CompanyName: Microsoft Corporation
FileDescription: Security Audit Schema DLL
FileVersion: 6.3.9600.20517 (winblue_ltsb_escrow.220725-1737)
InternalName: adtschema.dll
LegalCopyright: Microsoft Corporation. All rights reserved.
OriginalFilename: adtschema.dll
ProductName: Microsoft Windows Operating System
ProductVersion: 6.3.9600.20517

Windows is starting up.%n%nThis event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Windows is shutting down.%nAll logon sessions will be terminated by this shutdown.

An authentication package has been loaded by the Local Security Authority.%nThis authentication package will be used to authenticate logon attempts.%n%nAuthentication Package Name:%t%1

A trusted logon process has been registered with the Local Security Authority.%nThis logon process will be trusted to submit logon requests.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Process Name:%t%t%5

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.%n%nNumber of audit messages discarded:%t%1%n%nThis event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.

A notification package has been loaded by the Security Account Manager.%nThis package will be notified of any account or password changes.%n%nNotification Package Name:%t%1

Invalid use of LPC port.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tPID:%t%t%t%7%n%tName:%t%t%t%8%n%nInvalid Use:%t%t%5%n%nLPC Server Port Name:%t%6%n%nWindows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA's use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel.

The system time was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%7%n%tName:%t%t%8%n%nPrevious Time:%t%t%5%nNew Time:%t%t%6%n%nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

A monitored security event pattern has occurred.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nAlert Information:%n%tComputer:%t%t%2%n%tEvent ID:%t%t%1%n%tNumber of Events:%t%7%n%tDuration:%t%t%8%n%nThis event is generated when Windows is configured to generate alerts in accordance with the Common Criteria Security Audit Analysis requirements (FAU_SAA) and an auditable event pattern occurs.

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.%n%nValue of CrashOnAuditFail:%t%1%n%nThis event is logged after a system reboots following CrashOnAuditFail.

A security package has been loaded by the Local Security Authority.%n%nSecurity Package Name:%t%1

An account was successfully logged on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nImpersonation Level:%t%t%21%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%tLogon GUID:%t%t%13%n%nProcess Information:%n%tProcess ID:%t%t%17%n%tProcess Name:%t%t%18%n%nNetwork Information:%n%tWorkstation Name:%t%12%n%tSource Network Address:%t%19%n%tSource Port:%t%t%20%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%10%n%tAuthentication Package:%t%11%n%tTransited Services:%t%14%n%tPackage Name (NTLM only):%t%15%n%tKey Length:%t%t%16%n%nThis event is generated when a logon session is created. It is generated on the computer that was accessed.%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

An account failed to log on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%11%n%nAccount For Which Logon Failed:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%nFailure Information:%n%tFailure Reason:%t%t%9%n%tStatus:%t%t%t%8%n%tSub Status:%t%t%10%n%nProcess Information:%n%tCaller Process ID:%t%18%n%tCaller Process Name:%t%19%n%nNetwork Information:%n%tWorkstation Name:%t%14%n%tSource Network Address:%t%20%n%tSource Port:%t%t%21%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%12%n%tAuthentication Package:%t%13%n%tTransited Services:%t%15%n%tPackage Name (NTLM only):%t%16%n%tKey Length:%t%t%17%n%nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.%n%nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).%n%nThe Process Information fields indicate which account and process on the system requested the logon.%n%nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

User / Device claims information.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nEvent in sequence:%t%t%10 of %11%n%nUser Claims:%t%t%t%12%n%nDevice Claims:%t%t%t%13%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThis event is generated when the Audit User/Device claims subcategory is configured and the user's logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

An account was logged off.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%5%n%nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

%1%n

User initiated logoff:%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

A logon was attempted using explicit credentials.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tLogon GUID:%t%t%5%n%nAccount Whose Credentials Were Used:%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon GUID:%t%t%8%n%nTarget Server:%n%tTarget Server Name:%t%9%n%tAdditional Information:%t%10%n%nProcess Information:%n%tProcess ID:%t%t%11%n%tProcess Name:%t%t%12%n%nNetwork Information:%n%tNetwork Address:%t%13%n%tPort:%t%t%t%14%n%nThis event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

A replay attack was detected.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCredentials Which Were Replayed:%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%12%n%tProcess Name:%t%t%13%n%nNetwork Information:%n%tWorkstation Name:%t%10%n%nDetailed Authentication Information:%n%tRequest Type:%t%t%7%n%tLogon Process:%t%t%8%n%tAuthentication Package:%t%9%n%tTransited Services:%t%11%n%nThis event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

An IPsec main mode security association was established. Extended mode was not enabled. Certificate authentication was not used.%n%nLocal Endpoint:%n%tPrincipal Name:%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nSecurity Association Information:%n%tLifetime (minutes):%t%12%n%tQuick Mode Limit:%t%13%n%tMain Mode SA ID:%t%17%n%nCryptographic Information:%n%tCipher Algorithm:%t%9%n%tIntegrity Algorithm:%t%10%n%tDiffie-Hellman Group:%t%11%n%nAdditional Information:%n%tKeying Module Name:%t%7%n%tAuthentication Method:%t%8%n%tRole:%t%14%n%tImpersonation State:%t%15%n%tMain Mode Filter ID:%t%16

An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.%n%nLocal Endpoint:%n%tPrincipal Name:%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA thumbprint: %t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%15%n%tIntegrity Algorithm:%t%16%n%tDiffie-Hellman Group:%t%17%n%nSecurity Association Information:%n%tLifetime (minutes):%t%18%n%tQuick Mode Limit:%t%19%n%tMain Mode SA ID:%t%23%n%nAdditional Information:%n%tKeying Module Name:%t%13%n%tAuthentication Method:%t%14%n%tRole:%t%20%n%tImpersonation State:%t%21%n%tMain Mode Filter ID:%t%22

An IPsec main mode negotiation failed.%n%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA thumbprint:%t%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nAdditional Information:%n%tKeying Module Name:%t%13%n%tAuthentication Method:%t%16%n%tRole:%t%t%t%18%n%tImpersonation State:%t%19%n%tMain Mode Filter ID:%t%20%n%nFailure Information:%n%tFailure Point:%t%t%14%n%tFailure Reason:%t%t%15%n%tState:%t%t%t%17%n%tInitiator Cookie:%t%t%21%n%tResponder Cookie:%t%22

An IPsec main mode negotiation failed.%n%nLocal Endpoint:%n%tLocal Principal Name:%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nAdditional Information:%n%tKeying Module Name:%t%7%n%tAuthentication Method:%t%10%n%tRole:%t%t%t%12%n%tImpersonation State:%t%13%n%tMain Mode Filter ID:%t%14%n%nFailure Information:%n%tFailure Point:%t%t%8%n%tFailure Reason:%t%t%9%n%tState:%t%t%t%11%n%tInitiator Cookie:%t%t%15%n%tResponder Cookie:%t%16

An IPsec quick mode negotiation failed.%n%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tAddress Mask:%t%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%tPrivate Address:%t%t%10%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tKeying Module Name:%t%11%n%tVirtual Interface Tunnel ID:%t%20%n%tTraffic Selector ID:%t%21%n%tMode:%t%t%t%14%n%tRole:%t%t%t%16%n%tQuick Mode Filter ID:%t%18%n%tMain Mode SA ID:%t%19%n%nFailure Information:%n%tState:%t%t%t%15%n%tMessage ID:%t%t%17%n%tFailure Point:%t%t%12%n%tFailure Reason:%t%t%13

An IPsec main mode security association ended.%n%nLocal Network Address:%t%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%t%3%nMain Mode SA ID:%t%t%4

A handle to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%tResource Attributes:%t%17%n%nProcess Information:%n%tProcess ID:%t%t%15%n%tProcess Name:%t%t%16%n%nAccess Request Information:%n%tTransaction ID:%t%t%9%n%tAccesses:%t%t%10%n%tAccess Reasons:%t%t%11%n%tAccess Mask:%t%t%12%n%tPrivileges Used for Access Check:%t%13%n%tRestricted SID Count:%t%14

A registry value was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Name:%t%t%5%n%tObject Value Name:%t%6%n%tHandle ID:%t%t%7%n%tOperation Type:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%13%n%tProcess Name:%t%t%14%n%nChange Information:%n%tOld Value Type:%t%t%9%n%tOld Value:%t%t%10%n%tNew Value Type:%t%t%11%n%tNew Value:%t%t%12

The handle to an object was closed.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tHandle ID:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%7%n%tProcess Name:%t%t%8

A handle to an object was requested with intent to delete.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%13%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Mask:%t%11%n%tPrivileges Used for Access Check:%t%12

An object was deleted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tHandle ID:%t%6%n%nProcess Information:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%tTransaction ID:%t%9

A handle to an object was requested.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%16%n%tProcess Name:%t%17%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Reasons:%t%t%11%n%tAccess Mask:%t%12%n%tPrivileges Used for Access Check:%t%13%n%tProperties:%t%14%n%tRestricted SID Count:%t%15

An operation was performed on an object.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%9%n%nOperation:%n%tOperation Type:%t%t%8%n%tAccesses:%t%t%10%n%tAccess Mask:%t%t%11%n%tProperties:%t%t%12%n%nAdditional Information:%n%tParameter 1:%t%t%13%n%tParameter 2:%t%t%14

An attempt was made to access an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%tResource Attributes:%t%13%n%nProcess Information:%n%tProcess ID:%t%t%11%n%tProcess Name:%t%t%12%n%nAccess Request Information:%n%tAccesses:%t%t%9%n%tAccess Mask:%t%t%10

An attempt was made to create a hard link.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLink Information:%n%tFile Name:%t%5%n%tLink Name:%t%6%n%tTransaction ID:%t%7

An attempt was made to create an application client context.%n%nSubject:%n%tClient Name:%t%t%3%n%tClient Domain:%t%t%4%n%tClient Context ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nStatus:%t%6

An application attempted an operation:%n%nSubject:%n%tClient Name:%t%t%5%n%tClient Domain:%t%t%6%n%tClient Context ID:%t%7%n%nObject:%n%tObject Name:%t%t%3%n%tScope Names:%t%t%4%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nAccess Request Information:%n%tRole:%t%t%t%8%n%tGroups:%t%t%t%9%n%tOperation Name:%t%10 (%11)

An application client context was deleted.%n%nSubject:%n%tClient Name:%t%t%3%n%tClient Domain:%t%t%4%n%tClient Context ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2

An application was initialized.%n%nSubject:%n%tClient Name:%t%3%n%tClient Domain:%t%4%n%tClient ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nAdditional Information:%n%tPolicy Store URL:%t%6

Permissions on an object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nPermissions Change:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%10

An application attempted to access a blocked ordinal through the TBS.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nOrdinal:%t%5

Special privileges assigned to new logon.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nPrivileges:%t%t%5

A privileged service was called.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nService:%n%tServer:%t%5%n%tService Name:%t%6%n%nProcess:%n%tProcess ID:%t%8%n%tProcess Name:%t%9%n%nService Request Information:%n%tPrivileges:%t%t%7

An operation was attempted on a privileged object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tObject Handle:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nRequested Operation:%n%tDesired Access:%t%9%n%tPrivileges:%t%t%10

SIDs were filtered.%n%nTarget Account:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nTrust Information:%n%tTrust Direction:%t%4%n%tTrust Attributes:%t%5%n%tTrust Type:%t%6%n%tTDO Domain SID:%t%7%n%nFiltered SIDs:%t%8

A new process has been created.%n%nCreator Subject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Subject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%tProcess Command Line:%t%9%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

A process has exited.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%6%n%tProcess Name:%t%7%n%tExit Status:%t%5

An attempt was made to duplicate a handle to an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSource Handle Information:%n%tSource Handle ID:%t%5%n%tSource Process ID:%t%6%n%nNew Handle Information:%n%tTarget Handle ID:%t%7%n%tTarget Process ID:%t%8

Indirect access to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Type:%t%5%n%tObject Name:%t%6%n%nProcess Information:%n%tProcess ID:%t%9%n%nAccess Request Information:%n%tAccesses:%t%7%n%tAccess Mask:%t%8

