MZ@ !L!This program cannot be run in DOS mode. $Rؕ3}3}3}H̴3}H̱3}Rich3}PEd%b"  Zp?>`X.rsrcXZ@@( @Xp   gSdMUI `  \02>i@BȅPZ؋`prT[h_`+t~..Ȳ00L@IP^ľ`kmmpx\<d+6ADJ  QR,Unused message ID $System Event $Logon/Logoff $Object Access $Privilege Use ,Detailed Tracking $Policy Change 0Account Management <Directory Service Access $Account Logon 8Windows is starting up. Windows is shutting down. All logon sessions will be terminated by this shutdown. An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. %n Authentication Package Name:%t%1 A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. %n %n %tLogon Process Name:%t%1%n %tCaller User Name:%t%2%n %tCaller Domain:%t%3%n %tCaller Logon ID:%t%4%n XInternal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. %n %tNumber of audit messages discarded:%t%1 The audit log was cleared %n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n %tClient Process ID:%t%7%n hAn notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes. %n Notification Package Name:%t%1 4Invalid use of LPC port.%n %tProcess ID: %1%n %tImage File Name: %2%n %tPrimary User Name:%t%3%n %tPrimary Domain:%t%4%n %tPrimary Logon ID:%t%5%n %tClient User Name:%t%6%n %tClient Domain:%t%7%n %tClient Logon ID:%t%8%n %tInvalid use: %9%n %tServer Port Name:%t%10%n <The system time was changed.%n Process ID:%t%t%1%n Process Name:%t%t%2%n Primary User Name:%t%3%n Primary Domain:%t%t%4%n Primary Logon ID:%t%t%5%n Client User Name:%t%t%6%n Client Domain:%t%t%7%n Client Logon ID:%t%t%8%n Previous Time:%t%t%10 %9%n New Time:%t%t%12 %11%n Unable to log events to security log:%n %tStatus code:%t%t%1%n %tValue of CrashOnAuditFail:%t%2%n %tNumber of failed audits:%t%3%n \The security log is now %1 percent full. Event log auto-backup%n %tLog:%t%1%n %tFile:%t%2%n %tStatus:%t%3%n Administrator recovered system from CrashOnAuditFail. LSA will now accept non-administrative logons. Some auditable activity might not have been recorded.%n %tValue of CrashOnAuditFail:%t%1%n A security package has been loaded by the Local Security Authority. %n Security Package Name:%t%1 dSuccessful Logon:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon Type:%t%4%n %tLogon Process:%t%5%n %tAuthentication Package:%t%6%n %tWorkstation Name:%t%7%n %tLogon GUID:%t%8%n %tCaller User Name:%t%9%n %tCaller Domain:%t%10%n %tCaller Logon ID:%t%11%n %tCaller Process ID: %12%n %tTransited Services: %13%n %tSource Network Address:%t%14%n %tSource Port:%t%15%n %tCaller Process Name:%t%16%n pLogon Failure:%n %tReason:%t%tUnknown user name or bad password%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n |Logon Failure:%n %tReason:%t%tAccount logon time restriction violation%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n `Logon Failure:%n %tReason:%t%tAccount currently disabled%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n xLogon Failure:%n %tReason:%t%tThe specified user account has expired%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n Logon Failure:%n %tReason:%t%tUser not allowed to logon at this computer%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n Logon Failure:%n %tReason:%tThe user has not been granted the requested%n %t%tlogon type at this machine%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n Logon Failure:%n %tReason:%t%tThe specified account's password has expired%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n tLogon Failure:%n %tReason:%t%tThe NetLogon component is not active%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n Logon Failure:%n %tReason:%t%tAn error occurred during logon%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tStatus code:%t%7%n %tSubstatus code:%t%8%n %tCaller User Name:%t%9%n %tCaller Domain:%t%10%n %tCaller Logon ID:%t%11%n %tCaller Process ID:%t%12%n %tTransited Services:%t%13%n %tSource Network Address:%t%14%n %tSource Port:%t%15%n %tCaller Process Name:%t%16%n User Logoff:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon Type:%t%4%n HLogon Failure:%n %tReason:%t%tAccount locked out%n %tUser Name:%t%1%n %tDomain:%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID: %10%n %tTransited Services: %11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n %tCaller Process Name:%t%14%n tSuccessful Network Logon:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon Type:%t%4%n %tLogon Process:%t%5%n %tAuthentication Package:%t%6%n %tWorkstation Name:%t%7%n %tLogon GUID:%t%8%n %tCaller User Name:%t%9%n %tCaller Domain:%t%10%n %tCaller Logon ID:%t%11%n %tCaller Process ID: %12%n %tTransited Services: %13%n %tSource Network Address:%t%14%n %tSource Port:%t%15%n %tCaller Process Name:%t%16%n IKE security association established.%n Mode: %n%1%n Peer Identity: %n%2%n Filter: %n%3%n Parameters: %n%4%n IKE security association ended.%n Mode: Data Protection (Quick mode) Filter: %n%1%n Inbound SPI: %n%2%n Outbound SPI: %n%3%n IKE security association ended.%n Mode: Key Exchange (Main mode)%n Filter: %n%1%n dIKE security association establishment failed because peer could not authenticate. The certificate trust could not be established.%n Peer Identity: %n%1%n Filter: %n%2%n IKE peer authentication failed.%n Peer Identity: %n%1%n Filter: %n%2%n tIKE security association establishment failed because peer sent invalid proposal.%n Mode: %n%1%n Filter: %n%2%n Attribute: %n%3%n Expected value: %n%4%n Received value: %n%5%n \IKE security association negotiation failed.%n Mode: %n%1%n Filter: %n%2%n Peer Identity: %n%3%n Failure Point: %n%4%n Failure Reason: %n%5%n Extra Status: %n%6%n Logon Failure:%n %tReason:%t%tDomain sid inconsistent%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6 %tTransited Services:%t%7%n Logon Failure:%n %tReason: %tAll sids were filtered out%n %tUser Name:%t%1%n %tDomain:%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package%t: %5%n %tWorkstation Name:%t%6 %1%n User initiated logoff:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n XLogon attempt using explicit credentials:%n Logged on user:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon GUID:%t%4%n User whose credentials were used:%n %tTarget User Name:%t%5%n %tTarget Domain:%t%6%n %tTarget Logon GUID: %7%n%n Target Server Name:%t%8%n Target Server Info:%t%9%n Caller Process ID:%t%10%n Source Network Address:%t%11%n Source Port:%t%12%n Caller Process Name:%t%13%n x%tUser Name:%t%1%n %tDomain:%t%%t%2%n %tRequest Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID: %10%n %tTransited Services: %11%n %tCaller Process Name:%t%12%n xIPSec main mode security association established. User mode is not configured.%n Keying module type: %1%n Local address: %2%n Remote address: %3%n Local port: %4%n Remote port: %5%n Peer private address: %6%n Main mode authentication method: %7%n Main mode my Id: %8%n Main mode peer Id: %9%n Cipher algorithm: %10%n Integrity algorithm: %11%n Lifetime (seconds): %12%n Main mode impersonation: %13%n Main mode SA LUID: %14%n IPSec main mode security association established. User mode is not configured.