Windows Server 2016-Windows Security Log ID Summary

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

A summary of common Windows security event log IDs, for your reference; I hope it helps.

ID  Security event information
1100  The event logging service has shut down
1101  Audit events have been dropped by the transport
1102  The audit log was cleared
1104  The security log is now full
1105  Event log automatic backup
1108  The event logging service encountered an error
4608  Windows is starting up
4609  Windows is shutting down
4610  An authentication package has been loaded by the Local Security Authority
4611  A trusted logon process has been registered with the Local Security Authority
4612  Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
4614  A notification package has been loaded by the Security Account Manager
4615  Invalid use of LPC port
4616  The system time was changed
4618  A monitored security event pattern has occurred
4621  Administrator recovered system from CrashOnAuditFail
4622  A security package has been loaded by the Local Security Authority
4624  An account was successfully logged on
4625  An account failed to log on
4626  User / device claims information
4627  Group membership information
4634  An account was logged off
4646  IKE DoS-prevention mode started
4647  User initiated logoff
4648  A logon was attempted using explicit credentials
4649  A replay attack was detected
4650  An IPsec main mode security association was established
4651  An IPsec main mode security association was established
4652  An IPsec main mode negotiation failed
4653  An IPsec main mode negotiation failed
4654  An IPsec main mode negotiation failed
4655  An IPsec main mode security association ended
4656  A handle to an object was requested
4657  A registry value was modified
4658  The handle to an object was closed
4659  A handle to an object was requested with intent to delete
4660  An object was deleted
4661  A handle to an object was requested
4662  An operation was performed on an object
4663  An attempt was made to access an object
4664  An attempt was made to create a hard link
4665  An attempt was made to create an application client context
4666  An application attempted an operation
4667  An application client context was deleted
4668  An application was initialized
4670  Permissions on an object were changed
4671  An application attempted to access a blocked ordinal
4672  Special privileges assigned to new logon
4673  A privileged service was called
4674  An operation was attempted on a privileged object
4675  SIDs were filtered
4688  A new process has been created
4689  A process has exited
4690  An attempt was made to duplicate a handle to an object
4691  Indirect access to an object was requested
4692  Backup of data protection master key was attempted
4693  Recovery of data protection master key was attempted
4694  Protection of auditable protected data was attempted
4695  Unprotection of auditable protected data was attempted
4696  A primary token was assigned to process
4697  A service was installed in the system
4698  A scheduled task was created
4699  A scheduled task was deleted
4700  A scheduled task was enabled
4701  A scheduled task was disabled
4702  A scheduled task was updated
4703  A token right was adjusted
4704  A user right was assigned
4705  A user right was removed
4706  A new trust was created to a domain
4707  A trust to a domain was removed
4709  IPsec Services was started
4710  IPsec Services was disabled
4711  PAStore Engine (1)
4712  IPsec Services encountered a potentially serious failure
4713  Kerberos policy was changed
4714  Encrypted data recovery policy was changed
4715  The audit policy (SACL) on an object was changed
4716  Trusted domain information was modified
4717  System security access was granted to an account
4718  System security access was removed from an account
4719  System audit policy was changed
4720  A user account was created
4722  A user account was enabled
4723  An attempt was made to change an account's password
4725  A user account was disabled
4726  A user account was deleted
4727  A security-enabled global group was created
4728  A member was added to a security-enabled global group
4729  A member was removed from a security-enabled global group
4730  A security-enabled global group was deleted
4731  A security-enabled local group was created
4732  A member was added to a security-enabled local group
4733  A member was removed from a security-enabled local group
4734  A security-enabled local group was deleted
4735  A security-enabled local group was changed
4737  A security-enabled global group was changed
4738  A user account was changed
4739  Domain policy was changed
4740  A user account was locked out
4741  A computer account was created
4742  A computer account was changed
4743  A computer account was deleted
4744  A security-disabled local group was created
4745  A security-disabled local group was changed
4746  A member was added to a security-disabled local group
4747  A member was removed from a security-disabled local group
4748  A security-disabled local group was deleted
4749  A security-disabled global group was created
4750  A security-disabled global group was changed
4751  A member was added to a security-disabled global group
4752  A member was removed from a security-disabled global group
4753  A security-disabled global group was deleted
4754  A security-enabled universal group was created
4755  A security-enabled universal group was changed
4756  A member was added to a security-enabled universal group
4757  A member was removed from a security-enabled universal group
4758  A security-enabled universal group was deleted
4759  A security-disabled universal group was created
4760  A security-disabled universal group was changed
4761  A member was added to a security-disabled universal group
4762  A member was removed from a security-disabled universal group
4763  A security-disabled universal group was deleted
4764  A group's type was changed
4765  SID History was added to an account
4766  An attempt to add SID History to an account failed
4767  A user account was unlocked