Backup of data protection master key was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nKey Information:%n%tKey Identifier:%t%5%n%tRecovery Server:%t%6%n%tRecovery Key ID:%t%7%n%nStatus Information:%n%tStatus Code:%t%8

Recovery of data protection master key was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nKey Information:%n%tKey Identifier:%t%5%n%tRecovery Server:%t%6%n%tRecovery Key ID:%t%8%n%tRecovery Reason:%t%7%n%nStatus Information:%n%tStatus Code:%t%9

Protection of auditable protected data was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProtected Data:%n%tData Description:%t%6%n%tKey Identifier:%t%5%n%tProtected Data Flags:%t%7%n%tProtection Algorithms:%t%8%n%nStatus Information:%n%tStatus Code:%t%9

Unprotection of auditable protected data was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProtected Data:%n%tData Description:%t%6%n%tKey Identifier:%t%5%n%tProtected Data Flags:%t%7%n%tProtection Algorithms:%t%8%n%nStatus Information:%n%tStatus Code:%t%9

A primary token was assigned to process.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nTarget Process:%n%tTarget Process ID:%t%9%n%tTarget Process Name:%t%10%n%nNew Token Information:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8

A service was installed in the system.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nService Information:%n%tService Name: %t%t%5%n%tService File Name:%t%6%n%tService Type: %t%t%7%n%tService Start Type:%t%8%n%tService Account: %t%t%9

A scheduled task was created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

A scheduled task was deleted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

A scheduled task was enabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

A scheduled task was disabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

A scheduled task was updated.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask New Content: %t%t%6%n%t

A user right was assigned.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Account:%n%tAccount Name:%t%t%5%n%nNew Right:%n%tUser Right:%t%t%6

A user right was removed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Account:%n%tAccount Name:%t%t%5%n%nRemoved Right:%n%tUser Right:%t%t%6

A new trust was created to a domain.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nTrusted Domain:%n%tDomain Name:%t%t%1%n%tDomain ID:%t%t%2%n%nTrust Information:%n%tTrust Type:%t%t%7%n%tTrust Direction:%t%t%8%n%tTrust Attributes:%t%t%9%n%tSID Filtering:%t%t%10

A trust to a domain was removed.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nDomain Information:%n%tDomain Name:%t%t%1%n%tDomain ID:%t%t%2

The IPsec Policy Agent service was started.%n%n%1%n%nPolicy Source: %t%2%n%n%3

The IPsec Policy Agent service was disabled.%n%n%1%n%2

%1

IPsec Policy Agent encountered a potentially serious failure.%n%1

Kerberos policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nChanges Made:%n('--' means no changes, otherwise each change is shown as:%n(Parameter Name):%t(new value) (old value))%n%5

Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.

The audit policy (SACL) on an object was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain: %t%3%n%tLogon ID: %t%t%4%n%nAudit Policy Change:%n%tOriginal Security Descriptor: %t%5%n%tNew Security Descriptor: %t%t%6

Trusted domain information was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTrusted Domain:%n%tDomain Name:%t%t%5%n%tDomain ID:%t%t%6%n%nNew Trust Information:%n%tTrust Type:%t%t%7%n%tTrust Direction:%t%t%8%n%tTrust Attributes:%t%t%9%n%tSID Filtering:%t%t%10

System security access was granted to an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAccount Modified:%n%tAccount Name:%t%t%5%n%nAccess Granted:%n%tAccess Right:%t%t%6

System security access was removed from an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAccount Modified:%n%tAccount Name:%t%t%5%n%nAccess Removed:%n%tAccess Right:%t%t%6

System audit policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAudit Policy Change:%n%tCategory:%t%t%5%n%tSubcategory:%t%t%6%n%tSubcategory GUID:%t%7%n%tChanges:%t%t%8

A user account was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tDisplay Name:%t%t%10%n%tUser Principal Name:%t%11%n%tHome Directory:%t%t%12%n%tHome Drive:%t%t%13%n%tScript Path:%t%t%14%n%tProfile Path:%t%t%15%n%tUser Workstations:%t%16%n%tPassword Last Set:%t%17%n%tAccount Expires:%t%t%18%n%tPrimary Group ID:%t%19%n%tAllowed To Delegate To:%t%20%n%tOld UAC Value:%t%t%21%n%tNew UAC Value:%t%t%22%n%tUser Account Control:%t%23%n%tUser Parameters:%t%24%n%tSID History:%t%t%25%n%tLogon Hours:%t%t%26%n%nAdditional Information:%n%tPrivileges%t%t%8

A user account was enabled.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

An attempt was made to change an account's password.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges%t%t%8

An attempt was made to reset an account's password.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

A user account was disabled.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

A user account was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges%t%8

A security-enabled global group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

A member was added to a security-enabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

A member was removed from a security-enabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

A security-enabled global group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nDeleted Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

A security-enabled local group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

A member was added to a security-enabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

A member was removed from a security-enabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

A security-enabled local group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

A security-enabled local group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

A security-enabled global group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

A user account was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nChanged Attributes:%n%tSAM Account Name:%t%10%n%tDisplay Name:%t%t%11%n%tUser Principal Name:%t%12%n%tHome Directory:%t%t%13%n%tHome Drive:%t%t%14%n%tScript Path:%t%t%15%n%tProfile Path:%t%t%16%n%tUser Workstations:%t%17%n%tPassword Last Set:%t%18%n%tAccount Expires:%t%t%19%n%tPrimary Group ID:%t%20%n%tAllowedToDelegateTo:%t%21%n%tOld UAC Value:%t%t%22%n%tNew UAC Value:%t%t%23%n%tUser Account Control:%t%24%n%tUser Parameters:%t%25%n%tSID History:%t%t%26%n%tLogon Hours:%t%t%27%n%nAdditional Information:%n%tPrivileges:%t%t%9

Domain Policy was changed.%n%nChange Type:%t%t%1 modified%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nDomain:%n%tDomain Name:%t%t%2%n%tDomain ID:%t%t%3%n%nChanged Attributes:%n%tMin. Password Age:%t%9%n%tMax. Password Age:%t%10%n%tForce Logoff:%t%t%11%n%tLockout Threshold:%t%12%n%tLockout Observation Window:%t%13%n%tLockout Duration:%t%14%n%tPassword Properties:%t%15%n%tMin. Password Length:%t%16%n%tPassword History Length:%t%17%n%tMachine Account Quota:%t%18%n%tMixed Domain Mode:%t%19%n%tDomain Behavior Version:%t%20%n%tOEM Information:%t%21%n%nAdditional Information:%n%tPrivileges:%t%t%8

A user account was locked out.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nAccount That Was Locked Out:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tCaller Computer Name:%t%2

A computer account was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Computer Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tDisplay Name:%t%t%10%n%tUser Principal Name:%t%11%n%tHome Directory:%t%t%12%n%tHome Drive:%t%t%13%n%tScript Path:%t%t%14%n%tProfile Path:%t%t%15%n%tUser Workstations:%t%16%n%tPassword Last Set:%t%17%n%tAccount Expires:%t%t%18%n%tPrimary Group ID:%t%19%n%tAllowedToDelegateTo:%t%20%n%tOld UAC Value:%t%t%21%n%tNew UAC Value:%t%t%22%n%tUser Account Control:%t%23%n%tUser Parameters:%t%24%n%tSID History:%t%t%25%n%tLogon Hours:%t%t%26%n%tDNS Host Name:%t%t%27%n%tService Principal Names:%t%28%n%nAdditional Information:%n%tPrivileges%t%t%8