%n Keying module type: %1%n Local address: %2%n Remote address: %3%n Local port: %4%n Remote port: %5%n Peer private address: %6%n Main mode authentication method: %7%n Main mode peer subject: %n%8%n Main mode peer issuing certificate authority: %n%9%n Main mode peer root certificate authority: %n%10%n Main mode peer SHA thumbprint: %n%11%n Main mode my subject: %n%12%n Main mode my SHA thumbprint: %n%13%n Cipher algorithm: %14%n Integrity algorithm: %15%n Lifetime (seconds): %16%n Main mode impersonation: %17%n Main mode SA LUID: %18%n IPSec main mode security association establishment failed.%n Keying module type: %1%n Local address: %2%n Remote address: %3%n Local port: %4%n Remote port: %5%n Peer private address: %6%n Main mode authentication method: %7%n Main mode peer subject: %n%8%n Main mode peer issuing certificate authority: %n%9%n Main mode peer root certificate authority: %n%10%n Main mode peer SHA thumbprint: %n%11%n Main mode my subject: %n%12%n Main mode my SHA thumbprint: %n%13%n Failure point: %14%n Failure reason: %15%n Main mode IKE state: %16%n Initiator or Responder: %17%n Main mode impersonation: %18%n LIPSec main mode security association establishment failed.%n Keying module type: %1%n Local address: %2%n Remote address: %3%n Local port: %4%n Remote port: %5%n Peer private address: %6%n Main mode authentication method: %7%n Main mode my Id: %8%n Main mode peer Id: %9%n Failure point: %10%n Failure reason: %11%n Main mode IKE state: %12%n Initiator or Responder: %13%n Main mode impersonation: %14%n IPSec quick mode security association establishment failed.%n Keying module type: %1%n Local address: %2%n Local address mask: %3%n Remote address: %4%n Remote address mask: %5%n Local port: %6%n Remote port: %7%n Protocol: %8%n Encapsulation type: %9%n Failure point: %10%n Failure reason: %11%n Quick mode IKE state: %12%n Initiator or Responder: %13%n Main mode SA LUID: %14%n IPSec main mode security association ended.%n Keying module type: %1%n Local address: %2%n Remote address: %3%n Local port: %4%n Remote port: %5%n Peer private address: %6%n Main mode SA LUID: %7%n hObject Open:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tOperation ID:%t%5%n %tProcess ID:%t%6%n %tImage File Name:%t%7%n %tPrimary User Name:%t%8%n %tPrimary Domain:%t%9%n %tPrimary Logon ID:%t%10%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n %tAccesses:%t%14%n %tPrivileges:%t%15%n %tRestricted Sid Count:%t%16%n %tAccess Mask:%t%17%n Handle Closed:%n %tObject Server:%t%1%n %tHandle ID:%t%2%n %tProcess ID:%t%3%n %tImage File Name:%t%4%n Object Open for Delete:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tOperation ID:%t{%5,%6}%n %tProcess ID:%t%7%n %tPrimary User Name:%t%8%n %tPrimary Domain:%t%9%n %tPrimary Logon ID:%t%10%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n %tAccesses:%t%t%14%n %tPrivileges:%t%t%15%n %tAccess Mask:%t%16%n Object Deleted:%n %tObject Server:%t%1%n %tHandle ID:%t%2%n %tProcess ID:%t%3%n %tImage File Name:%t%4%n \Object Open:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tOperation ID:%t{%5,%6}%n %tProcess ID:%t%7%n %tProcess Name:%t%8%n %tPrimary User Name:%t%9%n %tPrimary Domain:%t%10%n %tPrimary Logon ID:%t%11%n %tClient User Name:%t%12%n %tClient Domain:%t%13%n %tClient Logon ID:%t%14%n %tAccesses:%t%15%n %tPrivileges:%t%16%n%n %tProperties:%n%17%n %tAccess Mask:%t%18%n DObject Operation:%n %tObject Server:%t%1%n %tOperation Type:%t%2%n %tObject Type:%t%3%n %tObject Name:%t%4%n %tHandle ID:%t%5%n %tPrimary User Name:%t%6%n %tPrimary Domain:%t%7%n %tPrimary Logon ID:%t%8%n %tClient User Name:%t%9%n %tClient Domain:%t%10%n %tClient Logon ID:%t%11%n %tAccesses:%t%12%n %tProperties:%n%t%13%n %tAdditional Info:%t%14%n %tAdditional Info2:%t%15%n %tAccess Mask:%t%16%n Object Access Attempt:%n %tObject Server:%t%1%n %tHandle ID:%t%2%n %tObject Type:%t%3%n %tProcess ID:%t%4%n %tImage File Name:%t%5%n %tAccesses:%t%6%n %tAccess Mask:%t%7%n %tObject Name:%t%8%n %tPrimary User Name:%t%9%n %tPrimary Domain:%t%10%n %tPrimary Logon ID:%t%11%n %tClient User Name:%t%12%n %tClient Domain:%t%13%n %tClient Logon ID:%t%14%n 4Hard link creation attempt:%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tFile Name:%t%4%n %tLink Name:%t%5%n Application client context creation attempt:%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tClient Name:%t%3%n %tClient Domain:%t%4%n %tClient Context ID:%t%5%n %tStatus:%t%6%n 0Application operation attempt:%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tObject Name:%t%3%n %tScope Names:%t%4%n %tClient Name:%t%5%n %tClient Domain:%t%6%n %tClient Context ID:%t%7%n %tRole:%t%8%n %tGroups:%t%9%n %tOperation Name:%t%10 (%11)%n dApplication client context deletion:%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tClient Name:%t%3%n %tClient Domain:%t%4%n %tClient Context ID:%t%5%n pApplication Initialized%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tClient Name:%t%3%n %tClient Domain:%t%4%n %tClient ID:%t%5%n %tPolicy Store URL:%t%6%n %nApplication-specific security event.%n %tEvent Source:%t%1%n %tEvent ID:%t%2%n %t%t%3%n %t%t%4%n %t%t%5%n %t%t%6%n %t%t%7%n %t%t%8%n %t%t%9%n %t%t%10%n %t%t%11%n %t%t%12%n %t%t%13%n %t%t%14%n %t%t%15%n %t%t%16%n %t%t%17%n %t%t%18%n %t%t%19%n %t%t%20%n %t%t%21%n %t%t%22%n %t%t%23%n %t%t%24%n %t%t%25%n %t%t%26%n %t%t%27%n ,Security on object changed:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tProcess ID:%t%5%n %tImage File Name:%t%6%n%n %tPrimary User Name:%t%7%n %tPrimary Domain:%t%8%n %tPrimary Logon ID:%t%9%n %tClient User Name:%t%10%n %tClient Domain:%t%11%n %tClient Logon ID:%t%12%n %tOriginal Security Descriptor:%t%13%n %tNew Security Descriptor:%t%14%n Special privileges assigned to new logon:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tPrivileges:%t%4 LPrivileged Service Called:%n %tServer:%t%t%1%n %tService:%t%t%2%n %tPrimary User Name:%t%3%n %tPrimary Domain:%t%4%n %tPrimary Logon ID:%t%5%n %tClient User Name:%t%6%n %tClient Domain:%t%7%n %tClient Logon ID:%t%8%n %tPrivileges:%t%9%n %tProcess ID:%t%10%n %tProcess Name:%t%11 Privileged object operation:%n %tObject Server:%t%1%n %tObject Handle:%t%2%n %tProcess ID:%t%3%n %tPrimary User Name:%t%4%n %tPrimary Domain:%t%5%n %tPrimary Logon ID:%t%6%n %tClient User Name:%t%7%n %tClient Domain:%t%8%n %tClient Logon ID:%t%9%n %tPrivileges:%t%10%n %tObject Type:%t%11%n %tObject Name:%t%12%n %tDesired Access:%t%13 A new process has been created:%n %tNew Process ID:%t%1%n %tImage File Name:%t%2%n %tCreator Process ID:%t%3%n %tUser Name:%t%4%n %tDomain:%t%t%5%n %tLogon ID:%t%t%6%n %tToken Elevation Type:%t%7%n @A process has exited:%n %tProcess ID:%t%1%n %tImage File Name:%t%2%n %tUser Name:%t%3%n %tDomain:%t%t%4%n %tLogon ID:%t%t%5%n %tExit Status:%t%t%6%n @A handle to an object has been duplicated:%n %tSource Handle ID:%t%1%n %tSource Process ID:%t%2%n %tTarget Handle ID:%t%3%n %tTarget Process ID:%t%4%n Indirect access to an object has been obtained:%n %tObject Type:%t%1%n %tObject Name:%t%2%n %tProcess ID:%t%3%n %tPrimary User Name:%t%4%n %tPrimary Domain:%t%5%n %tPrimary Logon ID:%t%6%n %tClient User Name:%t%7%n %tClient Domain:%t%8%n %tClient Logon ID:%t%9%n %tAccesses:%t%10%n %tAccess Mask:%t%11%n Backup of data protection master key. %n %tKey Identifier:%t%t%1%n %tRecovery Server:%t%t%2%n %tRecovery Key ID:%t%t%3%n %tFailure Reason:%t%t%4%n By:%n %t User Name:%t%5%n %t Domain Name:%t%6%n %t Logon ID:%t%7 Recovery of data protection master key. %n %tKey Identifier:%t%t%1%n %tRecovery Reason:%t%t%3%n %tRecovery Server:%t%t%2%n %tRecovery Key ID:%t%t%4%n %tFailure Reason:%t%t%5%n By:%n %t User Name:%t%6%n %t Domain Name:%t%7%n %t Logon ID:%t%8 Protection of auditable protected data. %n %tData Description:%t%t%2%n %tKey Identifier:%t%t%1%n %tProtected Data Flags:%t%3%n %tProtection Algorithms:%t%4%n %tFailure Reason:%t%t%5%n By:%n %t User Name:%t%6%n %t Domain Name:%t%7%n %t Logon ID:%t%8 Unprotection of auditable protected data. %n %tData Description:%t%t%2%n %tKey Identifier:%t%t%1%n %tProtected Data Flags:%t%3%n %tProtection Algorithms:%t%4%n %tFailure Reason:%t%t%5%n By:%n %t User Name:%t%6%n %t Domain Name:%t%7%n %t Logon ID:%t%8 A process was assigned a primary token.