MZ@ !L!This program cannot be run in DOS mode. $Rؕ3}3}3}H̴3}H̱3}Rich3}PEL!  @PX@$?.rsrc@@@@( @Xp   9dKMUI:OgxJ^f@0n⹜D MUI en-USK   DLC̔P^ԡ`cxepr@$ &&(1l@I$&PZ,3\^|@`eDpytTT '00P@DFM(P\C_bSehHWkm0\aPPg0jxpdr 00pPP0p0p1p 1p2p 2p43p3p4p4p5p5p\6p6p7p7ph8p8p|ppH@..0005577PP 4  $%KLxL PP/Windows is starting up.%n%nThis event is logged when LSASS.EXE starts and the auditing subsystem is initialized. Windows is shutting down.%nAll logon sessions will be terminated by this shutdown. |An authentication package has been loaded by the Local Security Authority.%nThis authentication package will be used to authenticate logon attempts.%n%nAuthentication Package Name:%t%1 (A trusted logon process has been registered with the Local Security Authority.%nThis logon process will be trusted to submit logon requests.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Process Name:%t%t%5 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.%n%nNumber of audit messages discarded:%t%1%n%nThis event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped. dA notification package has been loaded by the Security Account Manager.%nThis package will be notified of any account or password changes.%n%nNotification Package Name:%t%1 Invalid use of LPC port.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tPID:%t%t%t%7%n%tName:%t%t%t%8%n%nInvalid Use:%t%t%5%n%nLPC Server Port Name:%t%6%n%nWindows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA's use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel. The system time was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%7%n%tName:%t%t%8%n%nPrevious Time:%t%t%5%nNew Time:%t%t%6%n%nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. A monitored security event pattern has occurred.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nAlert Information:%n%tComputer:%t%t%2%n%tEvent ID:%t%t%1%n%tNumber of Events:%t%7%n%tDuration:%t%t%8%n%nThis event is generated when Windows is configured to generate alerts in accordance with the Common Criteria Security Audit Analysis requirements (FAU_SAA) and an auditable event pattern occurs. <Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.%n%nValue of CrashOnAuditFail:%t%1%n%nThis event is logged after a system reboots following CrashOnAuditFail. A security package has been loaded by the Local Security Authority.%n%nSecurity Package Name:%t%1 An account was successfully logged on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nImpersonation Level:%t%t%21%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%tLogon GUID:%t%t%13%n%nProcess Information:%n%tProcess ID:%t%t%17%n%tProcess Name:%t%t%18%n%nNetwork Information:%n%tWorkstation Name:%t%12%n%tSource Network Address:%t%19%n%tSource Port:%t%t%20%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%10%n%tAuthentication Package:%t%11%n%tTransited Services:%t%14%n%tPackage Name (NTLM only):%t%15%n%tKey Length:%t%t%16%n%nThis event is generated when a logon session is created. It is generated on the computer that was accessed.%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. dAn account failed to log on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%11%n%nAccount For Which Logon Failed:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%nFailure Information:%n%tFailure Reason:%t%t%9%n%tStatus:%t%t%t%8%n%tSub Status:%t%t%10%n%nProcess Information:%n%tCaller Process ID:%t%18%n%tCaller Process Name:%t%19%n%nNetwork Information:%n%tWorkstation Name:%t%14%n%tSource Network Address:%t%20%n%tSource Port:%t%t%21%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%12%n%tAuthentication Package:%t%13%n%tTransited Services:%t%15%n%tPackage Name (NTLM only):%t%16%n%tKey Length:%t%t%17%n%nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.%n%nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).%n%nThe Process Information fields indicate which account and process on the system requested the logon.%n%nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. User / Device claims information.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nEvent in sequence:%t%t%10 of %11%n%nUser Claims:%t%t%t%12%n%nDevice Claims:%t%t%t%13%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThis event is generated when the Audit User/Device claims subcategory is configured and the user s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. An account was logged off.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%5%n%nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. %1%n ,User initiated logoff:%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. A logon was attempted using explicit credentials.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tLogon GUID:%t%t%5%n%nAccount Whose Credentials Were Used:%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon GUID:%t%t%8%n%nTarget Server:%n%tTarget Server Name:%t%9%n%tAdditional Information:%t%10%n%nProcess Information:%n%tProcess ID:%t%t%11%n%tProcess Name:%t%t%12%n%nNetwork Information:%n%tNetwork Address:%t%13%n%tPort:%t%t%t%14%n%nThis event is generated when a process attempts to log on an account by explicitly specifying that account s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. <A replay attack was detected.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCredentials Which Were Replayed:%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%12%n%tProcess Name:%t%t%13%n%nNetwork Information:%n%tWorkstation Name:%t%10%n%nDetailed Authentication Information:%n%tRequest Type:%t%t%7%n%tLogon Process:%t%t%8%n%tAuthentication Package:%t%9%n%tTransited Services:%t%11%n%nThis event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration. An IPsec main mode security association was established. Extended mode was not enabled. Certificate authentication was not used.%n%nLocal Endpoint:%n%tPrincipal Name:%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nSecurity Association Information:%n%tLifetime (minutes):%t%12%n%tQuick Mode Limit:%t%13%n%tMain Mode SA ID:%t%17%n%nCryptographic Information:%n%tCipher Algorithm:%t%9%n%tIntegrity Algorithm:%t%10%n%tDiffie-Hellman Group:%t%11%n%nAdditional Information:%n%tKeying Module Name:%t%7%n%tAuthentication Method:%t%8%n%tRole:%t%14%n%tImpersonation State:%t%15%n%tMain Mode Filter ID:%t%16 An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.%n%nLocal Endpoint:%n%tPrincipal Name:%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA thumbprint: %t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%15%n%tIntegrity Algorithm:%t%16%n%tDiffie-Hellman Group:%t%17%n%nSecurity Association Information:%n%tLifetime (minutes):%t%18%n%tQuick Mode Limit:%t%19%n%tMain Mode SA ID:%t%23%n%nAdditional Information:%n%tKeying Module Name:%t%13%n%tAuthentication Method:%t%14%n%tRole:%t%20%n%tImpersonation State:%t%21%n%tMain Mode Filter ID:%t%22 An IPsec main mode negotiation failed.%n%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA thumbprint:%t%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nAdditional Information:%n%tKeying Module Name:%t%13%n%tAuthentication Method:%t%16%n%tRole:%t%t%t%18%n%tImpersonation State:%t%19%n%tMain Mode Filter ID:%t%20%n%nFailure Information:%n%tFailure Point:%t%t%14%n%tFailure Reason:%t%t%15%n%tState:%t%t%t%17%n%tInitiator Cookie:%t%t%21%n%tResponder Cookie:%t%22 DAn IPsec main mode negotiation failed.%n%nLocal Endpoint:%n%tLocal Principal Name:%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nAdditional Information:%n%tKeying Module Name:%t%7%n%tAuthentication Method:%t%10%n%tRole:%t%t%t%12%n%tImpersonation State:%t%13%n%tMain Mode Filter ID:%t%14%n%nFailure Information:%n%tFailure Point:%t%t%8%n%tFailure Reason:%t%t%9%n%tState:%t%t%t%11%n%tInitiator Cookie:%t%t%15%n%tResponder Cookie:%t%16 An IPsec quick mode negotiation failed.%n%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tAddress Mask:%t%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%tPrivate Address:%t%t%10%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tKeying Module Name:%t%11%n%tVirtual Interface Tunnel ID:%t%20%n%tTraffic Selector ID:%t%21%n%tMode:%t%t%t%14%n%tRole:%t%t%t%16%n%tQuick Mode Filter ID:%t%18%n%tMain Mode SA ID:%t%19%n%nFailure Information:%n%tState:%t%t%t%15%n%tMessage ID:%t%t%17%n%tFailure Point:%t%t%12%n%tFailure Reason:%t%t%13 HAn IPsec main mode security association ended.%n%nLocal Network Address:%t%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%t%3%nMain Mode SA ID:%t%t%4 4A handle to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%tResource Attributes:%t%17%n%nProcess Information:%n%tProcess ID:%t%t%15%n%tProcess Name:%t%t%16%n%nAccess Request Information:%n%tTransaction ID:%t%t%9%n%tAccesses:%t%t%10%n%tAccess Reasons:%t%t%11%n%tAccess Mask:%t%t%12%n%tPrivileges Used for Access Check:%t%13%n%tRestricted SID Count:%t%14 TA registry value was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Name:%t%t%5%n%tObject Value Name:%t%6%n%tHandle ID:%t%t%7%n%tOperation Type:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%13%n%tProcess Name:%t%t%14%n%nChange Information:%n%tOld Value Type:%t%t%9%n%tOld Value:%t%t%10%n%tNew Value Type:%t%t%11%n%tNew Value:%t%t%12 The handle to an object was closed.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tHandle ID:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%7%n%tProcess Name:%t%t%8 dA handle to an object was requested with intent to delete.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%13%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Mask:%t%11%n%tPrivileges Used for Access Check:%t%12 An object was deleted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tHandle ID:%t%6%n%nProcess Information:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%tTransaction ID:%t%9 A handle to an object was requested.