Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

All Tags » Descriptions   (RSS)

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) Read More...
Posted Wednesday, June 10, 2009 4:09 PM by Eric Fitzgerald | 1 Comments
Filed under: , ,

Windows Server 2008 Security Events Posted

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base . Even better, they documented all the events in spreadsheet format, and that's Read More...
Posted Wednesday, April 16, 2008 11:09 PM by Eric Fitzgerald | 0 Comments
Filed under: ,

You learn something new every day- Logon Type 0

Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event ( 528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field Read More...
Posted Tuesday, February 26, 2008 12:49 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

I always wondered who Björn was...

OK here's something I just remembered today. I may be the last person who remembers this so it's important that I record this somewhere. In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the Read More...
Posted Thursday, January 17, 2008 2:47 PM by Eric Fitzgerald | 1 Comments
Filed under:

Why does Windows XP generate so many logon failure events?

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no Read More...
Posted Friday, November 09, 2007 3:23 PM by Eric Fitzgerald | 3 Comments
Filed under: ,

List of Windows Server 2003 Events

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published " Security Event Descriptions ". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events Read More...
Posted Friday, October 12, 2007 11:45 AM by Eric Fitzgerald | 1 Comments
Filed under: , ,

Documentation on the Windows Vista and Windows Server 2008 Security Events

I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
Posted Tuesday, July 31, 2007 2:36 PM by Eric Fitzgerald | 2 Comments
Filed under: , , ,

The Trouble With Logoff Events

A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...
Posted Tuesday, May 08, 2007 1:37 PM by Eric Fitzgerald | 2 Comments
Filed under: , ,

How are object access events generated?

I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via Read More...
Posted Thursday, October 26, 2006 10:21 AM by Eric Fitzgerald | 3 Comments
Filed under: ,

Quick Overview of Object Access Auditing in Windows

A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for Read More...
Posted Tuesday, March 07, 2006 2:16 PM by Eric Fitzgerald | 2 Comments
Filed under: , ,

Privilege Use- what do we audit, and when?

Odd thing today- I got two questions about the obscure " FullPrivilegeAuditing " registry setting- so I thought I'd post my answer. Some of this is not new, I posted on the Windows Server 2003 SP1 changes to auditing a while back. Events ID 577 and 578 Read More...
Posted Monday, December 05, 2005 4:06 PM by Eric Fitzgerald | 0 Comments
Filed under:

Why don't I see the workstation name in logon events?

Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly populate the workstation field of the logon request. I don't know if this is intentional or not. 2. There is no way to carry this information in LDAP Read More...
Posted Tuesday, August 09, 2005 1:19 PM by Eric Fitzgerald | 0 Comments
Filed under: ,

Deciphering Account Logon Events

One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories? The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, Read More...
Posted Thursday, August 04, 2005 6:03 PM by Eric Fitzgerald | 6 Comments
Filed under:

Events 528 and 540

Logon events. Event 528 and Event 540 are the Logon events. Event 528 is for all logons except "network" logons. "Network" logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though credentials Read More...
Posted Thursday, December 09, 2004 5:59 PM by Eric Fitzgerald | 5 Comments
Filed under:
 
Page view tracker