%n Assigning Process Information:%n %tProcess ID:%t%1%n %tImage File Name:%t%2%n %tPrimary User Name:%t%3%n %tPrimary Domain:%t%4%n %tPrimary Logon ID:%t%5%n New Process Information:%n %tProcess ID:%t%6%n %tImage File Name:%t%7%n %tTarget User Name:%t%8%n %tTarget Domain:%t%9%n %tTarget Logon ID:%t%10%n Attempt to install service:%n %tService Name:%t%1%n %tService File Name:%t%2%n %tService Type:%t%3%n %tService Start Type:%t%4%n %tService Account:%t%5%n By:%n %tUser Name:%t%6%n %tDomain:%t%t%7%n %tLogon ID:%t%t%8%n Scheduled Task created:%n %tFile Name:%t%1%n %tCommand:%t%2%n %tTriggers:%t%t%3%n %tTime:%t%t%4 %5%n %tFlags:%t%t%6%n %tTarget User:%t%7%n By:%n %tUser:%t%t%8%n %tDomain:%t%t%9%n %tLogon ID:%t%t%10%n 0User Right Assigned:%n %tUser Right:%t%1%n %tAssigned To:%t%2%n %tAssigned By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n 0User Right Removed:%n %tUser Right:%t%1%n %tRemoved From:%t%2%n %tRemoved By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n New Trusted Domain:%n %tDomain Name:%t%1%n %tDomain ID:%t%2%n %tEstablished By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n %tTrust Type:%t%6%n %tTrust Direction:%t%7%n %tTrust Attributes:%t%8%n %tSID Filtering:%t%9%n 4Trusted Domain Removed:%n %tDomain Name:%t%1%n %tDomain ID:%t%2%n %tRemoved By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n Audit Policy Change:%n New Policy:%n %tSuccess%tFailure%n %t %3%t %4%tLogon/Logoff%n %t %5%t %6%tObject Access%n %t %7%t %8%tPrivilege Use%n %t %13%t %14%tAccount Management%n %t %11%t %12%tPolicy Change%n %t %1%t %2%tSystem%n %t %9%t %10%tDetailed Tracking%n %t %15%t %16%tDirectory Service Access%n %t %17%t %18%tAccount Logon%n%n Changed By:%n %t User Name:%t%19%n %t Domain Name:%t%20%n %t Logon ID:%t%21 IPSec Services started: %t%1%n Policy Source: %t%2%n %3%n TIPSec Services disabled: %t%1%n %2%n %1 IPSec Services encountered a potentially serious failure.%n %1%n Kerberos Policy Changed:%n Changed By:%n %t User Name:%t%1%n %t Domain Name:%t%2%n %t Logon ID:%t%3%n Changes made:%n ('--' means no changes, otherwise each change is shown as:%n <ParameterName>: <new value> (<old value>))%n %4%n Encrypted Data Recovery Policy Changed:%n Changed By:%n %t User Name:%t%1%n %t Domain Name:%t%2%n %t Logon ID:%t%3%n Changes made:%n ('--' means no changes, otherwise each change is shown as:%n <ParameterName>: <new value> (<old value>))%n %4%n Audit Security Object changed:%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n %tOriginal Security Descriptor:%t%7%n %tNew Security Descriptor:%t%8%n Trusted Domain Information Modified:%n %tDomain Name:%t%1%n %tDomain ID:%t%2%n %tModified By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n %tTrust Type:%t%6%n %tTrust Direction:%t%7%n %tTrust Attributes:%t%8%n %tSID Filtering:%t%9%n XSystem Security Access Granted:%n %tAccess Granted:%t%4%n %tAccount Modified:%t%5%n %tAssigned By:%n %t User Name:%t%1%n %t Domain:%t%t%2%n %t Logon ID:%t%3%n XSystem Security Access Removed:%n %tAccess Removed:%t%4%n %tAccount Modified:%t%5%n %tRemoved By:%n %t User Name:%t%1%n %t Domain:%t%t%2%n %t Logon ID:%t%3%n System Audit Policy Change:%n Category:%t%1%n Sub Category:%t%2%n Sub Category Guid:%t%3%n Changes:%t%4%n%n Changed By:%n User Name:%t%5%n Domain Name:%t%6%n Logon ID:%t%7 dUser Account Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges%t%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tDisplay Name:%t%9%n %tUser Principal Name:%t%10%n %tHome Directory:%t%11%n %tHome Drive:%t%12%n %tScript Path:%t%13%n %tProfile Path:%t%14%n %tUser Workstations:%t%15%n %tPassword Last Set:%t%16%n %tAccount Expires:%t%17%n %tPrimary Group ID:%t%18%n %tAllowedToDelegateTo:%t%19%n %tOld UAC Value:%t%20%n %tNew UAC Value:%t%21%n %tUser Account Control:%t%22%n %tUser Parameters:%t%23%n %tSid History:%t%24%n %tLogon Hours:%t%25%n xUser Account Enabled:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n Change Password Attempt:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n User Account password set:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n xUser Account Disabled:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n User Account Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n 0Security Enabled Global Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n Security Enabled Global Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n $Security Enabled Global Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Security Enabled Global Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n 0Security Enabled Local Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n Security Enabled Local Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n $Security Enabled Local Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Security Enabled Local Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n PSecurity Enabled Local Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n General Account Database Change:%n %tType of change:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tObject ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n TSecurity Enabled Global Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n User Account Changed:%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n Changed Attributes:%n %tSam Account Name:%t%9%n %tDisplay Name:%t%10%n %tUser Principal Name:%t%11%n %tHome Directory:%t%12%n %tHome Drive:%t%13%n %tScript Path:%t%14%n %tProfile Path:%t%15%n %tUser Workstations:%t%16%n %tPassword Last Set:%t%17%n %tAccount Expires:%t%18%n %tPrimary Group ID:%t%19%n %tAllowedToDelegateTo:%t%20%n %tOld UAC Value:%t%21%n %tNew UAC Value:%t%22%n %tUser Account Control:%t%23%n %tUser Parameters:%t%24%n %tSid History:%t%25%n %tLogon Hours:%t%26%n Domain Policy Changed: %1 modified%n %tDomain Name:%t%t%2%n %tDomain ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tMin. Password Age:%t%8%n %tMax. Password Age:%t%9%n %tForce Logoff:%t%10%n %tLockout Threshold:%t%11%n %tLockout Observation Window:%t%12%n %tLockout Duration:%t%13%n %tPassword Properties:%t%14%n %tMin. Password Length:%t%15%n %tPassword History Length:%t%16%n %tMachine Account Quota:%t%17%n %tMixed Domain Mode:%t%18%n %tDomain Behavior Version:%t%19%n %tOEM Information:%t%20%n User Account Locked Out:%n %tTarget Account Name:%t%1%n %tTarget Account ID:%t%3%n %tCaller Machine Name:%t%2%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n Computer Account Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges%t%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tDisplay Name:%t%9%n %tUser Principal Name:%t%10%n %tHome Directory:%t%11%n %tHome Drive:%t%12%n %tScript Path:%t%13%n %tProfile Path:%t%14%n %tUser Workstations:%t%15%n %tPassword Last Set:%t%16%n %tAccount Expires:%t%17%n %tPrimary Group ID:%t%18%n %tAllowedToDelegateTo:%t%19%n %tOld UAC Value:%t%20%n %tNew UAC Value:%t%21%n %tUser Account Control:%t%22%n %tUser Parameters:%t%23%n %tSid History:%t%24%n %tLogon Hours:%t%25%n %tDNS Host Name:%t%26%n %tService Principal Names:%t%27%n Computer Account Changed:%n %t%1%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n Changed Attributes:%n %tSam Account Name:%t%9%n %tDisplay Name:%t%10%n %tUser Principal Name:%t%11%n %tHome Directory:%t%12%n %tHome Drive:%t%13%n %tScript Path:%t%14%n %tProfile Path:%t%15%n %tUser Workstations:%t%16%n %tPassword Last Set:%t%17%n %tAccount Expires:%t%18%n %tPrimary Group ID:%t%19%n %tAllowedToDelegateTo:%t%20%n %tOld UAC Value:%t%21%n %tNew UAC Value:%t%22%n %tUser Account Control:%t%23%n %tUser Parameters:%t%24%n %tSid History:%t%25%n %tLogon Hours:%t%26%n %tDNS Host Name:%t%27%n %tService Principal Names:%t%28%n Computer Account Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n DSecurity Disabled Local Group Created:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n TSecurity Disabled Local Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n Security Disabled Local Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n $Security Disabled Local Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Security Disabled Local Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n 4Security Disabled Global Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n TSecurity Disabled Global Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n $Security Disabled Global Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n (Security Disabled Global Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Security Disabled Global Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n 8Security Enabled Universal Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n XSecurity Enabled Universal Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n (Security Enabled Universal Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n ,Security Enabled Universal Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Security Enabled Universal Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n 8Security Disabled Universal Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n \Security Disabled Universal Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n (Security Disabled Universal Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n ,Security Disabled Universal Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Security Disabled Universal Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Group Type Changed:%n %t%1%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n 0Add SID History:%n %tSource Account Name:%t%1%n %tSource Account ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n %tSidList:%t%10%n Add SID History:%n %tSource Account Name:%t%1%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n |User Account Unlocked:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n 8Authentication Ticket Request:%n %tUser Name:%t%t%1%n %tSupplied Realm Name:%t%2%n %tUser ID:%t%t%t%3%n %tService Name:%t%t%4%n %tService ID:%t%t%5%n %tTicket Options:%t%t%6%n %tResult Code:%t%t%7%n %tTicket Encryption Type:%t%8%n %tPre-Authentication Type:%t%9%n %tClient Address:%t%t%10%n %tCertificate Issuer Name:%t%11%n %tCertificate Serial Number:%t%12%n %tCertificate Thumbprint:%t%13%n DService Ticket Request:%n %tUser Name:%t%t%1%n %tUser Domain:%t%t%2%n %tService Name:%t%t%3%n %tService ID:%t%t%4%n %tTicket Options:%t%t%5%n %tTicket Encryption Type:%t%6%n %tClient Address:%t%t%7%n %tFailure Code:%t%t%8%n %tLogon GUID:%t%t%9%n %tTransited Services:%t%10%n Service Ticket Renewed:%n %tUser Name:%t%1%n %tUser Domain:%t%2%n %tService Name:%t%3%n %tService ID:%t%4%n %tTicket Options:%t%5%n %tTicket Encryption Type:%t%6%n %tClient Address:%t%7%n 4Pre-authentication failed:%n %tUser Name:%t%1%n %tUser ID:%t%t%2%n %tService Name:%t%3%n %tPre-Authentication Type:%t%4%n %tFailure Code:%t%5%n %tClient Address:%t%6%n %tCertificate Issuer Name:%t%7%n %tCertificate Serial Number:%t%8%n %tCertificate Thumbprint:%t%9%n |Authentication Ticket Request Failed:%n %tUser Name:%t%1%n %tSupplied Realm Name:%t%2%n %tService Name:%t%3%n %tTicket Options:%t%4%n %tFailure Code:%t%5%n %tClient Address:%t%6%n `Service Ticket Request Failed:%n %tUser Name:%t%1%n %tUser Domain:%t%2%n %tService Name:%t%3%n %tTicket Options:%t%4%n %tFailure Code:%t%5%n %tClient Address:%t%6%n Account Mapped for Logon.%n Mapping Attempted By:%n %t%1%n Client Name:%n %t%2%n %tMapped Name:%n %t%3%n The name:%n %t%2%n could not be mapped for logon by: %t%1%n Logon attempt by:%t%1%n Logon account:%t%2%n Source Workstation:%t%3%n Error Code:%t%4%n The logon to account: %2%n by: %1%n from workstation: %3%n failed. The error code was: %4%n TSession reconnected to winstation:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession Name:%t%4%n %tClient Name:%t%5%n %tClient Address:%t%6 XSession disconnected from winstation:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession Name:%t%4%n %tClient Name:%t%5%n %tClient Address:%t%6 Set ACLs of members in administrators groups:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Account Name Changed:%n %tOld Account Name:%t%1%n %tNew Account Name:%t%2%n %tTarget Domain:%t%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n Password of the following user accessed:%n %tTarget User Name:%t%1%n %tTarget User Domain:%t%t%2%n By user:%n %tCaller User Name:%t%3%n %tCaller Domain:%t%t%4%n %tCaller Logon ID:%t%t%5%n $Basic Application Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n 4Basic Application Group Changed:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n Basic Application Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Basic Application Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Basic Application Group Non-Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Basic Application Group Non-Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n Basic Application Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n LDAP Query Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n (LDAP Query Group Changed:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n LDAP Query Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Password Policy Checking API is called:%n %tCaller Username:%t%1%n %tCaller Domain:%t%2%n %tCaller Logon ID:%t%3%n %tCaller Workstation:%t%4%n %tProvided User Name (unauthenticated):%t%5%n %tStatus Code:%t%6%n An attempt to set the Directory Services Restore Mode administrator password has been made.