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%16%n%tProcess Name:%t%17%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Reasons:%t%t%11%n%tAccess Mask:%t%12%n%tPrivileges Used for Access Check:%t%13%n%tProperties:%t%14%n%tRestricted SID Count:%t%15 PAn operation was performed on an object.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%9%n%nOperation:%n%tOperation Type:%t%t%8%n%tAccesses:%t%t%10%n%tAccess Mask:%t%t%11%n%tProperties:%t%t%12%n%nAdditional Information:%n%tParameter 1:%t%t%13%n%tParameter 2:%t%t%14 DAn attempt was made to access an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%tResource Attributes:%t%13%n%nProcess Information:%n%tProcess ID:%t%t%11%n%tProcess Name:%t%t%12%n%nAccess Request Information:%n%tAccesses:%t%t%9%n%tAccess Mask:%t%t%10 An attempt was made to create a hard link.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLink Information:%n%tFile Name:%t%5%n%tLink Name:%t%6%n%tTransaction ID:%t%7 An attempt was made to create an application client context.%n%nSubject:%n%tClient Name:%t%t%3%n%tClient Domain:%t%t%4%n%tClient Context ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nStatus:%t%6 An application attempted an operation:%n%nSubject:%n%tClient Name:%t%t%5%n%tClient Domain:%t%t%6%n%tClient Context ID:%t%7%n%nObject:%n%tObject Name:%t%t%3%n%tScope Names:%t%t%4%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nAccess Request Information:%n%tRole:%t%t%t%8%n%tGroups:%t%t%t%9%n%tOperation Name:%t%10 (%11) An application client context was deleted.%n%nSubject:%n%tClient Name:%t%t%3%n%tClient Domain:%t%t%4%n%tClient Context ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2 An application was initialized.%n%nSubject:%n%tClient Name:%t%3%n%tClient Domain:%t%4%n%tClient ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nAdditional Information:%n%tPolicy Store URL:%t%6 Permissions on an object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nPermissions Change:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%10 An application attempted to access a blocked ordinal through the TBS.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nOrdinal:%t%5 PSpecial privileges assigned to new logon.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nPrivileges:%t%t%5 HA privileged service was called.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nService:%n%tServer:%t%5%n%tService Name:%t%6%n%nProcess:%n%tProcess ID:%t%8%n%tProcess Name:%t%9%n%nService Request Information:%n%tPrivileges:%t%t%7 An operation was attempted on a privileged object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tObject Handle:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nRequested Operation:%n%tDesired Access:%t%9%n%tPrivileges:%t%t%10 SIDs were filtered.%n%nTarget Account:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nTrust Information:%n%tTrust Direction:%t%4%n%tTrust Attributes:%t%5%n%tTrust Type:%t%6%n%tTDO Domain SID:%t%7%n%nFiltered SIDs:%t%8 A new process has been created.%n%nCreator Subject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Subject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%tProcess Command Line:%t%9%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. A process has exited.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%6%n%tProcess Name:%t%7%n%tExit Status:%t%5 An attempt was made to duplicate a handle to an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSource Handle Information:%n%tSource Handle ID:%t%5%n%tSource Process ID:%t%6%n%nNew Handle Information:%n%tTarget Handle ID:%t%7%n%tTarget Process ID:%t%8 pIndirect access to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Type:%t%5%n%tObject Name:%t%6%n%nProcess Information:%n%tProcess ID:%t%9%n%nAccess Request Information:%n%tAccesses:%t%7%n%tAccess Mask:%t%8 HBackup of data protection master key was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nKey Information:%n%tKey Identifier:%t%5%n%tRecovery Server:%t%6%n%tRecovery Key ID:%t%7%n%nStatus Information:%n%tStatus Code:%t%8 |Recovery of data protection master key was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nKey Information:%n%tKey Identifier:%t%5%n%tRecovery Server:%t%6%n%tRecovery Key ID:%t%8%n%tRecovery Reason:%t%7%n%nStatus Information:%n%tStatus Code:%t%9 Protection of auditable protected data was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProtected Data:%n%tData Description:%t%6%n%tKey Identifier:%t%5%n%tProtected Data Flags:%t%7%n%tProtection Algorithms:%t%8%n%nStatus Information:%n%tStatus Code:%t%9 Unprotection of auditable protected data was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProtected Data:%n%tData Description:%t%6%n%tKey Identifier:%t%5%n%tProtected Data Flags:%t%7%n%tProtection Algorithms:%t%8%n%nStatus Information:%n%tStatus Code:%t%9 $A primary token was assigned to process.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nTarget Process:%n%tTarget Process ID:%t%9%n%tTarget Process Name:%t%10%n%nNew Token Information:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8 PA service was installed in the system.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nService Information:%n%tService Name: %t%t%5%n%tService File Name:%t%6%n%tService Type: %t%t%7%n%tService Start Type:%t%8%n%tService Account: %t%t%9 A scheduled task was created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t A scheduled task was deleted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t A scheduled task was enabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t A scheduled task was disabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t A scheduled task was updated.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask New Content: %t%t%6%n%t A user right was assigned.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Account:%n%tAccount Name:%t%t%5%n%nNew Right:%n%tUser Right:%t%t%6 A user right was removed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Account:%n%tAccount Name:%t%t%5%n%nRemoved Right:%n%tUser Right:%t%t%6 A new trust was created to a domain.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nTrusted Domain:%n%tDomain Name:%t%t%1%n%tDomain ID:%t%t%2%n%nTrust Information:%n%tTrust Type:%t%t%7%n%tTrust Direction:%t%t%8%n%tTrust Attributes:%t%t%9%n%tSID Filtering:%t%t%10 A trust to a domain was removed.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nDomain Information:%n%tDomain Name:%t%t%1%n%tDomain ID:%t%t%2 The IPsec Policy Agent service was started.%n%n%1%n%nPolicy Source: %t%2%n%n%3 xThe IPsec Policy Agent service was disabled.%n%n%1%n%2 %1 IPsec Policy Agent encountered a potentially serious failure.%n%1 Kerberos policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nChanges Made:%n('--' means no changes, otherwise each change is shown as:%n(Parameter Name):%t(new value) (old value))%n%5 Data Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied. The audit policy (SACL) on an object was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain: %t%3%n%tLogon ID: %t%t%4%n%nAudit Policy Change:%n%tOriginal Security Descriptor: %t%5%n%tNew Security Descriptor: %t%t%6 Trusted domain information was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTrusted Domain:%n%tDomain Name:%t%t%5%n%tDomain ID:%t%t%6%n%nNew Trust Information:%n%tTrust Type:%t%t%7%n%tTrust Direction:%t%t%8%n%tTrust Attributes:%t%t%9%n%tSID Filtering:%t%t%10 System security access was granted to an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAccount Modified:%n%tAccount Name:%t%t%5%n%nAccess Granted:%n%tAccess Right:%t%t%6 System security access was removed from an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAccount Modified:%n%tAccount Name:%t%t%5%n%nAccess Removed:%n%tAccess Right:%t%t%6 System audit policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAudit Policy Change:%n%tCategory:%t%t%5%n%tSubcategory:%t%t%6%n%tSubcategory GUID:%t%7%n%tChanges:%t%t%8 A user account was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tDisplay Name:%t%t%10%n%tUser Principal Name:%t%11%n%tHome Directory:%t%t%12%n%tHome Drive:%t%t%13%n%tScript Path:%t%t%14%n%tProfile Path:%t%t%15%n%tUser Workstations:%t%16%n%tPassword Last Set:%t%17%n%tAccount Expires:%t%t%18%n%tPrimary Group ID:%t%19%n%tAllowed To Delegate To:%t%20%n%tOld UAC Value:%t%t%21%n%tNew UAC Value:%t%t%22%n%tUser Account Control:%t%23%n%tUser Parameters:%t%24%n%tSID History:%t%t%25%n%tLogon Hours:%t%t%26%n%nAdditional Information:%n%tPrivileges%t%t%8 A user account was enabled.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 LAn attempt was made to change an account's password.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges%t%t%8 An attempt was made to reset an account's password.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 A user account was disabled.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 A user account was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges%t%8 A security-enabled global group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-enabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-enabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 4A security-enabled global group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nDeleted Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-enabled local group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-enabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-enabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 $A security-enabled local group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-enabled local group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-enabled global group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A user account was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nChanged Attributes:%n%tSAM Account Name:%t%10%n%tDisplay Name:%t%t%11%n%tUser Principal Name:%t%12%n%tHome Directory:%t%t%13%n%tHome Drive:%t%t%14%n%tScript Path:%t%t%15%n%tProfile Path:%t%t%16%n%tUser Workstations:%t%17%n%tPassword Last Set:%t%18%n%tAccount Expires:%t%t%19%n%tPrimary Group ID:%t%20%n%tAllowedToDelegateTo:%t%21%n%tOld UAC Value:%t%t%22%n%tNew UAC Value:%t%t%23%n%tUser Account Control:%t%24%n%tUser Parameters:%t%25%n%tSID History:%t%t%26%n%tLogon Hours:%t%t%27%n%nAdditional Information:%n%tPrivileges:%t%t%9 ,Domain Policy was changed.