A computer account was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nComputer Account That Was Changed:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nChanged Attributes:%n%tSAM Account Name:%t%10%n%tDisplay Name:%t%t%11%n%tUser Principal Name:%t%12%n%tHome Directory:%t%t%13%n%tHome Drive:%t%t%14%n%tScript Path:%t%t%15%n%tProfile Path:%t%t%16%n%tUser Workstations:%t%17%n%tPassword Last Set:%t%18%n%tAccount Expires:%t%t%19%n%tPrimary Group ID:%t%20%n%tAllowedToDelegateTo:%t%21%n%tOld UAC Value:%t%t%22%n%tNew UAC Value:%t%t%23%n%tUser Account Control:%t%24%n%tUser Parameters:%t%25%n%tSID
History:%t%t%26%n%tLogon Hours:%t%t%27%n%tDNS Host Name:%t%t%28%n%tService Principal Names:%t%29%n%nAdditional Information:%n%tPrivileges:%t%t%9 (A computer account was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Computer:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled local group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled local group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-disabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-disabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 $A security-disabled local group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup 
Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled global group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled global group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-disabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-disabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 (A security-disabled global group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-enabled universal group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional 
Information:%n%tPrivileges:%t%t%8 A security-enabled universal group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-enabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-enabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 ,A security-enabled universal group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled universal group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled universal group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional 
Information:%n%tPrivileges:%t%t%8 A member was added to a security-disabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-disabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 ,A security-disabled universal group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 4A group s type was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nChange Type:%t%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%4%n%tGroup Name:%t%t%2%n%tGroup Domain:%t%t%3%n%nAdditional Information:%n%tPrivileges:%t%t%9 SID History was added to an account.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nTarget Account:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nSource Account:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%tSID List:%t%t%t%11 An attempt to add SID History to an account failed.%n%nSubject:%n%tSecurity ID:%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nSource Account%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tPrivileges:%t%t%8 A user account was 
unlocked.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 A Kerberos authentication ticket (TGT) was requested.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%tUser ID:%t%t%t%3%n%nService Information:%n%tService Name:%t%t%4%n%tService ID:%t%t%5%n%nNetwork Information:%n%tClient Address:%t%t%10%n%tClient Port:%t%t%11%n%nAdditional Information:%n%tTicket Options:%t%t%6%n%tResult Code:%t%t%7%n%tTicket Encryption Type:%t%8%n%tPre-Authentication Type:%t%9%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%12%n%tCertificate Serial Number:%t%13%n%tCertificate Thumbprint:%t%t%14%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. A Kerberos service ticket was requested.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon GUID:%t%t%10%n%nService Information:%n%tService Name:%t%t%3%n%tService ID:%t%t%4%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%5%n%tTicket Encryption Type:%t%6%n%tFailure Code:%t%t%9%n%tTransited Services:%t%11%n%nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.%n%nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.%n%nTicket options, encryption types, and failure codes are defined in RFC 4120. 
A Kerberos service ticket was renewed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nService Information:%n%tService Name:%t%t%3%n%tService ID:%t%t%4%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%5%n%tTicket Encryption Type:%t%6%n%nTicket options and encryption types are defined in RFC 4120. Kerberos pre-authentication failed.%n%nAccount Information:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nService Information:%n%tService Name:%t%t%3%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%4%n%tFailure Code:%t%t%5%n%tPre-Authentication Type:%t%6%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%9%n%tCertificate Serial Number: %t%10%n%tCertificate Thumbprint:%t%t%11%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options and failure codes are defined in RFC 4120.%n%nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present. A Kerberos authentication ticket request failed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%nService Information:%n%tService Name:%t%3%n%nNetwork Information:%n%tClient Address:%t%6%n%tClient Port:%t%7%n%nAdditional Information:%n%tTicket Options:%t%4%n%tFailure Code:%t%5%n%nTicket options and failure codes are defined in RFC 4120. A Kerberos service ticket request failed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nService Information:%n%tService Name:%t%3%n%nNetwork Information:%n%tClient Address:%t%6%n%tClient Port:%t%7%n%nAdditional Information:%n%tTicket Options:%t%4%n%tFailure Code:%t%5%n%nTicket options and failure codes are defined in RFC 4120. 
An account was mapped for logon.%n%nAuthentication Package:%t%1%nAccount UPN:%t%2%nMapped Name:%t%3 An account could not be mapped for logon.%n%nAuthentication Package:%t%t%1%nAccount Name:%t%t%2 The computer attempted to validate the credentials for an account.%n%nAuthentication Package:%t%1%nLogon Account:%t%2%nSource Workstation:%t%3%nError Code:%t%4 The domain controller failed to validate the credentials for an account.%n%nAuthentication Package:%t%1%nLogon Account:%t%2%nSource Workstation:%t%3%nError Code:%t%4 A session was reconnected to a Window Station.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon ID:%t%t%3%n%nSession:%n%tSession Name:%t%t%4%n%nAdditional Information:%n%tClient Name:%t%t%5%n%tClient Address:%t%t%6%n%nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching. A session was disconnected from a Window Station.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon ID:%t%t%3%n%nSession:%n%tSession Name:%t%t%4%n%nAdditional Information:%n%tClient Name:%t%t%5%n%tClient Address:%t%t%6%n%n%nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching. 
The ACL was set on accounts which are members of administrators groups.%n%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8%n%nEvery hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. dThe name of an account was changed:%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Domain:%t%t%3%n%tOld Account Name:%t%1%n%tNew Account Name:%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%9 The password hash an account was accessed.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nTarget Account:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 A basic application group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A basic application group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID 
History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A non-member was added to a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%nA non-member is an account that is explicitly excluded from membership in a basic application group. Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. (A non-member was removed from a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%nA non-member is an account that is explicitly excluded from membership in a basic application group. 
Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. A basic application group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 An LDAP query group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A basic application group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 An LDAP query group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 The Password Policy Checking API was called.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tProvided Account Name (unauthenticated):%t%6%n%tStatus Code:%t%7 An attempt was made to set the Directory Services Restore Mode%nadministrator password.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tStatus Code:%t%6 PAn attempt was made to query the existence of a blank password for an 
account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tTarget Account Name:%t%6%n%tTarget Account Domain:%t%7 0The workstation was locked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 4The workstation was unlocked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 4The screen saver was invoked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 8The screen saver was dismissed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 RPC detected an integrity violation while decrypting an incoming message.%n%nPeer Name:%t%1%nProtocol Sequence:%t%2%nSecurity Error:%t%3 tAuditing settings on object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%nAuditing Settings:%n%tOriginal Security Descriptor:%t%8%n%tNew Security Descriptor:%t%t%9 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%9%n%tProcess Name:%t%t%10%n%nCurrent Central Access Policy results:%n%n%tAccess Reasons:%t%t%11%nProposed Central Access Policy results that differ from the current Central Access Policy results:%n%n%tAccess Reasons:%t%t%12 LCentral Access Policies on the machine have been changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount 
Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%nCAPs Added:%7%n%nCAPs Deleted:%8%n%nCAPs Modified:%9%n%nCAPs As-Is:%10 A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%tUser ID:%t%t%t%3%n%nAuthentication Policy Information:%n%tSilo Name:%t%t%16%n%tPolicy Name:%t%t%17%n%tTGT Lifetime:%t%t%18%n%nDevice Information:%n%tDevice Name:%t%t%4%n%nService Information:%n%tService Name:%t%t%5%n%tService ID:%t%t%6%n%nNetwork Information:%n%tClient Address:%t%t%11%n%tClient Port:%t%t%12%n%nAdditional Information:%n%tTicket Options:%t%t%7%n%tResult Code:%t%t%8%n%tTicket Encryption Type:%t%9%n%tPre-Authentication Type:%t%10%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%13%n%tCertificate Serial Number:%t%14%n%tCertificate Thumbprint:%t%t%15%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon GUID:%t%t%11%n%nAuthentication Policy Information:%n%tSilo Name:%t%t%13%n%tPolicy Name:%t%t%14%n%nDevice Information:%n%tDevice Name:%t%t%3%n%nService Information:%n%tService Name:%t%t%4%n%tService ID:%t%t%5%n%nNetwork Information:%n%tClient Address:%t%t%8%n%tClient Port:%t%t%9%n%nAdditional Information:%n%tTicket Options:%t%t%6%n%tTicket Encryption Type:%t%7%n%tFailure Code:%t%t%10%n%tTransited Services:%t%12%n%nThis event is generated every time access is requested to a resource such as a computer or a Windows service. 
The service name indicates the resource to which access was requested.%n%nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.%n%nTicket options, encryption types, and failure codes are defined in RFC 4120. ,NTLM authentication failed because the account was a member of the Protected User group.%n%nAccount Name:%t%1%nDevice Name:%t%2%nError Code:%t%3 NTLM authentication failed because access control restrictions are required.%n%nAccount Name:%t%1%nDevice Name:%t%2%nError Code:%t%3%n%nAuthentication Policy Information:%n%tSilo Name:%t%4%n%tPolicyName:%t%5 Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.%n%nAccount Information:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nService Information:%n%tService Name:%t%t%3%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%4%n%tFailure Code:%t%t%5%n%tPre-Authentication Type:%t%6%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%9%n%tCertificate Serial Number: %t%10%n%tCertificate Thumbprint:%t%t%11%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options and failure codes are defined in RFC 4120.%n%nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present. |A user was denied the access to Remote Desktop. 
By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.%n%nSubject:%n%tUser Name:%t%1%n%tDomain:%t%t%2%n%tLogon ID:%t%3%n%nAdditional Information:%n%tClient Address:%t%4%n%n%nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. xA namespace collision was detected.%n%nTarget Type:%t%1%nTarget Name:%t%2%nForest Root:%t%3%nTop Level Name:%t%4%nDNS Name:%t%5%nNetBIOS Name:%t%6%nSecurity ID:%t%t%7%nNew Flags:%t%8 A trusted forest information entry was added.%n%nSubject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nTrust Information:%n%tForest Root:%t%1%n%tForest Root SID:%t%2%n%tOperation ID:%t%3%n%tEntry Type:%t%4%n%tFlags:%t%5%n%tTop Level Name:%t%6%n%tDNS Name:%t%7%n%tNetBIOS Name:%t%8%n%tDomain SID:%t%9 A trusted forest information entry was removed.%n%nSubject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nTrust Information:%n%tForest Root:%t%1%n%tForest Root SID:%t%2%n%tOperation ID:%t%3%n%tEntry Type:%t%4%n%tFlags:%t%5%n%tTop Level Name:%t%6%n%tDNS Name:%t%7%n%tNetBIOS Name:%t%8%n%tDomain SID:%t%9 A trusted forest information entry was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTrust Information:%n%tForest Root:%t%5%n%tForest Root SID:%t%6%n%tOperation ID:%t%7%n%tEntry Type:%t%8%n%tFlags:%t%9%n%tTop Level Name:%t%10%n%tDNS Name:%t%11%n%tNetBIOS Name:%t%12%n%tDomain SID:%t%13 The certificate manager denied a pending certificate request.%n%t%nRequest ID:%t%1 Certificate Services received a resubmitted certificate request.%n%t%nRequest ID:%t%1 Certificate Services revoked a certificate.%n%t%nSerial Number:%t%1%nReason:%t%2 8Certificate Services received a request to publish the certificate revocation list (CRL).%n%t%nNext 
Update:%t%1%nPublish Base:%t%2%nPublish Delta:%t%3 PCertificate Services published the certificate revocation list (CRL).%n%t%nBase CRL:%t%1%nCRL Number:%t%2%nKey Container:%t%3%nNext Publish:%t%4%nPublish URLs:%t%5 A certificate request extension changed.%n%t%nRequest ID:%t%1%nName:%t%2%nType:%t%3%nFlags:%t%4%nData:%t%5 One or more certificate request attributes changed.%n%t%nRequest ID:%t%1%nAttributes:%t%2 tCertificate Services received a request to shut down. |Certificate Services backup started.%n%nBackup Type:%t%1 XCertificate Services backup completed. TCertificate Services restore started. XCertificate Services restore completed. 0Certificate Services started.%n%t%nCertificate Database Hash:%t%1%nPrivate Key Usage Count:%t%2%nCA Certificate Hash:%t%3%nCA Public Key Hash:%t%4 0Certificate Services stopped.%n%t%nCertificate Database Hash:%t%1%nPrivate Key Usage Count:%t%2%nCA Certificate Hash:%t%3%nCA Public Key Hash:%t%4 The security permissions for Certificate Services changed.%n%t%n%1 Certificate Services retrieved an archived key.%n%t%nRequest ID:%t%1 Certificate Services imported a certificate into its database.%n%t%nCertificate:%t%1%nRequest ID:%t%2 The audit filter for Certificate Services changed.%n%t%nFilter:%t%1 Certificate Services received a certificate request.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3 hCertificate Services approved a certificate request and issued a certificate.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6 4Certificate Services denied a certificate request.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6 `Certificate Services set the status of a certificate request to pending.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6 The certificate manager settings for Certificate Services changed.%n%t%nEnable:%t%1%n%n%2 A configuration entry changed in Certificate 
Services.%n%t%nNode:%t%1%nEntry:%t%2%nValue:%t%3 A property of Certificate Services changed.%n%t%nProperty:%t%1%nIndex:%t%2%nType:%t%3%nValue:%t%4 Certificate Services archived a key.%n%t%nRequest ID:%t%1%nRequester:%t%2%nKRA Hashes:%t%3 Certificate Services imported and archived a key.%n%t%nRequest ID:%t%1 Certificate Services published the CA certificate to Active Directory Domain Services.%n%t%nCertificate Hash:%t%1%nValid From:%t%2%nValid To:%t%t%3 One or more rows have been deleted from the certificate database.%n%t%nTable ID:%t%1%nFilter:%t%2%nRows Deleted:%t%3 Role separation enabled:%t%1 Certificate Services loaded a template.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Information:%n%tTemplate Content:%t%t%7%n%tSecurity Descriptor:%t%t%8%n%nAdditional Information:%n%tDomain Controller:%t%6 A Certificate Services template was updated.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Change Information:%n%tOld Template Content:%t%8%n%tNew Template Content:%t%t%7%n%nAdditional Information:%n%tDomain Controller:%t%6 Certificate Services template security was updated.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Change Information:%n%tOld Template Content:%t%t%9%n%tNew Template Content:%t%7%n%tOld Security Descriptor:%t%t%10%n%tNew Security Descriptor:%t%t%8%n%nAdditional Information:%n%tDomain Controller:%t%6 The Per-user audit policy table was created.%n%nNumber of Elements:%t%1%nPolicy ID:%t%2 An attempt was made to register a security event source.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%nEvent Source:%n%tSource Name:%t%5%n%tEvent Source ID:%t%6 An attempt was made to unregister a security event source.%n%nSubject%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%nEvent Source:%n%tSource Name:%t%5%n%tEvent Source ID:%t%6 The CrashOnAuditFail value has 
changed.%n%nNew Value of CrashOnAuditFail:%t%1 Auditing settings on object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nAuditing Settings:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10 Special Groups Logon table modified.%n%nSpecial Groups:%t%1%n%nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event. The local policy settings for the TBS were changed.%n%nOld Blocked Ordinals:%t%1%nNew Blocked Ordinals:%t%2 The group policy settings for the TBS were changed.%n%nGroup Policy Setting:%t%tIgnore Default Settings%n%tOld Value:%t%t%1%n%tNew Value:%t%t%2%n%nGroup Policy Setting:%t%tIgnore Local Settings%n%tOld Value:%t%t%3%n%tNew Value:%t%t%4%n%nOld Blocked Ordinals:%t%5%nNew Blocked Ordinals:%t%6 Resource attributes of the object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nResource Attributes:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10 Per User Audit Policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nPolicy For Account:%n%tSecurity ID:%t%t%5%n%nPolicy Change Details:%n%tCategory:%t%6%n%tSubcategory:%t%7%n%tSubcategory GUID:%t%8%n%tChanges:%t%9 Central Access Policy on the object was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle 
ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nCentral Policy ID:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10 An Active Directory replica source naming context was established.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 An Active Directory replica source naming context was removed.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 An Active Directory replica source naming context was modified.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 An Active Directory replica destination naming context was modified.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nDestination Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 Synchronization of a replica of an Active Directory naming context has begun.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nNaming Context:%t%3%nOptions:%t%t%4%nSession ID:%t%5%nStart USN:%t%6 Synchronization of a replica of an Active Directory naming context has ended.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nNaming Context:%t%3%nOptions:%t%t%4%nSession ID:%t%5%nEnd USN:%t%6%nStatus Code:%t%7 Attributes of an Active Directory object were replicated.%n%nSession ID:%t%1%nObject:%t%t%2%nAttribute:%t%3%nType of change:%t%4%nNew Value:%t%5%nUSN:%t%t%6%nStatus Code:%t%7 Replication failure begins.%n%nReplication Event:%t%1%nAudit Status Code:%t%2 Replication failure ends.%n%nReplication Event:%t%1%nAudit Status Code:%t%2%nReplication Status Code:%t%3 A lingering object was removed from a replica.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nObject:%t%3%nOptions:%t%4%nStatus Code:%t%5 The following policy was active when the Windows Firewall started.%n%nGroup Policy Applied:%t%1%nProfile Used:%t%2%nOperational mode:%t%3%nAllow Remote Administration:%t%4%nAllow Unicast Responses to 
Multicast/Broadcast Traffic:%t%5%nSecurity Logging:%n%tLog Dropped Packets:%t%6%n%tLog Successful Connections:%t%7 A rule was listed when the Windows Firewall started.%n%t%nProfile used:%t%1%n%nRule:%n%tRule ID:%t%2%n%tRule Name:%t%3 A change was made to the Windows Firewall exception list. A rule was added.%n%t%nProfile Changed:%t%1%n%nAdded Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3 A change was made to the Windows Firewall exception list. A rule was modified.%n%t%nProfile Changed:%t%1%n%nModified Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3 A change was made to the Windows Firewall exception list. A rule was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3 Windows Firewall settings were restored to the default values. A Windows Firewall setting was changed.%n%t%nChanged Profile:%t%1%n%nNew Setting:%n%tType:%t%2%n%tValue:%t%3 Windows Firewall ignored a rule because its major version number is not recognized.%n%t%nProfile:%t%1%n%nIgnored Rule:%n%tID:%t%2%n%tName:%t%3 Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.%n%t%nProfile:%t%1%n%nPartially Ignored Rule:%n%tID:%t%2%n%tName:%t%3 Windows Firewall ignored a rule because it could not be parsed.%n%t%nProfile:%t%1%n%nReason for Rejection:%t%2%n%nRule:%n%tID:%t%3%n%tName:%t%4 Group Policy settings for Windows Firewall were changed, and the new settings were applied. Windows Firewall changed the active profile.%n%nNew Active Profile:%t%1 Windows Firewall did not apply the following rule:%n%nRule Information:%n%tID:%t%1%n%tName:%t%2%n%nError Information:%n%tReason:%t%3 resolved to an empty set. Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:%n%nRule Information:%n%tID:%t%1%n%tName:%t%2%n%nError Information:%n%tError:%t%3%n%tReason:%t%4 IPsec dropped an inbound packet that failed an integrity check. 
If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 Special groups have been assigned to a new logon.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tLogon GUID:%t%5%n%nNew Logon:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%tLogon GUID:%t%10%n%tSpecial Groups Assigned:%t%11 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. 
In that case, if connectivity is not impeded, then these events can be ignored.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3 During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3 During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3 IPsec main mode and extended mode security associations were established.%n%nMain Mode Local Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nMain Mode Remote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nMain Mode Cryptographic Information:%n%tCipher Algorithm:%t%8%n%tIntegrity Algorithm:%t%9%n%tDiffie-Hellman Group:%t%10%n%nMain Mode Security Association:%n%tLifetime (minutes):%t%11%n%tQuick Mode Limit:%t%12%n%tMain Mode SA ID:%t%16%n%t%nMain Mode Additional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%7%n%tRole:%t%t%t%13%n%tImpersonation State:%t%14%n%tMain Mode Filter ID:%t%15%n%nExtended Mode Information:%n%tLocal Principal Name:%t%17%n%tRemote Principal Name:%t%18%n%tAuthentication Method:%t%19%n%tImpersonation State:%t%20%n%tQuick Mode Filter ID:%t%21 IPsec main mode and extended mode security associations were established.%n%nMain Mode Local Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying 
Module Port:%t%4%n%nMain Mode Remote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nMain Mode Cryptographic Information:%n%tCipher Algorithm:%t%8%n%tIntegrity Algorithm:%t%9%n%tDiffie-Hellman Group:%t%10%n%nMain Mode Security Association:%n%tLifetime (minutes):%t%11%n%tQuick Mode Limit:%t%12%n%tMain Mode SA ID:%t%16%n%t%nMain Mode Additional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%7%n%tRole:%t%t%t%13%n%tImpersonation State:%t%14%n%tMain Mode Filter ID:%t%15%n%nExtended Mode Local Endpoint:%n%tPrincipal Name:%t%17%n%tCertificate SHA Thumbprint:%t%18%n%tCertificate Issuing CA:%t%19%n%tCertificate Root CA:%t%20%n%nExtended Mode Remote Endpoint:%n%tPrincipal Name:%t%21%n%tCertificate SHA Thumbprint:%t%22%n%tCertificate Issuing CA:%t%23%n%tCertificate Root CA:%t%24%n%nExtended Mode Additional Information:%n%tAuthentication Method:%tSSL%n%tImpersonation State:%t%25%n%tQuick Mode Filter ID:%t%26 IPsec main mode and extended mode security associations were established.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%13%n%tIntegrity Algorithm:%t%14%n%tDiffie-Hellman Group:%t%15%n%nSecurity Association Information:%n%tLifetime (minutes):%t%16%n%tQuick Mode Limit:%t%17%n%tMain Mode SA ID:%t%21%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%18%n%tImpersonation State:%t%19%n%tMain Mode Filter ID:%t%20%n%t%nExtended Mode Information:%n%tLocal Principal Name:%t%22%n%tRemote Principal Name:%t%23%n%tAuthentication Method:%t%24%n%tImpersonation State:%t%25%n%tQuick Mode Filter ID:%t%26 IPsec 
main mode and extended mode security associations were established.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%n%tKeying Module Port:%t%9%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%10%n%tKeying Module Port:%t%11%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%12%n%tIntegrity Algorithm:%t%13%n%tDiffie-Hellman Group:%t%14%n%nSecurity Association Information:%n%tLifetime (minutes):%t%15%n%tQuick Mode Limit:%t%16%n%tMain Mode SA ID:%t%20%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%17%n%tImpersonation State:%t%18%n%tMain Mode Filter ID:%t%19%n%t%nExtended Mode Local Endpoint:%n%tPrincipal Name:%t%t%21%n%tCertificate SHA Thumbprint:%t%22%n%tCertificate Issuing CA:%t%23%n%tCertificate Root CA:%t%24%n%nExtended Mode Remote Endpoint:%n%tPrincipal Name:%t%t%25%n%tCertificate SHA Thumbprint:%t%26%n%tCertificate Issuing CA:%t%27%n%tCertificate Root CA:%t%28%nExtended Mode Additional Information:%n%tAuthentication Method:%tSSL%n%tImpersonation State:%t%29%n%tQuick Mode Filter ID:%t%30 An IPsec extended mode negotiation failed. 