%n %tCaller Username:%t%1%n %tCaller Domain:%t%2%n %tCaller Logon ID:%t%3%n %tCaller Workstation:%t%4%n %tStatus Code:%t%5%n RODC SpecifiC Local Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n RODC Specific Local Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n An attempt was made to query the existence of a blank password for an account:%n %tCaller Username:%t%1%n %tCaller Domain:%t%2%n %tCaller Logon ID:%t%3%n %tCaller Workstation:%t%4%n %tTarget Account Name:%t%5%n %tTarget Account Domain:%t%6%n Workstation is locked:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession ID:%t%4%n Workstation is unlocked:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession ID:%t%4%n Screen saver is invoked:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession ID:%t%4%n Screen saver is dismissed:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession ID:%t%4%n 4RPC detected an integrity violation while decrypting an incoming message.%n %tPeer Name:%t%1%n %tProtocol Sequence:%t%2%n %tSecurity Error:%t%3%n (A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.%n %n Account Information:%n %tAccount Name:%t%t%1%n %tSupplied Realm Name:%t%2%n %tUser ID:%t%t%t%3%n %n Authentication Policy Information:%n %tSilo Name:%t%t%16%n %tPolicy Name:%t%t%17%n %tTGT Lifetime:%t%t%18%n %n Device Information:%n %tDevice Name:%t%t%4%n %n Service Information:%n %tService Name:%t%t%5%n %tService ID:%t%t%6%n %n Network Information:%n %tClient Address:%t%t%11%n %tClient Port:%t%t%12%n %n Additional Information:%n %tTicket Options:%t%t%7%n %tResult Code:%t%t%8%n %tTicket Encryption Type:%t%9%n %tPre-Authentication Type:%t%10%n %n Certificate Information:%n %tCertificate Issuer Name:%t%t%13%n %tCertificate Serial Number:%t%14%n %tCertificate Thumbprint:%t%t%15%n %n Certificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. p A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.%n %n Account Information:%n %tAccount Name:%t%t%1%n %tAccount Domain:%t%t%2%n %tLogon GUID:%t%t%11%n %n Authentication Policy Information:%n %tSilo Name:%t%t%13%n %tPolicy Name:%t%t%14%n %n Device Information:%n %tDevice Name:%t%t%3%n %n Service Information:%n %tService Name:%t%t%4%n %tService ID:%t%t%5%n %n Network Information:%n %tClient Address:%t%t%8%n %tClient Port:%t%t%9%n %n Additional Information:%n %tTicket Options:%t%t%6%n %tTicket Encryption Type:%t%7%n %tFailure Code:%t%t%10%n %tTransited Services:%t%12%n %n This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.%n %n This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.%n %n Ticket options, encryption types, and failure codes are defined in RFC 4120. <NTLM authentication failed because the account was a member of the Protected User group.%n %n Account Name:%t%1%n Device Name:%t%2%n Error Code:%t%3 NTLM authentication failed because access control restrictions are required.%n %n Account Name:%t%1%n Device Name:%t%2%n Error Code:%t%3%n %n Authentication Policy Information:%n %tSilo Name:%t%4%n %tPolicyName:%t%5 0Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.%n %n Account Information:%n %tSecurity ID:%t%t%2%n %tAccount Name:%t%t%1%n %n Service Information:%n %tService Name:%t%t%3%n %n Network Information:%n %tClient Address:%t%t%7%n %tClient Port:%t%t%8%n %n Additional Information:%n %tTicket Options:%t%t%4%n %tFailure Code:%t%t%5%n %tPre-Authentication Type:%t%6%n %n Certificate Information:%n %tCertificate Issuer Name:%t%t%9%n %tCertificate Serial Number: %t%10%n %tCertificate Thumbprint:%t%t%11%n %n Certificate information is only provided if a certificate was used for pre-authentication.%n %n Pre-authentication types, ticket options and failure codes are defined in RFC 4120.%n %n If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present. A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.%n%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%3%n %tClient Address:%t%4 Namespace collision detected:%n %tTarget type:%t%1%n %tTarget name:%t%2%n %tForest Root:%t%3%n %tTop Level Name:%t%4%n %tDNS Name:%t%5%n %tNetBIOS Name:%t%6%n %tSID:%t%t%7%n %tNew Flags:%t%8%n Trusted Forest Information Entry Added:%n %tForest Root:%t%1%n %tForest Root SID:%t%2%n %tOperation ID:%t{%3,%4}%n %tEntry Type:%t%5%n %tFlags:%t%t%6%n %tTop Level Name:%t%7%n %tDNS Name:%t%8%n %tNetBIOS Name:%t%9%n %tDomain SID:%t%10%n %tAdded by%t:%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n Trusted Forest Information Entry Removed:%n %tForest Root:%t%1%n %tForest Root SID:%t%2%n %tOperation ID:%t{%3,%4}%n %tEntry Type:%t%5%n %tFlags:%t%t%6%n %tTop Level Name:%t%7%n %tDNS Name:%t%8%n %tNetBIOS Name:%t%9%n %tDomain SID:%t%10%n %tRemoved by%t:%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n Trusted Forest Information Entry Modified:%n %tForest Root:%t%1%n %tForest Root SID:%t%2%n %tOperation ID:%t{%3,%4}%n %tEntry Type:%t%5%n %tFlags:%t%t%6%n %tTop Level Name:%t%7%n %tDNS Name:%t%8%n %tNetBIOS Name:%t%9%n %tDomain SID:%t%10%n %tModified by%t:%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n The certificate manager denied a pending certificate request.%n %n Request ID:%t%1 Certificate Services received a resubmitted certificate request.%n %n Request ID:%t%1 Certificate Services revoked a certificate.%n %n Serial No:%t%1%n Reason:%t%2 DCertificate Services received a request to publish the certificate revocation list (CRL).%n %n Next Update:%t%1%n Publish Base:%t%2%n Publish Delta:%t%3 `Certificate Services published the certificate revocation list (CRL).%n %n Base CRL:%t%1%n CRL No:%t%t%2%n Key Container:%t%3%n Next Publish:%t%4%n Publish URLs:%t%5 A certificate request extension changed.%n %n Request ID:%t%1%n Name:%t%2%n Type:%t%3%n Flags:%t%4%n Data:%t%5 One or more certificate request attributes changed.%n %n Request ID:%t%1%n Attributes:%t%2 tCertificate Services received a request to shut down. |Certificate Services backup started.%n Backup Type:%t%1 XCertificate Services backup completed. X Certificate Services restore started. XCertificate Services restore completed. @Certificate Services started.%n %n Certificate Database Hash:%t%1%n Private Key Usage Count:%t%2%n CA Certificate Hash:%t%3%n CA Public Key Hash:%t%4 @Certificate Services stopped.%n %n Certificate Database Hash:%t%1%n Private Key Usage Count:%t%2%n CA Certificate Hash:%t%3%n CA Public Key Hash:%t%4 The security permissions for Certificate Services changed.%n %n %1 Certificate Services retrieved an archived key.%n %n Request ID:%t%1 Certificate Services imported a certificate into its database.%n %n Certificate:%t%1%n Request ID:%t%2 The audit filter for Certificate Services changed.%n %n Filter:%t%1 Certificate Services received a certificate request.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3 Certificate Services approved a certificate request and issued a certificate.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3%n Disposition:%t%4%n SKI:%t%t%5%n Subject:%t%6 LCertificate Services denied a certificate request.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3%n Disposition:%t%4%n SKI:%t%t%5%n Subject:%t%6 xCertificate Services set the status of a certificate request to pending.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3%n Disposition:%t%4%n SKI:%t%t%5%n Subject:%t%6 The certificate manager settings for Certificate Services changed.