4768  A Kerberos authentication ticket (TGT) was requested
4769  A Kerberos service ticket was requested
4770  A Kerberos service ticket was renewed
4771  Kerberos pre-authentication failed
4772  A Kerberos authentication ticket request failed
4773  A Kerberos service ticket request failed
4774  An account was mapped for logon
4775  An account could not be mapped for logon
4776  The domain controller attempted to validate the credentials for an account
4777  The domain controller failed to validate the credentials for an account
4778  A session was reconnected to a Window Station
4779  A session was disconnected from a Window Station
4780  The ACL was set on accounts that are members of administrators groups
4781  The name of an account was changed
4782  The password hash of an account was accessed
4783  A basic application group was created
4784  A basic application group was changed
4785  A member was added to a basic application group
4786  A member was removed from a basic application group
4787  A non-member was added to a basic application group
4788  A non-member was removed from a basic application group
4789  A basic application group was deleted
4790  An LDAP query group was created
4791  A basic application group was changed
4792  An LDAP query group was deleted
4793  The Password Policy Checking API was called
4794  An attempt was made to set the Directory Services Restore Mode administrator password
4797  An attempt was made to query the existence of a blank password for an account
4798  A user's local group membership was enumerated
4799  A security-enabled local group membership was enumerated
4800  The workstation was locked
4801  The workstation was unlocked
4802  The screen saver was invoked
4803  The screen saver was dismissed
4816  RPC detected an integrity violation while decrypting an incoming message
4817  Auditing settings on an object were changed
4818  The proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
4819  Central Access Policies on the machine have been changed
4820  A Kerberos ticket-granting ticket (TGT) was denied because the device does not meet the access control restrictions
4821  A Kerberos service ticket was denied because the user, device, or both do not meet the access control restrictions
4822  NTLM authentication failed because the account was a member of the Protected Users group
4823  NTLM authentication failed because access control restrictions are required
4824  Kerberos pre-authentication using DES or RC4 failed because the account was a member of the Protected Users group
4825  A user was denied access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or the Administrators group
4826  Boot Configuration Data loaded
4830  SID History was removed from an account
4864  A namespace collision was detected
4865  A trusted forest information entry was added
4866  A trusted forest information entry was removed
4867  A trusted forest information entry was modified
4868  The certificate manager denied a pending certificate request
4869  Certificate Services received a resubmitted certificate request
4870  Certificate Services revoked a certificate
4871  Certificate Services received a request to publish the certificate revocation list (CRL)
4872  Certificate Services published the certificate revocation list (CRL)
4873  A certificate request extension changed
4874  One or more certificate request attributes changed
4875  Certificate Services received a request to shut down
4876  Certificate Services backup started
4877  Certificate Services backup completed
4878  Certificate Services restore started
4879  Certificate Services restore completed
4880  Certificate Services started
4881  Certificate Services stopped
4882  The security permissions for Certificate Services changed
4883  Certificate Services retrieved an archived key
4884  Certificate Services imported a certificate into its database
4885  The audit filter for Certificate Services changed
4886  Certificate Services received a certificate request
4887  Certificate Services approved a certificate request and issued a certificate
4888  Certificate Services denied a certificate request
4889  Certificate Services set the status of a certificate request to pending
4890  The certificate manager settings for Certificate Services changed
4891  A configuration entry changed in Certificate Services
4892  A property of Certificate Services changed
4893  Certificate Services archived a key
4894  Certificate Services imported and archived a key
4895  Certificate Services published the CA certificate to Active Directory Domain Services
4896  One or more rows have been deleted from the certificate database
4897  Role separation enabled
4898  Certificate Services loaded a template
4899  A Certificate Services template was updated
4900  Certificate Services template security was updated
4902  The per-user audit policy table was created
4904  An attempt was made to register a security event source
4905  An attempt was made to unregister a security event source
4906  The CrashOnAuditFail value has changed
4907  Auditing settings on an object were changed
4908  The Special Groups Logon table was modified
4909  The local policy settings for the TBS were changed
4910  The Group Policy settings for the TBS were changed
4911  Resource attributes of the object were changed
4912  Per-user audit policy was changed
4913  The Central Access Policy on the object was changed
4928  An Active Directory replica source naming context was established
4929  An Active Directory replica source naming context was removed
4930  An Active Directory replica source naming context was modified
4931  An Active Directory replica destination naming context was modified
4932  Synchronization of a replica of an Active Directory naming context has begun
4933  Synchronization of a replica of an Active Directory naming context has ended
4934  Attributes of an Active Directory object were replicated
4935  Replication failure begins
4936  Replication failure ends
4937  A lingering object was removed from a replica
4944  The following policy was active when Windows Firewall started
4945  A rule was listed when Windows Firewall started