%n%nChange Type:%t%t%1 modified%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nDomain:%n%tDomain Name:%t%t%2%n%tDomain ID:%t%t%3%n%nChanged Attributes:%n%tMin. Password Age:%t%9%n%tMax. Password Age:%t%10%n%tForce Logoff:%t%t%11%n%tLockout Threshold:%t%12%n%tLockout Observation Window:%t%13%n%tLockout Duration:%t%14%n%tPassword Properties:%t%15%n%tMin. Password Length:%t%16%n%tPassword History Length:%t%17%n%tMachine Account Quota:%t%18%n%tMixed Domain Mode:%t%19%n%tDomain Behavior Version:%t%20%n%tOEM Information:%t%21%n%nAdditional Information:%n%tPrivileges:%t%t%8 A user account was locked out.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nAccount That Was Locked Out:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tCaller Computer Name:%t%2 XA computer account was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Computer Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tDisplay Name:%t%t%10%n%tUser Principal Name:%t%11%n%tHome Directory:%t%t%12%n%tHome Drive:%t%t%13%n%tScript Path:%t%t%14%n%tProfile Path:%t%t%15%n%tUser Workstations:%t%16%n%tPassword Last Set:%t%17%n%tAccount Expires:%t%t%18%n%tPrimary Group ID:%t%19%n%tAllowedToDelegateTo:%t%20%n%tOld UAC Value:%t%t%21%n%tNew UAC Value:%t%t%22%n%tUser Account Control:%t%23%n%tUser Parameters:%t%24%n%tSID History:%t%t%25%n%tLogon Hours:%t%t%26%n%tDNS Host Name:%t%t%27%n%tService Principal Names:%t%28%n%nAdditional Information:%n%tPrivileges%t%t%8 A computer account was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nComputer Account That Was Changed:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nChanged Attributes:%n%tSAM Account Name:%t%10%n%tDisplay Name:%t%t%11%n%tUser Principal Name:%t%12%n%tHome Directory:%t%t%13%n%tHome Drive:%t%t%14%n%tScript Path:%t%t%15%n%tProfile Path:%t%t%16%n%tUser Workstations:%t%17%n%tPassword Last Set:%t%18%n%tAccount Expires:%t%t%19%n%tPrimary Group ID:%t%20%n%tAllowedToDelegateTo:%t%21%n%tOld UAC Value:%t%t%22%n%tNew UAC Value:%t%t%23%n%tUser Account Control:%t%24%n%tUser Parameters:%t%25%n%tSID History:%t%t%26%n%tLogon Hours:%t%t%27%n%tDNS Host Name:%t%t%28%n%tService Principal Names:%t%29%n%nAdditional Information:%n%tPrivileges:%t%t%9 (A computer account was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Computer:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled local group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled local group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-disabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-disabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 $A security-disabled local group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled global group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled global group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-disabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-disabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 (A security-disabled global group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-enabled universal group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-enabled universal group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-enabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-enabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 ,A security-enabled universal group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled universal group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A security-disabled universal group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a security-disabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a security-disabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 ,A security-disabled universal group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 4A group s type was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nChange Type:%t%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%4%n%tGroup Name:%t%t%2%n%tGroup Domain:%t%t%3%n%nAdditional Information:%n%tPrivileges:%t%t%9 SID History was added to an account.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nTarget Account:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nSource Account:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%tSID List:%t%t%t%11 An attempt to add SID History to an account failed.%n%nSubject:%n%tSecurity ID:%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nSource Account%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tPrivileges:%t%t%8 A user account was unlocked.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 A Kerberos authentication ticket (TGT) was requested.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%tUser ID:%t%t%t%3%n%nService Information:%n%tService Name:%t%t%4%n%tService ID:%t%t%5%n%nNetwork Information:%n%tClient Address:%t%t%10%n%tClient Port:%t%t%11%n%nAdditional Information:%n%tTicket Options:%t%t%6%n%tResult Code:%t%t%7%n%tTicket Encryption Type:%t%8%n%tPre-Authentication Type:%t%9%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%12%n%tCertificate Serial Number:%t%13%n%tCertificate Thumbprint:%t%t%14%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. TA Kerberos service ticket was requested.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon GUID:%t%t%10%n%nService Information:%n%tService Name:%t%t%3%n%tService ID:%t%t%4%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%5%n%tTicket Encryption Type:%t%6%n%tFailure Code:%t%t%9%n%tTransited Services:%t%11%n%nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.%n%nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.%n%nTicket options, encryption types, and failure codes are defined in RFC 4120. $A Kerberos service ticket was renewed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nService Information:%n%tService Name:%t%t%3%n%tService ID:%t%t%4%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%5%n%tTicket Encryption Type:%t%6%n%nTicket options and encryption types are defined in RFC 4120. $Kerberos pre-authentication failed.%n%nAccount Information:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nService Information:%n%tService Name:%t%t%3%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%4%n%tFailure Code:%t%t%5%n%tPre-Authentication Type:%t%6%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%9%n%tCertificate Serial Number: %t%10%n%tCertificate Thumbprint:%t%t%11%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options and failure codes are defined in RFC 4120.%n%nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present. A Kerberos authentication ticket request failed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%nService Information:%n%tService Name:%t%3%n%nNetwork Information:%n%tClient Address:%t%6%n%tClient Port:%t%7%n%nAdditional Information:%n%tTicket Options:%t%4%n%tFailure Code:%t%5%n%nTicket options and failure codes are defined in RFC 4120. A Kerberos service ticket request failed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nService Information:%n%tService Name:%t%3%n%nNetwork Information:%n%tClient Address:%t%6%n%tClient Port:%t%7%n%nAdditional Information:%n%tTicket Options:%t%4%n%tFailure Code:%t%5%n%nTicket options and failure codes are defined in RFC 4120. An account was mapped for logon.%n%nAuthentication Package:%t%1%nAccount UPN:%t%2%nMapped Name:%t%3 An account could not be mapped for logon.%n%nAuthentication Package:%t%t%1%nAccount Name:%t%t%2 HThe computer attempted to validate the credentials for an account.%n%nAuthentication Package:%t%1%nLogon Account:%t%2%nSource Workstation:%t%3%nError Code:%t%4 TThe domain controller failed to validate the credentials for an account.%n%nAuthentication Package:%t%1%nLogon Account:%t%2%nSource Workstation:%t%3%nError Code:%t%4 ,A session was reconnected to a Window Station.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon ID:%t%t%3%n%nSession:%n%tSession Name:%t%t%4%n%nAdditional Information:%n%tClient Name:%t%t%5%n%tClient Address:%t%t%6%n%nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching. HA session was disconnected from a Window Station.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon ID:%t%t%3%n%nSession:%n%tSession Name:%t%t%4%n%nAdditional Information:%n%tClient Name:%t%t%5%n%tClient Address:%t%t%6%n%n%nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching. The ACL was set on accounts which are members of administrators groups.%n%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8%n%nEvery hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. dThe name of an account was changed:%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Domain:%t%t%3%n%tOld Account Name:%t%1%n%tNew Account Name:%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%9 The password hash an account was accessed.