Skip navigation

JSI Tip 5478. How do I interpret security auditing events related to user authentication?


Tip 4108 and links contains Windows 2000 Security Event Descriptions.

The security auditing events related to user authentication appear in the Security event log. The relevant Event IDs are:

EventID   Description
   514     An authentication package has been loaded by the LSA.
   515     A trusted logon process has registered with the LSA.
   518     A notification package has been loaded by the Security Account Manager.
   528     Successful Logon.
   529     Logon Failure: Unknown user name or bad password.
   530     Logon Failure: Account logon time restriction violation.
   531     Logon Failure: Account currently disabled.
   532     Logon Failure: The specified user account has expired.
   533     Logon Failure: User not allowed to logon at this computer.
   534     Logon Failure: The user has not been granted the requested logon type at this machine.
   535     Logon Failure: The specified account's password has expired.
   536     Logon Failure: The NetLogon component is not active.
   537     Logon Failure: An unexpected error occurred during logon.
   538     User Logoff.
   539     Logon Failure: Account locked out.
   644     User Account Locked Out.
Some security events report a SID instead of a user name. Use the SidToName freeware to decode a SID into a user-friendly username.

The reported Logon Type will be one of the following:

   2  Interactive
   3  Network
   4  Batch
   5  Service
   6  Proxy
   7  Unlock Workstation
The Logon Process will be one the following:
  "msv1_0" or "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0":
     msv1_0.dll, the default authentication package

  "KSecDD":
     ksecdd.sys, the security device driver

  "User32" or "WinLogon\MSGina":
     winlogon.exe & msgina.dll, the authentication user interface

  "SCMgr":
     The Service Control Manager

  "LAN Manager Workstation Service"

  "advapi"
   API call to LogonUser

  "MS.RADIU":
    The RADIUS authentication package; a part of the Microsoft Internet
    Authentication Services (IAS).


Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish