Microsoft Windows XP Professional Resource Kit 2003
Windows XP Professional and Windows 2000 Server generate logon-related events when a user logs on interactively or remotely. These events are generated on the computer to which the logon attempt was made. For more information about the different types of logons and the logon process, see Logon and Authentication in this book.
528 A user successfully logged on to a computer.
Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.
Configurable Information: Success
Formal names: SE_AUDITID_SUCCESSFUL_LOGON SE_AUDITID_NETWORK_LOGON
This event is identical to event 540.
529 The logon attempt was made with an unknown user name or a known user name with a bad password.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_UNKNOWN_USER_OR_PWD
530 The user account tried to log on outside of the allowed time.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_TIME_RESTR
Logon time restrictions can only be configured for domain accounts. However, for non-domain accounts, it is still possible to configure logon time restrictions programmatically.
531 A logon attempt was made by using a disabled account.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_DISABLED
532 A logon attempt was made by using an expired account.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_EXPIRED
533 The user is not allowed to log on at this computer.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_WORKSTATION_RESTR
534 The user attempted to log on with a type (such as network, interactive, batch, service, or remote interactive) that is not allowed.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_LOGON_TYPE_RESTR
535 The password for the specified account has expired.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_PASSWORD_EXPIRED
536 The Net Logon service is not active.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_NETLOGON_NOT_STARTED
The Net Logon service is needed for domain-style logon attempts or logon attempts to an account that does not exist on the workstation at which the logon attempt is occurring.
537 The logon attempt failed for other reasons.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made, one or two status codes indicating why the logon failed.
Configurable Information: Failure
Formal name: SE_AUDITID_UNSUCCESSFUL_LOGON
In some cases, the reason for the logon failure might not be known. To find the individual status codes, search for the files Ntstatus.h or Winerror.h, and then open them by using a text editor such as Notepad.
538 A user logged off.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation at which the logon attempt was made.
Configurable Information: Success
Formal name: SE_AUDITID_LOGOFF
The logoff message can be caused by any type of logoff attempt.
539 The account was locked out at the time the logon attempt was made.
Parameters: User name, domain, or workstation that controls the user account, logon type, source of the logon attempt, authentication package used for the logon attempt, name of the workstation from which the logon attempt was made.
Configurable Information: Failure
Formal name: SE_AUDITID_ACCOUNT_LOCKED
540 A user successfully logged on to a computer.
Parameters: User name, domain, or workstation involved in the logon attempt, logon ID, logon type, source of the logon attempt, authentication package (NTLM, Kerberos V5, or negotiate) involved in the logon attempt, workstation name.
Configurable Information: Success
Formal names: SE_AUDITID_SUCCESSFUL_LOGON SE_AUDITID_NETWORK_LOGON
This event is identical to event 528.
541 Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
Parameters: Mode (main or quick), the IP address and name of the other host involved in the authentication, a filter specifying source and destination addresses (address can be either specific IP, IP subnet, or all computers), an encryption algorithm, hashing algorithm, and timeout for the security association.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGON_SUCCESS
542 A data channel was terminated.
Parameters: Mode (main or quick), a filter indicating a subnet, a particular host, or all computers, the inbound Service Parameters Index (SPI) or local host, the outbound SPI (the other peer in the connection).
Note: Data transfer mode is the same as quick mode (QM).
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGOFF_QM
543 Main mode was terminated.
Parameters: A filter indicating a subnet, a particular host, or all computers.
Configurable Information: Success
Formal name: SE_AUDITID_IPSEC_LOGOFF_MM
This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, peer termination, and so on.
544 Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
Parameters: Peer identity (the other host involved in the authentication), a filter indicating a subnet, a particular host, or all computers.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
545 Main mode authentication failed because of a Kerberos failure or a password that is not valid.
Parameters: Peer identity (the other host involved in the authentication), filter indicating a subnet, a particular host, or all computers.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_AUTH_FAIL
546 IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
Parameters: Mode (main or quick, depending on when the error occurred), a filter indicating a subnet, a particular host, or all computers, incorrect attribute, expected value, received value.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_ATTRIB_FAIL
547 A failure occurred during an IKE handshake.
Parameters: Mode (indicates when the failure occurred), a filter indicating a subnet, particular host, or all computers, the point of failure, and the reason for the failure.
Configurable Information: Failure
Formal name: SE_AUDITID_IPSEC_NEGOTIATION_FAIL
548 The security ID (SID) from a trusted domain does not match the home domain SID of the client.
Parameters: User name, domain name, logon type, logon process, authentication package, workstation name, impersonated domain.
Configurable Information: Failure
Formal name: SE_AUDITID_DOMAIN_TRUST_INCONSISTENT
549 All SIDs were filtered out during a cross-forest authentication.
Parameters: User name, domain name, logon type, logon process, authentication package, workstation name.
Configurable Information: Failure
Formal name: SE_AUDITID_ALL_SIDS_FILTERED
During cross-forest authentication, all SIDs corresponding to untrusted namespaces are filtered out. This event is triggered when this filtering action removes all SIDs.
550 Indicates a possible denial-of-service attack.
Parameters: No parameters, other than the above text describing the beginning or ending of a denial-of-service attack.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_IPSEC_IKE_NOTIFICATION
This event message is generated when IKE has a large number of pending requests to establish security associations and is entering denial-of-service prevention mode. This might be normal if it is caused by high computer load or a large number of client connection attempts. It might also be the result of a denial-of-service attack against IKE. If this is a denial-of-service attack, there are usually many audits for failed IKE negotiations to spoofed IP addresses. Otherwise, the computer is simply under extremely heavy load.
682 A user has reconnected to a disconnected terminal server session.
Parameters: User name, domain name, logon ID, session name, client name, client address.
Configurable Information: Success
Formal name: SE_AUDITID_SESSION_RECONNECTED
This event message is generated on a terminal server.
683 A user disconnected a terminal server session without logging off.
Parameters: User name, domain, logon ID, session name, client name, client address.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_SESSION_DISCONNECTED
This event message is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
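The catalogue above becomes more useful when its event semantics are turned into detection logic. The following Python is an added example, not part of the Resource Kit: it runs over constructed sample security-log records, counts failure audits per account, flags the bad-password-then-lockout pattern (a run of 529 ending in 539), and applies the note on event 550 that many 547 negotiation failures before a 550 point to an IKE denial-of-service rather than plain load. The record layout, thresholds, user names and host names are all assumptions.

```python
from collections import Counter, defaultdict

# Event IDs as defined in the logon audit catalogue above.
LOGON_FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
BAD_PASSWORD, ACCOUNT_LOCKED = 529, 539
IKE_NEGOTIATION_FAIL, IKE_DOS_NOTIFICATION = 547, 550

# Constructed sample records (not real audit data), in logged order.
# Layout assumed here: (event_id, user, computer that logged the audit).
SAMPLE_EVENTS = [
    (528, "alice", "WS01"),
    (529, "bob", "WS02"), (529, "bob", "WS02"), (529, "bob", "WS02"),
    (529, "bob", "WS02"), (529, "bob", "WS02"), (539, "bob", "WS02"),
    (530, "carol", "WS03"),
    (540, "dave", "WS04"),
    (547, "-", "GW1"), (547, "-", "GW1"), (547, "-", "GW1"), (550, "-", "GW1"),
]

def failed_logons_by_user(events):
    """Count logon-failure audits (529 through 537, plus 539) per account."""
    counts = Counter()
    for event_id, user, _ in events:
        if event_id in LOGON_FAILURE_IDS:
            counts[user] += 1
    return counts

def guess_then_lockout(events, threshold=5):
    """Accounts whose lockout (539) was preceded by >= threshold bad-password
    audits (529). That run is the footprint of password guessing tripping the
    lockout policy; a 539 with no 529 run is more often a stale saved credential."""
    bad_pw, flagged = defaultdict(int), []
    for event_id, user, _ in events:
        if event_id == BAD_PASSWORD:
            bad_pw[user] += 1
        elif event_id == ACCOUNT_LOCKED:
            if bad_pw[user] >= threshold:
                flagged.append(user)
            bad_pw[user] = 0  # the lockout closes the run
    return flagged

def ike_dos_suspected(events, min_failures=3):
    """Hosts that logged a 550 after >= min_failures 547 failures. Per the note
    on event 550, that combination suggests an IKE denial-of-service, while a
    550 on its own points to plain overload."""
    fails, suspects = Counter(), []
    for event_id, _, host in events:
        if event_id == IKE_NEGOTIATION_FAIL:
            fails[host] += 1
        elif event_id == IKE_DOS_NOTIFICATION and fails[host] >= min_failures:
            suspects.append(host)
    return suspects
```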