%n %n Enable:%t%1%n %n %2 A configuration entry changed in Certificate Services.%n %n Node:%t%1%n Entry:%t%2%n Value:%t%3 A property of Certificate Services changed.%n %n Property:%t%1%n Index:%t%2%n Type:%t%3%n Value:%t%4 Certificate Services archived a key.%n %n Request ID:%t%1%n Requester:%t%2%n KRA Hashes:%t%3 Certificate Services imported and archived a key.%n %n Request ID:%t%1 8Certificate Services published the CA certificate to Active Directory Domain Services.%n %n Certificate Hash:%t%1%n Valid From:%t%2%n Valid To:%t%3 One or more rows have been deleted from the certificate database.%n %n Table ID:%t%1%n Filter:%t%2%n Rows Deleted:%t%3 DRole separation enabled:%t%1 Certificate Services template:%n%1 v%2 (Schema V%3)%n%4%n%5%n%nDomain Controller:%t%6%n%nTemplate Content:%n%7%nSecurity Descriptor:%n%8 8Certificate Services template updated:%n%1 v%2 (Schema V%3)%n%4%n%5%n%nDomain Controller:%t%6%n%nOld Template Content:%n%8%n%nNew Template Content:%n%7 Certificate Services template security updated:%n%1 v%2 (Schema V%3)%n%4%n%5%n%nDomain Controller:%t%6%n%nOld Template Content:%n%9%nOld Security Descriptor:%n%10%n%nNew Template Content:%n%7%nNew Security Descriptor:%n%8 LConfiguration of security log for this session: %tMaximum Log Size (KB): %1%n %tAction to take on reaching max log size: %2%n %tEvent age limit in days: %3%n Per User Audit Policy table created.%n %tNumber of elements:%t%1%n %tPolicy ID:%t%2%n Per user auditing policy set for user:%n %tTarget user:%t%1%n %tPolicy ID:%t%2%n %tCategory Settings:%n %t System:%t%3%n %t Logon:%t%4%n %t Object Access%t%5%n %t Privilege Use:%t%6%n %t Detailed Tracking:%t%7%n %t Policy Change:%t%8%n %t Account Management:%t%9%n %t DS Access:%t%10%n %t Account Logon:%t%11%n lA security event source has attempted to register.%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n %tSource Name:%t%7%n %tProcess Id:%t%8%n %tEvent Source Id:%t%9%n %tImage File Name:%t%10%n pA security event source has attempted to unregister.%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n %tSource Name:%t%7%n %tProcess Id:%t%8%n %tEvent Source Id:%t%9%n %tImage File Name:%t%10%n CrashOnAuditFail value has changed.%n %tNew value of CrashOnAuditFail:%t%1%n @Auditing settings on object changed:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tProcess ID:%t%5%n %tImage File Name:%t%6%n%n %tPrimary User Name:%t%7%n %tPrimary Domain:%t%8%n %tPrimary Logon ID:%t%9%n %tClient User Name:%t%10%n %tClient Domain:%t%11%n %tClient Logon ID:%t%12%n %tOriginal Security Descriptor:%t%13%n %tNew Security Descriptor:%t%14%n Special Groups Logon table created.%n Special Groups:%t%1%n Per User Audit Policy Change:%n User:%t%t%1%n Category:%t%2%n Sub Category:%t%3%n Sub Category Guid:%t%4%n Changes:%t%5%n%n Changed By:%n User Name:%t%6%n Domain Name:%t%7%n Logon ID:%t%8 %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tSource Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tSource Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tSource Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tDest. Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tNaming Context:%t%3%n %tOptions:%t%4%n %tSession ID:%t%5%n %tStart USN:%t%6%n 4%tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tNaming Context:%t%3%n %tOptions:%t%4%n %tSession ID:%t%5%n %tEnd USN:%t%6%n %tStatus Code:%t%7%n %tSession ID:%t%1%n %tObject:%t%2%n %tAttribute:%t%3%n %tType of change:%t%4%n %tNew Value:%t%5%n %tUSN:%t%6%n %tStatus Code:%t%7%n x%tReplication Event:%t%1%n %tAudit Status Code:%t%2%n %tReplication Event:%t%1%n %tAudit Status Code:%t%2%n %tReplication Status Code:%t%3%n %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tObject:%t%3%n %tOptions:%t%4%n %tStatus Code:%t%5%n The following policy was active when the Windows Firewall started. %n %nGroup Policy applied: %1 %nProfile used: %2 %nOperational mode: %3 %nAllow remote administration: %4 %nAllow unicast responses to multicast/broadcast traffic: %5 %nSecurity Logging: %n Log dropped packets: %6 %n Log successful connections %7 A rule was listed when the Windows Firewall started. %n %nProfile used: %1 %nRule: %n Rule Id: %2 %n Rule Name: %3 HA change has been made to Windows Firewall exception list. A rule was added. %n %nProfile changed: %1 %nAdded Rule: %n Rule Id: %2 %n Rule Name: %3 TA change has been made to Windows Firewall exception list. A rule was modified. %n %nProfile changed: %1 %nModified Rule: %n Rule Id: %2 %n Rule Name: %3 PA change has been made to Windows Firewall exception list. A rule was deleted. %n %nProfile changed: %1 %nDeleted Rule: %n Rule Id: %2 %n Rule Name: %3 A change has been made to Windows Firewall settings. Settings restored to factory defaults. %n A Windows Firewall setting has changed. %n %nProfile changed: %1 %nNew Setting: %n Type: %2 %n Value: %3 PA rule has been ignored because its major version number was not recognized by Windows Firewall. %n %nProfile: %1 %nIgnored Rule: %n Id:%2 %n Name:%3 xA rule has been partially ignored because its minor version number was not recognized by Windows Firewall. %n %nProfile: %1 %nPartially Ignored Rule: %n Id:%2 %n Name:%3 A rule has been rejected by Windows Firewall. %n %nProfile: %1 %nReason for Rejection:%2 %nRule: %n Id:%3 %n Name:%4 |Windows Firewall group policy settings have been applied. The Windows Firewall group policy settings have been removed. The Windows Firewall has switched the active policy profile. %n %nActive profile: %1 Windows Firewall did not apply the following rule: %nRule: %n Id:%1 %n Name:%2 %nReason: %3 resolved to an empty set. Windows Firewall did not apply the following rule: %nRule: %n Id:%1 %n Name:%2 %nError: %3 %nReason: %4 IPSec inbound packet integrity check failed:%n %tPacket Source:%t%1%n %tInbound SA:%t%2%n %tNumber Of Packets:%t%3%n Received packet from over a security association that failed data integrity verification. This could be a temporary problem; if it persists it may indicate either a poor network condition or that packets are being modified in transit to the system.%n  IPSec inbound packet replay check failed:%n %tPacket Source:%t%1%n %tInbound SA:%t%2%n %tNumber of Packets:%t%3%n Received packet from over a security association with a sequence number for a packet already processed by the system.This could be a temporary problem; if it persists it may indicate a replay attack against the system.