The corresponding main mode security association has been deleted.%n%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%16%n%tImpersonation State:%t%17%n%tQuick Mode Filter ID:%t%18%n%nFailure Information:%n%tFailure Point:%t%t%13%n%tFailure Reason:%t%t%14%n%tState:%t%t%t%15 An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%9%n%tRole:%t%t%t%11%n%tImpersonation State:%t%12%n%tQuick Mode Filter ID:%t%13%n%nFailure Information:%n%tFailure Point:%t%t%7%n%tFailure Reason:%t%t%8%n%tState:%t%t%t%10 The state of a transaction has changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTransaction Information:%n%tRM Transaction ID:%t%5%n%tNew State:%t%t%6%n%tResource Manager:%t%7%n%nProcess Information:%n%tProcess ID:%t%t%8%n%tProcess Name:%t%t%9 The Windows Firewall service started successfully. The Windows Firewall service was stopped. The Windows Firewall service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1 Windows Firewall was unable to parse the new security policy. 
Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1 The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1 The Windows Firewall service failed to start.%n%nError Code:%t%1 Windows Firewall blocked an application from accepting incoming connections on the network.%n%nProfiles:%t%t%1%nApplication:%t%t%2 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.%n%nError Code:%t%1 The Windows Firewall Driver started successfully. The Windows Firewall Driver was stopped. The Windows Firewall Driver failed to start.%n%nError Code:%t%1 The Windows Firewall Driver detected a critical runtime error, terminating.%n%nError Code:%t%1 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.%n%nFile Name:%t%1%t A registry key was virtualized.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tKey Name:%t%t%5%n%tVirtual Key Name:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%7%n%tProcess Name:%t%t%8 A change was made to IPsec settings. An authentication set was added.%n%t%nProfile Changed:%t%t%1%n%nAdded Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. An authentication set was modified.%n%t%nProfile Changed:%t%t%1%n%nModified Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. An authentication set was deleted.%n%t%nProfile Changed:%t%t%1%n%nDeleted Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. A connection security rule was added.%n%t%nProfile Changed:%t%t%1%n%nAdded Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. 
A connection security rule was modified.%n%t%nProfile Changed:%t%1%n%nModified Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. A connection security rule was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. A crypto set was added.%n%t%nProfile Changed:%t%1%n%nAdded Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. A crypto set was modified.%n%t%nProfile Changed:%t%1%n%nModified Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. A crypto set was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 An IPsec security association was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted SA:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 An attempt to programmatically disable Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on this version of Windows. This is most likely due to a program that is incompatible with this version of Windows. 
Please contact the program's manufacturer to make sure you have a compatible program version.%n%nError Code:%t%tE_NOTIMPL%nCaller Process Name:%t%t%1%nProcess Id:%t%t%2%nPublisher:%t%t%3 A file was virtualized.%n%nSubject:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%t%4%n%nObject:%n%tFile Name:%t%t%t%5%n%tVirtual File Name:%t%6%n%nProcess Information:%n%tProcess ID:%t%t%t%7%n%tProcess Name:%t%t%t%8 A cryptographic self test was performed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nModule:%t%t%5%n%nReturn Code:%t%6 A cryptographic primitive operation failed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%t%5%n%tAlgorithm Name:%t%6%n%nFailure Information:%n%tReason:%t%t%t%7%n%tReturn Code:%t%t%8 Key file operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nKey File Operation Information:%n%tFile Path:%t%9%n%tOperation:%t%10%n%tReturn Code:%t%11 Key migration operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nAdditional Information:%n%tOperation:%t%9%n%tReturn Code:%t%10 Verification operation failed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nFailure Information:%n%tReason:%t%9%n%tReturn Code:%t%10 Cryptographic operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic 
Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nCryptographic Operation:%n%tOperation:%t%9%n%tReturn Code:%t%10 A kernel-mode cryptographic self test was performed.%n%nModule:%t%1%n%nReturn Code:%t%2 A cryptographic provider operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Provider:%n%tName:%t%5%n%tModule:%t%6%n%nOperation:%t%7%n%nReturn Code:%t%8 A cryptographic context operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%nOperation:%t%7%n%nReturn Code:%t%8 A cryptographic context modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%nChange Information:%n%tOld Value:%t%7%n%tNew Value:%t%8%n%nReturn Code:%t%9 A cryptographic function operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tPosition:%t%9%n%nOperation:%t%10%n%nReturn Code:%t%11 A cryptographic function modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%nChange Information:%n%tOld Value:%t%9%n%tNew Value:%t%10%n%nReturn Code:%t%11 A cryptographic function provider operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProvider:%t%9%n%tPosition:%t%10%n%nOperation:%t%11%n%nReturn Code:%t%12 A 
cryptographic function property operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProperty:%t%9%n%nOperation:%t%10%n%nValue:%t%11%n%nReturn Code:%t%12 A cryptographic function property modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProperty:%t%9%n%nChange Information:%n%tOld Value:%t%10%n%tNew Value:%t%11%n%nReturn Code:%t%12 Key access denied by Microsoft key distribution service.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSecurity Descriptor:%t%5 OCSP Responder Service Started. OCSP Responder Service Stopped. A Configuration entry changed in the OCSP Responder Service.%n%nCA Configuration ID:%t%t%1%nNew Value:%t%t%2 A configuration entry changed in the OCSP Responder Service.%n%nProperty Name:%t%t%1%nNew Value:%t%t%2 A security setting was updated on OCSP Responder Service.%n%nNew Value:%t%1 A request was submitted to OCSP Responder Service. 
%n%nCertificate Serial Number: %1%nIssuer CA Name: %2%nRevocation Status: %3 Signing Certificate was automatically updated by the OCSP Responder Service.%n%nCA Configuration ID:%t%t%1%nNew Signing Certificate Hash:%t%t%2 The OCSP Revocation Provider successfully updated the revocation information.%n%nCA Configuration ID:%t%t%1%nBase CRL Number:%t%t%2%nBase CRL This Update:%t%t%3%nBase CRL Hash:%t%t%4%nDelta CRL Number:%t%t%5%nDelta CRL Indicator:%t%t%6%nDelta CRL This Update:%t%t%7%nDelta CRL Hash:%t%t%8 A directory service object was modified.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nAttribute:%n%tLDAP Display Name:%t%12%n%tSyntax (OID):%t%13%n%tValue:%t%14%n%t%nOperation:%n%tType:%t%15%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A directory service object was created.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nOperation:%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A directory service object was undeleted.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tOld DN:%t%9%n%tNew DN:%t%10%n%tGUID:%t%11%n%tClass:%t%12%n%t%nOperation:%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A directory service object was moved.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%t%7%n%tType:%t%t%8%n%t%nObject:%n%tOld DN:%t%t%9%n%tNew DN:%t%10%n%tGUID:%t%t%11%n%tClass:%t%t%12%n%t%nOperation:%n%tCorrelation ID:%t%t%t%1%n%tApplication Correlation ID:%t%2 A network share object was 
accessed.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tObject Type:%t%t%5%n%tSource Address:%t%t%6%n%tSource Port:%t%t%7%n%t%nShare Information:%n%tShare Name:%t%t%8%n%tShare Path:%t%t%9%n%nAccess Request Information:%n%tAccess Mask:%t%t%10%n%tAccesses:%t%t%11%n A directory service object was deleted.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nOperation:%n%tTree Delete:%t%12%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A network share object was added.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%t%n%tShare Name:%t%t%5%n%tShare Path:%t%t%6 A network share object was modified.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%n%tObject Type:%t%t%5%n%tShare Name:%t%t%6%n%tShare Path:%t%t%7%n%tOld Remark:%t%t%8%n%tNew Remark:%t%t%9%n%tOld MaxUsers:%t%t%10%n%tNew Maxusers:%t%t%11%n%tOld ShareFlags:%t%t%12%n%tNew ShareFlags:%t%t%13%n%tOld SD:%t%t%t%14%n%tNew SD:%t%t%t%15%n A network share object was deleted.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%t%n%tShare Name:%t%t%5%n%tShare Path:%t%t%6 A network share object was checked to see whether client can be granted desired access.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tObject Type:%t%t%5%n%tSource Address:%t%t%6%n%tSource Port:%t%t%7%n%t%nShare Information:%n%tShare Name:%t%t%8%n%tShare Path:%t%t%9%n%tRelative Target Name:%t%10%n%nAccess Request Information:%n%tAccess Mask:%t%t%11%n%tAccesses:%t%t%12%nAccess Check Results:%n%t%13%n 
The Windows Filtering Platform has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tVlanTag:%t%t%5%n%tvSwitchId:%t%t%6%n%tSource vSwitch Port:%t%t%7%n%tDestination vSwitch Port:%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 A more restrictive Windows Filtering Platform filter has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tVlanTag:%t%t%5%n%tvSwitchId:%t%t%6%n%tSource vSwitch Port:%t%t%7%n%tDestination vSwitch Port:%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.%n%nNetwork Information:%n%tType:%t%t%1 The DoS attack has subsided and normal processing is being resumed.%n%nNetwork Information:%n%tType:%t%t%1%n%tPackets Discarded:%t%t%t%2 The Windows Filtering Platform has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tMediaType:%t%t%5%n%tInterfaceType:%t%t%6%n%tVlanTag:%t%t%t%7%n%nFilter Information:%n%tFilter Run-Time ID:%t%8%n%tLayer Name:%t%t%9%n%tLayer Run-Time ID:%t%10 A more restrictive Windows Filtering Platform filter has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%t%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tMediaType:%t%t%5%n%tInterfaceType:%t%t%6%n%tVlanTag:%t%t%t%7%n%nFilter Information:%n%tFilter Run-Time ID:%t%8%n%tLayer Name:%t%t%9%n%tLayer Run-Time ID:%t%10 The Windows Filtering Platform has blocked a packet.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination 
Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 A more restrictive Windows Filtering Platform filter has blocked a packet.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 The Windows Filtering Platform has permitted a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has blocked a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination 
Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has permitted a bind to a local port.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 The Windows Filtering Platform has blocked a bind to a local port.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 8Spn check for SMB/SMB2 fails.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSPN:%t%n%tSPN Name:%t%t%5%n%tError Code:%t%t%6%n%nServer Information:%n%tServer Names:%t%t%7%n%tConfigured Names:%t%t%8%n%tIP Addresses:%t%t%9 Credential Manager credentials were backed up.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own. Credential Manager credentials were restored from a backup.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own. 
The requested credentials delegation was disallowed by policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCredential Delegation Information:%n%tSecurity Package:%t%5%n%tUser's UPN:%t%6%n%tTarget Server:%t%7%n%tCredential Type:%t%8
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.%n%nProvider Information:%t%n%tID:%t%t%1%n%tName:%t%t%2%n%nCallout Information:%n%tID:%t%t%3%n%tName:%t%t%4%n%tType:%t%t%5%n%tRun-Time ID:%t%6%n%nLayer Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tRun-Time ID:%t%9
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.%n%nProvider Information:%t%n%tID:%t%t%1%n%tName:%t%t%2%n%nFilter Information:%n%tID:%t%t%3%n%tName:%t%t%4%n%tType:%t%t%5%n%tRun-Time ID:%t%6%n%nLayer Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tRun-Time ID:%t%9%n%tWeight:%t%t%10%n%t%nAdditional Information:%n%tConditions:%t%11%n%tFilter Action:%t%12%n%tCallout ID:%t%13%n%tCallout Name:%t%14
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nProvider Type:%t%3
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nProvider Context ID:%t%3%nProvider Context Name:%t%4%nProvider Context Type:%t%5
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nSub-layer ID:%t%3%nSub-layer Name:%t%4%nSub-layer Type:%t%5%nWeight:%t%t%6
A Windows Filtering Platform callout has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tID:%t%t%4%n%tName:%t%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nCallout Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tType:%t%t%9%n%tRun-Time ID:%t%10%n%nLayer Information:%n%tID:%t%t%11%n%tName:%t%t%12%n%tRun-Time ID:%t%13