4946  A change has been made to the Windows Firewall exception list. A rule was added
4947  A change has been made to the Windows Firewall exception list. A rule was modified
4948  A change has been made to the Windows Firewall exception list. A rule was deleted
4949  Windows Firewall settings were restored to the default values
4950  A Windows Firewall setting has changed
4951  A rule has been ignored because its major version number was not recognized by Windows Firewall
4952  A rule has been ignored because its minor version number was not recognized by Windows Firewall
4953  A rule has been ignored by Windows Firewall because it could not parse the rule
4954  Windows Firewall Group Policy settings have changed. The new settings have been applied
4956  Windows Firewall has changed the active profile
4957  Windows Firewall did not apply the following rule
4958  Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
4960  IPsec dropped an inbound packet that failed an integrity check
4961  IPsec dropped an inbound packet that failed a replay check
4962  IPsec dropped an inbound packet that failed a replay check
4963  IPsec dropped an inbound clear-text packet that should have been secured
4964  Special groups have been assigned to a new logon
4965  IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
4976  During main mode negotiation, IPsec received an invalid negotiation packet
4977  During quick mode negotiation, IPsec received an invalid negotiation packet
4978  During extended mode negotiation, IPsec received an invalid negotiation packet
4979  IPsec main mode and extended mode security associations were established
4980  IPsec main mode and extended mode security associations were established
4981  IPsec main mode and extended mode security associations were established
4982  IPsec main mode and extended mode security associations were established
4983  An IPsec extended mode negotiation failed
4984  An IPsec extended mode negotiation failed
4985  The state of a transaction has changed
5024  The Windows Firewall service has started successfully
5025  The Windows Firewall service has been stopped
5027  The Windows Firewall service was unable to retrieve the security policy from local storage
5028  The Windows Firewall service was unable to parse the new security policy
5029  The Windows Firewall service failed to initialize the driver
5030  The Windows Firewall service failed to start
5031  The Windows Firewall service blocked an application from accepting incoming connections on the network
5032  Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
5033  The Windows Firewall driver has started successfully
5034  The Windows Firewall driver has been stopped
5035  The Windows Firewall driver failed to start
5037  The Windows Firewall driver detected a critical runtime error. Terminating
5038  Code integrity determined that the image hash of a file is not valid
5039  A registry key was virtualized
5040  A change has been made to IPsec settings. An authentication set was added
5041  A change has been made to IPsec settings. An authentication set was modified
5042  A change has been made to IPsec settings. An authentication set was deleted
5043  A change has been made to IPsec settings. A connection security rule was added
5044  A change has been made to IPsec settings. A connection security rule was modified
5045  A change has been made to IPsec settings. A connection security rule was deleted
5046  A change has been made to IPsec settings. A crypto set was added
5047  A change has been made to IPsec settings. A crypto set was modified
5048  A change has been made to IPsec settings. A crypto set was deleted
5049  An IPsec security association was deleted
5050  An attempt was made to programmatically disable Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE)
5051  A file was virtualized
5056  A cryptographic self-test was performed
5057  A cryptographic primitive operation failed
5058  Key file operation
5059  Key migration operation
5060  A cryptographic operation failed
5062  A kernel-mode cryptographic self-test was performed
5063  A cryptographic provider operation was attempted
5064  A cryptographic context operation was attempted
5065  A cryptographic context modification was attempted
5066  A cryptographic function operation was attempted
5067  A cryptographic function modification was attempted
5068  A cryptographic function provider operation was attempted
5069  A cryptographic function property operation was attempted
5070  A cryptographic function property operation was attempted
5071  Key access denied by the Microsoft key distribution service
5120  The OCSP Responder Service started
5121  The OCSP Responder Service stopped
5122  A configuration entry changed in the OCSP Responder Service
5123  A configuration entry changed in the OCSP Responder Service
5124  A security setting was updated on the OCSP Responder Service
5125  A request was submitted to the OCSP Responder Service
5126  The signing certificate was automatically updated by the OCSP Responder Service
5127  The OCSP revocation provider successfully updated the revocation information
5136  A directory service object was modified
5137  A directory service object was created
5138  A directory service object was undeleted
5139  A directory service object was moved
5140  A network share object was accessed
5141  A directory service object was deleted
5142  A network share object was added
5143  A network share object was modified
5144  A network share object was deleted
5145  A network share object was checked to see whether the client can be granted the desired access
5146  The Windows Filtering Platform has blocked a packet
5147  A more restrictive Windows Filtering Platform filter has blocked a packet
5148  The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded
5149  The DoS attack has subsided and normal processing is being resumed
5150  The Windows Filtering Platform has blocked a packet
5151  A more restrictive Windows Filtering Platform filter has blocked a packet
5152  The Windows Filtering Platform has blocked a packet
5153  A more restrictive Windows Filtering Platform filter has blocked a packet