%n  Received a packet over a security association with a low sequence number. IPsec inbound packet replay check failed. This may indicate a either network or hardware problem or that a replay attack is in process. Check your IPsec peer network for errors. To check for a replay attack shutdown the peer device and check if these messages persist. If the messages persist it may indicate a replay attack.:%n %tPacket Source:%t%1%n %tInbound SA:%t%2%n %tNumber of Packets:%t%3%n 4 IPSec received inbound clear text packet that should have been secured:%n %tPacket Source:%t%1%n %tInbound SA:%t%2%n %tNumber of Packets:%t%3%n  The Windows Filter Platform blocked a packet .:%n %tDirection:%t%1%n %tLocal Address:%t%2%n %tLocal Port:%t%3%n %tRemote Address:%t%4%n %tRemote Port:%t%5%n %tProtocol:%t%6%n %tFilter LUID:%t%7%n %tLayer Id:%t%8%n P A more restrictive Windows Filtering Platform filter has blocked the packet.:%n %tApplication:%t%1%n %tDirection:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tDestination Address:%t%5%n %tDestination Port:%t%6%n %tProtocol:%t%7%n %tFilter run-time ID:%t%8%n %tLayer:%t%9%n  Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.:%n %tProcess ID:%t%1%n %tApplication:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tFilter run-time ID:%t%5%n %tLayer:%t%6%n  Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.:%n %tProcess ID:%t%1%n %tApplication:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tFilter run-time ID:%t%5%n %tLayer:%t%6%n l Windows Filtering Platform has permitted a connection to take place.:%n %tProcess ID:%t%1%n %tApplication:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tProtocol:%t%5%n %tDestination Address:%t%6%n %tDestination Port:%t%7%n %tDirection:%t%8%n %tFilter run-time ID:%t%9%n %tLayer:%t%10%n p Windows Filtering Platform has blocked a connection from taking place.:%n %tProcess ID:%t%1%n %tApplication:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tProtocol:%t%5%n %tDestination Address:%t%6%n %tDestination Port:%t%7%n %tDirection:%t%8%n %tFilter run-time ID:%t%9%n %tLayer:%t%10%n  Windows Filtering Platform has permitted a bind to a local port.:%n %tProcess ID:%t%1%n %tApplication:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tProtocol:%t%5%n %tFilter run-time ID:%t%6%n %tLayer:%t%7%n  Windows Filtering Platform has blocked a bind to a local port.:%n %tProcess ID:%t%1%n %tApplication:%t%2%n %tSource Address:%t%3%n %tSource Port:%t%4%n %tProtocol:%t%5%n %tFilter run-time ID:%t%6%n %tLayer:%t%7%n HSpecial groups have been assigned to a token:%n %tUser Sid:%t%1%n %tUser Name:%t%2%n %tDomain:%t%t%3%n %tLogon ID:%t%t%4%n %tLogon GUID:%t%5%n %tSpecial Groups assigned:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Logon Guid:%t%10%n PDuring IPSec main mode SA negotiation, IKE/Authip received an invalid ISAKMP packet. This could indicate a poor network condition or an attempt to modify or replay this negotiation. Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n During IPSec quick mode SA negotiation, IKE/Authip received an invalid ISAKMP packet. This could indicate a poor network condition or an attempt to modify or replay this negotiation. Local address: %1%n Local address mask: %2%n Remote address: %3%n Remote address mask: %4%n Local port: %5%n Remote port: %6%n Protocol: %7%n Encapsulation type: %8%n HDuring IPSec user mode SA negotiation, Authip received an invalid ISAKMP packet. This could indicate a poor network condition or an attempt to modify or replay this negotiation. Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n \IPSec main mode and user mode security associations established.%n Keying module type: AuthIp%n Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n Main mode authentication method: %6%n Main mode my Id: %7%n Main mode Peer Id: %8%n Cipher algorithm: %9%n Integrity algorithm: %10%n Lifetime (seconds): %11%n Main mode impersonation: %12%n Main mode SA LUID: %13%n%n User mode authentication method: %14%n User mode my Id: %15%n User mode peer Id: %16%n User mode impersonation: %17%n IPSec main mode and user mode security associations established.%n Keying module type: AuthIp%n Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n Main mode authentication method: %6%n Main mode my Id: %7%n Main mode peer Id: %8%n Cipher algorithm: %9%n Integrity algorithm: %10%n Lifetime (seconds): %11%n Main mode impersonation: %12%n Main mode SA LUID: %13%n%n User mode authentication method: %14%n User mode peer subject: %n%15%n User mode peer issuing certificate authority: %n%16%n User mode peer root certificate authority: %n%17%n User mode peer SHA thumbprint: %n%18%n User mode my subject: %n%19%n User mode my SHA thumbprint: %n%20%n User mode impersonation: %21%n IPSec main mode and user mode security associations established.%n Keying module type: AuthIp%n Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n Main mode authentication method: %6%n Main mode peer subject: %n%7%n Main mode peer issuing certificate authority: %n%8%n Main mode peer root certificate authority: %n%9%n Main mode peer SHA thumbprint: %n%10%n Main mode my subject: %n%11%n Main mode my SHA thumbprint: %n%12%n Cipher algorithm: %13%n Integrity algorithm: %14%n Lifetime (seconds): %15%n Main mode impersonation: %16%n Main mode SA LUID: %17%n%n User mode authentication method: %18%n User mode my Id: %19%n User mode peer Id: %20%n User mode impersonation: %21%n xIPSec main mode and user mode security associations established.%n Keying module type: AuthIp%n Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n Main mode authentication method: %6%n Main mode peer subject: %n%7%n Main mode peer issuing certificate authority: %n%8%n Main mode peer root certificate authority: %n%9%n Main mode peer SHA thumbprint: %n%10%n Main mode my subject: %n%11%n Main mode my SHA thumbprint: %n%12%n Cipher algorithm: %13%n Integrity algorithm: %14%n Lifetime (seconds): %15%n Main mode impersonation: %16%n Main mode SA LUID: %17%n%n User mode authentication method: %18%n User mode peer subject: %n%19%n User mode peer issuing certificate authority: %n%20%n User mode peer root certificate authority: %n%21%n User mode peer SHA thumbprint: %n%22%n User mode my subject: %n%23%n User mode my SHA thumbprint: %n%24%n User mode impersonation: %25%n IPSec user mode security association establishment failed.%n Keying module type: AuthIp%n Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n User mode authentication method: %6%n User mode peer subject: %n%7%n User mode peer issuing certificate authority: %n%8%n User mode peer root certificate authority: %n%9%n User mode peer SHA thumbprint: %n%10%n User mode my subject: %n%11%n User mode my SHA thumbprint: %n%12%n Failure point: %13%n Failure reason: %14%n User mode IKE state: %15%n Initiator or Responder: %16%n User mode impersonation: %17%n TIPSec user mode security association establishment failed.