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nTarget Account:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2 A basic application group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A basic application group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A member was added to a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A member was removed from a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10 A non-member was added to a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%nA non-member is an account that is explicitly excluded from membership in a basic application group. Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. (A non-member was removed from a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%nA non-member is an account that is explicitly excluded from membership in a basic application group. Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member. A basic application group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 An LDAP query group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 A basic application group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8 An LDAP query group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8 The Password Policy Checking API was called.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tProvided Account Name (unauthenticated):%t%6%n%tStatus Code:%t%7 An attempt was made to set the Directory Services Restore Mode%nadministrator password.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tStatus Code:%t%6 PAn attempt was made to query the existence of a blank password for an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tTarget Account Name:%t%6%n%tTarget Account Domain:%t%7 0The workstation was locked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 4The workstation was unlocked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 4The screen saver was invoked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 8The screen saver was dismissed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5 RPC detected an integrity violation while decrypting an incoming message.%n%nPeer Name:%t%1%nProtocol Sequence:%t%2%nSecurity Error:%t%3 tAuditing settings on object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%nAuditing Settings:%n%tOriginal Security Descriptor:%t%8%n%tNew Security Descriptor:%t%t%9 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%9%n%tProcess Name:%t%t%10%n%nCurrent Central Access Policy results:%n%n%tAccess Reasons:%t%t%11%nProposed Central Access Policy results that differ from the current Central Access Policy results:%n%n%tAccess Reasons:%t%t%12 LCentral Access Policies on the machine have been changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%nCAPs Added:%7%n%nCAPs Deleted:%8%n%nCAPs Modified:%9%n%nCAPs As-Is:%10 A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%tUser ID:%t%t%t%3%n%nAuthentication Policy Information:%n%tSilo Name:%t%t%16%n%tPolicy Name:%t%t%17%n%tTGT Lifetime:%t%t%18%n%nDevice Information:%n%tDevice Name:%t%t%4%n%nService Information:%n%tService Name:%t%t%5%n%tService ID:%t%t%6%n%nNetwork Information:%n%tClient Address:%t%t%11%n%tClient Port:%t%t%12%n%nAdditional Information:%n%tTicket Options:%t%t%7%n%tResult Code:%t%t%8%n%tTicket Encryption Type:%t%9%n%tPre-Authentication Type:%t%10%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%13%n%tCertificate Serial Number:%t%14%n%tCertificate Thumbprint:%t%t%15%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon GUID:%t%t%11%n%nAuthentication Policy Information:%n%tSilo Name:%t%t%13%n%tPolicy Name:%t%t%14%n%nDevice Information:%n%tDevice Name:%t%t%3%n%nService Information:%n%tService Name:%t%t%4%n%tService ID:%t%t%5%n%nNetwork Information:%n%tClient Address:%t%t%8%n%tClient Port:%t%t%9%n%nAdditional Information:%n%tTicket Options:%t%t%6%n%tTicket Encryption Type:%t%7%n%tFailure Code:%t%t%10%n%tTransited Services:%t%12%n%nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.%n%nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.%n%nTicket options, encryption types, and failure codes are defined in RFC 4120. ,NTLM authentication failed because the account was a member of the Protected User group.%n%nAccount Name:%t%1%nDevice Name:%t%2%nError Code:%t%3 NTLM authentication failed because access control restrictions are required.%n%nAccount Name:%t%1%nDevice Name:%t%2%nError Code:%t%3%n%nAuthentication Policy Information:%n%tSilo Name:%t%4%n%tPolicyName:%t%5 Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.%n%nAccount Information:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nService Information:%n%tService Name:%t%t%3%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%4%n%tFailure Code:%t%t%5%n%tPre-Authentication Type:%t%6%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%9%n%tCertificate Serial Number: %t%10%n%tCertificate Thumbprint:%t%t%11%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options and failure codes are defined in RFC 4120.%n%nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present. |A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.%n%nSubject:%n%tUser Name:%t%1%n%tDomain:%t%t%2%n%tLogon ID:%t%3%n%nAdditional Information:%n%tClient Address:%t%4%n%n%nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. xA namespace collision was detected.%n%nTarget Type:%t%1%nTarget Name:%t%2%nForest Root:%t%3%nTop Level Name:%t%4%nDNS Name:%t%5%nNetBIOS Name:%t%6%nSecurity ID:%t%t%7%nNew Flags:%t%8 A trusted forest information entry was added.%n%nSubject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nTrust Information:%n%tForest Root:%t%1%n%tForest Root SID:%t%2%n%tOperation ID:%t%3%n%tEntry Type:%t%4%n%tFlags:%t%5%n%tTop Level Name:%t%6%n%tDNS Name:%t%7%n%tNetBIOS Name:%t%8%n%tDomain SID:%t%9 A trusted forest information entry was removed.%n%nSubject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nTrust Information:%n%tForest Root:%t%1%n%tForest Root SID:%t%2%n%tOperation ID:%t%3%n%tEntry Type:%t%4%n%tFlags:%t%5%n%tTop Level Name:%t%6%n%tDNS Name:%t%7%n%tNetBIOS Name:%t%8%n%tDomain SID:%t%9 A trusted forest information entry was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTrust Information:%n%tForest Root:%t%5%n%tForest Root SID:%t%6%n%tOperation ID:%t%7%n%tEntry Type:%t%8%n%tFlags:%t%9%n%tTop Level Name:%t%10%n%tDNS Name:%t%11%n%tNetBIOS Name:%t%12%n%tDomain SID:%t%13 The certificate manager denied a pending certificate request.%n%t%nRequest ID:%t%1 Certificate Services received a resubmitted certificate request.%n%t%nRequest ID:%t%1 Certificate Services revoked a certificate.%n%t%nSerial Number:%t%1%nReason:%t%2 8Certificate Services received a request to publish the certificate revocation list (CRL).%n%t%nNext Update:%t%1%nPublish Base:%t%2%nPublish Delta:%t%3 PCertificate Services published the certificate revocation list (CRL).%n%t%nBase CRL:%t%1%nCRL Number:%t%2%nKey Container:%t%3%nNext Publish:%t%4%nPublish URLs:%t%5 A certificate request extension changed.%n%t%nRequest ID:%t%1%nName:%t%2%nType:%t%3%nFlags:%t%4%nData:%t%5 One or more certificate request attributes changed.%n%t%nRequest ID:%t%1%nAttributes:%t%2 tCertificate Services received a request to shut down. |Certificate Services backup started.%n%nBackup Type:%t%1 XCertificate Services backup completed. TCertificate Services restore started. XCertificate Services restore completed. 0Certificate Services started.%n%t%nCertificate Database Hash:%t%1%nPrivate Key Usage Count:%t%2%nCA Certificate Hash:%t%3%nCA Public Key Hash:%t%4 0Certificate Services stopped.%n%t%nCertificate Database Hash:%t%1%nPrivate Key Usage Count:%t%2%nCA Certificate Hash:%t%3%nCA Public Key Hash:%t%4 The security permissions for Certificate Services changed.%n%t%n%1 Certificate Services retrieved an archived key.%n%t%nRequest ID:%t%1 Certificate Services imported a certificate into its database.%n%t%nCertificate:%t%1%nRequest ID:%t%2 The audit filter for Certificate Services changed.%n%t%nFilter:%t%1 Certificate Services received a certificate request.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3 hCertificate Services approved a certificate request and issued a certificate.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6 4Certificate Services denied a certificate request.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6 `Certificate Services set the status of a certificate request to pending.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6 The certificate manager settings for Certificate Services changed.%n%t%nEnable:%t%1%n%n%2 A configuration entry changed in Certificate Services.%n%t%nNode:%t%1%nEntry:%t%2%nValue:%t%3 A property of Certificate Services changed.%n%t%nProperty:%t%1%nIndex:%t%2%nType:%t%3%nValue:%t%4 Certificate Services archived a key.%n%t%nRequest ID:%t%1%nRequester:%t%2%nKRA Hashes:%t%3 Certificate Services imported and archived a key.%n%t%nRequest ID:%t%1 0Certificate Services published the CA certificate to Active Directory Domain Services.%n%t%nCertificate Hash:%t%1%nValid From:%t%2%nValid To:%t%t%3 One or more rows have been deleted from the certificate database.%n%t%nTable ID:%t%1%nFilter:%t%2%nRows Deleted:%t%3 DRole separation enabled:%t%1 Certificate Services loaded a template.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Information:%n%tTemplate Content:%t%t%7%n%tSecurity Descriptor:%t%t%8%n%nAdditional Information:%n%tDomain Controller:%t%6 A Certificate Services template was updated.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Change Information:%n%tOld Template Content:%t%8%n%tNew Template Content:%t%t%7%n%nAdditional Information:%n%tDomain Controller:%t%6 \Certificate Services template security was updated.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Change Information:%n%tOld Template Content:%t%t%9%n%tNew Template Content:%t%7%n%tOld Security Descriptor:%t%t%10%n%tNew Security Descriptor:%t%t%8%n%nAdditional Information:%n%tDomain Controller:%t%6 The Per-user audit policy table was created.