Windows Security Log Encyclopedia

Plain English explanations of Windows security log events.

Research the security log by Category or Event ID:

Event
OS: Title:
ID
512 All Versions Windows NT is starting up
513 XP, Win2003 Windows NT is shutting down
514 All Versions An authentication package has been loaded by the
Local Security Authority
515 All Versions A trusted logon process has registered with the Local
Security Authority
516 All Versions Internal resources allocated for the queuing of audit
messages have been exhausted, leading to the loss of
some audits
517 All Versions The audit log was cleared
518 All Versions An notification package has been loaded by the
Security Account Manager
519 Win2003 A process is using an invalid local procedure call (LPC)
port
520 Win2003 The system time was changed
528 All Versions Successful Logon
529 All Versions Logon Failure - Unknown user name or bad password
530 All Versions Logon Failure - Account logon time restriction violation
531 All Versions Logon Failure - Account currently disabled
532 All Versions Logon Failure - The specified user account has expired
533 All Versions Logon Failure - User not allowed to logon at this
computer
534 All Versions Logon Failure - The user has not been granted the
requested logon type at this machine
535 All Versions Logon Failure - The specified account's password has
expired
536 All Versions Logon Failure - The NetLogon component is not active
537 All Versions Logon failure - The logon attempt failed for other
reasons
538 All Versions User Logoff
539 All Versions Logon Failure - Account locked out
540 XP, Win2000, Successful Network Logon
Win2003
552 Win2003 Logon attempt using explicit credentials
560 All Versions Object Open
561 All Versions Handle Allocated
562 All Versions Handle Closed
563 All Versions Object Open for Delete
564 All Versions Object Deleted
565 Win2000 Object Open (Active Directory)
Win2003 Object Open (W3 Active Directory)
566 Win2003 Object Operation (W3 Active Directory)
567 Win2003 Object Access Attempt
576 All Versions Special privileges assigned to new logon
577 All Versions Privileged Service Called
578 All Versions Privileged object operation
592 All Versions A new process has been created
593 All Versions A process has exited
594 All Versions A handle to an object has been duplicated
595 All Versions Indirect access to an object has been obtained
600 All Versions A process was assigned a primary token
601 Win2003 Attempt to install service
602 Win2003 Scheduled Task created
608 Win2003 User Right Assigned
609 All Versions User Right Removed
610 Win2000 New Trusted Domain
Win2003 New Trusted Domain
611 Win2000 Removing Trusted Domain
Win2003 Trusted Domain Removed
612 All Versions Audit Policy Change
613 All Versions IPSec policy agent started
614 All Versions IPSec policy agent disabled
615 Win2000 IPSEC PolicyAgent Service
Win2003 IPSec Services
616 Win2000 IPSec policy agent encountered a potentially serious
failure
617 Win2000, Kerberos Policy Changed
Win2003, DC
618 XP, Win2000, Encrypted Data Recovery Policy Changed
Win2003
619 All Versions Quality of Service Policy Changed
620 Win2000 Trusted Domain Information Modified
Win2003 Trusted Domain Information Modified
621 Win2003 System Security Access Granted
622 Win2003 System Security Access Removed
623 Win2003 Per User Audit Policy was refreshed
624 Win2000, User Account Created
Win2003
625 Win2003 Per user auditing policy set for user
Win2000, DC User Account Type Change
626 Win2000, User Account Enabled
Win2003
627 Win2000, Change Password Attempt
Win2003
628 Win2000, User Account password set
Win2003
629 Win2003 User Account Disabled
630 Win2000, User Account Deleted
Win2003
631 Win2000, Group created
 Win2003, DC
632 Win2000, Group member added or removed
Win2003, DC
633 Win2000, Group member added or removed
Win2003, DC
634 Win2000, Group deleted
Win2003, DC
635 Win2000, Group created
Win2003
636 Win2000, Group member added or removed
Win2003
637 Win2000, Group member added or removed
Win2003
638 Win2000, Group deleted
Win2003
639 Win2000, Group changed
Win2003
640 All Versions General Account Database Change
641 Win2000, Group changed
Win2003, DC
642 Win2000, User Account Changed
Win2003
643 Win2000 Domain Policy Changed
Win2003 Domain Policy Changed
644 All Versions User Account Locked Out
645 Win2000, Computer Account Created
Win2003, DC
646 Win2000, Computer Account Changed
Win2003, DC
647 Win2000, Computer Account Deleted
Win2003, DC
648 Win2000, Group created
Win2003, DC
649 Win2000, Group changed
Win2003, DC
650 Win2000, Group member added or removed
Win2003, DC
651 Win2000, Group member added or removed
Win2003, DC
652 Win2000, Group deleted
Win2003, DC
653 Win2000, Group created
Win2003, DC
654 Win2000, Group changed
Win2003, DC
655 Win2000, Group member added or removed
Win2003, DC
656 Win2000, Group member added or removed
Win2003, DC
657 Win2000, Group deleted
Win2003, DC
658 Win2000, Group created
Win2003, DC
659 Win2000, Group changed
Win2003, DC
660 Win2000, Group member added or removed
Win2003, DC
661 Win2000, Group member added or removed
Win2003, DC
662 Win2000, Group deleted
Win2003, DC
663 Win2000, Group created
Win2003, DC
664 Win2000, Group changed
Win2003, DC
665 Win2000, Group member added or removed
Win2003, DC
666 Win2000, Group member added or removed
Win2003, DC
667 Win2000, Group deleted
Win2003, DC
668 Win2000, Group Type Changed
Win2003, DC
669 All Versions Add SID History
670 All Versions Add SID History
671 Win2003 User Account Unlocked
672 Win2000 Authentication Ticket Granted
Win2003 Authentication Ticket Request
673 Win2000 Service Ticket Granted
Win2003 Service Ticket Request
674 Win2000 Ticket Granted Renewed
Win2003 Service Ticket Renewed
675 Win2000, Pre-authentication failed
Win2003, DC
676 Win2000 Authentication Ticket Request Failed
Win2003 Authentication Ticket Request Failed
677 Win2000 Service Ticket Request Failed
Win2003 Service Ticket Request Failed
678 All Versions Account Mapped for Logon by
679 Win2000 The name: %2 could not be mapped for logon by: %1
680 Win2000 Account Used for Logon by
Win2003 Logon attempt
681 Win2000 The logon to account: %2 by: %1 from workstation: %3
failed
Win2003 The logon to account: %2 by: %1 from workstation: %3
failed
682 XP, Win2000, Session reconnected to winstation
Win2003
683 XP, Win2000, Session disconnected from winstation
Win2003
684 Win2003 Set the security descriptor of members of administrative
groups
685 Win2003 Account Name Changed
686 Win2003 Password of the following user accessed
687 All Versions Application group operation
688 Win2003 Application group operation
689 Win2003 Application group operation
690 Win2003 Application group operation
691 Win2003 Application group operation
692 All Versions Application group operation
693 Win2003 Application group operation
694 Win2003 Application group operation
695 Win2003 Application group operation
696 Win2003 Application group operation
806 Win2003 Per User Audit Policy was refreshed
807 Win2003 Per user auditing policy set for user