Security Log Quick Reference
Courtesy of Randy Franklin Smith's UltimateWindowsSecurity.com

Important Windows Security Events (Domain Controllers)
| Event ID | Category | Explanation |
|---|---|---|
| 675 | Audit account logon events | Event 675 on a domain controller indicates a failed initial attempt to logon via Kerberos at a workstation with a domain account, usually due to a bad password, but the failure code indicates exactly why authentication failed. See Kerberos failure codes below. |
| 676 or Failed 672 | Audit account logon events | Event 676 gets logged for other types of failed authentication. See Kerberos failure codes below. NOTE: Windows 2003 Server logs a failed event 672 instead of 676. |
| 681 or Failed 680 | Audit account logon events | Event 675 on a domain controller indicates a failed logon via NTLM with a domain account. Error code indicates exactly why authentication failed. See NTLM error codes below. NOTE: Windows 2003 Server logs a failed event 680 instead of 681. |
| 642 | Audit account management | Event 642 indicates a change to the specified user account such as a reset password or a disabled account being re-enabled. The event's description specifies the type of change. |
| 632, 636, 660 | Audit account management | All 3 events indicate the specified user was added to the specified group. Group scopes Global, Local and Universal correspond to the 3 event IDs. |
| 624 | Audit account management | New user account was created. |
| 644 | Audit account management | Specified user account was locked out after repeated logon failures. |
| 517 | Audit system events | The specified user cleared the security log. |

Kerberos Failure Codes

| Error Code | Cause |
|---|---|
| | The username doesn't exist. |
| 12 | Workstation restriction; logon time restriction. |
| 18 | Account disabled, expired, or locked out. |
| 23 | The user's password has expired. |
| 24 | Pre-authentication failed; usually means bad password. |
| 32 | Ticket expired. This is a normal event that gets frequently logged by computer accounts. |
| 37 | The workstation's clock is too far out of synchronization with the DC's clock. |

For other Kerberos codes see http://www.ietf.org/rfc/rfc1510.txt

NTLM Error Codes

| Error Code (Decimal) | Error Code (Hex) | Explanation |
|---|---|---|
| 3221225572 | C0000064 | user name does not exist |
| 3221225578 | C000006A | user name is correct but the password is wrong |
| 3221226036 | C0000234 | user is currently locked out |
| 3221225586 | C0000072 | account is currently disabled |
| 3221225583 | C000006F | user tried to logon outside his day of week or time of day restrictions |
| 3221225584 | C0000070 | workstation restriction |
| 3221225875 | C0000193 | account expiration |
| 3221225585 | C0000071 | expired password |
| 3221226020 | C0000224 | user is required to change password at next logon |
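
The following Python example is added here and is not part of the original reference card. It normalizes the failure codes from events 675/676/672 and 681/680 against the two code tables above and reports clients whose bad-password or unknown-user failures span several accounts. The event dictionaries, their `id`, `user`, `client` and `code` field names and the `min_users` threshold are assumptions, the sample events are constructed, and Kerberos code 6 (principal unknown) is taken from RFC 1510.

```python
from collections import defaultdict

# Kerberos failure codes, decimal as on the card (events 675, 676, failed 672).
# 6 (principal unknown) is taken from RFC 1510.
KERBEROS = {6: "unknown_user", 12: "restriction", 18: "disabled_expired_locked",
            23: "password_expired", 24: "bad_password", 32: "ticket_expired",
            37: "clock_skew"}
# NTLM error codes (events 681, failed 680).
NTLM = {0xC0000064: "unknown_user", 0xC000006A: "bad_password",
        0xC0000234: "locked_out", 0xC0000072: "disabled",
        0xC000006F: "restriction", 0xC0000070: "restriction",
        0xC0000193: "account_expired", 0xC0000071: "password_expired",
        0xC0000224: "must_change_password"}
TABLES = {675: KERBEROS, 676: KERBEROS, 672: KERBEROS, 681: NTLM, 680: NTLM}
GUESSING = {"bad_password", "unknown_user"}

def classify(event):
    """Return the failure reason for an account-logon failure, else None."""
    table = TABLES.get(event["id"])
    code = event.get("code")
    if table is None or code is None:
        return None
    # Codes arrive as hex ("0x18") or decimal ("3221225578"); base 0 reads both.
    return table.get(int(str(code), 0), "other")

def guessing_sources(events, min_users=3):
    """Map each client to the accounts it failed against, if >= min_users."""
    accounts = defaultdict(set)
    for ev in events:
        if classify(ev) in GUESSING:
            accounts[ev["client"]].add(ev["user"].lower())
    return {c: sorted(u) for c, u in accounts.items() if len(u) >= min_users}

# Constructed sample events (hypothetical field names, not real log data).
SAMPLE = [
    {"id": 675, "user": "alice", "client": "10.0.0.7", "code": "0x18"},
    {"id": 675, "user": "bob", "client": "10.0.0.7", "code": "0x18"},
    {"id": 676, "user": "nosuchuser", "client": "10.0.0.7", "code": "0x6"},
    {"id": 681, "user": "carol", "client": "10.0.0.7", "code": "3221225578"},
    {"id": 675, "user": "WKS01$", "client": "10.0.0.9", "code": "0x20"},
    {"id": 680, "user": "dave", "client": "10.0.0.9", "code": "0xC000006A"},
]

if __name__ == "__main__":
    for client, users in guessing_sources(SAMPLE).items():
        print(client, "failed against", users)
```

The expired-ticket failure from the computer account `WKS01$` is classified but not counted, matching the card's note that code 32 is normal for computer accounts.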

Logon Types

| Logon Type | Description |
|---|---|
| | Interactive (logon at keyboard and screen of system) |
| | Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon - Never logged by 528 on W2k and forward. See event 540) |
| | Batch (i.e. scheduled task) |
| | Service (Service startup) |
| | Unlock (i.e. unattended workstation with password protected screen saver) |
| | NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with basic authentication) See this article for more information. |
| | NewCredentials |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network) |

Logon/Logoff

| Event ID | Title |
|---|---|
| 528 | Successful Logon |
| 529 | Logon Failure - Unknown user name or bad password |
| 530 | Logon Failure - Account logon time restriction violation |
| 531 | Logon Failure - Account currently disabled |
| 532 | Logon Failure - The specified user account has expired |
| 533 | Logon Failure - User not allowed to logon at this computer |
| 534 | Logon Failure - The user has not been granted the requested logon type at this machine |
| 535 | Logon Failure - The specified account's password has expired |
| 539 | Logon Failure - Account locked out |
| 540 | Successful Network Logon (Windows 2000, XP, 2003 Only) |

Browse to UltimateWindowsSecurity.com for the latest information and resources
2006 Monterey Technology Group, Inc.