%n%nNumber of Elements:%t%1%nPolicy ID:%t%2 (An attempt was made to register a security event source.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%nEvent Source:%n%tSource Name:%t%5%n%tEvent Source ID:%t%6 (An attempt was made to unregister a security event source.%n%nSubject%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%nEvent Source:%n%tSource Name:%t%5%n%tEvent Source ID:%t%6 The CrashOnAuditFail value has changed.%n%nNew Value of CrashOnAuditFail:%t%1 Auditing settings on object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nAuditing Settings:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10 Special Groups Logon table modified.%n%nSpecial Groups:%t%1%n%nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event. The local policy settings for the TBS were changed.%n%nOld Blocked Ordinals:%t%1%nNew Blocked Ordinals:%t%2 LThe group policy settings for the TBS were changed.%n%nGroup Policy Setting:%t%tIgnore Default Settings%n%tOld Value:%t%t%1%n%tNew Value:%t%t%2%n%nGroup Policy Setting:%t%tIgnore Local Settings%n%tOld Value:%t%t%3%n%tNew Value:%t%t%4%n%nOld Blocked Ordinals:%t%5%nNew Blocked Ordinals:%t%6 ,Resource attributes of the object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nResource Attributes:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10 DPer User Audit Policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nPolicy For Account:%n%tSecurity ID:%t%t%5%n%nPolicy Change Details:%n%tCategory:%t%6%n%tSubcategory:%t%7%n%tSubcategory GUID:%t%8%n%tChanges:%t%9 ,Central Access Policy on the object was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nCentral Policy ID:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10 xAn Active Directory replica source naming context was established.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 pAn Active Directory replica source naming context was removed.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 tAn Active Directory replica source naming context was modified.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 An Active Directory replica destination naming context was modified.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nDestination Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6 Synchronization of a replica of an Active Directory naming context has begun.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nNaming Context:%t%3%nOptions:%t%t%4%nSession ID:%t%5%nStart USN:%t%6 Synchronization of a replica of an Active Directory naming context has ended.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nNaming Context:%t%3%nOptions:%t%t%4%nSession ID:%t%5%nEnd USN:%t%6%nStatus Code:%t%7 hAttributes of an Active Directory object were replicated.%n%nSession ID:%t%1%nObject:%t%t%2%nAttribute:%t%3%nType of change:%t%4%nNew Value:%t%5%nUSN:%t%t%6%nStatus Code:%t%7 Replication failure begins.%n%nReplication Event:%t%1%nAudit Status Code:%t%2 Replication failure ends.%n%nReplication Event:%t%1%nAudit Status Code:%t%2%nReplication Status Code:%t%3 A lingering object was removed from a replica.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nObject:%t%3%nOptions:%t%4%nStatus Code:%t%5 The following policy was active when the Windows Firewall started.%n%nGroup Policy Applied:%t%1%nProfile Used:%t%2%nOperational mode:%t%3%nAllow Remote Administration:%t%4%nAllow Unicast Responses to Multicast/Broadcast Traffic:%t%5%nSecurity Logging:%n%tLog Dropped Packets:%t%6%n%tLog Successful Connections:%t%7 A rule was listed when the Windows Firewall started.%n%t%nProfile used:%t%1%n%nRule:%n%tRule ID:%t%2%n%tRule Name:%t%3 8A change was made to the Windows Firewall exception list. A rule was added.%n%t%nProfile Changed:%t%1%n%nAdded Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3 DA change was made to the Windows Firewall exception list. A rule was modified.%n%t%nProfile Changed:%t%1%n%nModified Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3 @A change was made to the Windows Firewall exception list. A rule was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3 Windows Firewall settings were restored to the default values. A Windows Firewall setting was changed.%n%t%nChanged Profile:%t%1%n%nNew Setting:%n%tType:%t%2%n%tValue:%t%3 (Windows Firewall ignored a rule because its major version number is not recognized.%n%t%nProfile:%t%1%n%nIgnored Rule:%n%tID:%t%2%n%tName:%t%3 Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.%n%t%nProfile:%t%1%n%nPartially Ignored Rule:%n%tID:%t%2%n%tName:%t%3 (Windows Firewall ignored a rule because it could not be parsed.%n%t%nProfile:%t%1%n%nReason for Rejection:%t%2%n%nRule:%n%tID:%t%3%n%tName:%t%4 Group Policy settings for Windows Firewall were changed, and the new settings were applied. Windows Firewall changed the active profile.%n%nNew Active Profile:%t%1 HWindows Firewall did not apply the following rule:%n%nRule Information:%n%tID:%t%1%n%tName:%t%2%n%nError Information:%n%tReason:%t%3 resolved to an empty set. Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:%n%nRule Information:%n%tID:%t%1%n%tName:%t%2%n%nError Information:%n%tError:%t%3%n%tReason:%t%4 pIPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 Special groups have been assigned to a new logon.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tLogon GUID:%t%5%n%nNew Logon:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%tLogon GUID:%t%10%n%tSpecial Groups Assigned:%t%11 (IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2 (During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3 ,During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3 0During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3 IPsec main mode and extended mode security associations were established.%n%nMain Mode Local Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nMain Mode Remote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nMain Mode Cryptographic Information:%n%tCipher Algorithm:%t%8%n%tIntegrity Algorithm:%t%9%n%tDiffie-Hellman Group:%t%10%n%nMain Mode Security Association:%n%tLifetime (minutes):%t%11%n%tQuick Mode Limit:%t%12%n%tMain Mode SA ID:%t%16%n%t%nMain Mode Additional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%7%n%tRole:%t%t%t%13%n%tImpersonation State:%t%14%n%tMain Mode Filter ID:%t%15%n%nExtended Mode Information:%n%tLocal Principal Name:%t%17%n%tRemote Principal Name:%t%18%n%tAuthentication Method:%t%19%n%tImpersonation State:%t%20%n%tQuick Mode Filter ID:%t%21 IPsec main mode and extended mode security associations were established.%n%nMain Mode Local Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nMain Mode Remote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nMain Mode Cryptographic Information:%n%tCipher Algorithm:%t%8%n%tIntegrity Algorithm:%t%9%n%tDiffie-Hellman Group:%t%10%n%nMain Mode Security Association:%n%tLifetime (minutes):%t%11%n%tQuick Mode Limit:%t%12%n%tMain Mode SA ID:%t%16%n%t%nMain Mode Additional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%7%n%tRole:%t%t%t%13%n%tImpersonation State:%t%14%n%tMain Mode Filter ID:%t%15%n%nExtended Mode Local Endpoint:%n%tPrincipal Name:%t%17%n%tCertificate SHA Thumbprint:%t%18%n%tCertificate Issuing CA:%t%19%n%tCertificate Root CA:%t%20%n%nExtended Mode Remote Endpoint:%n%tPrincipal Name:%t%21%n%tCertificate SHA Thumbprint:%t%22%n%tCertificate Issuing CA:%t%23%n%tCertificate Root CA:%t%24%n%nExtended Mode Additional Information:%n%tAuthentication Method:%tSSL%n%tImpersonation State:%t%25%n%tQuick Mode Filter ID:%t%26 IPsec main mode and extended mode security associations were established.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%13%n%tIntegrity Algorithm:%t%14%n%tDiffie-Hellman Group:%t%15%n%nSecurity Association Information:%n%tLifetime (minutes):%t%16%n%tQuick Mode Limit:%t%17%n%tMain Mode SA ID:%t%21%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%18%n%tImpersonation State:%t%19%n%tMain Mode Filter ID:%t%20%n%t%nExtended Mode Information:%n%tLocal Principal Name:%t%22%n%tRemote Principal Name:%t%23%n%tAuthentication Method:%t%24%n%tImpersonation State:%t%25%n%tQuick Mode Filter ID:%t%26 IPsec main mode and extended mode security associations were established.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%n%tKeying Module Port:%t%9%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%10%n%tKeying Module Port:%t%11%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%12%n%tIntegrity Algorithm:%t%13%n%tDiffie-Hellman Group:%t%14%n%nSecurity Association Information:%n%tLifetime (minutes):%t%15%n%tQuick Mode Limit:%t%16%n%tMain Mode SA ID:%t%20%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%17%n%tImpersonation State:%t%18%n%tMain Mode Filter ID:%t%19%n%t%nExtended Mode Local Endpoint:%n%tPrincipal Name:%t%t%21%n%tCertificate SHA Thumbprint:%t%22%n%tCertificate Issuing CA:%t%23%n%tCertificate Root CA:%t%24%n%nExtended Mode Remote Endpoint:%n%tPrincipal Name:%t%t%25%n%tCertificate SHA Thumbprint:%t%26%n%tCertificate Issuing CA:%t%27%n%tCertificate Root CA:%t%28%nExtended Mode Additional Information:%n%tAuthentication Method:%tSSL%n%tImpersonation State:%t%29%n%tQuick Mode Filter ID:%t%30 An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.