A Windows Filtering Platform filter has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tID:%t%t%4%n%tName:%t%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nFilter Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tType:%t%t%9%n%tRun-Time ID:%t%10%n%nLayer Information:%n%tID:%t%t%11%n%tName:%t%t%12%n%tRun-Time ID:%t%13%n%nCallout Information:%n%tID:%t%t%17%n%tName:%t%t%18%n%nAdditional Information:%n%tWeight:%t%14%t%n%tConditions:%t%15%n%tFilter Action:%t%16
A Windows Filtering Platform provider has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nChange Information:%n%tChange Type:%t%4%n%nProvider Information:%n%tID:%t%t%5%n%tName:%t%t%6%n%tType:%t%t%7
A Windows Filtering Platform provider context has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tProvider ID:%t%4%n%tProvider Name:%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nProvider Context:%n%tID:%t%7%n%tName:%t%8%n%tType:%t%9
A Windows Filtering Platform sub-layer has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tProvider ID:%t%4%n%tProvider Name:%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nSub-layer Information:%n%tSub-layer ID:%t%7%n%tSub-layer Name:%t%8%n%tSub-layer Type:%t%9%n%nAdditional Information:%n%tWeight:%t%10
An IPsec quick mode security association was established.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address Mask:%t%6%n%tPort:%t%t%t%7%n%tPrivate Address:%t%t%8%n%tTunnel Endpoint:%t%t%9%n%n%tProtocol:%t%t%10%n%tKeying Module Name:%t%11%n%nCryptographic Information:%n%tIntegrity Algorithm - AH:%t%12%n%tIntegrity Algorithm - ESP:%t%13%n%tEncryption Algorithm:%t%14%n%nSecurity Association Information:%n%tLifetime - seconds:%t%15%n%tLifetime - data:%t%t%16%n%tLifetime - packets:%t%17%n%tMode:%t%t%t%18%n%tRole:%t%t%t%19%n%tQuick Mode Filter ID:%t%20%n%tMain Mode SA ID:%t%21%n%tQuick Mode SA ID:%t%22%n%nAdditional Information:%n%tInbound SPI:%t%t%23%n%tOutbound SPI:%t%t%24%n%tVirtual Interface Tunnel ID:%t%t%25%n%tTraffic Selector ID:%t%t%26
An IPsec quick mode security association ended.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address mask:%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tQuick Mode SA ID:%t%10%n%tVirtual Interface Tunnel ID:%t%t%11%n%tTraffic Selector ID:%t%t%12
An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1
IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.%n%nDN:%t%t%1%nError code:%t%t%2
IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1
IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2
IPsec Policy Agent applied local registry storage IPsec policy on the computer.%n%nPolicy:%t%t%1
IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2
IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.%n%nPolicy:%t%t%1%nError Code:%t%t%2
IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.
IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.
IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.
IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
IPsec Policy Agent loaded local storage IPsec policy on the computer.%n%nPolicy:%t%t%1
IPsec Policy Agent failed to load local storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2
IPsec Policy Agent loaded directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1
IPsec Policy Agent failed to load directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2
IPsec Policy Agent failed to add quick mode filter.%n%nQuick Mode Filter:%t%t%1%nError Code:%t%t%2
The IPsec Policy Agent service was started.
The IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.
IPsec Policy Agent failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
The IPsec Policy Agent service failed to initialize its RPC server. The service could not be started.%n%nError Code:%t%t%1
The IPsec Policy Agent service experienced a critical failure and has shut down. The shutdown of this service can put the computer at greater risk of network attack or expose the computer to potential security risks.%n%nError Code:%t%t%1
IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
A request was made to authenticate to a wireless network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nNetwork Information:%n%tName (SSID):%t%t%1%n%tInterface GUID:%t%t%8%n%tLocal MAC Address:%t%7%n%tPeer MAC Address:%t%6%n%nAdditional Information:%n%tReason Code:%t%t%10 (%9)%n%tError Code:%t%t%11%n%tEAP Reason Code:%t%12%n%tEAP Root Cause String:%t%13%n%tEAP Error Code:%t%t%14
A request was made to authenticate to a wired network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nInterface:%n%tName:%t%t%t%1%n%nAdditional Information%n%tReason Code:%t%t%7 (%6)%n%tError Code:%t%t%8
A Remote Procedure Call (RPC) was attempted.%n%nSubject:%n%tSID:%t%t%t%1%n%tName:%t%t%t%2%n%tAccount Domain:%t%t%3%n%tLogonId:%t%t%4%n%nProcess Information:%n%tPID:%t%t%t%5%n%tName:%t%t%t%6%n%nNetwork Information:%n%tRemote IP Address:%t%7%n%tRemote Port:%t%t%8%n%nRPC Attributes:%n%tInterface UUID:%t%t%9%n%tProtocol Sequence:%t%10%n%tAuthentication Service:%t%11%n%tAuthentication Level:%t%12
An object in the COM+ Catalog was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Properties Modified:%t%7
An object was deleted from the COM+ Catalog.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Details:%t%t%t%7%nThis event occurs when an object is deleted from the COM+ catalog.
An object was added to the COM+ Catalog.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Details:%t%t%t%7
Security policy in the group policy objects has been applied successfully. %n%nReturn Code:%t%1%n%nGPO List:%n%2
One or more errors occured while processing security policy in the group policy objects.%n%nError Code:%t%1%nGPO List:%n%2
Network Policy Server granted access to a user.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tLogging Results:%t%t%t%27%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tSession Identifier:%t%t%t%26%n
Network Policy Server denied access to a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tLogging Results:%t%t%t%27%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n
Network Policy Server discarded the request for a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n
Network Policy Server discarded the accounting request for a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n
Network Policy Server quarantined a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n%tQuarantine Grace Time:%t%t%30%n
Network Policy Server granted full access to a user because the host met the defined health policy.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n
Network Policy Server locked the user account due to repeated failed authentication attempts.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n
Network Policy Server unlocked the user account.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.%n%nFile Name:%t%1%t
BranchCache: Received an incorrectly formatted response while discovering availability of content. %n%nIP address of the client that sent this response:%t%t%t%1%n%t%n
BranchCache: Received invalid data from a peer. Data discarded. %n%nIP address of the client that sent this data:%t%t%t%1%n%t%n
BranchCache: The message to the hosted cache offering it data is incorrectly formatted. %n%nIP address of the client that sent this message: %t%t%t%1%n%t%n
BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. %n%nDomain name of the hosted cache is:%t%t%t%1%n%t%n
BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. %n%nDomain name of the hosted cache:%t%t%t%1%n%t%nError Code:%t%t%t%2%n%t%n
BranchCache: %2 instance(s) of event id %1 occurred.%n
%1 registered to Windows Firewall to control filtering for the following: %n%2.
%1
Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
BranchCache: A service connection point object could not be parsed. %n%nSCP object GUID: %1
Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.%n%nFile Name:%t%1%t
A new external device was recognized by the system.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nVendor IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
A request was made to disable a device.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
A device was disabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
A request was made to enable a device.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
A device was enabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
The installation of this device is forbidden by system policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
The installation of this device was allowed, after having previously been forbidden by policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11
A network client used a legacy RPC method to modify authentication information on a trusted domain object. The authentication information was encrypted with a legacy encryption algorithm. Consider upgrading the client operating system or application to use the latest and more secure version of this method.%n%nTrusted Domain:%n%tDomain Name:%t%t%5%n%tDomain ID:%t%t%6%n%nModified By:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nClient Network Address:%t%t%7%nRPC Method Name:%t%t%8%n%nFor more information please see https://go.microsoft.com/fwlink/?linkid=2161080.
Highest System-Defined Audit Message Value.
Info
Information
Security State Change
Security System Extension
System Integrity
IPsec Driver
Other System Events
Logon
Logoff
Account Lockout
IPsec Main Mode
Special Logon
IPsec Quick Mode
IPsec Extended Mode
Other Logon/Logoff Events
Network Policy Server
User / Device Claims
File System
Registry
Kernel Object
SAM
Other Object Access Events
Certification Services
Application Generated
Handle Manipulation
File Share
Filtering Platform Packet Drop
Filtering Platform Connection
Detailed File Share
Removable Storage
Central Access Policy Staging
Sensitive Privilege Use
Non Sensitive Privilege Use
Other Privilege Use Events
Process Creation
Process Termination
DPAPI Activity
RPC Events
Plug and Play Events
Audit Policy Change
Authentication Policy Change
Authorization Policy Change
MPSSVC Rule-Level Policy Change
Filtering Platform Policy Change
Other Policy Change Events
User Account Management
Computer Account Management
Security Group Management
Distribution Group Management
Application Group Management
Other Account Management Events
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
Credential Validation
Kerberos Service Ticket Operations
Other Account Logon Events
Kerberos Authentication Service
Subcategory could not be determined
Microsoft Windows security auditing.
Security
The system time was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%9%n%tName:%t%t%10%n%nPrevious Time:%t%t%6 %5%nNew Time:%t%t%8 %7%n%nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
An account was successfully logged on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%tLogon GUID:%t%t%13%n%nProcess Information:%n%tProcess ID:%t%t%17%n%tProcess Name:%t%t%18%n%nNetwork Information:%n%tWorkstation Name:%t%12%n%tSource Network Address:%t%19%n%tSource Port:%t%t%20%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%10%n%tAuthentication Package:%t%11%n%tTransited Services:%t%14%n%tPackage Name (NTLM only):%t%15%n%tKey Length:%t%t%16%n%nThis event is generated when a logon session is created. It is generated on the computer that was accessed.%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
An IPsec quick mode negotiation failed.%n%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tAddress Mask:%t%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%tPrivate Address:%t%t%10%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tKeying Module Name:%t%11%n%tMode:%t%t%t%14%n%tRole:%t%t%t%16%n%tQuick Mode Filter ID:%t%18%n%tMain Mode SA ID:%t%19%n%nFailure Information:%n%tState:%t%t%t%15%n%tMessage ID:%t%t%17%n%tFailure Point:%t%t%12%n%tFailure Reason:%t%t%13
A handle to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%14%n%tProcess Name:%t%t%15%n%nAccess Request Information:%n%tTransaction ID:%t%t%9%n%tAccesses:%t%t%10%n%tAccess Mask:%t%t%11%n%tPrivileges Used for Access Check:%t%12%n%tRestricted SID Count:%t%13
A handle to an object was requested.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%15%n%tProcess Name:%t%16%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Mask:%t%11%n%tPrivileges Used for Access Check:%t%12%n%tProperties:%t%13%n%tRestricted SID Count:%t%14
An attempt was made to access an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nAccess Request Information:%n%tAccesses:%t%9%n%tAccess Mask:%t%10
A new process has been created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
RPC detected an integrity violation while decrypting an incoming message.%n%nPeer Name:%t%1%nProtocol Sequence:%t%2%nSecurity Error:%t%3
A request was submitted to OCSP Responder Service.
A network share object was accessed.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tSource Address:%t%t%5%n%tSource Port:%t%t%6%n%t%nShare Name:%t%t%t%7 $The Windows Filtering Platform has permitted a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has blocked a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 XAn IPsec quick mode security association was established.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address Mask:%t%6%n%tPort:%t%t%t%7%n%tPrivate Address:%t%t%8%n%tTunnel Endpoint:%t%t%9%n%n%tProtocol:%t%t%10%n%tKeying Module Name:%t%11%n%nCryptographic Information:%n%tIntegrity Algorithm - AH:%t%12%n%tIntegrity Algorithm - ESP:%t%13%n%tEncryption Algorithm:%t%14%n%nSecurity Association Information:%n%tLifetime - seconds:%t%15%n%tLifetime - data:%t%t%16%n%tLifetime - packets:%t%17%n%tMode:%t%t%t%18%n%tRole:%t%t%t%19%n%tQuick Mode Filter ID:%t%20%n%tMain Mode SA ID:%t%21%n%tQuick Mode SA ID:%t%22%n%nAdditional Information:%n%tInbound SPI:%t%t%23%n%tOutbound SPI:%t%t%24 TAn IPsec quick mode security association ended.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tPort:%t%t%t%2%n%tTunnel Endpoint:%t%t%3%n%nRemote 