%n Keying module type: AuthIp%n Local address: %1%n Remote address: %2%n Local port: %3%n Remote port: %4%n Peer private address: %5%n User mode authentication method: %6%n User mode my Id: %7%n User mode peer Id: %8%n Failure point: %9%n Failure reason: %10%n User mode IKE state: %11%n Initiator or Responder: %12%n User mode impersonation: %13%n xThe Windows Firewall Service has successfully started. hThe Windows Firewall Service has been stopped. tThe Windows Firewall was unable to retrieve the security policy from the local storage. The Windows Firewall will continue enforcing the current enforced policy. %n Error Code: %1 <The Windows Firewall was unable to parse the new security policy. The Windows Firewall will continue with currently enforced policy. %n Error Code: %1 The Windows Firewall failed to initialize the driver. The Windows Firewall will continue to enforce current policy. %n Error Code: %1 The Windows Firewall service failed to start. %n Error Code: %1 The Windows Firewall service found errors during shutdown. %n Error Code: %1 The Windows Firewall service found a critical runtime error. Terminating. %n Error Code: %1 tThe Windows Firewall Driver has successfully started. dThe Windows Firewall Driver has been stopped. The Windows Firewall Driver failed to start. %n Error Code: %1 The Windows Firewall Driver found errors during shutdown. %n Error Code: %1 The Windows Firewall Driver found critical runtime error. Terminating. %n Error Code: %1 PA change has been made to IPSec settings. An Authentication Set was added. %n %nProfile changed: %1 %nAdded Authentication Set: %n Id: %2 %n Name: %3 \A change has been made to IPSec settings. An Authentication Set was modified. %n %nProfile changed: %1 %nModified Authentication Set: %n Id: %2 %n Name: %3 XA change has been made to IPSec settings. An Authentication Set was deleted. %n %nProfile changed: %1 %nDeleted Authentication Set: %n Id: %2 %n Name: %3 dA change has been made to IPSec settings. A Connection Security Rule was added. %n %nProfile changed: %1 %nAdded Connection Security Rule: %n Id: %2 %n Name: %3 pA change has been made to IPSec settings. A Connection Security Rule was modified. %n %nProfile changed: %1 %nModified Connection Security Rule: %n Id: %2 %n Name: %3 lA change has been made to IPSec settings. A Connection Security Rule was deleted. %n %nProfile changed: %1 %nDeleted Connection Security Rule: %n Id: %2 %n Name: %3 ,A change has been made to IPSec settings. A Crypto Set was added. %n %nProfile changed: %1 %nAdded Crypto Set: %n Id: %2 %n Name: %3 8A change has been made to IPSec settings. A Crypto Set was modified. %n %nProfile changed: %1 %nModified Crypto Set: %n Id: %2 %n Name: %3 4A change has been made to IPSec settings. A Crypto Set was deleted. %n %nProfile changed: %1 %nDeleted Crypto Set: %n Id: %2 %n Name: %3 An IPSec Security Association was deleted. %n %nProfile changed: %1 %nDeleted SA: %n Id: %2 %n Name: %3 The IPSec policy was not updated because Active Directory Domain Services could not be reached. %n \The following callout was present when the Windows Filtering Platform Base Filtering Engine started. %n %nProvider ID:%t%1 %nProvider name:%t%2 %nCallout ID:%t%3 %nCallout name:%t%4 %nCallout type:%t%5 %nCallout run-time ID:%t%6 %nLayer ID:%t%7 %nLayer name:%t%8 %nLayer run-time ID:%t%9 $The following filter was present when the Windows Filtering Platform Base Filtering Engine started. %n %nProvider ID:%t%1 %nProvider name:%t%2 %nFilter ID:%t%3 %nFilter name:%t%4 %nFilter type:%t%5 %nFilter run-time ID:%t%6 %nLayer ID:%t%7 %nLayer name:%t%8 %nLayer run-time ID:%t%9 %nWeight:%t%10 %n %nConditions:%t%11 %nFilter Action:%t%12 %nCallout ID:%t%13 %nCallout name:%t%14 \The following provider was present when the Windows Filtering Platform Base Filtering Engine started. %n %nProvider ID:%t%1 %nProvider name:%t%2 %nProvider type:%t%3 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. %n %nProvider ID:%t%1 %nProvider name:%t%2 %nProvider context ID:%t%3 %nProvider context name:%t%4 %nProvider context type:%t%5 The following sublayer was present when the Windows Filtering Platform Base Filtering Engine started. %n %nProvider ID:%t%1 %nProvider name:%t%2 %nSublayer ID:%t%3 %nSublayer name:%t%4 %nSublayer type:%t%5 %nWeight:%t%6 A Windows Filtering Platform callout has been changed. %n %nProcess ID:%t%1 %nUser ID:%t%2 %nUser name:%t%3 %nProvider ID:%t%4 %nProvider name:%t%5 %nChange type:%t%6 %nCallout ID:%t%7 %nCallout name:%t%8 %nCallout type:%t%9 %nCallout run-time ID:%t%10 %nLayer ID:%t%11 %nLayer name:%t%12 %nLayer run-time ID:%t%13 dA Windows Filtering Platform filter has been changed. %n %nProcess ID:%t%1 %nUser ID:%t%2 %nUser name:%t%3 %nProvider ID:%t%4 %nProvider name:%t%5 %nChange type:%t%6 %nFilter ID:%t%7 %nFilter name:%t%8 %nFilter type:%t%9 %nFilter run-time ID:%t%10 %nLayer ID:%t%11 %nLayer name:%t%12 %nLayer run-time ID:%t%13 %nWeight:%t%14 %n %nConditions:%t%15 %nFilter Action:%t%16 %nCallout ID:%t%17 %nCallout name:%t%18 A Windows Filtering Platform provider has been changed. %n %nProcess ID:%t%1 %nUser ID:%t%2 %nUser name:%t%3 %nChange type:%t%4 %nProvider ID:%t%5 %nProvider name:%t%6 %nProvider type:%t%7 (A Windows Filtering Platform provider context has been changed. %n %nProcess ID:%t%1 %nUser ID:%t%2 %nUser name:%t%3 %nProvider ID:%t%4 %nProvider name:%t%5 %nChange type:%t%6 %nProvider context ID:%t%7 %nProvider context name:%t%8 %nProvider context type:%t%9 A Windows Filtering Platform sublayer has been changed. %n %nProcess ID:%t%1 %nUser ID:%t%2 %nUser name:%t%3 %nProvider ID:%t%4 %nProvider name:%t%5 %nChange type:%t%6 %nSublayer ID:%t%7 %nSublayer name:%t%8 %nSublayer type:%t%9 %nWeight:%t%10 xAn IPsec Quick Mode security association was established.%n %n Local address:%t%1%n Local address mask:%t%2%n Local port:%t%3%n Local tunnel endpoint:%t%4%n Remote address:%t%5%n Remote address mask:%t%6%n Remote port:%t%7%n Remote private address:%t%8%n Remote tunnel endpoint:%t%9%n Protocol:%t%10%n Keying module name:%t%11%n Integrity algorithm - AH:%t%12%n Integrity algorithm - ESP:%t%13%n Encryption algorithm:%t%14%n Lifetime - seconds:%t%15%n Lifetime - data:%t%16%n Lifetime - packets:%t%17%n Mode:%t%18%n Role:%t%19%n Quick Mode filter identifier:%t%20%n Main Mode SA identifier:%t%21%n Quick Mode SA identifier:%t%22%n Inbound SPI:%t%23%n Outbound SPI:%t%24 An IPsec Quick Mode security association ended.%n %n Local address:%t%1%n Local port:%t%2%n Local tunnel endpoint:%t%3%n Remote address:%t%4%n Remote port:%t%5%n Remote tunnel endpoint:%t%6%n Protocol:%t%7%n Quick Mode SA identifier:%t%8 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. HOCSP Responder Service Started. HOCSP Responder Service Stopped. A Configuration entry changed in OCSP Responder Service.%n CA Configuration ID: %t%1%n New Value: %t%2%n A Configuration entry changed in OCSP Responder Service.%n PropertyName: %t%1%n New Value: %t%2%n Security setting is updated on OCSP Responder Service.%n New Value:%t%1%n pA request is submitted to OCSP Responder Service.%n $Signing Certificate is automatically updated by OCSP Responder Service.%n CA Configuration ID: %t%1%n New Signing Certificate Hash: %t%2%n TOCSP Revocation Provider successfully updated the revocation information.%n CA Configuration ID: %t%1%n Base CRL Number: %t%2%n Base CRL This Update: %t%3%n Base CRL Hash: %t%4%n Delta CRL Number: %t%5%n Delta CRL Indicator: %t%6%n Delta CRL This Update: %t%7%n Delta CRL Hash: %t%8%n Details:%n %tTrusted Domain Name:%t%2%n %tTrusted Domain SID:%t%3%n %tModified By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n %t Client Network Address:%n %t RPC Method Name:%t%1%n `Highest System-Defined Audit Message Value. 4VS_VERSION_INFO%P%%P%?StringFileInfo040904B0LCompanyNameMicrosoft Corporation\FileDescriptionSecurity Audit Events DLL1FileVersion6.3.9600.20517 (winblue_ltsb_escrow.220725-1737): InternalNamemsaudite.dll.LegalCopyright Microsoft Corporation. All rights reserved.B OriginalFilenamemsaudite.dllj%ProductNameMicrosoft Windows Operating SystemBProductVersion6.3.9600.20517DVarFileInfo$Translation {\#'7^L&X03kg&> MUI MUI en-US