%n%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%16%n%tImpersonation State:%t%17%n%tQuick Mode Filter ID:%t%18%n%nFailure Information:%n%tFailure Point:%t%t%13%n%tFailure Reason:%t%t%14%n%tState:%t%t%t%15 dAn IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%9%n%tRole:%t%t%t%11%n%tImpersonation State:%t%12%n%tQuick Mode Filter ID:%t%13%n%nFailure Information:%n%tFailure Point:%t%t%7%n%tFailure Reason:%t%t%8%n%tState:%t%t%t%10 pThe state of a transaction has changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTransaction Information:%n%tRM Transaction ID:%t%5%n%tNew State:%t%t%6%n%tResource Manager:%t%7%n%nProcess Information:%n%tProcess ID:%t%t%8%n%tProcess Name:%t%t%9 pThe Windows Firewall service started successfully. \The Windows Firewall service was stopped. lThe Windows Firewall service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1 (Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1 (The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1 The Windows Firewall service failed to start.%n%nError Code:%t%1 Windows Firewall blocked an application from accepting incoming connections on the network.%n%nProfiles:%t%t%1%nApplication:%t%t%2 4Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.%n%nError Code:%t%1 lThe Windows Firewall Driver started successfully. \The Windows Firewall Driver was stopped. The Windows Firewall Driver failed to start.%n%nError Code:%t%1 The Windows Firewall Driver detected a critical runtime error, terminating.%n%nError Code:%t%1 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.%n%nFile Name:%t%1%t A registry key was virtualized.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tKey Name:%t%t%5%n%tVirtual Key Name:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%7%n%tProcess Name:%t%t%8 HA change was made to IPsec settings. An authentication set was added.%n%t%nProfile Changed:%t%t%1%n%nAdded Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 TA change was made to IPsec settings. An authentication set was modified.%n%t%nProfile Changed:%t%t%1%n%nModified Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 PA change was made to IPsec settings. An authentication set was deleted.%n%t%nProfile Changed:%t%t%1%n%nDeleted Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 \A change was made to IPsec settings. A connection security rule was added.%n%t%nProfile Changed:%t%t%1%n%nAdded Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 dA change was made to IPsec settings. A connection security rule was modified.%n%t%nProfile Changed:%t%1%n%nModified Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 `A change was made to IPsec settings. A connection security rule was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 A change was made to IPsec settings. A crypto set was added.%n%t%nProfile Changed:%t%1%n%nAdded Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 ,A change was made to IPsec settings. A crypto set was modified.%n%t%nProfile Changed:%t%1%n%nModified Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 (A change was made to IPsec settings. A crypto set was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 An IPsec security association was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted SA:%n%tID:%t%t%t%2%n%tName:%t%t%t%3 An attempt to programmatically disable Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on this version of Windows. This is most likely due to a program that is incompatible with this version of Windows. Please contact the program's manufacturer to make sure you have a compatible program version.%n%nError Code:%t%tE_NOTIMPL%nCaller Process Name:%t%t%1%nProcess Id:%t%t%2%nPublisher:%t%t%3 A file was virtualized.%n%nSubject:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%t%4%n%nObject:%n%tFile Name:%t%t%t%5%n%tVirtual File Name:%t%6%n%nProcess Information:%n%tProcess ID:%t%t%t%7%n%tProcess Name:%t%t%t%8 pA cryptographic self test was performed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nModule:%t%t%5%n%nReturn Code:%t%6 DA cryptographic primitive operation failed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%t%5%n%tAlgorithm Name:%t%6%n%nFailure Information:%n%tReason:%t%t%t%7%n%tReturn Code:%t%t%8 Key file operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nKey File Operation Information:%n%tFile Path:%t%9%n%tOperation:%t%10%n%tReturn Code:%t%11 `Key migration operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nAdditional Information:%n%tOperation:%t%9%n%tReturn Code:%t%10 `Verification operation failed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nFailure Information:%n%tReason:%t%9%n%tReturn Code:%t%10 dCryptographic operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nCryptographic Operation:%n%tOperation:%t%9%n%tReturn Code:%t%10 A kernel-mode cryptographic self test was performed.%n%nModule:%t%1%n%nReturn Code:%t%2 A cryptographic provider operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Provider:%n%tName:%t%5%n%tModule:%t%6%n%nOperation:%t%7%n%nReturn Code:%t%8 A cryptographic context operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%nOperation:%t%7%n%nReturn Code:%t%8 PA cryptographic context modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%nChange Information:%n%tOld Value:%t%7%n%tNew Value:%t%8%n%nReturn Code:%t%9 dA cryptographic function operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tPosition:%t%9%n%nOperation:%t%10%n%nReturn Code:%t%11 A cryptographic function modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%nChange Information:%n%tOld Value:%t%9%n%tNew Value:%t%10%n%nReturn Code:%t%11 A cryptographic function provider operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProvider:%t%9%n%tPosition:%t%10%n%nOperation:%t%11%n%nReturn Code:%t%12 A cryptographic function property operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProperty:%t%9%n%nOperation:%t%10%n%nValue:%t%11%n%nReturn Code:%t%12 A cryptographic function property modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProperty:%t%9%n%nChange Information:%n%tOld Value:%t%10%n%tNew Value:%t%11%n%nReturn Code:%t%12 |Key access denied by Microsoft key distribution service.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSecurity Descriptor:%t%5 HOCSP Responder Service Started. HOCSP Responder Service Stopped. A Configuration entry changed in the OCSP Responder Service.%n%nCA Configuration ID:%t%t%1%nNew Value:%t%t%2 A configuration entry changed in the OCSP Responder Service.%n%nProperty Name:%t%t%1%nNew Value:%t%t%2 A security setting was updated on OCSP Responder Service.%n%nNew Value:%t%1 A request was submitted to OCSP Responder Service. %n%nCertificate Serial Number: %1%nIssuer CA Name: %2%nRevocation Status: %3 (Signing Certificate was automatically updated by the OCSP Responder Service.%n%nCA Configuration ID:%t%t%1%nNew Signing Certificate Hash:%t%t%2 LThe OCSP Revocation Provider successfully updated the revocation information.%n%nCA Configuration ID:%t%t%1%nBase CRL Number:%t%t%2%nBase CRL This Update:%t%t%3%nBase CRL Hash:%t%t%4%nDelta CRL Number:%t%t%5%nDelta CRL Indicator:%t%t%6%nDelta CRL This Update:%t%t%7%nDelta CRL Hash:%t%t%8 DA directory service object was modified.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nAttribute:%n%tLDAP Display Name:%t%12%n%tSyntax (OID):%t%13%n%tValue:%t%14%n%t%nOperation:%n%tType:%t%15%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A directory service object was created.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nOperation:%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A directory service object was undeleted.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tOld DN:%t%9%n%tNew DN:%t%10%n%tGUID:%t%11%n%tClass:%t%12%n%t%nOperation:%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A directory service object was moved.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%t%7%n%tType:%t%t%8%n%t%nObject:%n%tOld DN:%t%t%9%n%tNew DN:%t%10%n%tGUID:%t%t%11%n%tClass:%t%t%12%n%t%nOperation:%n%tCorrelation ID:%t%t%t%1%n%tApplication Correlation ID:%t%2 A network share object was accessed.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tObject Type:%t%t%5%n%tSource Address:%t%t%6%n%tSource Port:%t%t%7%n%t%nShare Information:%n%tShare Name:%t%t%8%n%tShare Path:%t%t%9%n%nAccess Request Information:%n%tAccess Mask:%t%t%10%n%tAccesses:%t%t%11%n A directory service object was deleted.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nOperation:%n%tTree Delete:%t%12%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2 A network share object was added.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%t%n%tShare Name:%t%t%5%n%tShare Path:%t%t%6 <A network share object was modified.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%n%tObject Type:%t%t%5%n%tShare Name:%t%t%6%n%tShare Path:%t%t%7%n%tOld Remark:%t%t%8%n%tNew Remark:%t%t%9%n%tOld MaxUsers:%t%t%10%n%tNew Maxusers:%t%t%11%n%tOld ShareFlags:%t%t%12%n%tNew ShareFlags:%t%t%13%n%tOld SD:%t%t%t%14%n%tNew SD:%t%t%t%15%n A network share object was deleted.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%t%n%tShare Name:%t%t%5%n%tShare Path:%t%t%6 A network share object was checked to see whether client can be granted desired access.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tObject Type:%t%t%5%n%tSource Address:%t%t%6%n%tSource Port:%t%t%7%n%t%nShare Information:%n%tShare Name:%t%t%8%n%tShare Path:%t%t%9%n%tRelative Target Name:%t%10%n%nAccess Request Information:%n%tAccess Mask:%t%t%11%n%tAccesses:%t%t%12%nAccess Check Results:%n%t%13%n The Windows Filtering Platform has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tVlanTag:%t%t%5%n%tvSwitchId:%t%t%6%n%tSource vSwitch Port:%t%t%7%n%tDestination vSwitch Port:%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 A more restrictive Windows Filtering Platform filter has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tVlanTag:%t%t%5%n%tvSwitchId:%t%t%6%n%tSource vSwitch Port:%t%t%7%n%tDestination vSwitch Port:%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 tThe Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.