Endpoint:%n%tNetwork Address:%t%4%n%tPort:%t%t%t%5%n%tTunnel Endpoint:%t%t%6%n%nAdditional Information:%n%tProtocol:%t%t%7%n%tQuick Mode SA ID:%t%8 A request was made to authenticate to a wireless network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nNetwork Information:%n%tName (SSID):%t%t%1%n%tInterface GUID:%t%t%8%n%tLocal MAC Address:%t%7%n%tPeer MAC Address:%t%6%n%nAdditional Information:%n%tReason Code:%t%t%10 (%9)%n%tError Code:%t%t%11 @Network Policy Server granted access to a user.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tProxy Policy Name:%t%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tSession Identifier:%t%t%t%26%n Network Policy Server denied access to a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS 
Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tProxy Policy Name:%t%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n A new process has been created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%tProcess Command Line:%t%9%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 
pܢl;@d@D EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid A?oData'KName DeviceName AAoData)KName ServiceName A?oData'KName ServiceSid AEoData-KName TicketOptions A7oDataKNameStatus ASoData;KNameTicketEncryptionType AAoData)KName PreAuthType A=oData%KName IpAddress A7oDataKNameIpPort AGoData/KNameCertIssuerName AKoData3KNameCertSerialNumber AGoData/KNameCertThumbprint A;oData#KNameSiloName A?oData'KName PolicyName ACoData+KName TGT Lifetime @Xț,DX|ȧ$TargetUserName(TargetDomainNameTargetSidDeviceNameServiceNameServiceSid TicketOptionsStatus0TicketEncryptionTypePreAuthTypeIpAddressIpPort$CertIssuerName(CertSerialNumber$CertThumbprintSiloNamePolicyName TGT LifetimeTEMP /Y8[)JD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName AAoData)KName ServiceName A?oData'KName ServiceSid AEoData-KName TicketOptions ASoData;KNameTicketEncryptionType A=oData%KName IpAddress A7oDataKNameIpPort A7oDataKNameStatus A=oData%KName LogonGuid AQoData9KNameTransmittedServices xĬLdx$TargetUserName(TargetDomainNameServiceNameServiceSid TicketOptions0TicketEncryptionTypeIpAddressIpPortStatusLogonGuid,TransmittedServicesTEMP]aB|ťD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A?oData'KName DeviceName AAoData)KName ServiceName A?oData'KName ServiceSid AEoData-KName TicketOptions ASoData;KNameTicketEncryptionType A=oData%KName IpAddress A7oDataKNameIpPort A7oDataKNameStatus A=oData%KName LogonGuid AMoData5KNameTransitedServices A;oData#KNameSiloName A?oData'KName PolicyName 0T|г 8L`x$TargetUserName(TargetDomainNameDeviceNameServiceNameServiceSid TicketOptions0TicketEncryptionTypeIpAddressIpPortStatusLogonGuid(TransitedServicesSiloNamePolicyNameTEMPDxsRI/SApD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName AAoData)KName ServiceName A?oData'KName ServiceSid AEoData-KName TicketOptions ASoData;KNameTicketEncryptionType A=oData%KName IpAddress A7oDataKNameIpPort 
<d$TargetUserName(TargetDomainNameServiceNameServiceSid TicketOptions0TicketEncryptionTypeIpAddressIpPortTEMP %A9K*<6D EventDataAGoData/KNameTargetUserName A=oData%KName TargetSid AAoData)KName ServiceName AEoData-KName TicketOptions A7oDataKNameStatus AAoData)KName PreAuthType A=oData%KName IpAddress A7oDataKNameIpPort AGoData/KNameCertIssuerName AKoData3KNameCertSerialNumber AGoData/KNameCertThumbprint `ؽ 4X$TargetUserNameTargetSidServiceName TicketOptionsStatusPreAuthTypeIpAddressIpPort$CertIssuerName(CertSerialNumber$CertThumbprintTEMP %A9K*<6D EventDataAGoData/KNameTargetUserName A=oData%KName TargetSid AAoData)KName ServiceName AEoData-KName TicketOptions A7oDataKNameStatus AAoData)KName PreAuthType A=oData%KName IpAddress A7oDataKNameIpPort AGoData/KNameCertIssuerName AKoData3KNameCertSerialNumber AGoData/KNameCertThumbprint (Ddx $TargetUserNameTargetSidServiceName TicketOptionsStatusPreAuthTypeIpAddressIpPort$CertIssuerName(CertSerialNumber$CertThumbprintTEMP|x͕TݲLZD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName AAoData)KName ServiceName AEoData-KName TicketOptions AAoData)KName FailureCode A=oData%KName IpAddress A7oDataKNameIpPort ,Tp$TargetUserName(TargetDomainNameServiceName TicketOptionsFailureCodeIpAddressIpPortTEMP$x͕TݲLZD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName AAoData)KName ServiceName AEoData-KName TicketOptions AAoData)KName FailureCode A=oData%KName IpAddress A7oDataKNameIpPort 8Tl$TargetUserName(TargetDomainNameServiceName TicketOptionsFailureCodeIpAddressIpPortTEMPcKU7'w5D EventDataA=oData%KName MappingBy AGoData/KNameClientUserName A?oData'KName MappedName  MappingBy$ClientUserNameMappedNameTEMPDP<zw\D EventDataAGoData/KNameClientUserName A=oData%KName MappingBy Dh$ClientUserNameMappingByTEMP,,hk&`c6D EventDataAAoData)KName PackageName AGoData/KNameTargetUserName AAoData)KName Workstation A7oDataKNameStatus <X|PackageName$TargetUserNameWorkstationStatusTEMP/B-/Xb D EventDataAAoData)KName 
AccountName A?oData'KName DeviceName A7oDataKNameStatus  <AccountNameDeviceNameStatusTEMPO.E2ys4Q1_4nD EventDataAAoData)KName AccountName A?oData'KName DeviceName A7oDataKNameStatus A;oData#KNameSiloName A?oData'KName PolicyName XtAccountNameDeviceNameStatusSiloNamePolicyNameTEMP8H$=it>@<D EventDataAGoData/KNameClientUserName AGoData/KNameTargetUserName AAoData)KName Workstation A7oDataKNameStatus $ClientUserName$TargetUserNameWorkstationStatusTEMP >tڍnFD EventDataAAoData)KName AccountName AEoData-KName AccountDomain A9oData!KNameLogonID AAoData)KName SessionName A?oData'KName ClientName AEoData-KName ClientAddress  AccountName AccountDomainLogonIDSessionNameClientName ClientAddressTEMP(>tڍnFD EventDataAAoData)KName AccountName AEoData-KName AccountDomain A9oData!KNameLogonID AAoData)KName SessionName A?oData'KName ClientName AEoData-KName ClientAddress  (AccountName AccountDomainLogonIDSessionNameClientName ClientAddressTEMP07]U =1@":D EventDataAAoData)KName AccountName AEoData-KName AccountDomain A9oData!KNameLogonID AEoData-KName ClientAddress $DXAccountName AccountDomainLogonID ClientAddressTEMPx8NsMlsD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList $<`$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP x8q0}:D EventDataAMoData5KNameOldTargetUserName AMoData5KNameNewTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList  4Lp(OldTargetUserName(NewTargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP0ոk0'Bd`JD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName 
AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId <d$TargetUserName(TargetDomainName$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPt ;2 @0'WcZ!D EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList AGoData/KNameSamAccountName A?oData'KName SidHistory ,Px$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt P;2 @0'WcZ!D EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList AGoData/KNameSamAccountName A?oData'KName SidHistory <d|0T$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\ 8+L $B)KD EventDataA?oData'KName MemberName A=oData%KName MemberSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList <`MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\ 8+L $B)KD EventDataA?oData'KName MemberName A=oData%KName MemberSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList 4\tMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId 
PrivilegeListTEMP\ p8+L $B)KD EventDataA?oData'KName MemberName A=oData%KName MemberSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList 8Tl@dMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\ 8+L $B)KD EventDataA?oData'KName MemberName A=oData%KName MemberSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList      , P t   MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPxNsMlsD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList @d8$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt ;2 @0'WcZ!D EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList AGoData/KNameSamAccountName A?oData'KName SidHistory t Hl$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt ;2 @0'WcZ!D EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList 
AGoData/KNameSamAccountName A?oData'KName SidHistory  4Lp$$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPxNsMlsD EventDataAGoData/KNameTargetUserName AKoData3KNameTargetDomainName A=oData%KName TargetSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AEoData-KName PrivilegeList  ( L t  $TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP#beB('c'Ƞd.D EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AAoData)KName Workstation AGoData/KNameTargetUserName A7oDataKNameStatus ###$<$X$|$$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdWorkstation$TargetUserNameStatusTEMPP&cȸӠ1~gD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AAoData)KName Workstation A7oDataKNameStatus '@'d''''$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdWorkstationStatusTEMPX*'5L;; (BD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId AAoData)KName Workstation AGoData/KNameTargetUserName AKoData3KNameTargetDomainName *+,+T+x+++$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdWorkstation$TargetUserName(TargetDomainNameTEMP-{5uD EventDataAEoData-KName TargetUserSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName AEoData-KName TargetLogonId A=oData%KName SessionId .0.T.|.. 
TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMP0{5uD EventDataAEoData-KName TargetUserSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName AEoData-KName TargetLogonId A=oData%KName SessionId 01(1P1p1 TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMPT3{5uD EventDataAEoData-KName TargetUserSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName AEoData-KName TargetLogonId A=oData%KName SessionId 333$4D4 TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMP(6{5uD EventDataAEoData-KName TargetUserSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName AEoData-KName TargetLogonId A=oData%KName SessionId 66667 TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMP88{vE`Qi^_D EventDataA7oDataKNameparam1 A7oDataKNameparam2 A7oDataKNameparam3 t888param1param2param3TEMP9#2:Ծ~R bD EventDataA;oData#KNamePeerName AKoData3KNameProtocolSequence AEoData-KName SecurityError :4:\:PeerName(ProtocolSequence SecurityErrorTEMP X=YWUfD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId ACoData+KName ObjectServer A?oData'KName ObjectType A?oData'KName ObjectName A5oDataKNameOldSd A5oDataKNameNewSd  >0>T>|>>>>>?$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameOldSdNewSdTEMP0 B[ p\ yQd#D EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId ACoData+KName ObjectServer A?oData'KName ObjectType A?oData'KName ObjectName A;oData#KNameHandleId A=oData%KName ProcessId AAoData)KName ProcessName ACoData+KName AccessReason AEoData-KName StagingReason CCD@DdDDDDDDE(E$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleIdProcessIdProcessName AccessReason StagingReasonTEMP< HsOo%mD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName 
AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId ACoData+KName ObjectServer A?oData'KName ObjectType A=oData%KName AddedCAPs AAoData)KName DeletedCAPs ACoData+KName ModifiedCAPs A;oData#KNameAsIsCAPs HIlIIIIIJ0JLJlJ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeAddedCAPsDeletedCAPs ModifiedCAPsAsIsCAPsTEMP$M"x /bD EventDataAQoData9KNameCollisionTargetType AQoData9KNameCollisionTargetName A?oData'KName ForestRoot ACoData+KName TopLevelName A9oData!KNameDnsName AAoData)KName NetbiosName A=oData%KName DomainSid A5oDataKNameFlags MMN0NPNdNNN,CollisionTargetType,CollisionTargetNameForestRoot TopLevelNameDnsNameNetbiosNameDomainSidFlagsTEMP R\\zFZD EventDataA?oData'KName ForestRoot AEoData-KName ForestRootSid AAoData)KName OperationId A=oData%KName EntryType A5oDataKNameFlags ACoData+KName TopLevelName A9oData!KNameDnsName AAoData)KName NetbiosName A=oData%KName DomainSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId SSSTT,TLT`T|TTTTUForestRoot ForestRootSidOperationIdEntryTypeFlags TopLevelNameDnsNameNetbiosNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP (Y\\zFZD EventDataA?oData'KName ForestRoot AEoData-KName ForestRootSid AAoData)KName OperationId A=oData%KName EntryType A5oDataKNameFlags ACoData+KName TopLevelName A9oData!KNameDnsName AAoData)KName NetbiosName A=oData%KName DomainSid AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId ,ZHZhZZZZZZZ[8[\[[ForestRoot ForestRootSidOperationIdEntryTypeFlags TopLevelNameDnsNameNetbiosNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP _qҘ+@RD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId A?oData'KName ForestRoot AEoData-KName ForestRootSid AAoData)KName OperationId A=oData%KName EntryType 
