NT Gatekeeper: Interpreting Authentication Event IDs

I'm preparing a course to help our Windows NT administrators with common NT troubleshooting scenarios. I'm going to cover interpreting NT Event Viewer log entries. One area in which I'm particularly interested is NT user authentication events—for example, event ID 528 (successful logon) or event ID 531 (logon failure: account currently disabled). Can you provide a short explanation of NT authentication-event fields?

Figure 1 shows the event details for a successful logon event. Figure 2 shows the event details for a logon failure event. Table 1 describes all the event detail fields.

The Logon Type field can have one of the following values: 2 (interactive logon), 3 (network logon), 4 (batch logon), 5 (service logon), 6 (proxy logon), or 7 (unlock workstation). The most frequently occurring Logon Type values are 2 and 3. When you see a Logon Type 2 in the Event Viewer logs, you know that somebody logged on interactively to your machine. When you see a Logon Type 3, you know that somebody tried to access a resource on your computer from the network. When you see a Logon Type 4, you know that the NT Scheduler service ran a script or program in batch. When you see a Logon Type 5, you know that an NT service has started using a specific user account.

The Logon ID field uniquely identifies a logon session on a particular machine. Because both a logon session's logon and logoff events refer to the same Logon ID, you can use the Logon ID to find the logoff event that corresponds to a particular logon event. A logoff event has event ID 538.

The Logon Process field shows the name of the process that initiated the logon. Table 2 shows some of the possible values for this field and their meaning.

In NT 4.0, the Authentication Package field typically has the value MICROSOFT_AUTHENTICATION_PACKAGE_V1_0. This authentication package, also known as MSV1_0, authenticates users against the SAM database. MSV1_0 supports the NT LAN Manager (NTLM) authentication protocol and NTLM-based pass-through authentication.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.