%n%nNetwork Information:%n%tType:%t%t%1 The DoS attack has subsided and normal processing is being resumed.%n%nNetwork Information:%n%tType:%t%t%1%n%tPackets Discarded:%t%t%t%2 The Windows Filtering Platform has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tMediaType:%t%t%5%n%tInterfaceType:%t%t%6%n%tVlanTag:%t%t%t%7%n%nFilter Information:%n%tFilter Run-Time ID:%t%8%n%tLayer Name:%t%t%9%n%tLayer Run-Time ID:%t%10 A more restrictive Windows Filtering Platform filter has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%t%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tMediaType:%t%t%5%n%tInterfaceType:%t%t%6%n%tVlanTag:%t%t%t%7%n%nFilter Information:%n%tFilter Run-Time ID:%t%8%n%tLayer Name:%t%t%9%n%tLayer Run-Time ID:%t%10 The Windows Filtering Platform has blocked a packet.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 DA more restrictive Windows Filtering Platform filter has blocked a packet.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 $The Windows Filtering Platform has permitted a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has blocked a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has permitted a bind to a local port.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 The Windows Filtering Platform has blocked a bind to a local port.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8 8Spn check for SMB/SMB2 fails.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSPN:%t%n%tSPN Name:%t%t%5%n%tError Code:%t%t%6%n%nServer Information:%n%tServer Names:%t%t%7%n%tConfigured Names:%t%t%8%n%tIP Addresses:%t%t%9 Credential Manager credentials were backed up.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own. Credential Manager credentials were restored from a backup.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own. PThe requested credentials delegation was disallowed by policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCredential Delegation Information:%n%tSecurity Package:%t%5%n%tUser's UPN:%t%6%n%tTarget Server:%t%7%n%tCredential Type:%t%8 |The following callout was present when the Windows Filtering Platform Base Filtering Engine started.%n%nProvider Information:%t%n%tID:%t%t%1%n%tName:%t%t%2%n%nCallout Information:%n%tID:%t%t%3%n%tName:%t%t%4%n%tType:%t%t%5%n%tRun-Time ID:%t%6%n%nLayer Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tRun-Time ID:%t%9 The following filter was present when the Windows Filtering Platform Base Filtering Engine started.%n%nProvider Information:%t%n%tID:%t%t%1%n%tName:%t%t%2%n%nFilter Information:%n%tID:%t%t%3%n%tName:%t%t%4%n%tType:%t%t%5%n%tRun-Time ID:%t%6%n%nLayer Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tRun-Time ID:%t%9%n%tWeight:%t%t%10%n%t%nAdditional Information:%n%tConditions:%t%11%n%tFilter Action:%t%12%n%tCallout ID:%t%13%n%tCallout Name:%t%14 PThe following provider was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nProvider Type:%t%3 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nProvider Context ID:%t%3%nProvider Context Name:%t%4%nProvider Context Type:%t%5 The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nSub-layer ID:%t%3%nSub-layer Name:%t%4%nSub-layer Type:%t%5%nWeight:%t%t%6 DA Windows Filtering Platform callout has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tID:%t%t%4%n%tName:%t%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nCallout Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tType:%t%t%9%n%tRun-Time ID:%t%10%n%nLayer Information:%n%tID:%t%t%11%n%tName:%t%t%12%n%tRun-Time ID:%t%13 \A Windows Filtering Platform filter has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tID:%t%t%4%n%tName:%t%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nFilter Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tType:%t%t%9%n%tRun-Time ID:%t%10%n%nLayer Information:%n%tID:%t%t%11%n%tName:%t%t%12%n%tRun-Time ID:%t%13%n%nCallout Information:%n%tID:%t%t%17%n%tName:%t%t%18%n%nAdditional Information:%n%tWeight:%t%14%t%n%tConditions:%t%15%n%tFilter Action:%t%16 $A Windows Filtering Platform provider has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nChange Information:%n%tChange Type:%t%4%n%nProvider Information:%n%tID:%t%t%5%n%tName:%t%t%6%n%tType:%t%t%7 A Windows Filtering Platform provider context has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tProvider ID:%t%4%n%tProvider Name:%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nProvider Context:%n%tID:%t%7%n%tName:%t%8%n%tType:%t%9 4A Windows Filtering Platform sub-layer has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tProvider ID:%t%4%n%tProvider Name:%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nSub-layer Information:%n%tSub-layer ID:%t%7%n%tSub-layer Name:%t%8%n%tSub-layer Type:%t%9%n%nAdditional Information:%n%tWeight:%t%10 An IPsec quick mode security association was established.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address Mask:%t%6%n%tPort:%t%t%t%7%n%tPrivate Address:%t%t%8%n%tTunnel Endpoint:%t%t%9%n%n%tProtocol:%t%t%10%n%tKeying Module Name:%t%11%n%nCryptographic Information:%n%tIntegrity Algorithm - AH:%t%12%n%tIntegrity Algorithm - ESP:%t%13%n%tEncryption Algorithm:%t%14%n%nSecurity Association Information:%n%tLifetime - seconds:%t%15%n%tLifetime - data:%t%t%16%n%tLifetime - packets:%t%17%n%tMode:%t%t%t%18%n%tRole:%t%t%t%19%n%tQuick Mode Filter ID:%t%20%n%tMain Mode SA ID:%t%21%n%tQuick Mode SA ID:%t%22%n%nAdditional Information:%n%tInbound SPI:%t%t%23%n%tOutbound SPI:%t%t%24%n%tVirtual Interface Tunnel ID:%t%t%25%n%tTraffic Selector ID:%t%t%26 XAn IPsec quick mode security association ended.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address mask:%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tQuick Mode SA ID:%t%10%n%tVirtual Interface Tunnel ID:%t%t%11%n%tTraffic Selector ID:%t%t%12 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1 IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.%n%nDN:%t%t%1%nError code:%t%t%2 IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1 4IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2 IPsec Policy Agent applied local registry storage IPsec policy on the computer.%n%nPolicy:%t%t%1 IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2 IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.%n%nPolicy:%t%t%1%nError Code:%t%t%2 IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes. IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them. IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully. `IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied. IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used. IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used. IPsec Policy Agent loaded local storage IPsec policy on the computer.%n%nPolicy:%t%t%1 IPsec Policy Agent failed to load local storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2 IPsec Policy Agent loaded directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1 IPsec Policy Agent failed to load directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2 IPsec Policy Agent failed to add quick mode filter.%n%nQuick Mode Filter:%t%t%1%nError Code:%t%t%2 `The IPsec Policy Agent service was started. dThe IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks. TIPsec Policy Agent failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The IPsec Policy Agent service failed to initialize its RPC server. The service could not be started.%n%nError Code:%t%t%1 The IPsec Policy Agent service experienced a critical failure and has shut down. The shutdown of this service can put the computer at greater risk of network attack or expose the computer to potential security risks.%n%nError Code:%t%t%1 pIPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. xA request was made to authenticate to a wireless network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nNetwork Information:%n%tName (SSID):%t%t%1%n%tInterface GUID:%t%t%8%n%tLocal MAC Address:%t%7%n%tPeer MAC Address:%t%6%n%nAdditional Information:%n%tReason Code:%t%t%10 (%9)%n%tError Code:%t%t%11%n%tEAP Reason Code:%t%12%n%tEAP Root Cause String:%t%13%n%tEAP Error Code:%t%t%14 A request was made to authenticate to a wired network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nInterface:%n%tName:%t%t%t%1%n%nAdditional Information%n%tReason Code:%t%t%7 (%6)%n%tError Code:%t%t%8 A Remote Procedure Call (RPC) was attempted.%n%nSubject:%n%tSID:%t%t%t%1%n%tName:%t%t%t%2%n%tAccount Domain:%t%t%3%n%tLogonId:%t%t%4%n%nProcess Information:%n%tPID:%t%t%t%5%n%tName:%t%t%t%6%n%nNetwork Information:%n%tRemote IP Address:%t%7%n%tRemote Port:%t%t%8%n%nRPC Attributes:%n%tInterface UUID:%t%t%9%n%tProtocol Sequence:%t%10%n%tAuthentication Service:%t%11%n%tAuthentication Level:%t%12 An object in the COM+ Catalog was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Properties Modified:%t%7 pAn object was deleted from the COM+ Catalog.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Details:%t%t%t%7%nThis event occurs when an object is deleted from the COM+ catalog. An object was added to the COM+ Catalog.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Details:%t%t%t%7 Security policy in the group policy objects has been applied successfully. %n%nReturn Code:%t%1%n%nGPO List:%n%2 One or more errors occured while processing security policy in the group policy objects.%n%nError Code:%t%1%nGPO List:%n%2 Network Policy Server granted access to a user.