domain: DMN
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 2594
Allowed: No
User notified: No


Event ID:
Source:
Security
Message:
User Account password set:
Target Account Name: QA
Target Domain: WESTELL
Target Account ID: WESTELL\QA
Caller User Name: JHINT
Caller Domain: WESTELL
Caller Logon ID: (0x0,0x8F1A7AB5)


Event ID:
Source:
Security
Category:
Account Logon
Message:
Pre-authentication failed:
User Name: WIN2008$
User ID: TESTGROUND\WIN2008$
Service Name: krbtgt/TESTGROUND.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.138.23.31


Event ID:
Source:
Security
Category:
Object Access
Message:
Object Access Attempt:
Object Server: Security
Handle ID: 9780
Object Type: File
Process ID: 904
Image File Name: C:\WINDOWS\system32\svchost.exe
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)

Access Mask: 0x6


Event ID:
Source:
Security
Category:
Detailed Tracking
Message:
Unprotection of auditable protected data.
Data Description:
Key Identifier: 575dfb1a-2f3a-4cdd-a08c-5e2bf47579ed
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: 0x8009000B


Event ID:
Source:
Security
Category:
Account Management
Message:
User Account Unlocked:
Target Account Name: gwashington
Target Domain: USA
Target Account ID: USA\gwashington
Caller User Name: sys.admin
Caller Domain: USA
Caller Logon ID: (0x0,0x41708D37)


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other System Events
Message:
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: My Name
Domain: MYDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: WORKSTATION


Event ID:
Source:
Security
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\someprocess.exe
Process identifier: 3732
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55751
Allowed: No
User notified: No


Event ID:
Source:
Security
Category:
Account Logon
Message:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: johndoe
Source Workstation:
Error Code: 0xC0000071



Event ID:
Source:
Security
Message:
The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: nsi Client Domain: NSISENTRYTBOH Client Logon ID: (0x0,0x2568E)


Event ID:
Source:
Security
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lgreenle Domain: mlsnet.local Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 9204 Transited Services: - Source Network Address: 192.168.0.76 Source Port: 39647


Event ID:
Source:
Security
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lward Domain: Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 15676 Transited Services: - Source Network Address: 192.168.0.85 Source Port: 2235


Event ID:
Source:
Security
Message:
Category Logon/Logoff
Type: success A
NT AUTHORITY\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x265B7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: -


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
An account was logged off.

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
User initiated logoff:

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.


Event ID:
Source:
Trend Micro Security Server
Category:
System
Message:
Threat Alert
OfficeScan detected Cryp_Neb-2 on COMPUTERNAME(user.name) in MyDomain domains.
File: C:\Software\Infected.zip (Infected.exe)
Detection date: 6/17/2009 21:45:17
Action: No action



Event ID:
Source:
Security
Message:
User Account Locked Out


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: FIRST LAST
Domain: USER-PC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-PC
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 0.0.0.0
Source Port: 0



Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Policy Change Events
Message:
One or more errors occured while processing security policy in the group policy objects.

Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy



Event ID:
Source:
Security
Category:
System Event
Message:
The system time was changed.
Process ID: 1296
Process Name: C:\WINDOWS\system32\EVENTSENTRY\eventsentry_svc.exe
Primary User Name: WEBSERVER$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WEBSERVER$
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x3E7)
Previous Time: 8:57:01 PM 8/31/2011
New Time: 8:57:06 PM 8/31/2011


Event ID:
Source:
Security
Category:
Policy Change
Message:
System Security Access Granted:
Access Granted: SeBatchLogonRight
Account Modified: DOMAINA\username
Assigned By:
User Name: SERVERNAME$
Domain: DOMAINA
Logon ID: (0x0,0x3E7)



Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
MPSSVC Rule-Level Policy Change
Message:
Windows Firewall ignored a rule because its major version number is not recognized.

Profile: All

Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -


Event ID:
Source:
Security
Category:
System Event
Message:
Unable to log events to security log:
Status code: 0xc0000008
Value of CrashOnAuditFail: 0
Number of failed audits: 103


Event ID:
Source:
Microsoft Windows security
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\sysfer.dll


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
An account was logged off.

Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.



Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
An account was successfully logged on.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WORKSTATION123$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7

Logon Type: 7

New Logon:
Security ID: CORPDOMAIN\john.doe
Account Name: john.doe
Account Domain: CORPDOMAIN
Logon ID: 0xf3e668
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x314
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: WORKSTATION123
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


Event ID:
Source:
Security
Message:
A new process has been created.

Subject:
Security ID: CORPDOMAIN\jack.doe
Account Name: jack.doe
Account Domain: CORPDOMAIN
Logon ID: 0xc2b4c

Process Information:
New Process ID: 0xcec0
New Process Name: C:\Windows\System32\PING.EXE
Token Elevation Type: TokenElevationTypeLimited (2)
Creator Process ID: 0x116c


Event ID:
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was locked.

Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1


Event ID:
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was unlocked.

Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1


Event ID:
Source:
Security
Category:
User Account Management
Message:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: CORPDC1$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-1179352123-210183264333-1239653321-8754
Account Name: beth.jackson
Additional Information:
Caller Computer Name: CORPDC1


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
File System
Message:
A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0


Event ID:
Source:
SecurityCenter
Message:
windows security center service could not stop windows defender


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Logon/Logoff Events
Message:
A session was disconnected from a Window Station.

Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249

Session:
Session Name: RDP-Tcp#0

Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Process Termination
Message:
A process has exited.

Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051

Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0


Found 50 records