5154  The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
5155  The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
5156  The Windows Filtering Platform has blocked a connection
5157  The Windows Filtering Platform has blocked a connection
5158  The Windows Filtering Platform has permitted a bind to a local port
5159  The Windows Filtering Platform has blocked a bind to a local port
5168  SPN check for SMB/SMB2 failed
5169  A directory service object was modified
5170  A directory service object was modified during a background cleanup task
5376  Credential Manager credentials were backed up
5377  Credential Manager credentials were restored from a backup
5378  The requested credentials delegation was disallowed by policy
5440  The following callout was present when the Windows Filtering Platform Base Filtering Engine started
5441  The following filter was present when the Windows Filtering Platform Base Filtering Engine started
5442  The following provider was present when the Windows Filtering Platform Base Filtering Engine started
5443  The following provider context was present when the Windows Filtering Platform Base Filtering Engine started
5444  The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started
5446  A Windows Filtering Platform callout has been changed
5447  A Windows Filtering Platform filter has been changed
5448  A Windows Filtering Platform provider context has been changed
5449  A Windows Filtering Platform provider context has been changed
5450  A Windows Filtering Platform sublayer has been changed
5451  An IPsec quick mode security association was established
5452  An IPsec quick mode security association ended
5453  An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
5456  PAStore Engine applied Active Directory storage IPsec policy on the computer
5457  PAStore Engine failed to apply Active Directory storage IPsec policy on the computer
5458  PAStore Engine applied a locally cached copy of Active Directory storage IPsec policy on the computer
5459  PAStore Engine failed to apply a locally cached copy of Active Directory storage IPsec policy on the computer
5460  PAStore Engine applied local registry storage IPsec policy on the computer
5461  PAStore Engine failed to apply local registry storage IPsec policy on the computer
5462  PAStore Engine failed to apply some rules of the active IPsec policy on the computer
5463  PAStore Engine polled for changes to the active IPsec policy and detected no changes
5464  PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services
5465  PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully
5466  PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead
5467  PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy
5468  PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes
5471  PAStore Engine loaded local storage IPsec policy on the computer
5472  PAStore Engine failed to load local storage IPsec policy on the computer
5473  PAStore Engine loaded directory storage IPsec policy on the computer
5474  PAStore Engine failed to load directory storage IPsec policy on the computer
5477  PAStore Engine failed to add a quick mode filter
5478  IPsec Services has started successfully
5479  IPsec Services has been shut down successfully
5480  IPsec Services failed to get the complete list of network interfaces on the computer
5483  IPsec Services failed to initialize the RPC server. IPsec Services could not be started
5484  IPsec Services has experienced a critical failure and has been shut down
5485  IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
5632  A request was made to authenticate to a wireless network
5633  A request was made to authenticate to a wired network
5712  A remote procedure call (RPC) was attempted
5888  An object in the COM+ Catalog was modified
5889  An object was deleted from the COM+ Catalog
5890  An object was added to the COM+ Catalog
6144  Security policy in the group policy objects has been applied successfully
6145  One or more errors occurred while processing security policy in the group policy objects
6272  Network Policy Server granted access to a user
6273  Network Policy Server denied access to a user
6274  Network Policy Server discarded the request for a user
6275  Network Policy Server discarded the accounting request for a user
6276  Network Policy Server quarantined a user
6277  Network Policy Server granted access to a user but put the host on probation because it did not meet the defined health policy
6278  Network Policy Server granted full access to a user because the host met the defined health policy
6279  Network Policy Server locked the user account due to repeated failed authentication attempts
6280  Network Policy Server unlocked the user account
6281  Code integrity determined that the page hashes of an image file are not valid
6400  BranchCache: Received an incorrectly formatted response while discovering availability of content
6401  BranchCache: Received invalid data from a peer. The data was discarded
6402  BranchCache: The message to the hosted cache offering it data is incorrectly formatted
6403  BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data
6404  BranchCache: The hosted cache could not be authenticated using the provisioned SSL certificate
6405  BranchCache: %2 instance(s) of event ID %1 occurred
6406  %1 registered to Windows Firewall to control filtering for the following:
6407  %1
6408  Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
6409  BranchCache: A service connection point object could not be parsed
6410  Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues
6416  A new external device was recognized by the system
6417  The FIPS mode cryptographic self-tests succeeded
6418  The FIPS mode cryptographic self-tests failed
6419  A request was made to disable a device
6420  A device was disabled
6421  A request was made to enable a device
6422  A device was enabled
6423  The installation of this device is forbidden by system policy
6424  The installation of this device was allowed, after having previously been forbidden by policy
8191  Highest system-defined audit message value