A5oDataKNameFlags ACoData+KName TopLevelName A9oData!KNameDnsName AAoData)KName NetbiosName A=oData%KName DomainSid ```a@a\a|aaaaaab$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdForestRoot ForestRootSidOperationIdEntryTypeFlags TopLevelNameDnsNameNetbiosNameDomainSidTEMPckt mc}<D EventDataA=oData%KName RequestId AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId `dxddddRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPfkt mc}<D EventDataA=oData%KName RequestId AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId Dg\ggggRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP0j(oS=Q/d D EventDataAYoDataAKNameCertificateSerialNumber AKoData3KNameRevocationReason AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId jjk(kLktk4CertificateSerialNumber(RevocationReason$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP0(n@6FKZD EventDataA?oData'KName NextUpdate AUoData=KNameNextPublishForBaseCRL AWoData?KNameNextPublishForDeltaCRL AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId nno4oXo|ooNextUpdate0NextPublishForBaseCRL4NextPublishForDeltaCRL$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPxq;Yt7Ъ&E%|D EventDataA=oData%KName IsBaseCRL A=oData%KName CRLNumber ACoData+KName KeyContainer AAoData)KName NextPublish AAoData)KName PublishURLs qq r,rHrIsBaseCRLCRLNumber KeyContainerNextPublishPublishURLsTEMP |u-z!yx{\--D EventDataA=oData%KName RequestId AEoData-KName ExtensionName AMoData5KNameExtensionDataType ASoData;KNameExtensionPolicyFlags AEoData-KName ExtensionData AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId 0vHvhvvvvw(wPwRequestId 
ExtensionName(ExtensionDataType0ExtensionPolicyFlags ExtensionData$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPXy8NVT%D EventDataA=oData%KName RequestId A?oData'KName Attributes AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId zz8z\zzzRequestIdAttributes$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP|p#Y4flUG8+D EventDataA?oData'KName BackupType AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId } }D}h}}BackupType$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPtD%( H!AZD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId $SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPԁ'"!4B'h xD EventDataAYoDataAKNameCertificateDatabaseHash ASoData;KNamePrivateKeyUsageCount AMoData5KNameCACertificateHash AIoData1KNameCAPublicKeyHash $X4CertificateDatabaseHash0PrivateKeyUsageCount(CACertificateHash$CAPublicKeyHashTEMP'"!4B'h xD EventDataAYoDataAKNameCertificateDatabaseHash ASoData;KNamePrivateKeyUsageCount AMoData5KNameCACertificateHash AIoData1KNameCAPublicKeyHash Є4\4CertificateDatabaseHash0PrivateKeyUsageCount(CACertificateHash$CAPublicKeyHashTEMPt%( H!AZD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId `Ї$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPԉ$~9wD EventDataAKoData3KNameSecuritySettings AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId 8`Њ(SecuritySettings$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPȌkt mc}<D EventDataA=oData%KName RequestId AGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId 
,DhRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP\gXw0D EventDataA9oData!KNameProfile AOoData7KNameReasonForRejection A7oDataKNameRuleId A;oData#KNameRuleName Profile,ReasonForRejectionRuleIdRuleNameTEMP&i 0ϗHfD EventDataAEoData-KName ActiveProfile  ActiveProfileTEMPJϟ^i?ޔ#D EventDataA7oDataKNameRuleId A;oData#KNameRuleName A;oData#KNameRuleAttr 8LdRuleIdRuleNameRuleAttrTEMP5Y$_yb D EventDataA7oDataKNameRuleId A;oData#KNameRuleName A5oDataKNameError A7oDataKNameReason (@PRuleIdRuleNameErrorReasonTEMP@I FVD EventDataAMoData5KNameCallerProcessName A=oData%KName ProcessId A=oData%KName Publisher  (CallerProcessNameProcessIdPublisherTEMP(. 6SlMD EventDataAEoData-KName RemoteAddress A1oDataKNameSPI  @ RemoteAddress SPITEMP( . 6SlMD EventDataAEoData-KName RemoteAddress A1oDataKNameSPI Hh RemoteAddress SPITEMP(H. 6SlMD EventDataAEoData-KName RemoteAddress A1oDataKNameSPI p RemoteAddress SPITEMP(p . 6SlMD EventDataAEoData-KName RemoteAddress A1oDataKNameSPI    RemoteAddress SPITEMP(!. 6SlMD EventDataAEoData-KName RemoteAddress A1oDataKNameSPI !! 
RemoteAddress SPITEMP %M-ʜ& 4fD EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId A=oData%KName LogonGuid AEoData-KName TargetUserSid AGoData/KNameTargetUserName AKoData3KNameTargetDomainName AEoData-KName TargetLogonId AIoData1KNameTargetLogonGuid A9oData!KNameSidList d&&&&&'0'T'|'''$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdLogonGuid TargetUserSid$TargetUserName(TargetDomainName TargetLogonId$TargetLogonGuidSidListTEMP)Sܸs@D EventDataACoData+KName LocalAddress AEoData-KName RemoteAddress A?oData'KName KeyModName <)\)|) LocalAddress RemoteAddressKeyModNameTEMP*Sܸs@D EventDataACoData+KName LocalAddress AEoData-KName RemoteAddress A?oData'KName KeyModName + +@+ LocalAddress RemoteAddressKeyModNameTEMP,Sܸs@D EventDataACoData+KName LocalAddress AEoData-KName RemoteAddress A?oData'KName KeyModName ,,- LocalAddress RemoteAddressKeyModNameTEMP 3mׯ }=ܑ fD EventDataASoData;KNameLocalMMPrincipalName AUoData=KNameRemoteMMPrincipalName ACoData+KName LocalAddress AIoData1KNameLocalKeyModPort AEoData-KName RemoteAddress AKoData3KNameRemoteKeyModPort ACoData+KName MMAuthMethod AAoData)KName MMCipherAlg AGoData/KNameMMIntegrityAlg A9oData!KNameDHGroup A?oData'KName MMLifetime A9oData!KNameQMLimit A3oDataKNameRole ASoData;KNameMMImpersonationState A?oData'KName MMFilterID  A7oDataKNameMMSAID  ASoData;KNameLocalEMPrincipalName AUoData=KNameRemoteEMPrincipalName ACoData+KName EMAuthMethod ASoData;KNameEMImpersonationState A?oData'KName QMFilterID  `55556$6L6l6666667 07 L7`7777 80LocalMMPrincipalName0RemoteMMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPort MMAuthMethodMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAID0LocalEMPrincipalName0RemoteEMPrincipalName EMAuthMethod0EMImpersonationStateQMFilterIDTEMP `@tɐ-w7D EventDataASoData;KNameLocalMMPrincipalName AUoData=KNameRemoteMMPrincipalName ACoData+KName LocalAddress 
AIoData1KNameLocalKeyModPort AEoData-KName RemoteAddress AKoData3KNameRemoteKeyModPort ACoData+KName MMAuthMethod AAoData)KName MMCipherAlg AGoData/KNameMMIntegrityAlg A9oData!KNameDHGroup A?oData'KName MMLifetime A9oData!KNameQMLimit A3oDataKNameRole ASoData;KNameMMImpersonationState A?oData'KName MMFilterID  A7oDataKNameMMSAID  ASoData;KNameLocalEMPrincipalName AIoData1KNameLocalEMCertHash AKoData3KNameLocalEMIssuingCA AEoData-KName LocalEMRootCA AUoData=KNameRemoteEMPrincipalName AKoData3KNameRemoteEMCertHash AMoData5KNameRemoteEMIssuingCA AGoData/KNameRemoteEMRootCA ASoData;KNameEMImpersonationState A?oData'KName QMFilterID  hBBBB C,CTCtCCCCCCD 8D TDhDDDDE4E\EEE E0LocalMMPrincipalName0RemoteMMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPort MMAuthMethodMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAID0LocalEMPrincipalName$LocalEMCertHash(LocalEMIssuingCA LocalEMRootCA0RemoteEMPrincipalName(RemoteEMCertHash(RemoteEMIssuingCA$RemoteEMRootCA0EMImpersonationStateQMFilterIDTEMP (N} JP7d$@D EventDataASoData;KNameLocalMMPrincipalName AIoData1KNameLocalMMCertHash AKoData3KNameLocalMMIssuingCA AEoData-KName LocalMMRootCA AUoData=KNameRemoteMMPrincipalName AKoData3KNameRemoteMMCertHash AMoData5KNameRemoteMMIssuingCA AGoData/KNameRemoteMMRootCA ACoData+KName LocalAddress AIoData1KNameLocalKeyModPort AEoData-KName RemoteAddress AKoData3KNameRemoteKeyModPort AAoData)KName MMCipherAlg AGoData/KNameMMIntegrityAlg A9oData!KNameDHGroup A?oData'KName MMLifetime A9oData!KNameQMLimit A3oDataKNameRole ASoData;KNameMMImpersonationState A?oData'KName MMFilterID  A7oDataKNameMMSAID  ASoData;KNameLocalEMPrincipalName AUoData=KNameRemoteEMPrincipalName ACoData+KName EMAuthMethod ASoData;KNameEMImpersonationState A?oData'KName QMFilterID  0P`PPPPP$QLQpQQQQQRX5D EventDataAGoData/KNameSubjectUserSid AIoData1KNameSubjectUserName AMoData5KNameSubjectDomainName AGoData/KNameSubjectLogonId A?oData'KName ObjectPath 
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, ObjectPath, ObjectVirtualPath, ProcessId, ProcessName
EventData: ProfileChanged, AuthenticationSetId, AuthenticationSetName
EventData: ProfileChanged, AuthenticationSetId, AuthenticationSetName
EventData: ProfileChanged, AuthenticationSetId, AuthenticationSetName
EventData: ProfileChanged, ConnectionSecurityRuleId, ConnectionSecurityRuleName
EventData: ProfileChanged, ConnectionSecurityRuleId, ConnectionSecurityRuleName
EventData: ProfileChanged, ConnectionSecurityRuleId, ConnectionSecurityRuleName
EventData: ProfileChanged, CryptographicSetId, CryptographicSetName
EventData: ProfileChanged, CryptographicSetId, CryptographicSetName
EventData: ProfileChanged, CryptographicSetId, CryptographicSetName
EventData: ProfileChanged, IpSecSecurityAssociationId, IpSecSecurityAssociationName
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, FileName, VirtualFileName, ProcessId, ProcessName
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, Module, ReturnCode
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, ProviderName, AlgorithmName, Reason, ReturnCode
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, ProviderName, AlgorithmName, KeyName, KeyType, KeyFilePath, Operation, ReturnCode
EventData: ProcessID, Application, Direction, SourceAddress, SourcePort, DestAddress, DestPort, Protocol, FilterRTID, LayerName, LayerRTID
EventData: ProcessID, Application, Direction, SourceAddress, SourcePort, DestAddress, DestPort, Protocol, FilterRTID, LayerName, LayerRTID, RemoteUserID, RemoteMachineID
EventData: ProcessID, Application, Direction, SourceAddress, SourcePort, DestAddress, DestPort, Protocol, FilterRTID, LayerName, LayerRTID
EventData: ProcessID, Application, Direction, SourceAddress, SourcePort, DestAddress, DestPort, Protocol, FilterRTID, LayerName, LayerRTID, RemoteUserID, RemoteMachineID
EventData: ProcessId, UserSid, UserName, ProviderKey, ProviderName, ChangeType, CalloutKey, CalloutName, CalloutType, CalloutId, LayerKey, LayerName, LayerId
EventData: ProcessId, UserSid, UserName, ProviderKey, ProviderName, ChangeType, FilterKey, FilterName, FilterType, FilterId, LayerKey, LayerName, LayerId, Weight, Conditions, Action, CalloutKey, CalloutName
EventData: ProcessId, UserSid, UserName, ChangeType, ProviderKey, ProviderName, ProviderType
EventData: ProcessId, UserSid, UserName, ProviderKey, ProviderName, ChangeType, ProviderContextKey, ProviderContextName, ProviderContextType
EventData: ProcessId, UserSid, UserName, ProviderKey, ProviderName, ChangeType, SubLayerKey, SubLayerName, SubLayerType, Weight
EventData: LocalAddress, LocalAddressMask, LocalPort, LocalTunnelEndpoint, RemoteAddress, RemoteAddressMask, RemotePort, PeerPrivateAddress, RemoteTunnelEndpoint, IpProtocol, KeyingModuleName, AhAuthType, EspAuthType, CipherType, LifetimeSeconds, LifetimeKilobytes, LifetimePackets, Mode, Role, TransportFilterId, MainModeSaId, QuickModeSaId, InboundSpi, OutboundSpi
EventData: LocalAddress, LocalAddressMask, LocalPort, LocalTunnelEndpoint, RemoteAddress, RemoteAddressMask, RemotePort, PeerPrivateAddress, RemoteTunnelEndpoint, IpProtocol, KeyingModuleName, AhAuthType, EspAuthType, CipherType, LifetimeSeconds, LifetimeKilobytes, LifetimePackets, Mode, Role, TransportFilterId, MainModeSaId, QuickModeSaId, InboundSpi, OutboundSpi, TunnelId, TrafficSelectorId
EventData: LocalAddress, LocalPort, LocalTunnelEndpoint, RemoteAddress, RemotePort, RemoteTunnelEndpoint, IpProtocol, QuickModeSaId
EventData: LocalAddress, LocalAddressMask, LocalPort, LocalTunnelEndpoint, RemoteAddress, RemoteAddressMask, RemotePort, RemoteTunnelEndpoint, IpProtocol, QuickModeSaId, TunnelId, TrafficSelectorId
EventData: (no fields)
EventData: SubjectUserSid, SubjectUserName, SubjectUserDomainName, SubjectLogonId, ObjectCollectionName, ObjectIdentifyingProperties, ModifiedObjectProperties
EventData: SubjectUserSid, SubjectUserName, SubjectUserDomainName, SubjectLogonId, ObjectCollectionName, ObjectIdentifyingProperties, ObjectProperties
EventData: SubjectUserSid, SubjectUserName, SubjectUserDomainName, SubjectLogonId, ObjectCollectionName, ObjectIdentifyingProperties, ObjectProperties
EventData: ErrorCode, GPOList
EventData: ErrorCode, GPOList
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, FullyQualifiedSubjectUserName, SubjectMachineSID, SubjectMachineName, FullyQualifiedSubjectMachineName, MachineInventory, CalledStationID, CallingStationID, NASIPv4Address, NASIPv6Address, NASIdentifier, NASPortType, NASPort, ClientName, ClientIPAddress, ProxyPolicyName, NetworkPolicyName, AuthenticationProvider, AuthenticationServer, AuthenticationType, EAPType, AccountSessionIdentifier, QuarantineState, QuarantineSessionIdentifier
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, FullyQualifiedSubjectUserName, SubjectMachineSID, SubjectMachineName, FullyQualifiedSubjectMachineName, MachineInventory, CalledStationID, CallingStationID, NASIPv4Address, NASIPv6Address, NASIdentifier, NASPortType, NASPort, ClientName, ClientIPAddress, ProxyPolicyName, NetworkPolicyName, AuthenticationProvider, AuthenticationServer, AuthenticationType, EAPType, AccountSessionIdentifier, QuarantineState, QuarantineSessionIdentifier, LoggingResult
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, FullyQualifiedSubjectUserName, SubjectMachineSID, SubjectMachineName, FullyQualifiedSubjectMachineName, MachineInventory, CalledStationID, CallingStationID, NASIPv4Address, NASIPv6Address, NASIdentifier, NASPortType, NASPort, ClientName, ClientIPAddress, ProxyPolicyName, NetworkPolicyName, AuthenticationProvider, AuthenticationServer, AuthenticationType, EAPType, AccountSessionIdentifier, ReasonCode, Reason, LoggingResult
EventData: SubjectUserSid, SubjectUserName, SubjectDomainName, FullyQualifiedSubjectUserName, SubjectMachineSID, SubjectMachineName, FullyQualifiedSubjectMachineName, MachineInventory, CalledStationID, CallingStationID, NASIPv4Address, NASIPv6Address, NASIdentifier, NASPortType, NASPort, ClientName, ClientIPAddress, ProxyPolicyName, NetworkPolicyName, AuthenticationProvider, AuthenticationServer, AuthenticationType, EAPType, AccountSessionIdentifier, ReasonCode, Reason