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tLogging Results:%t%t%t%27%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tSession Identifier:%t%t%t%26%n Network Policy Server denied access to a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tLogging Results:%t%t%t%27%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n Network Policy Server discarded the request for a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n Network Policy Server discarded the accounting request for a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n Network Policy Server quarantined a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n%tQuarantine Grace Time:%t%t%30%n xNetwork Policy Server granted full access to a user because the host met the defined health policy.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n Network Policy Server locked the user account due to repeated failed authentication attempts.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n dNetwork Policy Server unlocked the user account.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.%n%nFile Name:%t%1%t XBranchCache: Received an incorrectly formatted response while discovering availability of content. %n%nIP address of the client that sent this response:%t%t%t%1%n%t%n BranchCache: Received invalid data from a peer. Data discarded. %n%nIP address of the client that sent this data:%t%t%t%1%n%t%n @BranchCache: The message to the hosted cache offering it data is incorrectly formatted. %n%nIP address of the client that sent this message: %t%t%t%1%n%t%n TBranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. %n%nDomain name of the hosted cache is:%t%t%t%1%n%t%n XBranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. %n%nDomain name of the hosted cache:%t%t%t%1%n%t%nError Code:%t%t%t%2%n%t%n xBranchCache: %2 instance(s) of event id %1 occurred.%n %1 registered to Windows Firewall to control filtering for the following: %n%2. %1 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. BranchCache: A service connection point object could not be parsed. %n%nSCP object GUID: %1 Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues.%n%nFile Name:%t%1%t dA new external device was recognized by the system.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nVendor IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 PA request was made to disable a device.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 0A device was disabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 PA request was made to enable a device.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 ,A device was enabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 The installation of this device is forbidden by system policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 The installation of this device was allowed, after having previously been forbidden by policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nDevice ID:%t%5%n%nDevice Name:%t%6%n%nClass ID:%t%t%7%n%nClass Name:%t%8%n%nHardware IDs:%t%9%n%nCompatible IDs:%t%10%n%nLocation Information:%t%11 A network client used a legacy RPC method to modify authentication information on a trusted domain object. The authentication information was encrypted with a legacy encryption algorithm. Consider upgrading the client operating system or application to use the latest and more secure version of this method.%n%nTrusted Domain:%n%tDomain Name:%t%t%5%n%tDomain ID:%t%t%6%n%nModified By:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nClient Network Address:%t%t%7%nRPC Method Name:%t%t%8%n%nFor more information please see https://go.microsoft.com/fwlink/?linkid=2161080. `Highest System-Defined Audit Message Value. Info Information 4Security State Change <Security System Extension ,System Integrity $IPsec Driver 0Other System Events Logon Logoff (Account Lockout (IPsec Main Mode $Special Logon ,IPsec Quick Mode 0IPsec Extended Mode <Other Logon/Logoff Events 4Network Policy Server 4User / Device Claims File System Registry $Kernel Object SAM @Other Object Access Events 8Certification Services 4Application Generated 0Handle Manipulation File Share HFiltering Platform Packet Drop DFiltering Platform Connection 0Detailed File Share ,Removable Storage DCentral Access Policy Staging 8Sensitive Privilege Use @Non Sensitive Privilege Use @Other Privilege Use Events ,Process Creation 0Process Termination (DPAPI Activity RPC Events 4Plug and Play Events 0Audit Policy Change DAuthentication Policy Change @Authorization Policy Change HMPSSVC Rule-Level Policy Change LFiltering Platform Policy Change @Other Policy Change Events 8User Account Management @Computer Account Management <Security Group Management DDistribution Group Management DApplication Group Management HOther Account Management Events <Directory Service Access <Directory Service Changes DDirectory Service Replication XDetailed Directory Service Replication 4Credential Validation PKerberos Service Ticket Operations @Other Account Logon Events HKerberos Authentication Service PSubcategory could not be determined TMicrosoft Windows security auditing. Security The system time was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%9%n%tName:%t%t%10%n%nPrevious Time:%t%t%6 %5%nNew Time:%t%t%8 %7%n%nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. lAn account was successfully logged on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%tLogon GUID:%t%t%13%n%nProcess Information:%n%tProcess ID:%t%t%17%n%tProcess Name:%t%t%18%n%nNetwork Information:%n%tWorkstation Name:%t%12%n%tSource Network Address:%t%19%n%tSource Port:%t%t%20%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%10%n%tAuthentication Package:%t%11%n%tTransited Services:%t%14%n%tPackage Name (NTLM only):%t%15%n%tKey Length:%t%t%16%n%nThis event is generated when a logon session is created. It is generated on the computer that was accessed.%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. An IPsec quick mode negotiation failed.%n%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tAddress Mask:%t%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%tPrivate Address:%t%t%10%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tKeying Module Name:%t%11%n%tMode:%t%t%t%14%n%tRole:%t%t%t%16%n%tQuick Mode Filter ID:%t%18%n%tMain Mode SA ID:%t%19%n%nFailure Information:%n%tState:%t%t%t%15%n%tMessage ID:%t%t%17%n%tFailure Point:%t%t%12%n%tFailure Reason:%t%t%13 A handle to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%14%n%tProcess Name:%t%t%15%n%nAccess Request Information:%n%tTransaction ID:%t%t%9%n%tAccesses:%t%t%10%n%tAccess Mask:%t%t%11%n%tPrivileges Used for Access Check:%t%12%n%tRestricted SID Count:%t%13 A handle to an object was requested.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%15%n%tProcess Name:%t%16%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Mask:%t%11%n%tPrivileges Used for Access Check:%t%12%n%tProperties:%t%13%n%tRestricted SID Count:%t%14 An attempt was made to access an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nAccess Request Information:%n%tAccesses:%t%9%n%tAccess Mask:%t%10 p A new process has been created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. RPC detected an integrity violation while decrypting an incoming message.%n%nPeer Name:%t%1%nProtocol Sequence:%t%2%nSecurity Error:%t%3 pA request was submitted to OCSP Responder Service. A network share object was accessed.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tSource Address:%t%t%5%n%tSource Port:%t%t%6%n%t%nShare Name:%t%t%t%7 $The Windows Filtering Platform has permitted a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 The Windows Filtering Platform has blocked a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11 XAn IPsec quick mode security association was established.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address Mask:%t%6%n%tPort:%t%t%t%7%n%tPrivate Address:%t%t%8%n%tTunnel Endpoint:%t%t%9%n%n%tProtocol:%t%t%10%n%tKeying Module Name:%t%11%n%nCryptographic Information:%n%tIntegrity Algorithm - AH:%t%12%n%tIntegrity Algorithm - ESP:%t%13%n%tEncryption Algorithm:%t%14%n%nSecurity Association Information:%n%tLifetime - seconds:%t%15%n%tLifetime - data:%t%t%16%n%tLifetime - packets:%t%17%n%tMode:%t%t%t%18%n%tRole:%t%t%t%19%n%tQuick Mode Filter ID:%t%20%n%tMain Mode SA ID:%t%21%n%tQuick Mode SA ID:%t%22%n%nAdditional Information:%n%tInbound SPI:%t%t%23%n%tOutbound SPI:%t%t%24 TAn IPsec quick mode security association ended.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tPort:%t%t%t%2%n%tTunnel Endpoint:%t%t%3%n%nRemote Endpoint:%n%tNetwork Address:%t%4%n%tPort:%t%t%t%5%n%tTunnel Endpoint:%t%t%6%n%nAdditional Information:%n%tProtocol:%t%t%7%n%tQuick Mode SA ID:%t%8 A request was made to authenticate to a wireless network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nNetwork Information:%n%tName (SSID):%t%t%1%n%tInterface GUID:%t%t%8%n%tLocal MAC Address:%t%7%n%tPeer MAC Address:%t%6%n%nAdditional Information:%n%tReason Code:%t%t%10 (%9)%n%tError Code:%t%t%11 @Network Policy Server granted access to a user.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tProxy Policy Name:%t%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tSession Identifier:%t%t%t%26%n Network Policy Server denied access to a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tProxy Policy Name:%t%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n A new process has been created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%tProcess Command Line:%t%9%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 4VS_VERSION_INFO%P%%P%?StringFileInfo040904B0LCompanyNameMicrosoft Corporation\FileDescriptionSecurity Audit Schema DLL1FileVersion6.3.9600.20517 (winblue_ltsb_escrow.220725-1737)<InternalNameadtschema.dll.LegalCopyright Microsoft Corporation. All rights reserved.LOriginalFilenameadtschema.dll.muij%ProductNameMicrosoft Windows Operating SystemBProductVersion6.3.9600.20517DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD