Leaked source code of windows server 2003

  1. ;/*++ BUILD Version: 0001 // Increment this if a change has global effects
  2. ;
  3. ;Copyright (c) 1991 Microsoft Corporation
  4. ;
  5. ;Module Name:
  6. ;
  7. ; msaudite.mc
  8. ;
  9. ;Abstract:
  10. ;
  11. ; Constant definitions for the NT Audit Event Messages.
  12. ;
  13. ;Author:
  14. ;
  15. ; Jim Kelly (JimK) 30-Mar-1992
  16. ;
  17. ;Revision History:
  18. ;
  19. ;Notes:
  20. ;
  21. ; The .h and .res forms of this file are generated from the .mc
  22. ; form of the file (base\seaudit\msaudite\msaudite.mc).
  23. ; Please make all changes to the .mc form of the file.
  24. ;
  25. ; If you add a new audit category or make any change to the
  26. ; audit event id valid limits (0x200 ~ 0x5ff), please make a
  27. ; corresponding change to ntlsa.h
  28. ;
  29. ;--*/
  30. ;
  31. ;#ifndef _MSAUDITE_
  32. ;#define _MSAUDITE_
  33. ;
  34. ;/*lint -e767 */ // Don't complain about different definitions // winnt
  35. MessageIdTypedef=ULONG
  36. SeverityNames=(None=0x0)
  37. FacilityNames=(None=0x0)
  38. MessageId=0x0000
  39. Language=English
  40. Unused message ID
  41. .
  42. ;// Message ID 0 is unused - just used to flush out the diagram
  43. ;//
  44. ;// min/max limits on audit category-id and event-id of audit events
  45. ;//
  46. ;
  47. ;#define SE_ADT_MIN_CATEGORY_ID 1 // SE_CATEGID_SYSTEM
  48. ;#define SE_ADT_MAX_CATEGORY_ID 9 // SE_CATEGID_ACCOUNT_LOGON
  49. ;
  50. ;
  51. ;#define SE_ADT_MIN_AUDIT_ID 0x200 // see msaudite.h
  52. ;#define SE_ADT_MAX_AUDIT_ID 0x5ff // see msaudite.h
  53. ;///////////////////////////////////////////////////////////////////////////
  54. ;///////////////////////////////////////////////////////////////////////////
  55. ;// //
  56. ;// //
  57. ;// Audit Message ID Space: //
  58. ;// //
  59. ;// 0x0000 - 0x00FF : Reserved for future use. //
  60. ;// //
  61. ;// 0x0100 - 0x01FF : Categories //
  62. ;// //
  63. ;// 0x0200 - 0x05FF : Events //
  64. ;// //
  65. ;// 0x0600 - 0x063F : Standard access types and names for //
  66. ;// specific accesses when no specific names //
  67. ;// can be found. //
  68. ;// //
  69. ;// 0x0640 - 0x06FF : Well known privilege names (as we would //
  70. ;// like them displayed in the event viewer). //
  71. ;// //
  72. ;// 0x0700 - 0x0FFE : Reserved for future use. //
  73. ;// //
  74. ;// 0X0FFF : SE_ADT_LAST_SYSTEM_MESSAGE (the highest //
  75. ;// value audit message used by the system) //
  76. ;// //
  77. ;// //
  78. ;// 0x1000 and above: For use by Parameter Message Files //
  79. ;// //
  80. ;///////////////////////////////////////////////////////////////////////////
  81. ;///////////////////////////////////////////////////////////////////////////
  82. MessageId=0x0FFF
  83. SymbolicName=SE_ADT_LAST_SYSTEM_MESSAGE
  84. Language=English
  85. Highest System-Defined Audit Message Value.
  86. .
  87. ;
  88. ;/////////////////////////////////////////////////////////////////////////////
  89. ;// //
  90. ;// //
  91. ;// CATEGORIES //
  92. ;// //
  93. ;// Categories take up the range 0x1 - 0x400 //
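  94. ;// NOTE(review): this range disagrees with the ID-space table above (0x0100 - 0x01FF); the category IDs defined below are 0x0001 - 0x0009. //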
  95. ;// Category IDs: //
  96. ;// //
  97. ;// SE_CATEGID_SYSTEM //
  98. ;// SE_CATEGID_LOGON //
  99. ;// SE_CATEGID_OBJECT_ACCESS //
  100. ;// SE_CATEGID_PRIVILEGE_USE //
  101. ;// SE_CATEGID_DETAILED_TRACKING //
  102. ;// SE_CATEGID_POLICY_CHANGE //
  103. ;// SE_CATEGID_ACCOUNT_MANAGEMENT //
  104. ;// SE_CATEGID_DS_ACCESS //
  105. ;// SE_CATEGID_ACCOUNT_LOGON //
  106. ;// //
  107. ;// //
  108. ;/////////////////////////////////////////////////////////////////////////////
  109. MessageId=0x0001
  110. SymbolicName=SE_CATEGID_SYSTEM
  111. Language=English
  112. System Event
  113. .
  114. MessageId=0x0002
  115. SymbolicName=SE_CATEGID_LOGON
  116. Language=English
  117. Logon/Logoff
  118. .
  119. MessageId=0x0003
  120. SymbolicName=SE_CATEGID_OBJECT_ACCESS
  121. Language=English
  122. Object Access
  123. .
  124. MessageId=0x0004
  125. SymbolicName=SE_CATEGID_PRIVILEGE_USE
  126. Language=English
  127. Privilege Use
  128. .
  129. MessageId=0x0005
  130. SymbolicName=SE_CATEGID_DETAILED_TRACKING
  131. Language=English
  132. Detailed Tracking
  133. .
  134. MessageId=0x0006
  135. SymbolicName=SE_CATEGID_POLICY_CHANGE
  136. Language=English
  137. Policy Change
  138. .
  139. MessageId=0x0007
  140. SymbolicName=SE_CATEGID_ACCOUNT_MANAGEMENT
  141. Language=English
  142. Account Management
  143. .
  144. MessageId=0x0008
  145. SymbolicName=SE_CATEGID_DS_ACCESS
  146. Language=English
  147. Directory Service Access
  148. .
  149. MessageId=0x0009
  150. SymbolicName=SE_CATEGID_ACCOUNT_LOGON
  151. Language=English
  152. Account Logon
  153. .
  154. ;
  155. ;/////////////////////////////////////////////////////////////////////////////
  156. ;// //
  157. ;// //
  158. ;// Messages for Category: SE_CATEGID_SYSTEM //
  159. ;// //
  160. ;// Event IDs: //
  161. ;// SE_AUDITID_SYSTEM_RESTART //
  162. ;// SE_AUDITID_SYSTEM_SHUTDOWN //
  163. ;// SE_AUDITID_AUTH_PACKAGE_LOAD //
  164. ;// SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER //
  165. ;// SE_AUDITID_AUDITS_DISCARDED //
  166. ;// SE_AUDITID_NOTIFY_PACKAGE_LOAD //
  167. ;// SE_AUDITID_LPC_INVALID_USE //
  168. ;// SE_AUDITID_SYSTEM_TIME_CHANGE //
  169. ;// SE_AUDITID_UNABLE_TO_LOG_EVENTS //
  170. ;// SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL //
  171. ;// //
  172. ;/////////////////////////////////////////////////////////////////////////////
  173. ;//
  174. ;//
  175. ;// SE_AUDITID_SYSTEM_RESTART
  176. ;//
  177. ;// Category: SE_CATEGID_SYSTEM
  178. ;//
  179. ;// Parameter Strings - None
  180. ;//
  181. ;//
  182. ;//
  183. MessageId=0x0200
  184. SymbolicName=SE_AUDITID_SYSTEM_RESTART
  185. Language=English
  186. Windows is starting up.
  187. .
  188. ;//
  189. ;//
  190. ;// SE_AUDITID_SYSTEM_SHUTDOWN
  191. ;//
  192. ;// Category: SE_CATEGID_SYSTEM
  193. ;//
  194. ;// Parameter Strings - None
  195. ;//
  196. ;//
  197. ;//
  198. MessageId=0x0201
  199. SymbolicName=SE_AUDITID_SYSTEM_SHUTDOWN
  200. Language=English
  201. Windows is shutting down.
  202. All logon sessions will be terminated by this shutdown.
  203. .
  204. ;//
  205. ;//
  206. ;// SE_AUDITID_AUTH_PACKAGE_LOAD
  207. ;//
  208. ;// Category: SE_CATEGID_SYSTEM
  209. ;//
  210. ;// Parameter Strings -
  211. ;//
  212. ;// 1 - Authentication Package Name
  213. ;//
  214. ;//
  215. ;//
  216. MessageId=0x0202
  217. SymbolicName=SE_AUDITID_AUTH_PACKAGE_LOAD
  218. Language=English
  219. An authentication package has been loaded by the Local Security Authority.
  220. This authentication package will be used to authenticate logon attempts.
  221. %n
  222. Authentication Package Name:%t%1
  223. .
  224. ;//
  225. ;//
  226. ;// SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
  227. ;//
  228. ;// Category: SE_CATEGID_SYSTEM
  229. ;//
  230. ;// Parameter Strings -
  231. ;//
  232. ;// 1 - Logon Process Name
  233. ;//
  234. ;//
  235. ;//
  236. MessageId=0x0203
  237. SymbolicName=SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
  238. Language=English
  239. A trusted logon process has registered with the Local Security Authority.
  240. This logon process will be trusted to submit logon requests.
  241. %n
  242. %n
  243. Logon Process Name:%t%1
  244. .
  245. ;//
  246. ;//
  247. ;// SE_AUDITID_AUDITS_DISCARDED
  248. ;//
  249. ;// Category: SE_CATEGID_SYSTEM
  250. ;//
  251. ;// Parameter Strings -
  252. ;//
  253. ;// 1 - Number of audits discarded
  254. ;//
  255. ;//
  256. ;//
  257. MessageId=0x0204
  258. SymbolicName=SE_AUDITID_AUDITS_DISCARDED
  259. Language=English
  260. Internal resources allocated for the queuing of audit messages have been exhausted,
  261. leading to the loss of some audits.
  262. %n
  263. %tNumber of audit messages discarded:%t%1
  264. .
  265. ;//
  266. ;//
  267. ;// SE_AUDITID_AUDIT_LOG_CLEARED
  268. ;//
  269. ;// Category: SE_CATEGID_SYSTEM
  270. ;//
  271. ;// Parameter Strings -
  272. ;//
  273. ;// 1 - Primary user account name
  274. ;//
  275. ;// 2 - Primary authenticating domain name
  276. ;//
  277. ;// 3 - Primary logon ID string
  278. ;//
  279. ;// 4 - Client user account name ("-" if no client)
  280. ;//
  281. ;// 5 - Client authenticating domain name ("-" if no client)
  282. ;//
  283. ;// 6 - Client logon ID string ("-" if no client)
  284. ;//
  285. ;//
  286. ;//
  287. MessageId=0x0205
  288. SymbolicName=SE_AUDITID_AUDIT_LOG_CLEARED
  289. Language=English
  290. The audit log was cleared
  291. %n
  292. %tPrimary User Name:%t%1%n
  293. %tPrimary Domain:%t%2%n
  294. %tPrimary Logon ID:%t%3%n
  295. %tClient User Name:%t%4%n
  296. %tClient Domain:%t%5%n
  297. %tClient Logon ID:%t%6%n
  298. .
  299. ;//
  300. ;//
  301. ;// SE_AUDITID_NOTIFY_PACKAGE_LOAD
  302. ;//
  303. ;// Category: SE_CATEGID_SYSTEM
  304. ;//
  305. ;// Parameter Strings -
  306. ;//
  307. ;// 1 - Notification Package Name
  308. ;//
  309. ;//
  310. ;//
  311. MessageId=0x0206
  312. SymbolicName=SE_AUDITID_NOTIFY_PACKAGE_LOAD
  313. Language=English
  314. An notification package has been loaded by the Security Account Manager.
  315. This package will be notified of any account or password changes.
  316. %n
  317. Notification Package Name:%t%1
  318. .
  319. ;//
  320. ;//
  321. ;// SE_AUDITID_LPC_INVALID_USE
  322. ;//
  323. ;// Category: SE_CATEGID_SYSTEM
  324. ;//
  325. ;// Parameter Strings -
  326. ;//
  327. ;// 1 - LPC call (e.g. "impersonation" | "reply")
  328. ;//
  329. ;// 2 - Server Port name
  330. ;//
  331. ;// 3 - Faulting process
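  332. ;// NOTE(review): the message text below uses insertion strings %1-%10, not the three listed here; this list looks out of date.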
  333. ;// Event type: success
  334. ;//
  335. ;// Description:
  336. ;// SE_AUDITID_LPC_INVALID_USE is generated when a process uses an invalid LPC
  337. ;// port in an attempt to impersonate a client, reply or read/write from/to a client address space.
  338. ;//
  339. MessageId=0x0207
  340. SymbolicName=SE_AUDITID_LPC_INVALID_USE
  341. Language=English
  342. Invalid use of LPC port.%n
  343. %tProcess ID: %1%n
  344. %tImage File Name: %2%n
  345. %tPrimary User Name:%t%3%n
  346. %tPrimary Domain:%t%4%n
  347. %tPrimary Logon ID:%t%5%n
  348. %tClient User Name:%t%6%n
  349. %tClient Domain:%t%7%n
  350. %tClient Logon ID:%t%8%n
  351. %tInvalid use: %9%n
  352. %tServer Port Name:%t%10%n
  353. .
  354. ;//
  355. ;//
  356. ;// SE_AUDITID_SYSTEM_TIME_CHANGE
  357. ;//
  358. ;// Category: SE_CATEGID_SYSTEM
  359. ;//
  360. ;// Parameter Strings -
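  361. ;// NOTE(review): no parameters are listed here, but the message text below uses insertion strings %1-%12.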
  362. ;// Type: success
  363. ;//
  364. ;// Description: This event is generated when the system time is changed.
  365. ;//
  366. ;// Note: This will often appear twice in the audit log; this is an implementation
  367. ;// detail wherein changing the system time results in two calls to NtSetSystemTime.
  368. ;// This is necessary to deal with time zone changes.
  369. ;//
  370. ;//
  371. MessageId=0x0208
  372. SymbolicName=SE_AUDITID_SYSTEM_TIME_CHANGE
  373. Language=English
  374. The system time was changed.%n
  375. Process ID:%t%t%1%n
  376. Process Name:%t%t%2%n
  377. Primary User Name:%t%3%n
  378. Primary Domain:%t%t%4%n
  379. Primary Logon ID:%t%t%5%n
  380. Client User Name:%t%t%6%n
  381. Client Domain:%t%t%7%n
  382. Client Logon ID:%t%t%8%n
  383. Previous Time:%t%t%10 %9%n
  384. New Time:%t%t%12 %11%n
  385. .
  386. ;//
  387. ;//
  388. ;// SE_AUDITID_UNABLE_TO_LOG_EVENTS
  389. ;//
  390. ;// Category: SE_CATEGID_SYSTEM
  391. ;//
  392. ;// Type: failure
  393. ;//
  394. ;// Description:
  395. ;// This event is generated when the system is not able to log
  396. ;// security audit events.
  397. ;//
  398. ;// Parameters:
  399. ;// 1 : Win32 error code
  400. ;//
  401. ;// 2 : value of the key System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
  402. ;// 0 --> CrashOnAuditFail is not set
  403. ;// 1 --> system will crash if not able to log audit events
  404. ;// 2 --> system has rebooted after such a crash and will allow
  405. ;// only admins to logon
  406. ;//
  407. ;//
  408. MessageId=0x0209
  409. SymbolicName=SE_AUDITID_UNABLE_TO_LOG_EVENTS
  410. Language=English
  411. Unable to log events to security log:%n
  412. %tStatus code:%t%t%1%n
  413. %tValue of CrashOnAuditFail:%t%2%n
  414. .
  415. ;//
  416. ;//
  417. ;// SE_AUDITID_AUDIT_COLLECTION_AGENT_ERROR
  418. ;//
  419. ;// Category: SE_CATEGID_SYSTEM
  420. ;//
  421. ;// Type: failure
  422. ;//
  423. ;// Description:
  424. ;// This event is generated when AdtAgent/AdtServer
  425. ;// encounter an error.
  426. ;//
  427. ;// Parameters:
  428. ;// 1 : Component (AdtAgent, AdtServer, etc.)
  429. ;// 2 : Version of the component
  430. ;// 3 : Win32 error
  431. ;//
  432. MessageId=0x020A
  433. SymbolicName=SE_AUDITID_AUDIT_COLLECTION_AGENT_ERROR
  434. Language=English
  435. The audit collection system has encountered an error.%n
  436. %tComponent:%t%1%n
  437. %tVersion:%t%2%n
  438. %tStatus code:%t%3%n
  439. .
  440. ;//
  441. ;//
  442. ;// SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL
  443. ;//
  444. ;// Category: SE_CATEGID_SYSTEM
  445. ;//
  446. ;// Parameter Strings -
  447. ;//
  448. ;// 1 - Percent Full
  449. ;//
  450. ;// Description: This event is generated when the security log exceeds a certain
  451. ;// percent full. That percent is controlled by the registry value named
  452. ;// "WarningLevel" which is stored in the security subkey of the eventlog.
  453. ;//
  454. ;//
  455. MessageId=0x020b
  456. SymbolicName=SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL
  457. Language=English
  458. The security log is now %1 percent full.
  459. .
  460. ;//
  461. ;//
  462. ;// SE_AUDITID_EVENT_LOG_AUTOBACKUP
  463. ;//
  464. ;// Category: SE_CATEGID_SYSTEM
  465. ;//
  466. ;// Type: success/failure
  467. ;//
  468. ;// Description:
  469. ;// This event is generated when the eventlog service automatically
  470. ;// backs up the security log.
  471. ;//
  472. ;// Parameters:
  473. ;// 1 : Type of log (for example, 'Security')
  474. ;// 2 : Full path to the backed-up copy
  475. ;// 3 : Win32 error (0 ==> success)
  476. ;//
  477. MessageId=0x20c
  478. SymbolicName=SE_AUDITID_EVENT_LOG_AUTOBACKUP
  479. Language=English
  480. Event log auto-backup%n
  481. %tLog:%t%1%n
  482. %tFile:%t%2%n
  483. %tStatus:%t%3%n
  484. .
  485. ;
  486. ;/////////////////////////////////////////////////////////////////////////////
  487. ;// //
  488. ;// //
  489. ;// Messages for Category: SE_CATEGID_LOGON //
  490. ;// //
  491. ;// Event IDs: //
  492. ;// SE_AUDITID_SUCCESSFUL_LOGON //
  493. ;// SE_AUDITID_UNKNOWN_USER_OR_PWD //
  494. ;// SE_AUDITID_ACCOUNT_TIME_RESTR //
  495. ;// SE_AUDITID_ACCOUNT_DISABLED //
  496. ;// SE_AUDITID_ACCOUNT_EXPIRED //
  497. ;// SE_AUDITID_WORKSTATION_RESTR //
  498. ;// SE_AUDITID_LOGON_TYPE_RESTR //
  499. ;// SE_AUDITID_PASSWORD_EXPIRED //
  500. ;// SE_AUDITID_NETLOGON_NOT_STARTED //
  501. ;// SE_AUDITID_UNSUCCESSFUL_LOGON //
  502. ;// SE_AUDITID_LOGOFF //
  503. ;// SE_AUDITID_ACCOUNT_LOCKED //
  504. ;// SE_AUDITID_NETWORK_LOGON //
  505. ;// SE_AUDITID_IPSEC_LOGON_SUCCESS //
  506. ;// SE_AUDITID_IPSEC_LOGOFF_MM //
  507. ;// SE_AUDITID_IPSEC_LOGOFF_QM //
  508. ;// SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST //
  509. ;// SE_AUDITID_IPSEC_AUTH_FAIL //
  510. ;// SE_AUDITID_IPSEC_ATTRIB_FAIL //
  511. ;// SE_AUDITID_IPSEC_NEGOTIATION_FAIL //
  512. ;// SE_AUDITID_IPSEC_IKE_NOTIFICATION //
  513. ;// SE_AUDITID_DOMAIN_TRUST_INCONSISTENT //
  514. ;// SE_AUDITID_AUTH_REPLAY_DETECTED //
  515. ;// //
  516. ;/////////////////////////////////////////////////////////////////////////////
  517. ;//
  518. ;//
  519. ;// SE_AUDITID_SUCCESSFUL_LOGON
  520. ;//
  521. ;// Category: SE_CATEGID_LOGON
  522. ;//
  523. ;// Parameter Strings -
  524. ;//
  525. ;// 1 - User account name
  526. ;//
  527. ;// 2 - Authenticating domain name
  528. ;//
  529. ;// 3 - Logon ID string
  530. ;//
  531. ;// 4 - Logon Type string
  532. ;//
  533. ;// 5 - Logon process name
  534. ;//
  535. ;// 6 - Authentication package name
  536. ;//
  537. ;// 7 - Workstation from which logon request came
  538. ;//
  539. ;// 8 - Globally unique logon ID
  540. ;//
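  541. ;// NOTE(review): the message text below also uses %9-%15 (caller identity, caller process ID, transited services, source address and port), which this list omits.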
  542. MessageId=0x0210
  543. SymbolicName=SE_AUDITID_SUCCESSFUL_LOGON
  544. Language=English
  545. Successful Logon:%n
  546. %tUser Name:%t%1%n
  547. %tDomain:%t%t%2%n
  548. %tLogon ID:%t%t%3%n
  549. %tLogon Type:%t%4%n
  550. %tLogon Process:%t%5%n
  551. %tAuthentication Package:%t%6%n
  552. %tWorkstation Name:%t%7%n
  553. %tLogon GUID:%t%8%n
  554. %tCaller User Name:%t%9%n
  555. %tCaller Domain:%t%10%n
  556. %tCaller Logon ID:%t%11%n
  557. %tCaller Process ID: %12%n
  558. %tTransited Services: %13%n
  559. %tSource Network Address:%t%14%n
  560. %tSource Port:%t%15%n
  561. .
  562. ;//
  563. ;//
  564. ;// SE_AUDITID_UNKNOWN_USER_OR_PWD
  565. ;//
  566. ;// Category: SE_CATEGID_LOGON
  567. ;//
  568. ;// Parameter Strings -
  569. ;//
  570. ;// 1 - User account name
  571. ;//
  572. ;// 2 - Authenticating domain name
  573. ;//
  574. ;// 3 - Logon Type string
  575. ;//
  576. ;// 4 - Logon process name
  577. ;//
  578. ;// 5 - Authentication package name
  579. ;//
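  580. ;// NOTE(review): the message text below uses %1-%13; %6-%13 (workstation, caller identity, caller process ID, transited services, source address and port) are not listed here.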
  581. MessageId=0x0211
  582. SymbolicName=SE_AUDITID_UNKNOWN_USER_OR_PWD
  583. Language=English
  584. Logon Failure:%n
  585. %tReason:%t%tUnknown user name or bad password%n
  586. %tUser Name:%t%1%n
  587. %tDomain:%t%t%2%n
  588. %tLogon Type:%t%3%n
  589. %tLogon Process:%t%4%n
  590. %tAuthentication Package:%t%5%n
  591. %tWorkstation Name:%t%6%n
  592. %tCaller User Name:%t%7%n
  593. %tCaller Domain:%t%8%n
  594. %tCaller Logon ID:%t%9%n
  595. %tCaller Process ID:%t%10%n
  596. %tTransited Services:%t%11%n
  597. %tSource Network Address:%t%12%n
  598. %tSource Port:%t%13%n
  599. .
  600. ;//
  601. ;//
  602. ;// SE_AUDITID_ACCOUNT_TIME_RESTR
  603. ;//
  604. ;// Category: SE_CATEGID_LOGON
  605. ;//
  606. ;// Parameter Strings -
  607. ;//
  608. ;// 1 - User account name
  609. ;//
  610. ;// 2 - Authenticating domain name
  611. ;//
  612. ;// 3 - Logon Type string
  613. ;//
  614. ;// 4 - Logon process name
  615. ;//
  616. ;// 5 - Authentication package name
  617. ;//
  618. ;//
  619. MessageId=0x0212
  620. SymbolicName=SE_AUDITID_ACCOUNT_TIME_RESTR
  621. Language=English
  622. Logon Failure:%n
  623. %tReason:%t%tAccount logon time restriction violation%n
  624. %tUser Name:%t%1%n
  625. %tDomain:%t%t%2%n
  626. %tLogon Type:%t%3%n
  627. %tLogon Process:%t%4%n
  628. %tAuthentication Package:%t%5%n
  629. %tWorkstation Name:%t%6%n
  630. %tCaller User Name:%t%7%n
  631. %tCaller Domain:%t%8%n
  632. %tCaller Logon ID:%t%9%n
  633. %tCaller Process ID:%t%10%n
  634. %tTransited Services:%t%11%n
  635. %tSource Network Address:%t%12%n
  636. %tSource Port:%t%13%n
  637. .
  638. ;//
  639. ;//
  640. ;// SE_AUDITID_ACCOUNT_DISABLED
  641. ;//
  642. ;// Category: SE_CATEGID_LOGON
  643. ;//
  644. ;// Parameter Strings -
  645. ;//
  646. ;// 1 - User account name
  647. ;//
  648. ;// 2 - Authenticating domain name
  649. ;//
  650. ;// 3 - Logon Type string
  651. ;//
  652. ;// 4 - Logon process name
  653. ;//
  654. ;// 5 - Authentication package name
  655. ;//
  656. ;//
  657. MessageId=0x0213
  658. SymbolicName=SE_AUDITID_ACCOUNT_DISABLED
  659. Language=English
  660. Logon Failure:%n
  661. %tReason:%t%tAccount currently disabled%n
  662. %tUser Name:%t%1%n
  663. %tDomain:%t%t%2%n
  664. %tLogon Type:%t%3%n
  665. %tLogon Process:%t%4%n
  666. %tAuthentication Package:%t%5%n
  667. %tWorkstation Name:%t%6%n
  668. %tCaller User Name:%t%7%n
  669. %tCaller Domain:%t%8%n
  670. %tCaller Logon ID:%t%9%n
  671. %tCaller Process ID:%t%10%n
  672. %tTransited Services:%t%11%n
  673. %tSource Network Address:%t%12%n
  674. %tSource Port:%t%13%n
  675. .
  676. ;//
  677. ;//
  678. ;// SE_AUDITID_ACCOUNT_EXPIRED
  679. ;//
  680. ;// Category: SE_CATEGID_LOGON
  681. ;//
  682. ;// Parameter Strings -
  683. ;//
  684. ;// 1 - User account name
  685. ;//
  686. ;// 2 - Authenticating domain name
  687. ;//
  688. ;// 3 - Logon Type string
  689. ;//
  690. ;// 4 - Logon process name
  691. ;//
  692. ;// 5 - Authentication package name
  693. ;//
  694. ;//
  695. MessageId=0x0214
  696. SymbolicName=SE_AUDITID_ACCOUNT_EXPIRED
  697. Language=English
  698. Logon Failure:%n
  699. %tReason:%t%tThe specified user account has expired%n
  700. %tUser Name:%t%1%n
  701. %tDomain:%t%t%2%n
  702. %tLogon Type:%t%3%n
  703. %tLogon Process:%t%4%n
  704. %tAuthentication Package:%t%5%n
  705. %tWorkstation Name:%t%6%n
  706. %tCaller User Name:%t%7%n
  707. %tCaller Domain:%t%8%n
  708. %tCaller Logon ID:%t%9%n
  709. %tCaller Process ID:%t%10%n
  710. %tTransited Services:%t%11%n
  711. %tSource Network Address:%t%12%n
  712. %tSource Port:%t%13%n
  713. .
  714. ;//
  715. ;//
  716. ;// SE_AUDITID_WORKSTATION_RESTR
  717. ;//
  718. ;// Category: SE_CATEGID_LOGON
  719. ;//
  720. ;// Parameter Strings -
  721. ;//
  722. ;// 1 - User account name
  723. ;//
  724. ;// 2 - Authenticating domain name
  725. ;//
  726. ;// 3 - Logon Type string
  727. ;//
  728. ;// 4 - Logon process name
  729. ;//
  730. ;// 5 - Authentication package name
  731. ;//
  732. ;//
  733. MessageId=0x0215
  734. SymbolicName=SE_AUDITID_WORKSTATION_RESTR
  735. Language=English
  736. Logon Failure:%n
  737. %tReason:%t%tUser not allowed to logon at this computer%n
  738. %tUser Name:%t%1%n
  739. %tDomain:%t%t%2%n
  740. %tLogon Type:%t%3%n
  741. %tLogon Process:%t%4%n
  742. %tAuthentication Package:%t%5%n
  743. %tWorkstation Name:%t%6%n
  744. %tCaller User Name:%t%7%n
  745. %tCaller Domain:%t%8%n
  746. %tCaller Logon ID:%t%9%n
  747. %tCaller Process ID:%t%10%n
  748. %tTransited Services:%t%11%n
  749. %tSource Network Address:%t%12%n
  750. %tSource Port:%t%13%n
  751. .
  752. ;//
  753. ;//
  754. ;// SE_AUDITID_LOGON_TYPE_RESTR
  755. ;//
  756. ;// Category: SE_CATEGID_LOGON
  757. ;//
  758. ;// Parameter Strings -
  759. ;//
  760. ;// 1 - User account name
  761. ;//
  762. ;// 2 - Authenticating domain name
  763. ;//
  764. ;// 3 - Logon Type string
  765. ;//
  766. ;// 4 - Logon process name
  767. ;//
  768. ;// 5 - Authentication package name
  769. ;//
  770. ;//
  771. MessageId=0x0216
  772. SymbolicName=SE_AUDITID_LOGON_TYPE_RESTR
  773. Language=English
  774. Logon Failure:%n
  775. %tReason:%tThe user has not been granted the requested%n
  776. %t%tlogon type at this machine%n
  777. %tUser Name:%t%1%n
  778. %tDomain:%t%t%2%n
  779. %tLogon Type:%t%3%n
  780. %tLogon Process:%t%4%n
  781. %tAuthentication Package:%t%5%n
  782. %tWorkstation Name:%t%6%n
  783. %tCaller User Name:%t%7%n
  784. %tCaller Domain:%t%8%n
  785. %tCaller Logon ID:%t%9%n
  786. %tCaller Process ID:%t%10%n
  787. %tTransited Services:%t%11%n
  788. %tSource Network Address:%t%12%n
  789. %tSource Port:%t%13%n
  790. .
  791. ;//
  792. ;//
  793. ;// SE_AUDITID_PASSWORD_EXPIRED
  794. ;//
  795. ;// Category: SE_CATEGID_LOGON
  796. ;//
  797. ;// Parameter Strings -
  798. ;//
  799. ;// 1 - User account name
  800. ;//
  801. ;// 2 - Authenticating domain name
  802. ;//
  803. ;// 3 - Logon Type string
  804. ;//
  805. ;// 4 - Logon process name
  806. ;//
  807. ;// 5 - Authentication package name
  808. ;//
  809. ;//
  810. MessageId=0x0217
  811. SymbolicName=SE_AUDITID_PASSWORD_EXPIRED
  812. Language=English
  813. Logon Failure:%n
  814. %tReason:%t%tThe specified account's password has expired%n
  815. %tUser Name:%t%1%n
  816. %tDomain:%t%t%2%n
  817. %tLogon Type:%t%3%n
  818. %tLogon Process:%t%4%n
  819. %tAuthentication Package:%t%5%n
  820. %tWorkstation Name:%t%6%n
  821. %tCaller User Name:%t%7%n
  822. %tCaller Domain:%t%8%n
  823. %tCaller Logon ID:%t%9%n
  824. %tCaller Process ID:%t%10%n
  825. %tTransited Services:%t%11%n
  826. %tSource Network Address:%t%12%n
  827. %tSource Port:%t%13%n
  828. .
  829. ;//
  830. ;//
  831. ;// SE_AUDITID_NETLOGON_NOT_STARTED
  832. ;//
  833. ;// Category: SE_CATEGID_LOGON
  834. ;//
  835. ;// Parameter Strings -
  836. ;//
  837. ;// 1 - User account name
  838. ;//
  839. ;// 2 - Authenticating domain name
  840. ;//
  841. ;// 3 - Logon Type string
  842. ;//
  843. ;// 4 - Logon process name
  844. ;//
  845. ;// 5 - Authentication package name
  846. ;//
  847. ;//
  848. MessageId=0x0218
  849. SymbolicName=SE_AUDITID_NETLOGON_NOT_STARTED
  850. Language=English
  851. Logon Failure:%n
  852. %tReason:%t%tThe NetLogon component is not active%n
  853. %tUser Name:%t%1%n
  854. %tDomain:%t%t%2%n
  855. %tLogon Type:%t%3%n
  856. %tLogon Process:%t%4%n
  857. %tAuthentication Package:%t%5%n
  858. %tWorkstation Name:%t%6%n
  859. %tCaller User Name:%t%7%n
  860. %tCaller Domain:%t%8%n
  861. %tCaller Logon ID:%t%9%n
  862. %tCaller Process ID:%t%10%n
  863. %tTransited Services:%t%11%n
  864. %tSource Network Address:%t%12%n
  865. %tSource Port:%t%13%n
  866. .
  867. ;//
  868. ;//
  869. ;// SE_AUDITID_UNSUCCESSFUL_LOGON
  870. ;//
  871. ;// Category: SE_CATEGID_LOGON
  872. ;//
  873. ;// Parameter Strings -
  874. ;//
  875. ;// 1 - User account name
  876. ;//
  877. ;// 2 - Authenticating domain name
  878. ;//
  879. ;// 3 - Logon Type string
  880. ;//
  881. ;// 4 - Logon process name
  882. ;//
  883. ;// 5 - Authentication package name
  884. ;//
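  885. ;// NOTE(review): in this event %7 and %8 are the status and substatus codes, so the caller fields start at %9 and the message runs to %15; this list stops at 5.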
  886. MessageId=0x0219
  887. SymbolicName=SE_AUDITID_UNSUCCESSFUL_LOGON
  888. Language=English
  889. Logon Failure:%n
  890. %tReason:%t%tAn error occurred during logon%n
  891. %tUser Name:%t%1%n
  892. %tDomain:%t%t%2%n
  893. %tLogon Type:%t%3%n
  894. %tLogon Process:%t%4%n
  895. %tAuthentication Package:%t%5%n
  896. %tWorkstation Name:%t%6%n
  897. %tStatus code:%t%7%n
  898. %tSubstatus code:%t%8%n
  899. %tCaller User Name:%t%9%n
  900. %tCaller Domain:%t%10%n
  901. %tCaller Logon ID:%t%11%n
  902. %tCaller Process ID:%t%12%n
  903. %tTransited Services:%t%13%n
  904. %tSource Network Address:%t%14%n
  905. %tSource Port:%t%15%n
  906. .
  907. ;//
  908. ;//
  909. ;// SE_AUDITID_LOGOFF
  910. ;//
  911. ;// Category: SE_CATEGID_LOGON
  912. ;//
  913. ;// Event Type : success
  914. ;//
  915. ;// Description:
  916. ;// This event is generated when the logoff process is complete.
  917. ;// A logoff is considered complete when the associated logon session object
  918. ;// is deleted.
  919. ;//
  920. ;// Notes:
  921. ;// A logon session object is deleted only after all tokens
  922. ;// associated with it are closed. This can take an arbitrarily long time.
  923. ;// Because of this, the time difference between SE_AUDITID_SUCCESSFUL_LOGON
  924. ;// and SE_AUDITID_LOGOFF does not accurately indicate the total logon duration
  925. ;// for a user. To calculate the logon duration, use the SE_AUDITID_BEGIN_LOGOFF
  926. ;// time instead.
  927. ;//
  928. ;// Parameter Strings -
  929. ;//
  930. ;// 1 - User account name
  931. ;//
  932. ;// 2 - Authenticating domain name
  933. ;//
  934. ;// 3 - Logon ID string
  935. ;//
  936. ;// 4 - Logon Type string
  937. ;//
  938. ;//
  939. ;//
  940. MessageId=0x021A
  941. SymbolicName=SE_AUDITID_LOGOFF
  942. Language=English
  943. User Logoff:%n
  944. %tUser Name:%t%1%n
  945. %tDomain:%t%t%2%n
  946. %tLogon ID:%t%t%3%n
  947. %tLogon Type:%t%4%n
  948. .
  949. ;//
  950. ;//
  951. ;// SE_AUDITID_ACCOUNT_LOCKED
  952. ;//
  953. ;// Category: SE_CATEGID_LOGON
  954. ;//
  955. ;// Parameter Strings -
  956. ;//
  957. ;// 1 - User account name
  958. ;//
  959. ;// 2 - Authenticating domain name
  960. ;//
  961. ;// 3 - Logon Type string
  962. ;//
  963. ;// 4 - Logon process name
  964. ;//
  965. ;// 5 - Authentication package name
  966. ;//
  967. ;//
  968. MessageId=0x021B
  969. SymbolicName=SE_AUDITID_ACCOUNT_LOCKED
  970. Language=English
  971. Logon Failure:%n
  972. %tReason:%t%tAccount locked out%n
  973. %tUser Name:%t%1%n
  974. %tDomain:%t%2%n
  975. %tLogon Type:%t%3%n
  976. %tLogon Process:%t%4%n
  977. %tAuthentication Package:%t%5%n
  978. %tWorkstation Name:%t%6%n
  979. %tCaller User Name:%t%7%n
  980. %tCaller Domain:%t%8%n
  981. %tCaller Logon ID:%t%9%n
  982. %tCaller Process ID: %10%n
  983. %tTransited Services: %11%n
  984. %tSource Network Address:%t%12%n
  985. %tSource Port:%t%13%n
  986. .
  987. ;//
  988. ;//
  989. ;// SE_AUDITID_NETWORK_LOGON
  990. ;//
  991. ;// Category: SE_CATEGID_LOGON
  992. ;//
  993. ;// Description:
  994. ;// This event represents a successful logon of type Network(2) or
  995. ;// NetworkCleartext(8).
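  996. ;// NOTE(review): SECURITY_LOGON_TYPE defines Network as 3 (Interactive is 2), so the "(2)" above looks like a typo - confirm before filtering on it.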
  997. ;// [kumarp] I do not know why this event was created separately because
  998. ;// this was already covered by SE_AUDITID_SUCCESSFUL_LOGON with
  999. ;// the right logon types.
  1000. ;//
  1001. ;// Parameter Strings -
  1002. ;//
  1003. ;// 1 - User account name
  1004. ;//
  1005. ;// 2 - Authenticating domain name
  1006. ;//
  1007. ;// 3 - Logon ID string
  1008. ;//
  1009. ;// 4 - Logon Type string
  1010. ;//
  1011. ;// 5 - Logon process name
  1012. ;//
  1013. ;// 6 - Authentication package name
  1014. ;//
  1015. ;// 7 - Workstation from which logon request came
  1016. ;//
  1017. ;// 8 - Globally unique logon ID
  1018. ;//
  1019. MessageId=0x021c
  1020. SymbolicName=SE_AUDITID_NETWORK_LOGON
  1021. Language=English
  1022. Successful Network Logon:%n
  1023. %tUser Name:%t%1%n
  1024. %tDomain:%t%t%2%n
  1025. %tLogon ID:%t%t%3%n
  1026. %tLogon Type:%t%4%n
  1027. %tLogon Process:%t%5%n
  1028. %tAuthentication Package:%t%6%n
  1029. %tWorkstation Name:%t%7%n
  1030. %tLogon GUID:%t%8%n
  1031. %tCaller User Name:%t%9%n
  1032. %tCaller Domain:%t%10%n
  1033. %tCaller Logon ID:%t%11%n
  1034. %tCaller Process ID: %12%n
  1035. %tTransited Services: %13%n
  1036. %tSource Network Address:%t%14%n
  1037. %tSource Port:%t%15%n
  1038. .
  1039. ;//
  1040. ;//
  1041. ;// SE_AUDITID_IPSEC_LOGON_SUCCESS
  1042. ;//
  1043. ;// Category: SE_CATEGID_LOGON
  1044. ;//
  1045. ;// Parameter Strings -
  1046. ;//
  1047. ;// 1 - Mode
  1048. ;//
  1049. ;// 2 - Peer Identity
  1050. ;//
  1051. ;// 3 - Filter
  1052. ;//
  1053. ;// 4 - Parameters
  1054. ;//
  1055. ;//
  1056. MessageId=0x021d
  1057. SymbolicName=SE_AUDITID_IPSEC_LOGON_SUCCESS
  1058. Language=English
  1059. IKE security association established.%n
  1060. Mode: %n%1%n
  1061. Peer Identity: %n%2%n
  1062. Filter: %n%3%n
  1063. Parameters: %n%4%n
  1064. .
  1065. ;//
  1066. ;//
  1067. ;// SE_AUDITID_IPSEC_LOGOFF_QM
  1068. ;//
  1069. ;// Category: SE_CATEGID_LOGON
  1070. ;//
  1071. ;// Parameter Strings -
  1072. ;//
  1073. ;// 1 - Filter
  1074. ;//
  1075. ;// 2 - Inbound SPI
  1076. ;//
  1077. ;// 3 - Outbound SPI
  1078. ;//
  1079. ;//
  1080. MessageId=0x021e
  1081. SymbolicName=SE_AUDITID_IPSEC_LOGOFF_QM
  1082. Language=English
  1083. IKE security association ended.%n
  1084. Mode: Data Protection (Quick mode)
  1085. Filter: %n%1%n
  1086. Inbound SPI: %n%2%n
  1087. Outbound SPI: %n%3%n
  1088. .
  1089. ;//
  1090. ;//
  1091. ;// SE_AUDITID_IPSEC_LOGOFF_MM
  1092. ;//
  1093. ;// Category: SE_CATEGID_LOGON
  1094. ;//
  1095. ;// Parameter Strings -
  1096. ;//
  1097. ;// 1 - Filter
  1098. ;//
  1099. MessageId=0x021f
  1100. SymbolicName=SE_AUDITID_IPSEC_LOGOFF_MM
  1101. Language=English
  1102. IKE security association ended.%n
  1103. Mode: Key Exchange (Main mode)%n
  1104. Filter: %n%1%n
  1105. .
  1106. ;//
  1107. ;//
  1108. ;// SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
  1109. ;//
  1110. ;// Category: SE_CATEGID_LOGON
  1111. ;//
  1112. ;// Parameter Strings -
  1113. ;//
  1114. ;// 1 - Peer Identity
  1115. ;//
  1116. ;// 2 - Filter
  1117. ;//
  1118. ;//
  1119. MessageId=0x0220
  1120. SymbolicName=SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
  1121. Language=English
  1122. IKE security association establishment failed because peer could not authenticate.
  1123. The certificate trust could not be established.%n
  1124. Peer Identity: %n%1%n
  1125. Filter: %n%2%n
  1126. .
  1127. ;//
  1128. ;//
  1129. ;// SE_AUDITID_IPSEC_AUTH_FAIL
  1130. ;//
  1131. ;// Category: SE_CATEGID_LOGON
  1132. ;//
  1133. ;// Parameter Strings -
  1134. ;//
  1135. ;// 1 - Peer Identity
  1136. ;//
  1137. ;// 2 - Filter
  1138. ;//
  1139. ;//
  1140. MessageId=0x0221
  1141. SymbolicName=SE_AUDITID_IPSEC_AUTH_FAIL
  1142. Language=English
  1143. IKE peer authentication failed.%n
  1144. Peer Identity: %n%1%n
  1145. Filter: %n%2%n
  1146. .
  1147. ;//
  1148. ;//
  1149. ;// SE_AUDITID_IPSEC_ATTRIB_FAIL
  1150. ;//
  1151. ;// Category: SE_CATEGID_LOGON
  1152. ;//
  1153. ;// Parameter Strings -
  1154. ;//
  1155. ;// 1 - Mode
  1156. ;//
  1157. ;// 2 - Filter
  1158. ;//
  1159. ;// 3 - Attribute Name
  1160. ;//
  1161. ;// 4 - Expected Value
  1162. ;//
  1163. ;// 5 - Received Value
  1164. ;//
  1165. ;//
  1166. MessageId=0x0222
  1167. SymbolicName=SE_AUDITID_IPSEC_ATTRIB_FAIL
  1168. Language=English
  1169. IKE security association establishment failed because peer
  1170. sent invalid proposal.%n
  1171. Mode: %n%1%n
  1172. Filter: %n%2%n
  1173. Attribute: %n%3%n
  1174. Expected value: %n%4%n
  1175. Received value: %n%5%n
  1176. .
  1177. ;//
  1178. ;//
  1179. ;// SE_AUDITID_IPSEC_NEGOTIATION_FAIL
  1180. ;//
  1181. ;// Category: SE_CATEGID_LOGON
  1182. ;//
  1183. ;// Parameter Strings -
  1184. ;//
  1185. ;// 1 - Mode
  1186. ;//
  1187. ;// 2 - Filter
  1188. ;//
  1189. ;// 3 - Failure Point
  1190. ;//
  1191. ;// 4 - Failure Reason
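  1192. ;// NOTE(review): this list looks stale - the message text below has six
  1193. ;// insertions (%3 Peer Identity, %4 Failure Point, %5 Failure Reason, %6 Extra Status).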
  1194. MessageId=0x0223
  1195. SymbolicName=SE_AUDITID_IPSEC_NEGOTIATION_FAIL
  1196. Language=English
  1197. IKE security association negotiation failed.%n
  1198. Mode: %n%1%n
  1199. Filter: %n%2%n
  1200. Peer Identity: %n%3%n
  1201. Failure Point: %n%4%n
  1202. Failure Reason: %n%5%n
  1203. Extra Status: %n%6%n
  1204. .
  1205. ;//
  1206. ;//
  1207. ;// SE_AUDITID_DOMAIN_TRUST_INCONSISTENT
  1208. ;//
  1209. ;// Category: SE_CATEGID_LOGON
  1210. ;//
  1211. ;// Event Type : failure
  1212. ;//
  1213. ;// Description:
  1214. ;// This event is generated by an authentication package when the
  1215. ;// quarantined domain SID filtering function in LSA returns
  1216. ;// STATUS_DOMAIN_TRUST_INCONSISTENT error code.
  1217. ;//
  1218. ;// In case of kerberos:
  1219. ;// If the server ticket info has a TDOSid then KdcCheckPacForSidFiltering
  1220. ;// function makes a check to make sure the SID from the TDO matches
  1221. ;// the client's home domain SID. A call to LsaIFilterSids
  1222. ;// is made to do the check. If this function fails with
  1223. ;// STATUS_DOMAIN_TRUST_INCONSISTENT then this event is generated.
  1224. ;//
  1225. ;// In case of netlogon:
  1226. ;// NlpUserValidateHigher function does a similar check by
  1227. ;// calling LsaIFilterSids.
  1228. ;//
  1229. ;// Notes:
  1230. ;//
  1231. MessageId=0x0224
  1232. SymbolicName=SE_AUDITID_DOMAIN_TRUST_INCONSISTENT
  1233. Language=English
  1234. Logon Failure:%n
  1235. %tReason:%t%tDomain sid inconsistent%n
  1236. %tUser Name:%t%1%n
  1237. %tDomain:%t%t%2%n
  1238. %tLogon Type:%t%3%n
  1239. %tLogon Process:%t%4%n
  1240. %tAuthentication Package:%t%5%n
  1241. %tWorkstation Name:%t%6
  1242. %tTransited Services:%t%7%n
  1243. .
  1244. ;//
  1245. ;//
  1246. ;// SE_AUDITID_ALL_SIDS_FILTERED
  1247. ;//
  1248. ;// Category: SE_CATEGID_LOGON
  1249. ;//
  1250. ;// Event Type : failure
  1251. ;//
  1252. ;// Description:
  1253. ;// During a cross-forest authentication, SIDs corresponding to untrusted
  1254. ;// namespaces are filtered out. If this filtering removes all SIDs,
  1255. ;// this event is generated.
  1256. ;//
  1257. ;// Notes:
  1258. ;// This is generated on the computer running kdc
  1259. ;//
  1260. ;// **** This event is now obsolete. The schema below is retained so that
  1261. ;// people can view old instances of this event using a new viewer.
  1262. ;//
  1263. MessageId=0x0225
  1264. SymbolicName=SE_AUDITID_ALL_SIDS_FILTERED
  1265. Language=English
  1266. Logon Failure:%n
  1267. %tReason: %tAll sids were filtered out%n
  1268. %tUser Name:%t%1%n
  1269. %tDomain:%t%2%n
  1270. %tLogon Type:%t%3%n
  1271. %tLogon Process:%t%4%n
  1272. %tAuthentication Package%t: %5%n
  1273. %tWorkstation Name:%t%6
  1274. .
  1275. ;//
  1276. ;//
  1277. ;// SE_AUDITID_IPSEC_IKE_NOTIFICATION
  1278. ;//
  1279. ;// Category: SE_CATEGID_LOGON
  1280. ;//
  1281. ;// Parameter Strings -
  1282. ;//
  1283. ;// 1 - Notification Message
  1284. ;//
  1285. MessageId=0x0226
  1286. SymbolicName=SE_AUDITID_IPSEC_IKE_NOTIFICATION
  1287. Language=English
  1288. %1%n
  1289. .
  1290. ;//
  1291. ;//
  1292. ;// SE_AUDITID_BEGIN_LOGOFF
  1293. ;//
  1294. ;// Category: SE_CATEGID_LOGON
  1295. ;//
  1296. ;// Event Type : success
  1297. ;//
  1298. ;// Description:
  1299. ;// This event is generated when a user initiates logoff.
  1300. ;//
  1301. ;// Notes:
  1302. ;// When the logoff process is complete, SE_AUDITID_LOGOFF event is generated.
  1303. ;// A logoff is considered complete when the associated logon session object
  1304. ;// is deleted. This happens only after all tokens associated with it are closed.
  1305. ;// This can take an arbitrarily long time, so there can be a substantial
  1306. ;// time difference between the two events.
  1307. ;//
  1308. ;//
  1309. ;// Parameter Strings -
  1310. ;//
  1311. ;// 1 - User account name
  1312. ;//
  1313. ;// 2 - Authenticating domain name
  1314. ;//
  1315. ;// 3 - Logon ID string
  1316. ;//
  1317. ;//
  1318. MessageId=0x0227
  1319. SymbolicName=SE_AUDITID_BEGIN_LOGOFF
  1320. Language=English
  1321. User initiated logoff:%n
  1322. %tUser Name:%t%1%n
  1323. %tDomain:%t%t%2%n
  1324. %tLogon ID:%t%t%3%n
  1325. .
  1326. ;//
  1327. ;//
  1328. ;// SE_AUDITID_LOGON_USING_EXPLICIT_CREDENTIALS
  1329. ;//
  1330. ;// Category: SE_CATEGID_LOGON
  1331. ;//
  1332. ;// Event Type : success
  1333. ;//
  1334. ;// Description:
  1335. ;// This event is generated when someone tries to logon using
  1336. ;// explicit credentials while already logged on as a different user.
  1337. ;//
  1338. ;// Notes:
  1339. ;// This is generated on the client machine from which logon request originates.
  1340. ;//
  1341. ;//
  1342. MessageId=0x0228
  1343. SymbolicName=SE_AUDITID_LOGON_USING_EXPLICIT_CREDENTIALS
  1344. Language=English
  1345. Logon attempt using explicit credentials:%n
  1346. Logged on user:%n
  1347. %tUser Name:%t%1%n
  1348. %tDomain:%t%t%2%n
  1349. %tLogon ID:%t%t%3%n
  1350. %tLogon GUID:%t%4%n
  1351. User whose credentials were used:%n
  1352. %tTarget User Name:%t%5%n
  1353. %tTarget Domain:%t%6%n
  1354. %tTarget Logon GUID: %7%n%n
  1355. Target Server Name:%t%8%n
  1356. Target Server Info:%t%9%n
  1357. Caller Process ID:%t%10%n
  1358. Source Network Address:%t%11%n
  1359. Source Port:%t%12%n
  1360. .
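  1361. ;//
  1362. ;//
  1363. ;// SE_AUDITID_AUTH_REPLAY_DETECTED
  1364. ;//
  1365. ;// Category: SE_CATEGID_LOGON
  1366. ;//
  1367. ;// Event Type : failure
  1368. ;//
  1369. ;// Description:
  1370. ;// This event is generated when an auth package detects a replay attack.
  1371. ;//
  1372. ;// Notes:
  1373. ;// This is generated by the computer running kdc or the server machine
  1374. ;// that is receiving the auth request. For kerberos, Request Type is one of
  1375. ;// the KRB_XXX_REQ or whatever request depending on the specific auth protocol.
  1376. ;//
  1377. ;// The Domain line is padded with "%t%t"; "%%" would emit a literal percent sign.
  1378. MessageId=0x0229
  1379. SymbolicName=SE_AUDITID_AUTH_REPLAY_DETECTED
  1380. Language=English
  1381. %tUser Name:%t%1%n
  1382. %tDomain:%t%t%2%n
  1383. %tRequest Type:%t%3%n
  1384. %tLogon Process:%t%4%n
  1385. %tAuthentication Package:%t%5%n
  1386. %tWorkstation Name:%t%6%n
  1387. %tCaller User Name:%t%7%n
  1388. %tCaller Domain:%t%8%n
  1389. %tCaller Logon ID:%t%9%n
  1390. %tCaller Process ID: %10%n
  1391. %tTransited Services: %11%n
  1392. .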
  1393. ;
  1394. ;/////////////////////////////////////////////////////////////////////////////
  1395. ;// //
  1396. ;// //
  1397. ;// Messages for Category: SE_CATEGID_OBJECT_ACCESS //
  1398. ;// //
  1399. ;// Event IDs: //
  1400. ;// SE_AUDITID_OPEN_HANDLE //
  1401. ;// SE_AUDITID_CLOSE_HANDLE //
  1402. ;// SE_AUDITID_OPEN_OBJECT_FOR_DELETE //
  1403. ;// SE_AUDITID_DELETE_OBJECT //
  1404. ;// SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE //
  1405. ;// SE_AUDITID_OBJECT_OPERATION //
  1406. ;// SE_AUDITID_OBJECT_ACCESS //
  1407. ;// SE_AUDITID_HARDLINK_CREATION //
  1408. ;// //
  1409. ;// //
  1410. ;/////////////////////////////////////////////////////////////////////////////
  1411. ;//
  1412. ;//
  1413. ;// SE_AUDITID_OPEN_HANDLE
  1414. ;//
  1415. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1416. ;//
  1417. ;// Parameter Strings -
  1418. ;//
  1419. ;// 1 - Object Type string
  1420. ;//
  1421. ;// 2 - Object name
  1422. ;//
  1423. ;// 3 - New handle ID string
  1424. ;//
  1425. ;// 4 - Object server name
  1426. ;//
  1427. ;// 5 - Process ID string
  1428. ;//
  1429. ;// 6 - Primary user account name
  1430. ;//
  1431. ;// 7 - Primary authenticating domain name
  1432. ;//
  1433. ;// 8 - Primary logon ID string
  1434. ;//
  1435. ;// 9 - Client user account name ("-" if no client)
  1436. ;//
  1437. ;// 10 - Client authenticating domain name ("-" if no client)
  1438. ;//
  1439. ;// 11 - Client logon ID string ("-" if no client)
  1440. ;//
  1441. ;// 12 - Access names
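  1442. ;// NOTE(review): the list above does not match the message text below,
  1443. ;// which has 18 insertions and starts with %1 = Object Server. Field
  1444. ;// positions should be taken from the message text.
  1445. ;//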
  1446. MessageId=0x0230
  1447. SymbolicName=SE_AUDITID_OPEN_HANDLE
  1448. Language=English
  1449. Object Open:%n
  1450. %tObject Server:%t%1%n
  1451. %tObject Type:%t%2%n
  1452. %tObject Name:%t%3%n
  1453. %tHandle ID:%t%4%n
  1454. %tOperation ID:%t{%5,%6}%n
  1455. %tProcess ID:%t%7%n
  1456. %tImage File Name:%t%8%n
  1457. %tPrimary User Name:%t%9%n
  1458. %tPrimary Domain:%t%10%n
  1459. %tPrimary Logon ID:%t%11%n
  1460. %tClient User Name:%t%12%n
  1461. %tClient Domain:%t%13%n
  1462. %tClient Logon ID:%t%14%n
  1463. %tAccesses:%t%15%n
  1464. %tPrivileges:%t%16%n
  1465. %tRestricted Sid Count:%t%17%n
  1466. %tAccess Mask:%t%18%n
  1467. .
  1468. ;//
  1469. ;//
  1470. ;// SE_AUDITID_CLOSE_HANDLE
  1471. ;//
  1472. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1473. ;//
  1474. ;// Parameter Strings -
  1475. ;//
  1476. ;// 1 - Object server name
  1477. ;//
  1478. ;// 2 - Handle ID string
  1479. ;//
  1480. ;// 3 - Process ID string
  1481. ;//
  1482. ;// NOTE(review): the message text below also uses %4 (Image File Name),
  1483. ;// which this list omits.
  1484. ;//
  1485. MessageId=0x0232
  1486. SymbolicName=SE_AUDITID_CLOSE_HANDLE
  1487. Language=English
  1488. Handle Closed:%n
  1489. %tObject Server:%t%1%n
  1490. %tHandle ID:%t%2%n
  1491. %tProcess ID:%t%3%n
  1492. %tImage File Name:%t%4%n
  1493. .
  1494. ;//
  1495. ;//
  1496. ;// SE_AUDITID_OPEN_OBJECT_FOR_DELETE
  1497. ;//
  1498. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1499. ;//
  1500. ;// Parameter Strings -
  1501. ;//
  1502. ;// 1 - Object Type string
  1503. ;//
  1504. ;// 2 - Object name
  1505. ;//
  1506. ;// 3 - New handle ID string
  1507. ;//
  1508. ;// 4 - Object server name
  1509. ;//
  1510. ;// 5 - Process ID string
  1511. ;//
  1512. ;// 6 - Primary user account name
  1513. ;//
  1514. ;// 7 - Primary authenticating domain name
  1515. ;//
  1516. ;// 8 - Primary logon ID string
  1517. ;//
  1518. ;// 9 - Client user account name ("-" if no client)
  1519. ;//
  1520. ;// 10 - Client authenticating domain name ("-" if no client)
  1521. ;//
  1522. ;// 11 - Client logon ID string ("-" if no client)
  1523. ;//
  1524. ;// 12 - Access names
  1525. ;//
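  1526. ;// NOTE(review): the list above does not match the message text below,
  1527. ;// which has 16 insertions and starts with %1 = Object Server. Field
  1528. ;// positions should be taken from the message text.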
  1529. MessageId=0x0233
  1530. SymbolicName=SE_AUDITID_OPEN_OBJECT_FOR_DELETE
  1531. Language=English
  1532. Object Open for Delete:%n
  1533. %tObject Server:%t%1%n
  1534. %tObject Type:%t%2%n
  1535. %tObject Name:%t%3%n
  1536. %tHandle ID:%t%4%n
  1537. %tOperation ID:%t{%5,%6}%n
  1538. %tProcess ID:%t%7%n
  1539. %tPrimary User Name:%t%8%n
  1540. %tPrimary Domain:%t%9%n
  1541. %tPrimary Logon ID:%t%10%n
  1542. %tClient User Name:%t%11%n
  1543. %tClient Domain:%t%12%n
  1544. %tClient Logon ID:%t%13%n
  1545. %tAccesses:%t%t%14%n
  1546. %tPrivileges:%t%t%15%n
  1547. %tAccess Mask:%t%16%n
  1548. .
  1549. ;//
  1550. ;//
  1551. ;// SE_AUDITID_DELETE_OBJECT
  1552. ;//
  1553. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1554. ;//
  1555. ;// Parameter Strings -
  1556. ;//
  1557. ;// 1 - Object server name
  1558. ;//
  1559. ;// 2 - Handle ID string
  1560. ;//
  1561. ;// 3 - Process ID string
  1562. ;//
  1563. ;// NOTE(review): the message text below also uses %4 (Image File Name),
  1564. ;// which this list omits.
  1565. ;//
  1566. MessageId=0x0234
  1567. SymbolicName=SE_AUDITID_DELETE_OBJECT
  1568. Language=English
  1569. Object Deleted:%n
  1570. %tObject Server:%t%1%n
  1571. %tHandle ID:%t%2%n
  1572. %tProcess ID:%t%3%n
  1573. %tImage File Name:%t%4%n
  1574. .
  1575. ;//
  1576. ;//
  1577. ;// SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
  1578. ;//
  1579. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1580. ;//
  1581. ;// Parameter Strings -
  1582. ;//
  1583. ;// 1 - Object Type string
  1584. ;//
  1585. ;// 2 - Object name
  1586. ;//
  1587. ;// 3 - New handle ID string
  1588. ;//
  1589. ;// 4 - Object server name
  1590. ;//
  1591. ;// 5 - Process ID string
  1592. ;//
  1593. ;// 6 - Primary user account name
  1594. ;//
  1595. ;// 7 - Primary authenticating domain name
  1596. ;//
  1597. ;// 8 - Primary logon ID string
  1598. ;//
  1599. ;// 9 - Client user account name ("-" if no client)
  1600. ;//
  1601. ;// 10 - Client authenticating domain name ("-" if no client)
  1602. ;//
  1603. ;// 11 - Client logon ID string ("-" if no client)
  1604. ;//
  1605. ;// 12 - Access names
  1606. ;//
  1607. ;// 13 - Object Type parameters
  1608. ;//
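  1609. ;// NOTE(review): the list above does not match the message text below,
  1610. ;// which has 18 insertions and starts with %1 = Object Server. Field
  1611. ;// positions should be taken from the message text.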
  1612. MessageId=0x0235
  1613. SymbolicName=SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
  1614. Language=English
  1615. Object Open:%n
  1616. %tObject Server:%t%1%n
  1617. %tObject Type:%t%2%n
  1618. %tObject Name:%t%3%n
  1619. %tHandle ID:%t%4%n
  1620. %tOperation ID:%t{%5,%6}%n
  1621. %tProcess ID:%t%7%n
  1622. %tProcess Name:%t%8%n
  1623. %tPrimary User Name:%t%9%n
  1624. %tPrimary Domain:%t%10%n
  1625. %tPrimary Logon ID:%t%11%n
  1626. %tClient User Name:%t%12%n
  1627. %tClient Domain:%t%13%n
  1628. %tClient Logon ID:%t%14%n
  1629. %tAccesses:%t%15%n
  1630. %tPrivileges:%t%16%n%n
  1631. %tProperties:%n%17%n
  1632. %tAccess Mask:%t%18%n
  1633. .
  1634. ;
  1635. ;// SE_AUDITID_OBJECT_OPERATION
  1636. ;//
  1637. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1638. ;//
  1639. ;// Parameter Strings -
  1640. ;//
  1641. ;// 1 - Operation Name
  1642. ;//
  1643. ;// 2 - Object Type
  1644. ;//
  1645. ;// 3 - Object name
  1646. ;//
  1647. ;// 4 - Handle ID
  1648. ;//
  1649. ;// 5 - Primary user account name
  1650. ;//
  1651. ;// 6 - Primary authenticating domain name
  1652. ;//
  1653. ;// 7 - Primary logon ID string
  1654. ;//
  1655. ;// 8 - Client user account name ("-" if no client)
  1656. ;//
  1657. ;// 9 - Client authenticating domain name ("-" if no client)
  1658. ;//
  1659. ;// 10 - Client logon ID string ("-" if no client)
  1660. ;//
  1661. ;// 11 - Requested accesses to the object
  1662. ;//
  1663. ;// 12 - Object properties ("-" if none)
  1664. ;//
  1665. ;// 13 - additional information ("-" if none)
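  1666. ;// NOTE(review): stale list - the message text below has 16 insertions, starting with %1 = Object Server.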
  1667. MessageId=0x0236
  1668. SymbolicName=SE_AUDITID_OBJECT_OPERATION
  1669. Language=English
  1670. Object Operation:%n
  1671. %tObject Server:%t%1%n
  1672. %tOperation Type:%t%2%n
  1673. %tObject Type:%t%3%n
  1674. %tObject Name:%t%4%n
  1675. %tHandle ID:%t%5%n
  1676. %tPrimary User Name:%t%6%n
  1677. %tPrimary Domain:%t%7%n
  1678. %tPrimary Logon ID:%t%8%n
  1679. %tClient User Name:%t%9%n
  1680. %tClient Domain:%t%10%n
  1681. %tClient Logon ID:%t%11%n
  1682. %tAccesses:%t%12%n
  1683. %tProperties:%n%t%13%n
  1684. %tAdditional Info:%t%14%n
  1685. %tAdditional Info2:%t%15%n
  1686. %tAccess Mask:%t%16%n
  1687. .
  1688. ;//
  1689. ;//
  1690. ;// SE_AUDITID_OBJECT_ACCESS
  1691. ;//
  1692. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1693. ;//
  1694. ;// Parameter Strings -
  1695. ;//
  1696. ;// 1 - Object server name
  1697. ;//
  1698. ;// 2 - Handle ID string
  1699. ;//
  1700. ;// 3 - Process ID string
  1701. ;//
  1702. ;// 4 - List of Accesses
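  1703. ;// NOTE(review): stale list - the message text below has seven insertions
  1704. ;// (%3 Object Type, %4 Process ID, %5 Image File Name, %6 Accesses, %7 Access Mask).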
  1705. MessageId=0x0237
  1706. SymbolicName=SE_AUDITID_OBJECT_ACCESS
  1707. Language=English
  1708. Object Access Attempt:%n
  1709. %tObject Server:%t%1%n
  1710. %tHandle ID:%t%2%n
  1711. %tObject Type:%t%3%n
  1712. %tProcess ID:%t%4%n
  1713. %tImage File Name:%t%5%n
  1714. %tAccesses:%t%6%n
  1715. %tAccess Mask:%t%7%n
  1716. .
  1717. ;//
  1718. ;//
  1719. ;// SE_AUDITID_HARDLINK_CREATION
  1720. ;//
  1721. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1722. ;//
  1723. ;// Parameter Strings -
  1724. ;//
  1725. ;// 1 - Object server name
  1726. ;//
  1727. ;// 2 - Handle ID string
  1728. ;//
  1729. ;// 3 - Process ID string
  1730. ;//
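  1731. ;// NOTE(review): the list above does not match the message text below, whose
  1732. ;// insertions are %1 Primary User Name, %2 Primary Domain, %3 Primary Logon ID,
  1733. ;// %4 File Name, %5 Link Name.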
  1734. MessageId=0x0238
  1735. SymbolicName=SE_AUDITID_HARDLINK_CREATION
  1736. Language=English
  1737. Hard link creation attempt:%n
  1738. %tPrimary User Name:%t%1%n
  1739. %tPrimary Domain:%t%2%n
  1740. %tPrimary Logon ID:%t%3%n
  1741. %tFile Name:%t%4%n
  1742. %tLink Name:%t%5%n
  1743. .
  1744. ;//
  1745. ;//
  1746. ;// SE_AUDITID_AZ_CLIENTCONTEXT_CREATION
  1747. ;//
  1748. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1749. ;//
  1750. ;// Parameter Strings -
  1751. ;//
  1752. ;// 1 - Application name
  1753. ;//
  1754. ;// 2 - Application instance id
  1755. ;//
  1756. ;// 3 - Client name
  1757. ;//
  1758. ;// 4 - Client domain name
  1759. ;//
  1760. ;// 5 - Client Logon id
  1761. ;//
  1762. ;// 6 - Error status
  1763. ;//
  1764. ;//
  1765. ;// Description: This audit is generated when the resource manager in AZ
  1766. ;// creates a client context. Currently, the only creation supported is
  1767. ;// from an NT token. To trace back to the identity of the client, match the
  1768. ;// Client Context ID with the Logon ID in the Token Creation audit.
  1769. ;//
  1770. ;//
  1771. MessageId=0x0239
  1772. SymbolicName=SE_AUDITID_AZ_CLIENTCONTEXT_CREATION
  1773. Language=English
  1774. Application client context creation attempt:%n
  1775. %tApplication Name:%t%1%n
  1776. %tApplication Instance ID:%t%2%n
  1777. %tClient Name:%t%3%n
  1778. %tClient Domain:%t%4%n
  1779. %tClient Context ID:%t%5%n
  1780. %tStatus:%t%6%n
  1781. .
  1782. ;//
  1783. ;//
  1784. ;// SE_AUDITID_AZ_ACCESSCHECK
  1785. ;//
  1786. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1787. ;//
  1788. ;// Parameter Strings -
  1789. ;//
  1790. ;// 1 - Application Name
  1791. ;//
  1792. ;// 2 - Application instance luid
  1793. ;//
  1794. ;// 3 - Object Name
  1795. ;//
  1796. ;// 4 - Scope name to which the object belongs
  1797. ;// Scopes are not nested in V1. In V2, this will be a comma
  1798. ;// separated list.
  1799. ;//
  1800. ;// 5 - Client name
  1801. ;//
  1802. ;// 6 - Client domain name
  1803. ;//
  1804. ;// 7 - Client Logon Id
  1805. ;//
  1806. ;// 8 - Role information
  1807. ;// Role because of which the client was granted access.
  1808. ;//
  1809. ;// 9 - Group Information
  1810. ;// Groups because of which the client belonged to the role.
  1811. ;// This is a comma separated list.
  1812. ;//
  1813. ;// 10 - Operation name
  1814. ;// Name of the operation e.g. Read general information
  1815. ;//
  1816. ;// 11 - Operation Id
  1817. ;// DWORD internal representation of the operation.
  1818. ;//
  1819. ;//
  1820. ;// Description: This audit is generated when the client accesses an object.
  1821. ;// One audit (success/failure) is generated for every operation requested.
  1822. ;// Ex: Asked for Op1, Op2, Op3.
  1823. ;// Granted Op1; Denied Op2, Op3
  1824. ;// Will generate one success and 2 failure audits.
  1825. ;//
  1826. MessageId=0x023A
  1827. SymbolicName=SE_AUDITID_AZ_ACCESSCHECK
  1828. Language=English
  1829. Application operation attempt:%n
  1830. %tApplication Name:%t%1%n
  1831. %tApplication Instance ID:%t%2%n
  1832. %tObject Name:%t%3%n
  1833. %tScope Names:%t%4%n
  1834. %tClient Name:%t%5%n
  1835. %tClient Domain:%t%6%n
  1836. %tClient Context ID:%t%7%n
  1837. %tRole:%t%8%n
  1838. %tGroups:%t%9%n
  1839. %tOperation Name:%t%10 (%11)%n
  1840. .
  1841. ;//
  1842. ;//
  1843. ;// SE_AUDITID_AZ_CLIENTCONTEXT_DELETION
  1844. ;//
  1845. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1846. ;//
  1847. ;// Parameter Strings -
  1848. ;//
  1849. ;// 1 - Application name
  1850. ;//
  1851. ;// 2 - Application instance luid
  1852. ;//
  1853. ;// 3 - Client name
  1854. ;//
  1855. ;// 4 - Client domain name
  1856. ;//
  1857. ;// 5 - Client login Id
  1858. ;//
  1859. ;// Description: This audit is generated when the client context is deleted by
  1860. ;// the AZ app. Tie this with the client context creation audit.
  1861. ;//
  1862. ;//
  1863. ;//
  1864. MessageId=0x023B
  1865. SymbolicName=SE_AUDITID_AZ_CLIENTCONTEXT_DELETION
  1866. Language=English
  1867. Application client context deletion:%n
  1868. %tApplication Name:%t%1%n
  1869. %tApplication Instance ID:%t%2%n
  1870. %tClient Name:%t%3%n
  1871. %tClient Domain:%t%4%n
  1872. %tClient Context ID:%t%5%n
  1873. .
  1874. ;//
  1875. ;//
  1876. ;// SE_AUDITID_AZ_APPLICATION_INITIALIZATION
  1877. ;//
  1878. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1879. ;//
  1880. ;// Parameter Strings -
  1881. ;//
  1882. ;// 1 - Application name
  1883. ;//
  1884. ;// 2 - Application instance luid
  1885. ;//
  1886. ;// 3 - Client name
  1887. ;//
  1888. ;// 4 - Client domain name
  1889. ;//
  1890. ;// 5 - Client logon id
  1891. ;//
  1892. ;// 6 - Policy store url
  1893. ;//
  1894. ;// Description: This audit is generated when the admin manager initializes the
  1895. ;// app. The application name and instance ID help to tie future audits to it.
  1896. ;//
  1897. ;//
  1898. ;//
  1899. MessageId=0x023C
  1900. SymbolicName=SE_AUDITID_AZ_APPLICATION_INITIALIZATION
  1901. Language=English
  1902. Application Initialized%n
  1903. %tApplication Name:%t%1%n
  1904. %tApplication Instance ID:%t%2%n
  1905. %tClient Name:%t%3%n
  1906. %tClient Domain:%t%4%n
  1907. %tClient ID:%t%5%n
  1908. %tPolicy Store URL:%t%6%n
  1909. .
  1910. ;//
  1911. ;//
  1912. ;// SE_AUDITID_GENERIC_AUDIT_EVENT
  1913. ;//
  1914. ;// Category: SE_CATEGID_OBJECT_ACCESS
  1915. ;//
  1916. ;// Parameter Strings -
  1917. ;//
  1918. ;// 1 - source name
  1919. ;//
  1920. ;// 2 - event ID specific to this source
  1921. ;//
  1922. ;// 3 - 27 : insertion strings
  1923. ;//
  1924. ;//
  1925. ;// Description:
  1926. ;// This audit is generated when a process generates non-system audit event
  1927. ;// using the AuthZ audit API. Parameters supplied by the process are converted
  1928. ;// to strings and inserted as strings %3 through %27.
  1929. ;//
  1930. ;//
  1931. ;//
  1932. MessageId=0x023D
  1933. SymbolicName=SE_AUDITID_GENERIC_AUDIT_EVENT
  1934. Language=English
  1935. %nApplication-specific security event.%n
  1936. %tEvent Source:%t%1%n
  1937. %tEvent ID:%t%2%n
  1938. %t%t%3%n
  1939. %t%t%4%n
  1940. %t%t%5%n
  1941. %t%t%6%n
  1942. %t%t%7%n
  1943. %t%t%8%n
  1944. %t%t%9%n
  1945. %t%t%10%n
  1946. %t%t%11%n
  1947. %t%t%12%n
  1948. %t%t%13%n
  1949. %t%t%14%n
  1950. %t%t%15%n
  1951. %t%t%16%n
  1952. %t%t%17%n
  1953. %t%t%18%n
  1954. %t%t%19%n
  1955. %t%t%20%n
  1956. %t%t%21%n
  1957. %t%t%22%n
  1958. %t%t%23%n
  1959. %t%t%24%n
  1960. %t%t%25%n
  1961. %t%t%26%n
  1962. %t%t%27%n
  1963. .
  1964. ;
  1965. ;/////////////////////////////////////////////////////////////////////////////
  1966. ;// //
  1967. ;// //
  1968. ;// Messages for Category: SE_CATEGID_PRIVILEGE_USE //
  1969. ;// //
  1970. ;// Event IDs: //
  1971. ;// SE_AUDITID_ASSIGN_SPECIAL_PRIV //
  1972. ;// SE_AUDITID_PRIVILEGED_SERVICE //
  1973. ;// SE_AUDITID_PRIVILEGED_OBJECT //
  1974. ;// //
  1975. ;// //
  1976. ;// //
  1977. ;/////////////////////////////////////////////////////////////////////////////
  1978. ;//
  1979. ;//
  1980. ;// SE_AUDITID_ASSIGN_SPECIAL_PRIV
  1981. ;//
  1982. ;// Category: SE_CATEGID_PRIVILEGE_USE
  1983. ;//
  1984. ;// Description:
  1985. ;// When a user logs on, if any one of the following privileges is added
  1986. ;// to his/her token, this event is generated.
  1987. ;//
  1988. ;// - SeChangeNotifyPrivilege
  1989. ;// - SeAuditPrivilege
  1990. ;// - SeCreateTokenPrivilege
  1991. ;// - SeAssignPrimaryTokenPrivilege
  1992. ;// - SeBackupPrivilege
  1993. ;// - SeRestorePrivilege
  1994. ;// - SeDebugPrivilege
  1995. ;//
  1996. ;//
  1997. ;// Parameter Strings -
  1998. ;//
  1999. ;// 1 - User name
  2000. ;//
  2001. ;// 2 - domain name
  2002. ;//
  2003. ;// 3 - Logon ID string
  2004. ;//
  2005. ;// 4 - Privilege names (as 1 string, with formatting)
  2006. ;//
  2007. ;//
  2008. ;//
  2009. ;//
  2010. MessageId=0x0240
  2011. SymbolicName=SE_AUDITID_ASSIGN_SPECIAL_PRIV
  2012. Language=English
  2013. Special privileges assigned to new logon:%n
  2014. %tUser Name:%t%1%n
  2015. %tDomain:%t%t%2%n
  2016. %tLogon ID:%t%t%3%n
  2017. %tPrivileges:%t%4
  2018. .
  2019. ;//
  2020. ;//
  2021. ;// SE_AUDITID_PRIVILEGED_SERVICE
  2022. ;//
  2023. ;// Category: SE_CATEGID_PRIVILEGE_USE
  2024. ;//
  2025. ;// Description:
  2026. ;// This event is generated when a user makes an attempt to perform
  2027. ;// a privileged system service operation.
  2028. ;//
  2029. ;// Parameter Strings -
  2030. ;//
  2031. ;// 1 - server name
  2032. ;//
  2033. ;// 2 - service name
  2034. ;//
  2035. ;// 3 - Primary User name
  2036. ;//
  2037. ;// 4 - Primary domain name
  2038. ;//
  2039. ;// 5 - Primary Logon ID string
  2040. ;//
  2041. ;// 6 - Client User name (or "-" if not impersonating)
  2042. ;//
  2043. ;// 7 - Client domain name (or "-" if not impersonating)
  2044. ;//
  2045. ;// 8 - Client Logon ID string (or "-" if not impersonating)
  2046. ;//
  2047. ;// 9 - Privilege names (as 1 string, with formatting)
  2048. ;//
  2049. ;//
  2050. ;//
  2051. ;//
  2052. MessageId=0x0241
  2053. SymbolicName=SE_AUDITID_PRIVILEGED_SERVICE
  2054. Language=English
  2055. Privileged Service Called:%n
  2056. %tServer:%t%t%1%n
  2057. %tService:%t%t%2%n
  2058. %tPrimary User Name:%t%3%n
  2059. %tPrimary Domain:%t%4%n
  2060. %tPrimary Logon ID:%t%5%n
  2061. %tClient User Name:%t%6%n
  2062. %tClient Domain:%t%7%n
  2063. %tClient Logon ID:%t%8%n
  2064. %tPrivileges:%t%9
  2065. .
  2066. ;//
  2067. ;//
  2068. ;// SE_AUDITID_PRIVILEGED_OBJECT
  2069. ;//
  2070. ;// Category: SE_CATEGID_PRIVILEGE_USE
  2071. ;//
  2072. ;// Parameter Strings -
  2073. ;//
  2074. ;// 1 - object server
  2075. ;//
  2076. ;// 2 - object handle (if available)
  2077. ;//
  2078. ;// 3 - process ID string
  2079. ;//
  2080. ;// 4 - Primary User name
  2081. ;//
  2082. ;// 5 - Primary domain name
  2083. ;//
  2084. ;// 6 - Primary Logon ID string
  2085. ;//
  2086. ;// 7 - Client User name (or "-" if not impersonating)
  2087. ;//
  2088. ;// 8 - Client domain name (or "-" if not impersonating)
  2089. ;//
  2090. ;// 9 - Client Logon ID string (or "-" if not impersonating)
  2091. ;//
  2092. ;// 10 - Privilege names (as 1 string, with formatting)
  2093. ;//
  2094. ;//
  2095. MessageId=0x0242
  2096. SymbolicName=SE_AUDITID_PRIVILEGED_OBJECT
  2097. Language=English
  2098. Privileged object operation:%n
  2099. %tObject Server:%t%1%n
  2100. %tObject Handle:%t%2%n
  2101. %tProcess ID:%t%3%n
  2102. %tPrimary User Name:%t%4%n
  2103. %tPrimary Domain:%t%5%n
  2104. %tPrimary Logon ID:%t%6%n
  2105. %tClient User Name:%t%7%n
  2106. %tClient Domain:%t%8%n
  2107. %tClient Logon ID:%t%9%n
  2108. %tPrivileges:%t%10
  2109. .
  2110. ;
  2111. ;/////////////////////////////////////////////////////////////////////////////
  2112. ;// //
  2113. ;// //
  2114. ;// Messages for Category: SE_CATEGID_DETAILED_TRACKING //
  2115. ;// //
  2116. ;// Event IDs: //
  2117. ;// SE_AUDITID_PROCESS_CREATED //
  2118. ;// SE_AUDITID_PROCESS_EXIT //
  2119. ;// SE_AUDITID_DUPLICATE_HANDLE //
  2120. ;// SE_AUDITID_INDIRECT_REFERENCE //
  2121. ;// SE_AUDITID_DPAPI_BACKUP //
  2122. ;// SE_AUDITID_DPAPI_RECOVERY //
  2123. ;// SE_AUDITID_DPAPI_PROTECT //
  2124. ;// SE_AUDITID_DPAPI_UNPROTECT //
  2125. ;// SE_AUDITID_ASSIGN_TOKEN //
  2126. ;// SE_AUDITID_SERVICE_INSTALL //
  2127. ;// SE_AUDITID_JOB_CREATED //
  2128. ;// //
  2129. ;// //
  2130. ;/////////////////////////////////////////////////////////////////////////////
  2131. ;//
  2132. ;//
  2133. ;// SE_AUDITID_PROCESS_CREATED
  2134. ;//
  2135. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2136. ;//
  2137. ;// Parameter Strings -
  2138. ;//
  2139. ;// 1 - process ID string
  2140. ;//
  2141. ;// 2 - Image file name (if available - otherwise "-")
  2142. ;//
  2143. ;// 3 - Creating process's ID
  2144. ;//
  2145. ;// 4 - User name (of new process)
  2146. ;//
  2147. ;// 5 - domain name (of new process)
  2148. ;//
  2149. ;// 6 - Logon ID string (of new process)
  2150. ;//
  2151. MessageId=0x0250
  2152. SymbolicName=SE_AUDITID_PROCESS_CREATED
  2153. Language=English
  2154. A new process has been created:%n
  2155. %tNew Process ID:%t%1%n
  2156. %tImage File Name:%t%2%n
  2157. %tCreator Process ID:%t%3%n
  2158. %tUser Name:%t%4%n
  2159. %tDomain:%t%t%5%n
  2160. %tLogon ID:%t%t%6%n
  2161. .
  2162. ;//
  2163. ;//
  2164. ;// SE_AUDITID_PROCESS_EXIT
  2165. ;//
  2166. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2167. ;//
  2168. ;// Parameter Strings -
  2169. ;//
  2170. ;// 1 - process ID string
  2171. ;//
  2172. ;// 2 - image name
  2173. ;//
  2174. ;// 3 - User name
  2175. ;//
  2176. ;// 4 - domain name
  2177. ;//
  2178. ;// 5 - Logon ID string
  2179. ;//
  2180. ;//
  2181. ;//
  2182. ;//
  2183. MessageId=0x0251
  2184. SymbolicName=SE_AUDITID_PROCESS_EXIT
  2185. Language=English
  2186. A process has exited:%n
  2187. %tProcess ID:%t%1%n
  2188. %tImage File Name:%t%2%n
  2189. %tUser Name:%t%3%n
  2190. %tDomain:%t%t%4%n
  2191. %tLogon ID:%t%t%5%n
  2192. .
  2193. ;//
  2194. ;//
  2195. ;// SE_AUDITID_DUPLICATE_HANDLE
  2196. ;//
  2197. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2198. ;//
  2199. ;// Parameter Strings -
  2200. ;//
  2201. ;// 1 - Origin (source) handle ID string
  2202. ;//
  2203. ;// 2 - Origin (source) process ID string
  2204. ;//
  2205. ;// 3 - New (Target) handle ID string
  2206. ;//
  2207. ;// 4 - Target process ID string
  2208. ;//
  2209. ;//
  2210. ;//
  2211. MessageId=0x0252
  2212. SymbolicName=SE_AUDITID_DUPLICATE_HANDLE
  2213. Language=English
  2214. A handle to an object has been duplicated:%n
  2215. %tSource Handle ID:%t%1%n
  2216. %tSource Process ID:%t%2%n
  2217. %tTarget Handle ID:%t%3%n
  2218. %tTarget Process ID:%t%4%n
  2219. .
  2220. ;//
  2221. ;//
  2222. ;// SE_AUDITID_INDIRECT_REFERENCE
  2223. ;//
  2224. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2225. ;//
  2226. ;// Parameter Strings -
  2227. ;//
  2228. ;// 1 - Object type
  2229. ;//
  2230. ;// 2 - object name (if available - otherwise "-")
  2231. ;//
  2232. ;// 3 - ID string of handle used to gain access
  2233. ;//
  2234. ;// 3 - server name
  2235. ;//
  2236. ;// 4 - process ID string
  2237. ;//
  2238. ;// 5 - primary User name
  2239. ;//
  2240. ;// 6 - primary domain name
  2241. ;//
  2242. ;// 7 - primary logon ID
  2243. ;//
  2244. ;// 8 - client User name
  2245. ;//
  2246. ;// 9 - client domain name
  2247. ;//
  2248. ;// 10 - client logon ID
  2249. ;//
  2250. ;// 11 - granted access names (with formatting)
  2251. ;//
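  2252. ;// NOTE(review): two entries above are numbered 3, and the list does not match the message text below (%3 is printed as Process ID, %10 as Accesses, %11 as Access Mask) - confirm the order against the code that generates this audit.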
  2253. MessageId=0x0253
  2254. SymbolicName=SE_AUDITID_INDIRECT_REFERENCE
  2255. Language=English
  2256. Indirect access to an object has been obtained:%n
  2257. %tObject Type:%t%1%n
  2258. %tObject Name:%t%2%n
  2259. %tProcess ID:%t%3%n
  2260. %tPrimary User Name:%t%4%n
  2261. %tPrimary Domain:%t%5%n
  2262. %tPrimary Logon ID:%t%6%n
  2263. %tClient User Name:%t%7%n
  2264. %tClient Domain:%t%8%n
  2265. %tClient Logon ID:%t%9%n
  2266. %tAccesses:%t%10%n
  2267. %tAccess Mask:%t%11%n
  2268. .
  2269. ;//
  2270. ;//
  2271. ;// SE_AUDITID_DPAPI_BACKUP
  2272. ;//
  2273. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2274. ;//
  2275. ;// Parameter Strings -
  2276. ;//
  2277. ;// 1 - Master key GUID
  2278. ;//
  2279. ;// 2 - Recovery Server
  2280. ;//
  2281. ;// 3 - GUID identifier of the recovery key
  2282. ;//
  2283. ;// 4 - Failure reason
  2284. ;//
  2285. MessageId=0x0254
  2286. SymbolicName=SE_AUDITID_DPAPI_BACKUP
  2287. Language=English
  2288. Backup of data protection master key.
  2289. %n
  2290. %tKey Identifier:%t%t%1%n
  2291. %tRecovery Server:%t%t%2%n
  2292. %tRecovery Key ID:%t%t%3%n
  2293. %tFailure Reason:%t%t%4%n
  2294. .
  2295. ;//
  2296. ;//
  2297. ;// SE_AUDITID_DPAPI_RECOVERY
  2298. ;//
  2299. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2300. ;//
  2301. ;// Parameter Strings -
  2302. ;//
  2303. ;// 1 - Master key GUID
  2304. ;//
  2305. ;// 2 - Recovery Server
  2306. ;//
  2307. ;// 3 - Reason for the backup (the message text below prints %3 as "Recovery Reason")
  2308. ;//
  2309. ;// 4 - GUID identifier of the recovery key
  2310. ;//
  2311. ;// 5 - Failure reason
  2312. ;//
  2313. MessageId=0x0255
  2314. SymbolicName=SE_AUDITID_DPAPI_RECOVERY
  2315. Language=English
  2316. Recovery of data protection master key.
  2317. %n
  2318. %tKey Identifier:%t%t%1%n
  2319. %tRecovery Reason:%t%t%3%n
  2320. %tRecovery Server:%t%t%2%n
  2321. %tRecovery Key ID:%t%t%4%n
  2322. %tFailure Reason:%t%t%5%n
  2323. .
  2324. ;//
  2325. ;//
  2326. ;// SE_AUDITID_DPAPI_PROTECT
  2327. ;//
  2328. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2329. ;//
  2330. ;// Parameter Strings -
  2331. ;//
  2332. ;//
  2333. ;// 1 - Master key GUID
  2334. ;//
  2335. ;// 2 - Data Description
  2336. ;//
  2337. ;// 3 - Protected data flags
  2338. ;//
  2339. ;// 4 - Algorithms
  2340. ;//
  2341. ;// 5 - failure reason
  2342. ;//
  2343. MessageId=0x0256
  2344. SymbolicName=SE_AUDITID_DPAPI_PROTECT
  2345. Language=English
  2346. Protection of auditable protected data.
  2347. %n
  2348. %tData Description:%t%t%2%n
  2349. %tKey Identifier:%t%t%1%n
  2350. %tProtected Data Flags:%t%3%n
  2351. %tProtection Algorithms:%t%4%n
  2352. %tFailure Reason:%t%t%5%n
  2353. .
  2354. ;//
  2355. ;//
  2356. ;// SE_AUDITID_DPAPI_UNPROTECT
  2357. ;//
  2358. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2359. ;//
  2360. ;// Parameter Strings -
  2361. ;//
  2362. ;//
  2363. ;// 1 - Master key GUID
  2364. ;//
  2365. ;// 2 - Data Description
  2366. ;//
  2367. ;// 3 - Protected data flags
  2368. ;//
  2369. ;// 4 - Algorithms
  2370. ;//
  2371. ;// 5 - failure reason
  2372. ;//
  2373. MessageId=0x0257
  2374. SymbolicName=SE_AUDITID_DPAPI_UNPROTECT
  2375. Language=English
  2376. Unprotection of auditable protected data.
  2377. %n
  2378. %tData Description:%t%t%2%n
  2379. %tKey Identifier:%t%t%1%n
  2380. %tProtected Data Flags:%t%3%n
  2381. %tProtection Algorithms:%t%4%n
  2382. %tFailure Reason:%t%t%5%n
  2383. .
  2384. ;//
  2385. ;//
  2386. ;// SE_AUDITID_ASSIGN_TOKEN
  2387. ;//
  2388. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2389. ;//
  2390. ;// Parameter Strings -
  2391. ;//
  2392. ;// 1. Current Process ID (the process doing the assignment)
  2393. ;// 2. Current Image File Name
  2394. ;// 3. Current User Name
  2395. ;// 4. Current Domain
  2396. ;// 5. Current Logon ID
  2397. ;//
  2398. ;// 6. Process ID (of new process)
  2399. ;// 7. Image Name (of new process)
  2400. ;// 8. User name (of new process)
  2401. ;// 9. domain name (of new process)
  2402. ;// 10. Logon ID string (of new process)
  2403. ;//
  2404. MessageId=0x0258
  2405. SymbolicName=SE_AUDITID_ASSIGN_TOKEN
  2406. Language=English
  2407. A process was assigned a primary token.%n
  2408. Assigning Process Information:%n
  2409. %tProcess ID:%t%1%n
  2410. %tImage File Name:%t%2%n
  2411. %tPrimary User Name:%t%3%n
  2412. %tPrimary Domain:%t%4%n
  2413. %tPrimary Logon ID:%t%5%n
  2414. New Process Information:%n
  2415. %tProcess ID:%t%6%n
  2416. %tImage File Name:%t%7%n
  2417. %tTarget User Name:%t%8%n
  2418. %tTarget Domain:%t%9%n
  2419. %tTarget Logon ID:%t%10%n
  2420. .
  2421. ;//
  2422. ;//
  2423. ;// SE_AUDITID_SERVICE_INSTALL
  2424. ;//
  2425. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2426. ;//
  2427. ;// Event type: success/failure
  2428. ;//
  2429. ;// Description:
  2430. ;// This event is generated when a service is installed
  2431. ;//
  2432. ;// Note:
  2433. ;//
  2434. MessageId=0x0259
  2435. SymbolicName=SE_AUDITID_SERVICE_INSTALL
  2436. Language=English
  2437. Attempt to install service:%n
  2438. %tService Name:%t%1%n
  2439. %tService File Name:%t%2%n
  2440. %tService Type:%t%3%n
  2441. %tService Start Type:%t%4%n
  2442. %tService Account:%t%5%n
  2443. By:%n
  2444. %tUser Name:%t%6%n
  2445. %tDomain:%t%t%7%n
  2446. %tLogon ID:%t%t%8%n
  2447. .
  2448. ;//
  2449. ;//
  2450. ;// SE_AUDITID_JOB_CREATED
  2451. ;//
  2452. ;// Category: SE_CATEGID_DETAILED_TRACKING
  2453. ;//
  2454. ;// Event type: success/failure
  2455. ;//
  2456. ;// Description:
  2457. ;// This event is generated when a scheduler job is created
  2458. ;// File Name is the name of the file in the Tasks folder.
  2459. ;// Task Time, Days of Month, Days of Week, Flags and Commandline
  2460. ;// are taken from the AT_INFO structure.
  2461. ;// Target Name and Target Domain are the user account the job
  2462. ;// is to run as. This event is generated by the task scheduler,
  2463. ;// for example through the AT command.
  2464. ;//
  2465. ;// Note:
  2466. ;//
  2467. MessageId=0x025A
  2468. SymbolicName=SE_AUDITID_JOB_CREATED
  2469. Language=English
  2470. Scheduled Task created:%n
  2471. %tFile Name:%t%1%n
  2472. %tCommand:%t%2%n
  2473. %tTriggers:%t%t%3%n
  2474. %tTime:%t%t%4 %5%n
  2475. %tFlags:%t%t%6%n
  2476. %tTarget User:%t%7%n
  2477. By:%n
  2478. %tUser:%t%t%8%n
  2479. %tDomain:%t%t%9%n
  2480. %tLogon ID:%t%t%10%n
  2481. .
  2482. ;
  2483. ;/////////////////////////////////////////////////////////////////////////////
  2484. ;// //
  2485. ;// //
  2486. ;// Messages for Category: SE_CATEGID_POLICY_CHANGE //
  2487. ;// //
  2488. ;// Event IDs: //
  2489. ;// SE_AUDITID_USER_RIGHT_ASSIGNED //
  2490. ;// SE_AUDITID_USER_RIGHT_REMOVED //
  2491. ;// SE_AUDITID_TRUSTED_DOMAIN_ADD //
  2492. ;// SE_AUDITID_TRUSTED_DOMAIN_REM //
  2493. ;// SE_AUDITID_TRUSTED_DOMAIN_MOD //
  2494. ;// SE_AUDITID_POLICY_CHANGE //
  2495. ;// SE_AUDITID_IPSEC_POLICY_START //
  2496. ;// SE_AUDITID_IPSEC_POLICY_DISABLED //
  2497. ;// SE_AUDITID_IPSEC_POLICY_CHANGED //
  2498. ;// SE_AUDITID_IPSEC_POLICY_FAILURE //
  2499. ;// SE_AUDITID_SYSTEM_ACCESS_CHANGE //
  2500. ;// SE_AUDITID_NAMESPACE_COLLISION //
  2501. ;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD //
  2502. ;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM //
  2503. ;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD //
  2504. ;// SE_AUDITID_PER_USER_AUDIT_TABLE_CREATION //
  2505. ;// SE_AUDITID_PER_USER_AUDIT_TABLE_ELEMENT_CREATION //
  2506. ;// //
  2507. ;// //
  2508. ;/////////////////////////////////////////////////////////////////////////////
  2509. ;//
  2510. ;//
  2511. ;// SE_AUDITID_USER_RIGHT_ASSIGNED
  2512. ;//
  2513. ;// Category: SE_CATEGID_POLICY_CHANGE
  2514. ;//
  2515. ;// Parameter Strings -
  2516. ;//
  2517. ;// 1 - User right name
  2518. ;//
  2519. ;// 2 - SID string of account assigned the user right
  2520. ;//
  2521. ;// 3 - User name of subject assigning the right
  2522. ;//
  2523. ;// 4 - Domain name of subject assigning the right
  2524. ;//
  2525. ;// 5 - Logon ID string of subject assigning the right
  2526. ;//
  2527. ;//
  2528. ;//
  2529. MessageId=0x0260
  2530. SymbolicName=SE_AUDITID_USER_RIGHT_ASSIGNED
  2531. Language=English
  2532. User Right Assigned:%n
  2533. %tUser Right:%t%1%n
  2534. %tAssigned To:%t%2%n
  2535. %tAssigned By:%n
  2536. %t User Name:%t%3%n
  2537. %t Domain:%t%t%4%n
  2538. %t Logon ID:%t%5%n
  2539. .
  2540. ;//
  2541. ;//
  2542. ;// SE_AUDITID_USER_RIGHT_REMOVED
  2543. ;//
  2544. ;// Category: SE_CATEGID_POLICY_CHANGE
  2545. ;//
  2546. ;// Parameter Strings -
  2547. ;//
  2548. ;// 1 - User right name
  2549. ;//
  2550. ;// 2 - SID string of account from which the user
  2551. ;// right was removed
  2552. ;//
  2553. ;// 3 - User name of subject removing the right
  2554. ;//
  2555. ;// 4 - Domain name of subject removing the right
  2556. ;//
  2557. ;// 5 - Logon ID string of subject removing the right
  2558. ;//
  2559. ;//
  2560. MessageId=0x0261
  2561. SymbolicName=SE_AUDITID_USER_RIGHT_REMOVED
  2562. Language=English
  2563. User Right Removed:%n
  2564. %tUser Right:%t%1%n
  2565. %tRemoved From:%t%2%n
  2566. %tRemoved By:%n
  2567. %t User Name:%t%3%n
  2568. %t Domain:%t%t%4%n
  2569. %t Logon ID:%t%5%n
  2570. .
  2571. ;//
  2572. ;//
  2573. ;// SE_AUDITID_TRUSTED_DOMAIN_ADD
  2574. ;//
  2575. ;// Category: SE_CATEGID_POLICY_CHANGE
  2576. ;//
  2577. ;// Event type: success/failure
  2578. ;//
  2579. ;// Description:
  2580. ;// This event is generated when somebody creates a trust relationship
  2581. ;// with another domain.
  2582. ;//
  2583. ;// Note:
  2584. ;// It is recorded on the domain controller on which
  2585. ;// the trusted domain object (TDO) is created and not on any other
  2586. ;// domain controller to which the TDO creation replicates.
  2587. ;//
  2588. MessageId=0x0262
  2589. SymbolicName=SE_AUDITID_TRUSTED_DOMAIN_ADD
  2590. Language=English
  2591. New Trusted Domain:%n
  2592. %tDomain Name:%t%1%n
  2593. %tDomain ID:%t%2%n
  2594. %tEstablished By:%n
  2595. %t User Name:%t%3%n
  2596. %t Domain:%t%t%4%n
  2597. %t Logon ID:%t%5%n
  2598. %tTrust Type:%t%6%n
  2599. %tTrust Direction:%t%7%n
  2600. %tTrust Attributes:%t%8%n
  2601. %tSID Filtering:%t%9%n
  2602. .
  2603. ;//
  2604. ;//
  2605. ;// SE_AUDITID_TRUSTED_DOMAIN_REM
  2606. ;//
  2607. ;// Category: SE_CATEGID_POLICY_CHANGE
  2608. ;//
  2609. ;// Event type: success/failure
  2610. ;//
  2611. ;// Description:
  2612. ;// This event is generated when somebody removes a trust relationship
  2613. ;// with another domain.
  2614. ;//
  2615. ;// Note:
  2616. ;// It is recorded on the domain controller on which
  2617. ;// the trusted domain object (TDO) is deleted and not on any other
  2618. ;// domain controller to which the TDO deletion replicates.
  2619. ;//
  2620. MessageId=0x0263
  2621. SymbolicName=SE_AUDITID_TRUSTED_DOMAIN_REM
  2622. Language=English
  2623. Trusted Domain Removed:%n
  2624. %tDomain Name:%t%1%n
  2625. %tDomain ID:%t%2%n
  2626. %tRemoved By:%n
  2627. %t User Name:%t%3%n
  2628. %t Domain:%t%t%4%n
  2629. %t Logon ID:%t%5%n
  2630. .
  2631. ;//
  2632. ;//
  2633. ;// SE_AUDITID_POLICY_CHANGE
  2634. ;//
  2635. ;// Category: SE_CATEGID_POLICY_CHANGE
  2636. ;//
  2637. ;// Parameter Strings -
  2638. ;//
  2639. ;// 1 - System success audit status ("+" or "-")
  2640. ;// 2 - System failure audit status ("+" or "-")
  2641. ;//
  2642. ;// 3 - Logon/Logoff success audit status ("+" or "-")
  2643. ;// 4 - Logon/Logoff failure audit status ("+" or "-")
  2644. ;//
  2645. ;// 5 - Object Access success audit status ("+" or "-")
  2646. ;// 6 - Object Access failure audit status ("+" or "-")
  2647. ;//
  2648. ;// 7 - Detailed Tracking success audit status ("+" or "-")
  2649. ;// 8 - Detailed Tracking failure audit status ("+" or "-")
  2650. ;//
  2651. ;// 9 - Privilege Use success audit status ("+" or "-")
  2652. ;// 10 - Privilege Use failure audit status ("+" or "-")
  2653. ;//
  2654. ;// 11 - Policy Change success audit status ("+" or "-")
  2655. ;// 12 - Policy Change failure audit status ("+" or "-")
  2656. ;//
  2657. ;// 13 - Account Management success audit status ("+" or "-")
  2658. ;// 14 - Account Management failure audit status ("+" or "-")
  2659. ;//
  2660. ;// 15 - Directory Service access success audit status ("+" or "-")
  2661. ;// 16 - Directory Service access failure audit status ("+" or "-")
  2662. ;//
  2663. ;// 17 - Account Logon success audit status ("+" or "-")
  2664. ;// 18 - Account Logon failure audit status ("+" or "-")
  2665. ;//
  2666. ;// 19 - Account Name of user that changed the policy
  2667. ;//
  2668. ;// 20 - Domain of user that changed the policy
  2669. ;//
  2670. ;// 21 - Logon ID of user that changed the policy
  2671. ;//
  2672. ;//
  2673. MessageId=0x0264
  2674. SymbolicName=SE_AUDITID_POLICY_CHANGE
  2675. Language=English
  2676. Audit Policy Change:%n
  2677. New Policy:%n
  2678. %tSuccess%tFailure%n
  2679. %t %3%t %4%tLogon/Logoff%n
  2680. %t %5%t %6%tObject Access%n
  2681. %t %7%t %8%tPrivilege Use%n
  2682. %t %13%t %14%tAccount Management%n
  2683. %t %11%t %12%tPolicy Change%n
  2684. %t %1%t %2%tSystem%n
  2685. %t %9%t %10%tDetailed Tracking%n
  2686. %t %15%t %16%tDirectory Service Access%n
  2687. %t %17%t %18%tAccount Logon%n%n
  2688. Changed By:%n
  2689. %t User Name:%t%19%n
  2690. %t Domain Name:%t%20%n
  2691. %t Logon ID:%t%21
  2692. .
  2693. ;//
  2694. ;//
  2695. ;// SE_AUDITID_IPSEC_POLICY_START
  2696. ;//
  2697. ;// Category: SE_CATEGID_POLICY_CHANGE
  2698. ;//
  2699. ;// Parameter Strings -
  2700. ;//
  2701. ;// 1 - Ipsec Policy Agent
  2702. ;//
  2703. ;// 2 - Policy Source
  2704. ;//
  2705. ;// 3 - Event Data
  2706. ;//
  2707. ;//
  2708. MessageId=0x0265
  2709. SymbolicName=SE_AUDITID_IPSEC_POLICY_START
  2710. Language=English
  2711. IPSec Services started: %t%1%n
  2712. Policy Source: %t%2%n
  2713. %3%n
  2714. .
  2715. ;//
  2716. ;//
  2717. ;// SE_AUDITID_IPSEC_POLICY_DISABLED
  2718. ;//
  2719. ;// Category: SE_CATEGID_POLICY_CHANGE
  2720. ;//
  2721. ;// Parameter Strings -
  2722. ;//
  2723. ;// 1 - Ipsec Policy Agent
  2724. ;//
  2725. ;// 2 - Event Data
  2726. ;//
  2727. ;//
  2728. MessageId=0x0266
  2729. SymbolicName=SE_AUDITID_IPSEC_POLICY_DISABLED
  2730. Language=English
  2731. IPSec Services disabled: %t%1%n
  2732. %2%n
  2733. .
  2734. ;//
  2735. ;//
  2736. ;// SE_AUDITID_IPSEC_POLICY_CHANGED
  2737. ;//
  2738. ;// Category: SE_CATEGID_POLICY_CHANGE
  2739. ;//
  2740. ;// Parameter Strings -
  2741. ;//
  2742. ;// 1 - Event Data
  2743. ;//
  2744. ;//
  2745. MessageId=0x0267
  2746. SymbolicName=SE_AUDITID_IPSEC_POLICY_CHANGED
  2747. Language=English
  2748. IPSec Services: %t%1%n
  2749. .
  2750. ;//
  2751. ;//
  2752. ;// SE_AUDITID_IPSEC_POLICY_FAILURE
  2753. ;//
  2754. ;// Category: SE_CATEGID_POLICY_CHANGE
  2755. ;//
  2756. ;// Parameter Strings -
  2757. ;//
  2758. ;// 1 - Event Data
  2759. ;//
  2760. ;//
  2761. MessageId=0x0268
  2762. SymbolicName=SE_AUDITID_IPSEC_POLICY_FAILURE
  2763. Language=English
  2764. IPSec Services encountered a potentially serious failure.%n
  2765. %1%n
  2766. .
  2767. ;//
  2768. ;//
  2769. ;// SE_AUDITID_KERBEROS_POLICY_CHANGE
  2770. ;//
  2771. ;// Category: SE_CATEGID_POLICY_CHANGE
  2772. ;//
  2773. ;// Parameter Strings -
  2774. ;//
  2775. ;// 1 - user account name
  2776. ;//
  2777. ;// 2 - domain name of user
  2778. ;//
  2779. ;// 3 - logon ID of user
  2780. ;//
  2781. ;// 4 - description of the change made
  2782. ;//
  2783. ;//
  2784. MessageId=0x0269
  2785. SymbolicName=SE_AUDITID_KERBEROS_POLICY_CHANGE
  2786. Language=English
  2787. Kerberos Policy Changed:%n
  2788. Changed By:%n
  2789. %t User Name:%t%1%n
  2790. %t Domain Name:%t%2%n
  2791. %t Logon ID:%t%3%n
  2792. Changes made:%n
  2793. ('--' means no changes, otherwise each change is shown as:%n
  2794. <ParameterName>: <new value> (<old value>))%n
  2795. %4%n
  2796. .
  2797. ;//
  2798. ;//
  2799. ;// SE_AUDITID_EFS_POLICY_CHANGE
  2800. ;//
  2801. ;// Category: SE_CATEGID_POLICY_CHANGE
  2802. ;//
  2803. ;// Parameter Strings -
  2804. ;//
  2805. ;// 1 - user account name
  2806. ;//
  2807. ;// 2 - domain name of user
  2808. ;//
  2809. ;// 3 - logon ID of user
  2810. ;//
  2811. ;// 4 - description of the change made
  2812. ;//
  2813. ;//
  2814. MessageId=0x026a
  2815. SymbolicName=SE_AUDITID_EFS_POLICY_CHANGE
  2816. Language=English
  2817. Encrypted Data Recovery Policy Changed:%n
  2818. Changed By:%n
  2819. %t User Name:%t%1%n
  2820. %t Domain Name:%t%2%n
  2821. %t Logon ID:%t%3%n
  2822. Changes made:%n
  2823. ('--' means no changes, otherwise each change is shown as:%n
  2824. <ParameterName>: <new value> (<old value>))%n
  2825. %4%n
  2826. .
  2827. ;//
  2828. ;//
  2829. ;// SE_AUDITID_TRUSTED_DOMAIN_MOD
  2830. ;//
  2831. ;// Category: SE_CATEGID_POLICY_CHANGE
  2832. ;//
  2833. ;// Event type: success/failure
  2834. ;//
  2835. ;// Description:
  2836. ;// This event is generated when somebody modifies a trust relationship
  2837. ;// with another domain.
  2838. ;//
  2839. ;// Note:
  2840. ;// It is recorded on the domain controller on which
  2841. ;// the trusted domain object (TDO) is modified and not on any other
  2842. ;// domain controller to which the TDO modification replicates.
  2843. ;//
  2844. MessageId=0x026C
  2845. SymbolicName=SE_AUDITID_TRUSTED_DOMAIN_MOD
  2846. Language=English
  2847. Trusted Domain Information Modified:%n
  2848. %tDomain Name:%t%1%n
  2849. %tDomain ID:%t%2%n
  2850. %tModified By:%n
  2851. %t User Name:%t%3%n
  2852. %t Domain:%t%t%4%n
  2853. %t Logon ID:%t%5%n
  2854. %tTrust Type:%t%6%n
  2855. %tTrust Direction:%t%7%n
  2856. %tTrust Attributes:%t%8%n
  2857. %tSID Filtering:%t%9%n
  2858. .
  2859. ;//
  2860. ;//
  2861. ;// SE_AUDITID_SYSTEM_ACCESS_GRANTED
  2862. ;//
  2863. ;// Category: SE_CATEGID_POLICY_CHANGE
  2864. ;//
  2865. ;// Parameter Strings -
  2866. ;//
  2867. ;// 1 - User right name
  2868. ;//
  2869. ;// 2 - SID string of account for which the user
  2870. ;// right was affected
  2871. ;//
  2872. ;// 3 - User name of subject changing the right
  2873. ;//
  2874. ;// 4 - Domain name of subject changing the right
  2875. ;//
  2876. ;// 5 - Logon ID string of subject changing the right
  2877. ;//
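  2878. ;// NOTE(review): the message text below prints %4 as Access Granted, %5 as Account Modified and %1-%3 as the user name, domain and logon ID under "Assigned By", which does not match the numbering above - confirm the order against the code that generates this audit.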
  2879. MessageId=0x026d
  2880. SymbolicName=SE_AUDITID_SYSTEM_ACCESS_GRANTED
  2881. Language=English
  2882. System Security Access Granted:%n
  2883. %tAccess Granted:%t%4%n
  2884. %tAccount Modified:%t%5%n
  2885. %tAssigned By:%n
  2886. %t User Name:%t%1%n
  2887. %t Domain:%t%t%2%n
  2888. %t Logon ID:%t%3%n
  2889. .
  2890. ;//
  2891. ;//
  2892. ;// SE_AUDITID_SYSTEM_ACCESS_REMOVED
  2893. ;//
  2894. ;// Category: SE_CATEGID_POLICY_CHANGE
  2895. ;//
  2896. ;// Parameter Strings -
  2897. ;//
  2898. ;// 1 - User right name
  2899. ;//
  2900. ;// 2 - SID string of account for which the user
  2901. ;// right was affected
  2902. ;//
  2903. ;// 3 - User name of subject changing the right
  2904. ;//
  2905. ;// 4 - Domain name of subject changing the right
  2906. ;//
  2907. ;// 5 - Logon ID string of subject changing the right
  2908. ;//
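  2909. ;// NOTE(review): the message text below prints %4 as Access Removed, %5 as Account Modified and %1-%3 as the user name, domain and logon ID under "Removed By", which does not match the numbering above - confirm the order against the code that generates this audit.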
  2910. MessageId=0x026e
  2911. SymbolicName=SE_AUDITID_SYSTEM_ACCESS_REMOVED
  2912. Language=English
  2913. System Security Access Removed:%n
  2914. %tAccess Removed:%t%4%n
  2915. %tAccount Modified:%t%5%n
  2916. %tRemoved By:%n
  2917. %t User Name:%t%1%n
  2918. %t Domain:%t%t%2%n
  2919. %t Logon ID:%t%3%n
  2920. .
  2921. ;//
  2922. ;//
  2923. ;// SE_AUDITID_NAMESPACE_COLLISION
  2924. ;//
  2925. ;// Category: SE_CATEGID_POLICY_CHANGE
  2926. ;//
  2927. ;// Event type: success
  2928. ;//
  2929. ;// Description:
  2930. ;// When a namespace element in one forest overlaps a namespace element in
  2931. ;// some other forest, it can lead to ambiguity in resolving a name
  2932. ;// belonging to one of the namespace elements. This overlap is also called
  2933. ;// a collision. This event is generated when such a collision is detected.
  2934. ;//
  2935. ;// Note:
  2936. ;// Not all fields are valid for each entry type.
  2937. ;// For example, fields like DNS name, NetBIOS name and SID are not valid
  2938. ;// for an entry of type 'TopLevelName'.
  2939. ;//
  2940. MessageId=0x0300
  2941. SymbolicName=SE_AUDITID_NAMESPACE_COLLISION
  2942. Language=English
  2943. Namespace collision detected:%n
  2944. %tTarget type:%t%1%n
  2945. %tTarget name:%t%2%n
  2946. %tForest Root:%t%3%n
  2947. %tTop Level Name:%t%4%n
  2948. %tDNS Name:%t%5%n
  2949. %tNetBIOS Name:%t%6%n
  2950. %tSID:%t%t%7%n
  2951. %tNew Flags:%t%8%n
  2952. .
  2953. ;//
  2954. ;//
  2955. ;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD
  2956. ;//
  2957. ;// Category: SE_CATEGID_POLICY_CHANGE
  2958. ;//
  2959. ;// Event type: success
  2960. ;//
  2961. ;// Description:
  2962. ;// This event is generated when the forest trust information is updated and
  2963. ;// one or more entries get added. One such audit event is generated
  2964. ;// per added entry. If multiple entries get added, deleted or modified
  2965. ;// in a single update of the forest trust information, all the generated
  2966. ;// audit events will have a single unique identifier called OperationID.
  2967. ;// This allows one to determine that the multiple generated audits are
  2968. ;// the result of a single operation.
  2969. ;//
  2970. ;// Note:
  2971. ;// Not all fields are valid for each entry type.
  2972. ;// For example, fields like DNS name, NetBIOS name and SID are not valid
  2973. ;// for an entry of type 'TopLevelName'.
  2974. ;//
  2975. MessageId=0x0301
  2976. SymbolicName=SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD
  2977. Language=English
  2978. Trusted Forest Information Entry Added:%n
  2979. %tForest Root:%t%1%n
  2980. %tForest Root SID:%t%2%n
  2981. %tOperation ID:%t{%3,%4}%n
  2982. %tEntry Type:%t%5%n
  2983. %tFlags:%t%t%6%n
  2984. %tTop Level Name:%t%7%n
  2985. %tDNS Name:%t%8%n
  2986. %tNetBIOS Name:%t%9%n
  2987. %tDomain SID:%t%10%n
  2988. %tAdded by%t:%n
  2989. %tClient User Name:%t%11%n
  2990. %tClient Domain:%t%12%n
  2991. %tClient Logon ID:%t%13%n
  2992. .
  2993. ;//
  2994. ;//
  2995. ;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM
  2996. ;//
  2997. ;// Category: SE_CATEGID_POLICY_CHANGE
  2998. ;//
  2999. ;// Event type: success
  3000. ;//
  3001. ;// Description:
  3002. ;// This event is generated when the forest trust information is updated and
  3003. ;// one or more entries get deleted. One such audit event is generated
  3004. ;// per deleted entry. If multiple entries get added, deleted or modified
  3005. ;// in a single update of the forest trust information, all the generated
  3006. ;// audit events will have a single unique identifier called OperationID.
  3007. ;// This allows one to determine that the multiple generated audits are
  3008. ;// the result of a single operation.
  3009. ;//
  3010. ;// Note:
  3011. ;// Not all fields are valid for each entry type.
  3012. ;// For example, fields like DNS name, NetBIOS name and SID are not valid
  3013. ;// for an entry of type 'TopLevelName'.
  3014. ;//
  3015. MessageId=0x0302
  3016. SymbolicName=SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM
  3017. Language=English
  3018. Trusted Forest Information Entry Removed:%n
  3019. %tForest Root:%t%1%n
  3020. %tForest Root SID:%t%2%n
  3021. %tOperation ID:%t{%3,%4}%n
  3022. %tEntry Type:%t%5%n
  3023. %tFlags:%t%t%6%n
  3024. %tTop Level Name:%t%7%n
  3025. %tDNS Name:%t%8%n
  3026. %tNetBIOS Name:%t%9%n
  3027. %tDomain SID:%t%10%n
  3028. %tRemoved by%t:%n
  3029. %tClient User Name:%t%11%n
  3030. %tClient Domain:%t%12%n
  3031. %tClient Logon ID:%t%13%n
  3032. .
  3033. ;//
  3034. ;//
  3035. ;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD
  3036. ;//
  3037. ;// Category: SE_CATEGID_POLICY_CHANGE
  3038. ;//
  3039. ;// Event type: success
  3040. ;//
  3041. ;// Description:
  3042. ;// This event is generated when the forest trust information is updated and
  3043. ;// one or more entries get modified. One such audit event is generated
  3044. ;// per modified entry. If multiple entries get added, deleted or modified
  3045. ;// in a single update of the forest trust information, all the generated
  3046. ;// audit events will have a single unique identifier called OperationID.
  3047. ;// This allows one to determine that the multiple generated audits are
  3048. ;// the result of a single operation.
  3049. ;//
  3050. ;// Note:
  3051. ;// Not all fields are valid for each entry type.
  3052. ;// For example, fields like DNS name, NetBIOS name and SID are not valid
  3053. ;// for an entry of type 'TopLevelName'.
  3054. ;//
  3055. MessageId=0x0303
  3056. SymbolicName=SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD
  3057. Language=English
  3058. Trusted Forest Information Entry Modified:%n
  3059. %tForest Root:%t%1%n
  3060. %tForest Root SID:%t%2%n
  3061. %tOperation ID:%t{%3,%4}%n
  3062. %tEntry Type:%t%5%n
  3063. %tFlags:%t%t%6%n
  3064. %tTop Level Name:%t%7%n
  3065. %tDNS Name:%t%8%n
  3066. %tNetBIOS Name:%t%9%n
  3067. %tDomain SID:%t%10%n
  3068. %tModified by%t:%n
  3069. %tClient User Name:%t%11%n
  3070. %tClient Domain:%t%12%n
  3071. %tClient Logon ID:%t%13%n
  3072. .
  3073. ;//
  3074. ;//
  3075. ;// SE_AUDITID_SECURITY_LOG_CONFIG
  3076. ;//
  3077. ;// Category: SE_CATEGID_POLICY_CHANGE
  3078. ;//
  3079. ;// Event type: success
  3080. ;//
  3081. ;// Description:
  3082. ;// This event is generated when the eventlog service reads security log
  3083. ;// configuration from the registry key:
  3084. ;// SYSTEM\CurrentControlSet\Services\Eventlog\Security
  3085. ;// This event is generated in the context in which eventlog runs. The
  3086. ;// registry key has a SACL so that it is possible to find out the user
  3087. ;// who changed the key.
  3088. ;//
  3089. ;// Parameters:
  3090. ;// 1 : max size in KB
  3091. ;//
  3092. ;// 2 : Action to take on reaching max log size
  3093. ;// 1 --> overwrite events as needed
  3094. ;// 2 --> overwrite events older than the limit specified
  3095. ;// in parameter 3
  3096. ;// 3 --> do not overwrite
  3097. ;//
  3098. ;// 3 : Event age limit. Applicable only if the value of param 2 is 2
  3099. ;//
  3100. ;// Note:
  3101. ;//
  3102. MessageId=0x0325
  3103. SymbolicName=SE_AUDITID_SECURITY_LOG_CONFIG
  3104. Language=English
  3105. Configuration of security log for this session:
  3106. %tMaximum Log Size (KB): %1%n
  3107. %tAction to take on reaching max log size: %2%n
  3108. %tEvent age limit in days: %3%n
  3109. .
  3110. ;//
  3111. ;//
  3112. ;// SE_AUDITID_PER_USER_AUDIT_TABLE_CREATION
  3113. ;//
  3114. ;// Category: SE_CATEGID_POLICY_CHANGE
  3115. ;//
  3116. ;// Event type: success
  3117. ;//
  3118. ;// Description:
  3119. ;// This event is generated when the LSA per user audit policy is
  3120. ;// created or recreated.
  3121. ;//
  3122. MessageId=0x0326
  3123. SymbolicName=SE_AUDITID_PER_USER_AUDIT_TABLE_CREATION
  3124. Language=English
  3125. Per User Audit Policy was refreshed.%n
  3126. %tNumber of elements:%t%1%n
  3127. %tPolicy ID:%t%2%n
  3128. .
  3129. ;//
  3130. ;//
  3131. ;// SE_AUDITID_PER_USER_AUDIT_TABLE_ELEMENT_CREATION
  3132. ;//
  3133. ;// Category: SE_CATEGID_POLICY_CHANGE
  3134. ;//
  3135. ;// Event type: success
  3136. ;//
  3137. ;// Description:
  3138. ;// This event is generated when the per user audit policy table is
  3139. ;// created. An instance of the audit is generated for each element
  3140. ;// contained in the per user table.
  3141. ;//
  3142. ;// Note:
  3143. ;//
  3144. MessageId=0x0327
  3145. SymbolicName=SE_AUDITID_PER_USER_AUDIT_TABLE_ELEMENT_CREATION
  3146. Language=English
  3147. Per user auditing policy set for user:%n
  3148. %tTarget user:%t%1%n
  3149. %tPolicy ID:%t%2%n
  3150. %tCategory Settings:%n
  3151. %t System:%t%3%n
  3152. %t Logon:%t%4%n
  3153. %t Object Access%t%5%n
  3154. %t Privilege Use:%t%6%n
  3155. %t Detailed Tracking:%t%7%n
  3156. %t Policy Change:%t%8%n
  3157. %t Account Management:%t%9%n
  3158. %t DS Access:%t%10%n
  3159. %t Account Logon:%t%11%n
  3160. .
  3161. ;//
  3162. ;//
  3163. ;// SE_AUDITID_SECURITY_EVENT_SOURCE_REGISTERED
  3164. ;//
  3165. ;// Category: SE_CATEGID_POLICY_CHANGE
  3166. ;//
  3167. ;// Event type: success
  3168. ;//
  3169. ;// Description:
  3170. ;//
  3171. ;// Note:
  3172. ;//
  3173. MessageId=0x0328
  3174. SymbolicName=SE_AUDITID_SECURITY_EVENT_SOURCE_REGISTERED
  3175. Language=English
  3176. A security event source has attempted to register.%n
  3177. %tPrimary User Name:%t%1%n
  3178. %tPrimary Domain:%t%2%n
  3179. %tPrimary Logon ID:%t%3%n
  3180. %tClient User Name:%t%4%n
  3181. %tClient Domain:%t%5%n
  3182. %tClient Logon ID:%t%6%n
  3183. %tSource Name:%t%7%n
  3184. %tProcess Id:%t%8%n
  3185. %tEvent Source Id:%t%9%n
  3186. .
  3187. ;//
  3188. ;//
  3189. ;// SE_AUDITID_SECURITY_EVENT_SOURCE_UNREGISTERED
  3190. ;//
  3191. ;// Category: SE_CATEGID_POLICY_CHANGE
  3192. ;//
  3193. ;// Event type: success
  3194. ;//
  3195. ;// Description:
  3196. ;//
  3197. ;// Note:
  3198. ;//
  3199. MessageId=0x0329
  3200. SymbolicName=SE_AUDITID_SECURITY_EVENT_SOURCE_UNREGISTERED
  3201. Language=English
  3202. A security event source has attempted to unregister.%n
  3203. %tPrimary User Name:%t%1%n
  3204. %tPrimary Domain:%t%2%n
  3205. %tPrimary Logon ID:%t%3%n
  3206. %tClient User Name:%t%4%n
  3207. %tClient Domain:%t%5%n
  3208. %tClient Logon ID:%t%6%n
  3209. %tSource Name:%t%7%n
  3210. %tProcess Id:%t%8%n
  3211. %tEvent Source Id:%t%9%n
  3212. .
  3213. ;
  3214. ;/////////////////////////////////////////////////////////////////////////////
  3215. ;// //
  3216. ;// //
  3217. ;// Messages for Category: SE_CATEGID_ACCOUNT_MANAGEMENT //
  3218. ;// //
  3219. ;// Event IDs: //
  3220. ;// SE_AUDITID_USER_CREATED //
  3221. ;// SE_AUDITID_USER_CHANGE //
  3222. ;// SE_AUDITID_ACCOUNT_TYPE_CHANGE //
  3223. ;// SE_AUDITID_USER_ENABLED //
  3224. ;// SE_AUDITID_USER_PWD_CHANGED //
  3225. ;// SE_AUDITID_USER_PWD_SET //
  3226. ;// SE_AUDITID_USER_DISABLED //
  3227. ;// SE_AUDITID_USER_DELETED //
  3228. ;// //
  3229. ;// SE_AUDITID_COMPUTER_CREATED //
  3230. ;// SE_AUDITID_COMPUTER_CHANGE //
  3231. ;// SE_AUDITID_COMPUTER_DELETED //
  3232. ;// //
  3233. ;// SE_AUDITID_GLOBAL_GROUP_CREATED //
  3234. ;// SE_AUDITID_GLOBAL_GROUP_CHANGE //
  3235. ;// SE_AUDITID_GLOBAL_GROUP_ADD //
  3236. ;// SE_AUDITID_GLOBAL_GROUP_REM //
  3237. ;// SE_AUDITID_GLOBAL_GROUP_DELETED //
  3238. ;// SE_AUDITID_LOCAL_GROUP_CREATED //
  3239. ;// SE_AUDITID_LOCAL_GROUP_CHANGE //
  3240. ;// SE_AUDITID_LOCAL_GROUP_ADD //
  3241. ;// SE_AUDITID_LOCAL_GROUP_REM //
  3242. ;// SE_AUDITID_LOCAL_GROUP_DELETED //
  3243. ;// //
  3244. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED //
  3245. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE //
  3246. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD //
  3247. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM //
  3248. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED //
  3249. ;// //
  3250. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED //
  3251. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE //
  3252. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD //
  3253. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM //
  3254. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED //
  3255. ;// //
  3256. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED //
  3257. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE //
  3258. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD //
  3259. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM //
  3260. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED //
  3261. ;// //
  3262. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED //
  3263. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE //
  3264. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD //
  3265. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM //
  3266. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED //
  3267. ;// //
  3268. ;// SE_AUDITID_APP_BASIC_GROUP_CREATED //
  3269. ;// SE_AUDITID_APP_BASIC_GROUP_CHANGE //
  3270. ;// SE_AUDITID_APP_BASIC_GROUP_ADD //
  3271. ;// SE_AUDITID_APP_BASIC_GROUP_REM //
  3272. ;// SE_AUDITID_APP_BASIC_GROUP_NM_ADD //
  3273. ;// SE_AUDITID_APP_BASIC_GROUP_NM_REM //
  3274. ;// SE_AUDITID_APP_BASIC_GROUP_DELETED //
  3275. ;// //
  3276. ;// SE_AUDITID_APP_QUERY_GROUP_CREATED //
  3277. ;// SE_AUDITID_APP_QUERY_GROUP_CHANGE //
  3278. ;// SE_AUDITID_APP_QUERY_GROUP_DELETED //
  3279. ;// //
  3280. ;// SE_AUDITID_GROUP_TYPE_CHANGE //
  3281. ;// //
  3282. ;// SE_AUDITID_ADD_SID_HISTORY //
  3283. ;// //
  3284. ;// SE_AUDITID_OTHER_ACCOUNT_CHANGE //
  3285. ;// SE_AUDITID_DOMAIN_POLICY_CHANGE //
  3286. ;// SE_AUDITID_ACCOUNT_AUTO_LOCKED //
  3287. ;// SE_AUDITID_ACCOUNT_UNLOCKED //
  3288. ;// SE_AUDITID_SECURE_ADMIN_GROUP //
  3289. ;// //
  3290. ;// SE_AUDITID_PASSWORD_POLICY_API_CALLED //
  3291. ;// //
  3292. ;// SE_AUDITID_DSRM_PASSWORD_SET //
  3293. ;/////////////////////////////////////////////////////////////////////////////
  3294. ;//
  3295. ;//
  3296. ;// SE_AUDITID_USER_CREATED
  3297. ;//
  3298. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3299. ;//
  3300. ;// Parameter Strings -
  3301. ;//
  3302. ;// 1 - name of new user account
  3303. ;//
  3304. ;// 2 - domain of new user account
  3305. ;//
  3306. ;// 3 - SID string of new user account
  3307. ;//
  3308. ;// 4 - User name of subject creating the user account
  3309. ;//
  3310. ;// 5 - Domain name of subject creating the user account
  3311. ;//
  3312. ;// 6 - Logon ID string of subject creating the user account
  3313. ;//
  3314. ;// 7 - Privileges used to create the user account
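  3315. ;// 8 through 25 - attributes of the new account, in the order labelled in the
  3316. ;// message text below (Sam Account Name through Logon Hours)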
  3317. MessageId=0x0270
  3318. SymbolicName=SE_AUDITID_USER_CREATED
  3319. Language=English
  3320. User Account Created:%n
  3321. %tNew Account Name:%t%1%n
  3322. %tNew Domain:%t%2%n
  3323. %tNew Account ID:%t%3%n
  3324. %tCaller User Name:%t%4%n
  3325. %tCaller Domain:%t%5%n
  3326. %tCaller Logon ID:%t%6%n
  3327. %tPrivileges%t%t%7%n
  3328. Attributes:%n
  3329. %tSam Account Name:%t%8%n
  3330. %tDisplay Name:%t%9%n
  3331. %tUser Principal Name:%t%10%n
  3332. %tHome Directory:%t%11%n
  3333. %tHome Drive:%t%12%n
  3334. %tScript Path:%t%13%n
  3335. %tProfile Path:%t%14%n
  3336. %tUser Workstations:%t%15%n
  3337. %tPassword Last Set:%t%16%n
  3338. %tAccount Expires:%t%17%n
  3339. %tPrimary Group ID:%t%18%n
  3340. %tAllowedToDelegateTo:%t%19%n
  3341. %tOld UAC Value:%t%20%n
  3342. %tNew UAC Value:%t%21%n
  3343. %tUser Account Control:%t%22%n
  3344. %tUser Parameters:%t%23%n
  3345. %tSid History:%t%24%n
  3346. %tLogon Hours:%t%25%n
  3347. .
  3348. ;//
  3349. ;//
  3350. ;// SE_AUDITID_ACCOUNT_TYPE_CHANGE
  3351. ;//
  3352. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3353. ;//
  3354. ;// MessageId 0x271 unused
  3355. ;//
  3356. ;//
  3357. ;//
  3358. ;// SE_AUDITID_USER_ENABLED
  3359. ;//
  3360. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3361. ;//
  3362. ;// Parameter Strings -
  3363. ;//
  3364. ;// 1 - name of target user account
  3365. ;//
  3366. ;// 2 - domain of target user account
  3367. ;//
  3368. ;// 3 - SID string of target user account
  3369. ;//
  3370. ;// 4 - User name of subject changing the user account
  3371. ;//
  3372. ;// 5 - Domain name of subject changing the user account
  3373. ;//
  3374. ;// 6 - Logon ID string of subject changing the user account
  3375. ;//
  3376. ;//
  3377. MessageId=0x0272
  3378. SymbolicName=SE_AUDITID_USER_ENABLED
  3379. Language=English
  3380. User Account Enabled:%n
  3381. %tTarget Account Name:%t%1%n
  3382. %tTarget Domain:%t%2%n
  3383. %tTarget Account ID:%t%3%n
  3384. %tCaller User Name:%t%4%n
  3385. %tCaller Domain:%t%5%n
  3386. %tCaller Logon ID:%t%6%n
  3387. .
  3388. ;//
  3389. ;//
  3390. ;// SE_AUDITID_USER_PWD_CHANGED
  3391. ;//
  3392. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3393. ;//
  3394. ;// Parameter Strings -
  3395. ;//
  3396. ;// 1 - name of target user account
  3397. ;//
  3398. ;// 2 - domain of target user account
  3399. ;//
  3400. ;// 3 - SID string of target user account
  3401. ;//
  3402. ;// 4 - User name of subject changing the user account
  3403. ;//
  3404. ;// 5 - Domain name of subject changing the user account
  3405. ;//
  3406. ;// 6 - Logon ID string of subject changing the user account
  3407. ;// 7 - Privileges (referenced as %7 in the message text below)
  3408. ;//
  3409. MessageId=0x0273
  3410. SymbolicName=SE_AUDITID_USER_PWD_CHANGED
  3411. Language=English
  3412. Change Password Attempt:%n
  3413. %tTarget Account Name:%t%1%n
  3414. %tTarget Domain:%t%2%n
  3415. %tTarget Account ID:%t%3%n
  3416. %tCaller User Name:%t%4%n
  3417. %tCaller Domain:%t%5%n
  3418. %tCaller Logon ID:%t%6%n
  3419. %tPrivileges:%t%7%n
  3420. .
  3421. ;//
  3422. ;//
  3423. ;// SE_AUDITID_USER_PWD_SET
  3424. ;//
  3425. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3426. ;//
  3427. ;// Parameter Strings -
  3428. ;//
  3429. ;// 1 - name of target user account
  3430. ;//
  3431. ;// 2 - domain of target user account
  3432. ;//
  3433. ;// 3 - SID string of target user account
  3434. ;//
  3435. ;// 4 - User name of subject changing the user account
  3436. ;//
  3437. ;// 5 - Domain name of subject changing the user account
  3438. ;//
  3439. ;// 6 - Logon ID string of subject changing the user account
  3440. ;//
  3441. ;//
  3442. MessageId=0x0274
  3443. SymbolicName=SE_AUDITID_USER_PWD_SET
  3444. Language=English
  3445. User Account password set:%n
  3446. %tTarget Account Name:%t%1%n
  3447. %tTarget Domain:%t%2%n
  3448. %tTarget Account ID:%t%3%n
  3449. %tCaller User Name:%t%4%n
  3450. %tCaller Domain:%t%5%n
  3451. %tCaller Logon ID:%t%6%n
  3452. .
  3453. ;//
  3454. ;//
  3455. ;// SE_AUDITID_USER_DISABLED
  3456. ;//
  3457. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3458. ;//
  3459. ;// Parameter Strings -
  3460. ;//
  3461. ;// 1 - name of target user account
  3462. ;//
  3463. ;// 2 - domain of target user account
  3464. ;//
  3465. ;// 3 - SID string of target user account
  3466. ;//
  3467. ;// 4 - User name of subject changing the user account
  3468. ;//
  3469. ;// 5 - Domain name of subject changing the user account
  3470. ;//
  3471. ;// 6 - Logon ID string of subject changing the user account
  3472. ;//
  3473. ;//
  3474. MessageId=0x0275
  3475. SymbolicName=SE_AUDITID_USER_DISABLED
  3476. Language=English
  3477. User Account Disabled:%n
  3478. %tTarget Account Name:%t%1%n
  3479. %tTarget Domain:%t%2%n
  3480. %tTarget Account ID:%t%3%n
  3481. %tCaller User Name:%t%4%n
  3482. %tCaller Domain:%t%5%n
  3483. %tCaller Logon ID:%t%6%n
  3484. .
  3485. ;//
  3486. ;//
  3487. ;// SE_AUDITID_USER_DELETED
  3488. ;//
  3489. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3490. ;//
  3491. ;// Parameter Strings -
  3492. ;//
  3493. ;// 1 - name of target account
  3494. ;//
  3495. ;// 2 - domain of target account
  3496. ;//
  3497. ;// 3 - SID string of target account
  3498. ;//
  3499. ;// 4 - User name of subject changing the account
  3500. ;//
  3501. ;// 5 - Domain name of subject changing the account
  3502. ;//
  3503. ;// 6 - Logon ID string of subject changing the account
  3504. ;// 7 - Privileges (referenced as %7 in the message text below)
  3505. ;//
  3506. MessageId=0x0276
  3507. SymbolicName=SE_AUDITID_USER_DELETED
  3508. Language=English
  3509. User Account Deleted:%n
  3510. %tTarget Account Name:%t%1%n
  3511. %tTarget Domain:%t%2%n
  3512. %tTarget Account ID:%t%3%n
  3513. %tCaller User Name:%t%4%n
  3514. %tCaller Domain:%t%5%n
  3515. %tCaller Logon ID:%t%6%n
  3516. %tPrivileges:%t%7%n
  3517. .
  3518. ;//
  3519. ;//
  3520. ;// SE_AUDITID_GLOBAL_GROUP_CREATED
  3521. ;//
  3522. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3523. ;//
  3524. ;// Parameter Strings -
  3525. ;//
  3526. ;// 1 - name of new group account
  3527. ;//
  3528. ;// 2 - domain of new group account
  3529. ;//
  3530. ;// 3 - SID string of new group account
  3531. ;//
  3532. ;// 4 - User name of subject creating the account
  3533. ;//
  3534. ;// 5 - Domain name of subject creating the account
  3535. ;//
  3536. ;// 6 - Logon ID string of subject creating the account
  3537. ;//
  3538. ;//
  3539. MessageId=0x0277
  3540. SymbolicName=SE_AUDITID_GLOBAL_GROUP_CREATED
  3541. Language=English
  3542. Security Enabled Global Group Created:%n
  3543. %tNew Account Name:%t%1%n
  3544. %tNew Domain:%t%2%n
  3545. %tNew Account ID:%t%3%n
  3546. %tCaller User Name:%t%4%n
  3547. %tCaller Domain:%t%5%n
  3548. %tCaller Logon ID:%t%6%n
  3549. %tPrivileges:%t%7%n
  3550. Attributes:%n
  3551. %tSam Account Name:%t%8%n
  3552. %tSid History:%t%9%n
  3553. .
  3554. ;//
  3555. ;//
  3556. ;// SE_AUDITID_GLOBAL_GROUP_ADD
  3557. ;//
  3558. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3559. ;//
  3560. ;// Parameter Strings -
  3561. ;//
  3562. ;// 1 - SID string of member being added
  3563. ;//
  3564. ;// 2 - name of target account
  3565. ;//
  3566. ;// 3 - domain of target account
  3567. ;//
  3568. ;// 4 - SID string of target account
  3569. ;//
  3570. ;// 5 - User name of subject changing the account
  3571. ;//
  3572. ;// 6 - Domain name of subject changing the account
  3573. ;//
  3574. ;// 7 - Logon ID string of subject changing the account
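  3575. ;// NOTE(review): the message text below reads %1 as Member Name and %2 as Member ID, then target, caller and Privileges in %3-%9.
  3576. ;// The list above is one position behind that layout; anything indexing these strings should follow the message text - confirm against the caller.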
  3577. MessageId=0x0278
  3578. SymbolicName=SE_AUDITID_GLOBAL_GROUP_ADD
  3579. Language=English
  3580. Security Enabled Global Group Member Added:%n
  3581. %tMember Name:%t%1%n
  3582. %tMember ID:%t%2%n
  3583. %tTarget Account Name:%t%3%n
  3584. %tTarget Domain:%t%4%n
  3585. %tTarget Account ID:%t%5%n
  3586. %tCaller User Name:%t%6%n
  3587. %tCaller Domain:%t%7%n
  3588. %tCaller Logon ID:%t%8%n
  3589. %tPrivileges:%t%9%n
  3590. .
  3591. ;//
  3592. ;//
  3593. ;// SE_AUDITID_GLOBAL_GROUP_REM
  3594. ;//
  3595. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3596. ;//
  3597. ;// Parameter Strings -
  3598. ;//
  3599. ;// 1 - SID string of member being removed
  3600. ;//
  3601. ;// 2 - name of target account
  3602. ;//
  3603. ;// 3 - domain of target account
  3604. ;//
  3605. ;// 4 - SID string of target account
  3606. ;//
  3607. ;// 5 - User name of subject changing the account
  3608. ;//
  3609. ;// 6 - Domain name of subject changing the account
  3610. ;//
  3611. ;// 7 - Logon ID string of subject changing the account
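  3612. ;// NOTE(review): the message text below reads %1 as Member Name and %2 as Member ID, then target, caller and Privileges in %3-%9.
  3613. ;// The list above is one position behind that layout; anything indexing these strings should follow the message text - confirm against the caller.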
  3614. MessageId=0x0279
  3615. SymbolicName=SE_AUDITID_GLOBAL_GROUP_REM
  3616. Language=English
  3617. Security Enabled Global Group Member Removed:%n
  3618. %tMember Name:%t%1%n
  3619. %tMember ID:%t%2%n
  3620. %tTarget Account Name:%t%3%n
  3621. %tTarget Domain:%t%4%n
  3622. %tTarget Account ID:%t%5%n
  3623. %tCaller User Name:%t%6%n
  3624. %tCaller Domain:%t%7%n
  3625. %tCaller Logon ID:%t%8%n
  3626. %tPrivileges:%t%9%n
  3627. .
  3628. ;//
  3629. ;//
  3630. ;// SE_AUDITID_GLOBAL_GROUP_DELETED
  3631. ;//
  3632. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3633. ;//
  3634. ;// Parameter Strings -
  3635. ;//
  3636. ;// 1 - name of target account
  3637. ;//
  3638. ;// 2 - domain of target account
  3639. ;//
  3640. ;// 3 - SID string of target account
  3641. ;//
  3642. ;// 4 - User name of subject changing the account
  3643. ;//
  3644. ;// 5 - Domain name of subject changing the account
  3645. ;//
  3646. ;// 6 - Logon ID string of subject changing the account
  3647. ;//
  3648. ;//
  3649. MessageId=0x027A
  3650. SymbolicName=SE_AUDITID_GLOBAL_GROUP_DELETED
  3651. Language=English
  3652. Security Enabled Global Group Deleted:%n
  3653. %tTarget Account Name:%t%1%n
  3654. %tTarget Domain:%t%2%n
  3655. %tTarget Account ID:%t%3%n
  3656. %tCaller User Name:%t%4%n
  3657. %tCaller Domain:%t%5%n
  3658. %tCaller Logon ID:%t%6%n
  3659. %tPrivileges:%t%7%n
  3660. .
  3661. ;//
  3662. ;//
  3663. ;// SE_AUDITID_LOCAL_GROUP_CREATED
  3664. ;//
  3665. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3666. ;//
  3667. ;// Parameter Strings -
  3668. ;//
  3669. ;// 1 - name of new group account
  3670. ;//
  3671. ;// 2 - domain of new group account
  3672. ;//
  3673. ;// 3 - SID string of new group account
  3674. ;//
  3675. ;// 4 - User name of subject creating the account
  3676. ;//
  3677. ;// 5 - Domain name of subject creating the account
  3678. ;//
  3679. ;// 6 - Logon ID string of subject creating the account
  3680. ;//
  3681. ;//
  3682. MessageId=0x027B
  3683. SymbolicName=SE_AUDITID_LOCAL_GROUP_CREATED
  3684. Language=English
  3685. Security Enabled Local Group Created:%n
  3686. %tNew Account Name:%t%1%n
  3687. %tNew Domain:%t%2%n
  3688. %tNew Account ID:%t%3%n
  3689. %tCaller User Name:%t%4%n
  3690. %tCaller Domain:%t%5%n
  3691. %tCaller Logon ID:%t%6%n
  3692. %tPrivileges:%t%7%n
  3693. Attributes:%n
  3694. %tSam Account Name:%t%8%n
  3695. %tSid History:%t%9%n
  3696. .
  3697. ;//
  3698. ;//
  3699. ;// SE_AUDITID_LOCAL_GROUP_ADD
  3700. ;//
  3701. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3702. ;//
  3703. ;// Parameter Strings -
  3704. ;//
  3705. ;// 1 - SID string of member being added
  3706. ;//
  3707. ;// 2 - name of target account
  3708. ;//
  3709. ;// 3 - domain of target account
  3710. ;//
  3711. ;// 4 - SID string of target account
  3712. ;//
  3713. ;// 5 - User name of subject changing the account
  3714. ;//
  3715. ;// 6 - Domain name of subject changing the account
  3716. ;//
  3717. ;// 7 - Logon ID string of subject changing the account
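  3718. ;// NOTE(review): the message text below reads %1 as Member Name and %2 as Member ID, then target, caller and Privileges in %3-%9.
  3719. ;// The list above is one position behind that layout; anything indexing these strings should follow the message text - confirm against the caller.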
  3720. MessageId=0x027C
  3721. SymbolicName=SE_AUDITID_LOCAL_GROUP_ADD
  3722. Language=English
  3723. Security Enabled Local Group Member Added:%n
  3724. %tMember Name:%t%1%n
  3725. %tMember ID:%t%2%n
  3726. %tTarget Account Name:%t%3%n
  3727. %tTarget Domain:%t%4%n
  3728. %tTarget Account ID:%t%5%n
  3729. %tCaller User Name:%t%6%n
  3730. %tCaller Domain:%t%7%n
  3731. %tCaller Logon ID:%t%8%n
  3732. %tPrivileges:%t%9%n
  3733. .
  3734. ;//
  3735. ;//
  3736. ;// SE_AUDITID_LOCAL_GROUP_REM
  3737. ;//
  3738. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3739. ;//
  3740. ;// Parameter Strings -
  3741. ;//
  3742. ;// 1 - SID string of member being removed
  3743. ;//
  3744. ;// 2 - name of target account
  3745. ;//
  3746. ;// 3 - domain of target account
  3747. ;//
  3748. ;// 4 - SID string of target account
  3749. ;//
  3750. ;// 5 - User name of subject changing the account
  3751. ;//
  3752. ;// 6 - Domain name of subject changing the account
  3753. ;//
  3754. ;// 7 - Logon ID string of subject changing the account
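  3755. ;// NOTE(review): the message text below reads %1 as Member Name and %2 as Member ID, then target, caller and Privileges in %3-%9.
  3756. ;// The list above is one position behind that layout; anything indexing these strings should follow the message text - confirm against the caller.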
  3757. MessageId=0x027D
  3758. SymbolicName=SE_AUDITID_LOCAL_GROUP_REM
  3759. Language=English
  3760. Security Enabled Local Group Member Removed:%n
  3761. %tMember Name:%t%1%n
  3762. %tMember ID:%t%2%n
  3763. %tTarget Account Name:%t%3%n
  3764. %tTarget Domain:%t%4%n
  3765. %tTarget Account ID:%t%5%n
  3766. %tCaller User Name:%t%6%n
  3767. %tCaller Domain:%t%7%n
  3768. %tCaller Logon ID:%t%8%n
  3769. %tPrivileges:%t%9%n
  3770. .
  3771. ;//
  3772. ;//
  3773. ;// SE_AUDITID_LOCAL_GROUP_DELETED
  3774. ;//
  3775. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3776. ;//
  3777. ;// Parameter Strings -
  3778. ;//
  3779. ;// 1 - name of target account
  3780. ;//
  3781. ;// 2 - domain of target account
  3782. ;//
  3783. ;// 3 - SID string of target account
  3784. ;//
  3785. ;// 4 - User name of subject changing the account
  3786. ;//
  3787. ;// 5 - Domain name of subject changing the account
  3788. ;//
  3789. ;// 6 - Logon ID string of subject changing the account
  3790. ;//
  3791. ;//
  3792. MessageId=0x027E
  3793. SymbolicName=SE_AUDITID_LOCAL_GROUP_DELETED
  3794. Language=English
  3795. Security Enabled Local Group Deleted:%n
  3796. %tTarget Account Name:%t%1%n
  3797. %tTarget Domain:%t%2%n
  3798. %tTarget Account ID:%t%3%n
  3799. %tCaller User Name:%t%4%n
  3800. %tCaller Domain:%t%5%n
  3801. %tCaller Logon ID:%t%6%n
  3802. %tPrivileges:%t%7%n
  3803. .
  3804. ;//
  3805. ;//
  3806. ;// SE_AUDITID_LOCAL_GROUP_CHANGE
  3807. ;//
  3808. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3809. ;//
  3810. ;// Parameter Strings -
  3811. ;//
  3812. ;// 1 - name of target account
  3813. ;//
  3814. ;// 2 - domain of target account
  3815. ;//
  3816. ;// 3 - SID string of target account
  3817. ;//
  3818. ;// 4 - User name of subject changing the account
  3819. ;//
  3820. ;// 5 - Domain name of subject changing the account
  3821. ;//
  3822. ;// 6 - Logon ID string of subject changing the account
  3823. ;//
  3824. ;//
  3825. MessageId=0x027F
  3826. SymbolicName=SE_AUDITID_LOCAL_GROUP_CHANGE
  3827. Language=English
  3828. Security Enabled Local Group Changed:%n
  3829. %tTarget Account Name:%t%1%n
  3830. %tTarget Domain:%t%2%n
  3831. %tTarget Account ID:%t%3%n
  3832. %tCaller User Name:%t%4%n
  3833. %tCaller Domain:%t%5%n
  3834. %tCaller Logon ID:%t%6%n
  3835. %tPrivileges:%t%7%n
  3836. Changed Attributes:%n
  3837. %tSam Account Name:%t%8%n
  3838. %tSid History:%t%9%n
  3839. .
  3840. ;//
  3841. ;//
  3842. ;// SE_AUDITID_OTHER_ACCOUNT_CHANGE
  3843. ;//
  3844. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3845. ;//
  3846. ;// Parameter Strings -
  3847. ;//
  3848. ;// 1 - Type of change (sigh, this isn't localizable)
  3849. ;//
  3850. ;// 2 - Type of changed object
  3851. ;//
  3852. ;// 3 - SID string (of changed object)
  3853. ;//
  3854. ;// 4 - User name of subject changing the account
  3855. ;//
  3856. ;// 5 - Domain name of subject changing the account
  3857. ;//
  3858. ;// 6 - Logon ID string of subject changing the account
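  3859. ;// NOTE(review): the message text below inserts Object Name as %3, so Object ID is %4 and the caller fields are %5-%7.
  3860. ;// Entries 3-6 in the list above are one position behind that layout - confirm against the caller.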
  3861. MessageId=0x0280
  3862. SymbolicName=SE_AUDITID_OTHER_ACCOUNT_CHANGE
  3863. Language=English
  3864. General Account Database Change:%n
  3865. %tType of change:%t%1%n
  3866. %tObject Type:%t%2%n
  3867. %tObject Name:%t%3%n
  3868. %tObject ID:%t%4%n
  3869. %tCaller User Name:%t%5%n
  3870. %tCaller Domain:%t%6%n
  3871. %tCaller Logon ID:%t%7%n
  3872. .
  3873. ;//
  3874. ;//
  3875. ;// SE_AUDITID_GLOBAL_GROUP_CHANGE
  3876. ;//
  3877. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3878. ;//
  3879. ;// Parameter Strings -
  3880. ;//
  3881. ;// 1 - name of target account
  3882. ;//
  3883. ;// 2 - domain of target account
  3884. ;//
  3885. ;// 3 - SID string of target account
  3886. ;//
  3887. ;// 4 - User name of subject changing the account
  3888. ;//
  3889. ;// 5 - Domain name of subject changing the account
  3890. ;//
  3891. ;// 6 - Logon ID string of subject changing the account
  3892. ;//
  3893. ;//
  3894. MessageId=0x0281
  3895. SymbolicName=SE_AUDITID_GLOBAL_GROUP_CHANGE
  3896. Language=English
  3897. Security Enabled Global Group Changed:%n
  3898. %tTarget Account Name:%t%1%n
  3899. %tTarget Domain:%t%2%n
  3900. %tTarget Account ID:%t%3%n
  3901. %tCaller User Name:%t%4%n
  3902. %tCaller Domain:%t%5%n
  3903. %tCaller Logon ID:%t%6%n
  3904. %tPrivileges:%t%7%n
  3905. Changed Attributes:%n
  3906. %tSam Account Name:%t%8%n
  3907. %tSid History:%t%9%n
  3908. .
  3909. ;//
  3910. ;//
  3911. ;// SE_AUDITID_USER_CHANGE
  3912. ;//
  3913. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3914. ;//
  3915. ;// Parameter Strings -
  3916. ;//
  3917. ;// 1 - name of target user account
  3918. ;//
  3919. ;// 2 - domain of target user account
  3920. ;//
  3921. ;// 3 - SID string of target user account
  3922. ;//
  3923. ;// 4 - User name of subject changing the user account
  3924. ;//
  3925. ;// 5 - Domain name of subject changing the user account
  3926. ;//
  3927. ;// 6 - Logon ID string of subject changing the user account
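  3928. ;// NOTE(review): the message text below does not reference %1; Target Account Name is %2, the caller fields are %5-%7, Privileges is %8
  3929. ;// and the changed attributes are %9-%26. The list above is one position behind that layout - confirm against the caller.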
  3930. MessageId=0x0282
  3931. SymbolicName=SE_AUDITID_USER_CHANGE
  3932. Language=English
  3933. User Account Changed:%n
  3934. %tTarget Account Name:%t%2%n
  3935. %tTarget Domain:%t%3%n
  3936. %tTarget Account ID:%t%4%n
  3937. %tCaller User Name:%t%5%n
  3938. %tCaller Domain:%t%6%n
  3939. %tCaller Logon ID:%t%7%n
  3940. %tPrivileges:%t%8%n
  3941. Changed Attributes:%n
  3942. %tSam Account Name:%t%9%n
  3943. %tDisplay Name:%t%10%n
  3944. %tUser Principal Name:%t%11%n
  3945. %tHome Directory:%t%12%n
  3946. %tHome Drive:%t%13%n
  3947. %tScript Path:%t%14%n
  3948. %tProfile Path:%t%15%n
  3949. %tUser Workstations:%t%16%n
  3950. %tPassword Last Set:%t%17%n
  3951. %tAccount Expires:%t%18%n
  3952. %tPrimary Group ID:%t%19%n
  3953. %tAllowedToDelegateTo:%t%20%n
  3954. %tOld UAC Value:%t%21%n
  3955. %tNew UAC Value:%t%22%n
  3956. %tUser Account Control:%t%23%n
  3957. %tUser Parameters:%t%24%n
  3958. %tSid History:%t%25%n
  3959. %tLogon Hours:%t%26%n
  3960. .
  3961. ;//
  3962. ;//
  3963. ;// SE_AUDITID_DOMAIN_POLICY_CHANGE
  3964. ;//
  3965. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  3966. ;//
  3967. ;// Parameter Strings -
  3968. ;//
  3969. ;// 1 - (unused)
  3970. ;//
  3971. ;// 2 - domain of target user account
  3972. ;//
  3973. ;// 3 - SID string of target user account
  3974. ;//
  3975. ;// 4 - User name of subject changing the user account
  3976. ;//
  3977. ;// 5 - Domain name of subject changing the user account
  3978. ;//
  3979. ;// 6 - Logon ID string of subject changing the user account
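  3980. ;// NOTE(review): the message text below does reference %1 (first line, "%1 modified") and labels %2 and %3 as Domain Name and Domain ID.
  3981. ;// %7 (Privileges) and the changed policy attributes %8-%20 are not listed above - confirm against the caller.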
  3982. MessageId=0x0283
  3983. SymbolicName=SE_AUDITID_DOMAIN_POLICY_CHANGE
  3984. Language=English
  3985. Domain Policy Changed: %1 modified%n
  3986. %tDomain Name:%t%t%2%n
  3987. %tDomain ID:%t%3%n
  3988. %tCaller User Name:%t%4%n
  3989. %tCaller Domain:%t%5%n
  3990. %tCaller Logon ID:%t%6%n
  3991. %tPrivileges:%t%7%n
  3992. Changed Attributes:%n
  3993. %tMin. Password Age:%t%8%n
  3994. %tMax. Password Age:%t%9%n
  3995. %tForce Logoff:%t%10%n
  3996. %tLockout Threshold:%t%11%n
  3997. %tLockout Observation Window:%t%12%n
  3998. %tLockout Duration:%t%13%n
  3999. %tPassword Properties:%t%14%n
  4000. %tMin. Password Length:%t%15%n
  4001. %tPassword History Length:%t%16%n
  4002. %tMachine Account Quota:%t%17%n
  4003. %tMixed Domain Mode:%t%18%n
  4004. %tDomain Behavior Version:%t%19%n
  4005. %tOEM Information:%t%20%n
  4006. .
  4007. ;//
  4008. ;//
  4009. ;// SE_AUDITID_ACCOUNT_AUTO_LOCKED
  4010. ;//
  4011. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4012. ;//
  4013. ;// Type: success / failure
  4014. ;//
  4015. ;// Description: This event is generated when an account is auto locked. This happens
  4016. ;// when a user attempts to log in unsuccessfully multiple times. The exact
  4017. ;// number of times is specified by the administrator.
  4018. ;//
  4019. ;// Parameter Strings -
  4020. ;//
  4021. ;// 1 - name of target user account
  4022. ;//
  4023. ;// 2 - domain of target user account
  4024. ;//
  4025. ;// 3 - SID string of target user account
  4026. ;//
  4027. ;// 4 - User name of subject changing the user account
  4028. ;//
  4029. ;// 5 - Domain name of subject changing the user account
  4030. ;//
  4031. ;// 6 - Logon ID string of subject changing the user account
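  4032. ;// NOTE(review): the message text below labels %2 as Caller Machine Name and prints it after %3, while the list above calls
  4033. ;// parameter 2 the domain of the target account. Which one is accurate cannot be told from this file - confirm against the caller.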
  4034. MessageId=0x0284
  4035. SymbolicName=SE_AUDITID_ACCOUNT_AUTO_LOCKED
  4036. Language=English
  4037. User Account Locked Out:%n
  4038. %tTarget Account Name:%t%1%n
  4039. %tTarget Account ID:%t%3%n
  4040. %tCaller Machine Name:%t%2%n
  4041. %tCaller User Name:%t%4%n
  4042. %tCaller Domain:%t%5%n
  4043. %tCaller Logon ID:%t%6%n
  4044. .
  4045. ;//
  4046. ;//
  4047. ;// SE_AUDITID_COMPUTER_CREATED
  4048. ;//
  4049. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4050. ;//
  4051. ;// Parameter Strings -
  4052. ;//
  4053. ;// 1 - name of new computer account
  4054. ;//
  4055. ;// 2 - domain of new computer account
  4056. ;//
  4057. ;// 3 - SID string of new computer account
  4058. ;//
  4059. ;// 4 - User name of subject creating the computer account
  4060. ;//
  4061. ;// 5 - Domain name of subject creating the computer account
  4062. ;//
  4063. ;// 6 - Logon ID string of subject creating the computer account
  4064. ;//
  4065. ;// 7 - Privileges used to create the computer account
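  4066. ;// 8 through 27 - attributes of the new account, in the order labelled in the
  4067. ;// message text below (Sam Account Name through Service Principal Names)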
  4068. MessageId=0x0285
  4069. SymbolicName=SE_AUDITID_COMPUTER_CREATED
  4070. Language=English
  4071. Computer Account Created:%n
  4072. %tNew Account Name:%t%1%n
  4073. %tNew Domain:%t%2%n
  4074. %tNew Account ID:%t%3%n
  4075. %tCaller User Name:%t%4%n
  4076. %tCaller Domain:%t%5%n
  4077. %tCaller Logon ID:%t%6%n
  4078. %tPrivileges%t%t%7%n
  4079. Attributes:%n
  4080. %tSam Account Name:%t%8%n
  4081. %tDisplay Name:%t%9%n
  4082. %tUser Principal Name:%t%10%n
  4083. %tHome Directory:%t%11%n
  4084. %tHome Drive:%t%12%n
  4085. %tScript Path:%t%13%n
  4086. %tProfile Path:%t%14%n
  4087. %tUser Workstations:%t%15%n
  4088. %tPassword Last Set:%t%16%n
  4089. %tAccount Expires:%t%17%n
  4090. %tPrimary Group ID:%t%18%n
  4091. %tAllowedToDelegateTo:%t%19%n
  4092. %tOld UAC Value:%t%20%n
  4093. %tNew UAC Value:%t%21%n
  4094. %tUser Account Control:%t%22%n
  4095. %tUser Parameters:%t%23%n
  4096. %tSid History:%t%24%n
  4097. %tLogon Hours:%t%25%n
  4098. %tDNS Host Name:%t%26%n
  4099. %tService Principal Names:%t%27%n
  4100. .
  4101. ;//
  4102. ;//
  4103. ;// SE_AUDITID_COMPUTER_CHANGE
  4104. ;//
  4105. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4106. ;//
  4107. ;// Parameter Strings -
  4108. ;//
  4109. ;// 1 - name of target computer account
  4110. ;//
  4111. ;// 2 - domain of target computer account
  4112. ;//
  4113. ;// 3 - SID string of target computer account
  4114. ;//
  4115. ;// 4 - User name of subject changing the computer account
  4116. ;//
  4117. ;// 5 - Domain name of subject changing the computer account
  4118. ;//
  4119. ;// 6 - Logon ID string of subject changing the computer account
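  4120. ;// NOTE(review): the message text below prints %1 unlabelled on its own line; Target Account Name is %2, the caller fields are %5-%7,
  4121. ;// Privileges is %8 and the changed attributes are %9-%28. The list above is one position behind that layout - confirm against the caller.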
  4122. MessageId=0x0286
  4123. SymbolicName=SE_AUDITID_COMPUTER_CHANGE
  4124. Language=English
  4125. Computer Account Changed:%n
  4126. %t%1%n
  4127. %tTarget Account Name:%t%2%n
  4128. %tTarget Domain:%t%3%n
  4129. %tTarget Account ID:%t%4%n
  4130. %tCaller User Name:%t%5%n
  4131. %tCaller Domain:%t%6%n
  4132. %tCaller Logon ID:%t%7%n
  4133. %tPrivileges:%t%8%n
  4134. Changed Attributes:%n
  4135. %tSam Account Name:%t%9%n
  4136. %tDisplay Name:%t%10%n
  4137. %tUser Principal Name:%t%11%n
  4138. %tHome Directory:%t%12%n
  4139. %tHome Drive:%t%13%n
  4140. %tScript Path:%t%14%n
  4141. %tProfile Path:%t%15%n
  4142. %tUser Workstations:%t%16%n
  4143. %tPassword Last Set:%t%17%n
  4144. %tAccount Expires:%t%18%n
  4145. %tPrimary Group ID:%t%19%n
  4146. %tAllowedToDelegateTo:%t%20%n
  4147. %tOld UAC Value:%t%21%n
  4148. %tNew UAC Value:%t%22%n
  4149. %tUser Account Control:%t%23%n
  4150. %tUser Parameters:%t%24%n
  4151. %tSid History:%t%25%n
  4152. %tLogon Hours:%t%26%n
  4153. %tDNS Host Name:%t%27%n
  4154. %tService Principal Names:%t%28%n
  4155. .
  4156. ;//
  4157. ;//
  4158. ;// SE_AUDITID_COMPUTER_DELETED
  4159. ;//
  4160. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4161. ;//
  4162. ;// Parameter Strings -
  4163. ;//
  4164. ;// 1 - name of target account
  4165. ;//
  4166. ;// 2 - domain of target account
  4167. ;//
  4168. ;// 3 - SID string of target account
  4169. ;//
  4170. ;// 4 - User name of subject changing the account
  4171. ;//
  4172. ;// 5 - Domain name of subject changing the account
  4173. ;//
  4174. ;// 6 - Logon ID string of subject changing the account
  4175. ;//
  4176. ;//
  4177. MessageId=0x0287
  4178. SymbolicName=SE_AUDITID_COMPUTER_DELETED
  4179. Language=English
  4180. Computer Account Deleted:%n
  4181. %tTarget Account Name:%t%1%n
  4182. %tTarget Domain:%t%2%n
  4183. %tTarget Account ID:%t%3%n
  4184. %tCaller User Name:%t%4%n
  4185. %tCaller Domain:%t%5%n
  4186. %tCaller Logon ID:%t%6%n
  4187. %tPrivileges:%t%7%n
  4188. .
  4189. ;//
  4190. ;//
  4191. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
  4192. ;//
  4193. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4194. ;//
  4195. ;// Parameter Strings -
  4196. ;//
  4197. ;// 1 - name of target account
  4198. ;//
  4199. ;// 2 - domain of target account
  4200. ;//
  4201. ;// 3 - SID string of target account
  4202. ;//
  4203. ;// 4 - User name of subject changing the account
  4204. ;//
  4205. ;// 5 - Domain name of subject changing the account
  4206. ;//
  4207. ;// 6 - Logon ID string of subject changing the account
  4208. ;//
  4209. ;//
  4210. MessageId=0x0288
  4211. SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
  4212. Language=English
  4213. Security Disabled Local Group Created:%n
  4214. %tTarget Account Name:%t%1%n
  4215. %tTarget Domain:%t%2%n
  4216. %tTarget Account ID:%t%3%n
  4217. %tCaller User Name:%t%4%n
  4218. %tCaller Domain:%t%5%n
  4219. %tCaller Logon ID:%t%6%n
  4220. %tPrivileges:%t%7%n
  4221. Attributes:%n
  4222. %tSam Account Name:%t%8%n
  4223. %tSid History:%t%9%n
  4224. .
  4225. ;//
  4226. ;//
  4227. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
  4228. ;//
  4229. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4230. ;//
  4231. ;// Parameter Strings -
  4232. ;//
  4233. ;// 1 - name of target account
  4234. ;//
  4235. ;// 2 - domain of target account
  4236. ;//
  4237. ;// 3 - SID string of target account
  4238. ;//
  4239. ;// 4 - User name of subject changing the account
  4240. ;//
  4241. ;// 5 - Domain name of subject changing the account
  4242. ;//
  4243. ;// 6 - Logon ID string of subject changing the account
  4244. ;//
  4245. ;//
  4246. MessageId=0x0289
  4247. SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
  4248. Language=English
  4249. Security Disabled Local Group Changed:%n
  4250. %tTarget Account Name:%t%1%n
  4251. %tTarget Domain:%t%2%n
  4252. %tTarget Account ID:%t%3%n
  4253. %tCaller User Name:%t%4%n
  4254. %tCaller Domain:%t%5%n
  4255. %tCaller Logon ID:%t%6%n
  4256. %tPrivileges:%t%7%n
  4257. Changed Attributes:%n
  4258. %tSam Account Name:%t%8%n
  4259. %tSid History:%t%9%n
  4260. .
  4261. ;//
  4262. ;//
  4263. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
  4264. ;//
  4265. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4266. ;//
  4267. ;// Parameter Strings -
  4268. ;//
  4269. ;// 1 - SID string of member being added
  4270. ;//
  4271. ;// 2 - name of target account
  4272. ;//
  4273. ;// 3 - domain of target account
  4274. ;//
  4275. ;// 4 - SID string of target account
  4276. ;//
  4277. ;// 5 - User name of subject changing the account
  4278. ;//
  4279. ;// 6 - Domain name of subject changing the account
  4280. ;//
  4281. ;// 7 - Logon ID string of subject changing the account
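  4282. ;// NOTE(review): the message text below reads %1 as Member Name and %2 as Member ID, then target, caller and Privileges in %3-%9.
  4283. ;// The list above is one position behind that layout; anything indexing these strings should follow the message text - confirm against the caller.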
  4284. MessageId=0x028A
  4285. SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
  4286. Language=English
  4287. Security Disabled Local Group Member Added:%n
  4288. %tMember Name:%t%1%n
  4289. %tMember ID:%t%2%n
  4290. %tTarget Account Name:%t%3%n
  4291. %tTarget Domain:%t%4%n
  4292. %tTarget Account ID:%t%5%n
  4293. %tCaller User Name:%t%6%n
  4294. %tCaller Domain:%t%7%n
  4295. %tCaller Logon ID:%t%8%n
  4296. %tPrivileges:%t%9%n
  4297. .
  4298. ;//
  4299. ;//
  4300. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
  4301. ;//
  4302. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4303. ;//
  4304. ;// Parameter Strings -
  4305. ;//
  4306. ;// 1 - name of member being removed
  4307. ;//
  4308. ;// 2 - SID string of member being removed
  4309. ;//
  4310. ;// 3 - name of target account
  4311. ;// 4 - domain of target account
  4312. ;// 5 - SID string of target account
  4313. ;//
  4314. ;// 6 - User name of subject changing the account
  4315. ;// 7 - Domain name of subject changing the account
  4316. ;// 8 - Logon ID string of subject changing the account
  4317. ;//
  4318. ;// 9 - Privileges
  4319. ;//
  4320. ;//
  4321. MessageId=0x028B
  4322. SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
  4323. Language=English
  4324. Security Disabled Local Group Member Removed:%n
  4325. %tMember Name:%t%1%n
  4326. %tMember ID:%t%2%n
  4327. %tTarget Account Name:%t%3%n
  4328. %tTarget Domain:%t%4%n
  4329. %tTarget Account ID:%t%5%n
  4330. %tCaller User Name:%t%6%n
  4331. %tCaller Domain:%t%7%n
  4332. %tCaller Logon ID:%t%8%n
  4333. %tPrivileges:%t%9%n
  4334. .
  4335. ;//
  4336. ;//
  4337. ;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
  4338. ;//
  4339. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4340. ;//
  4341. ;// Parameter Strings -
  4342. ;//
  4343. ;// 1 - name of target account
  4344. ;//
  4345. ;// 2 - domain of target account
  4346. ;//
  4347. ;// 3 - SID string of target account
  4348. ;//
  4349. ;// 4 - User name of subject changing the account
  4350. ;//
  4351. ;// 5 - Domain name of subject changing the account
  4352. ;//
  4353. ;// 6 - Logon ID string of subject changing the account
  4354. ;// 7 - Privileges
  4355. ;//
  4356. MessageId=0x028C
  4357. SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
  4358. Language=English
  4359. Security Disabled Local Group Deleted:%n
  4360. %tTarget Account Name:%t%1%n
  4361. %tTarget Domain:%t%2%n
  4362. %tTarget Account ID:%t%3%n
  4363. %tCaller User Name:%t%4%n
  4364. %tCaller Domain:%t%5%n
  4365. %tCaller Logon ID:%t%6%n
  4366. %tPrivileges:%t%7%n
  4367. .
  4368. ;//
  4369. ;//
  4370. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
  4371. ;//
  4372. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4373. ;//
  4374. ;// Parameter Strings -
  4375. ;//
  4376. ;// 1 - name of new group account
  4377. ;// 2 - domain of new group account
  4378. ;// 3 - SID string of new group account
  4379. ;//
  4380. ;// 4 - User name of subject creating the account
  4381. ;// 5 - Domain name of subject creating the account
  4382. ;// 6 - Logon ID string of subject creating the account
  4383. ;//
  4384. ;// 7 - Privileges
  4385. ;// 8 - Sam Account Name attribute
  4386. ;// 9 - Sid History attribute
  4387. ;//
  4388. ;//
  4389. MessageId=0x028D
  4390. SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
  4391. Language=English
  4392. Security Disabled Global Group Created:%n
  4393. %tNew Account Name:%t%1%n
  4394. %tNew Domain:%t%2%n
  4395. %tNew Account ID:%t%3%n
  4396. %tCaller User Name:%t%4%n
  4397. %tCaller Domain:%t%5%n
  4398. %tCaller Logon ID:%t%6%n
  4399. %tPrivileges:%t%7%n
  4400. Attributes:%n
  4401. %tSam Account Name:%t%8%n
  4402. %tSid History:%t%9%n
  4403. .
  4404. ;//
  4405. ;//
  4406. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
  4407. ;//
  4408. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4409. ;//
  4410. ;// Parameter Strings -
  4411. ;//
  4412. ;// 1 - name of target account
  4413. ;// 2 - domain of target account
  4414. ;// 3 - SID string of target account
  4415. ;//
  4416. ;// 4 - User name of subject changing the account
  4417. ;// 5 - Domain name of subject changing the account
  4418. ;// 6 - Logon ID string of subject changing the account
  4419. ;//
  4420. ;// 7 - Privileges
  4421. ;// 8 - Sam Account Name attribute
  4422. ;// 9 - Sid History attribute
  4423. ;//
  4424. ;//
  4425. MessageId=0x028E
  4426. SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
  4427. Language=English
  4428. Security Disabled Global Group Changed:%n
  4429. %tTarget Account Name:%t%1%n
  4430. %tTarget Domain:%t%2%n
  4431. %tTarget Account ID:%t%3%n
  4432. %tCaller User Name:%t%4%n
  4433. %tCaller Domain:%t%5%n
  4434. %tCaller Logon ID:%t%6%n
  4435. %tPrivileges:%t%7%n
  4436. Changed Attributes:%n
  4437. %tSam Account Name:%t%8%n
  4438. %tSid History:%t%9%n
  4439. .
  4440. ;//
  4441. ;//
  4442. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
  4443. ;//
  4444. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4445. ;//
  4446. ;// Parameter Strings -
  4447. ;//
  4448. ;// 1 - name of member being added
  4449. ;//
  4450. ;// 2 - SID string of member being added
  4451. ;//
  4452. ;// 3 - name of target account
  4453. ;// 4 - domain of target account
  4454. ;// 5 - SID string of target account
  4455. ;//
  4456. ;// 6 - User name of subject changing the account
  4457. ;// 7 - Domain name of subject changing the account
  4458. ;// 8 - Logon ID string of subject changing the account
  4459. ;//
  4460. ;// 9 - Privileges
  4461. ;//
  4462. ;//
  4463. MessageId=0x028F
  4464. SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
  4465. Language=English
  4466. Security Disabled Global Group Member Added:%n
  4467. %tMember Name:%t%1%n
  4468. %tMember ID:%t%2%n
  4469. %tTarget Account Name:%t%3%n
  4470. %tTarget Domain:%t%4%n
  4471. %tTarget Account ID:%t%5%n
  4472. %tCaller User Name:%t%6%n
  4473. %tCaller Domain:%t%7%n
  4474. %tCaller Logon ID:%t%8%n
  4475. %tPrivileges:%t%9%n
  4476. .
  4477. ;//
  4478. ;//
  4479. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
  4480. ;//
  4481. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4482. ;//
  4483. ;// Parameter Strings -
  4484. ;//
  4485. ;// 1 - name of member being removed
  4486. ;//
  4487. ;// 2 - SID string of member being removed
  4488. ;//
  4489. ;// 3 - name of target account
  4490. ;// 4 - domain of target account
  4491. ;// 5 - SID string of target account
  4492. ;//
  4493. ;// 6 - User name of subject changing the account
  4494. ;// 7 - Domain name of subject changing the account
  4495. ;// 8 - Logon ID string of subject changing the account
  4496. ;//
  4497. ;// 9 - Privileges
  4498. ;//
  4499. ;//
  4500. MessageId=0x0290
  4501. SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
  4502. Language=English
  4503. Security Disabled Global Group Member Removed:%n
  4504. %tMember Name:%t%1%n
  4505. %tMember ID:%t%2%n
  4506. %tTarget Account Name:%t%3%n
  4507. %tTarget Domain:%t%4%n
  4508. %tTarget Account ID:%t%5%n
  4509. %tCaller User Name:%t%6%n
  4510. %tCaller Domain:%t%7%n
  4511. %tCaller Logon ID:%t%8%n
  4512. %tPrivileges:%t%9%n
  4513. .
  4514. ;//
  4515. ;//
  4516. ;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
  4517. ;//
  4518. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4519. ;//
  4520. ;// Parameter Strings -
  4521. ;//
  4522. ;// 1 - name of target account
  4523. ;//
  4524. ;// 2 - domain of target account
  4525. ;//
  4526. ;// 3 - SID string of target account
  4527. ;//
  4528. ;// 4 - User name of subject changing the account
  4529. ;//
  4530. ;// 5 - Domain name of subject changing the account
  4531. ;//
  4532. ;// 6 - Logon ID string of subject changing the account
  4533. ;// 7 - Privileges
  4534. ;//
  4535. MessageId=0x0291
  4536. SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
  4537. Language=English
  4538. Security Disabled Global Group Deleted:%n
  4539. %tTarget Account Name:%t%1%n
  4540. %tTarget Domain:%t%2%n
  4541. %tTarget Account ID:%t%3%n
  4542. %tCaller User Name:%t%4%n
  4543. %tCaller Domain:%t%5%n
  4544. %tCaller Logon ID:%t%6%n
  4545. %tPrivileges:%t%7%n
  4546. .
  4547. ;//
  4548. ;//
  4549. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
  4550. ;//
  4551. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4552. ;//
  4553. ;// Parameter Strings -
  4554. ;//
  4555. ;// 1 - name of new group account
  4556. ;// 2 - domain of new group account
  4557. ;// 3 - SID string of new group account
  4558. ;//
  4559. ;// 4 - User name of subject creating the account
  4560. ;// 5 - Domain name of subject creating the account
  4561. ;// 6 - Logon ID string of subject creating the account
  4562. ;//
  4563. ;// 7 - Privileges
  4564. ;// 8 - Sam Account Name attribute
  4565. ;// 9 - Sid History attribute
  4566. ;//
  4567. ;//
  4568. MessageId=0x0292
  4569. SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
  4570. Language=English
  4571. Security Enabled Universal Group Created:%n
  4572. %tNew Account Name:%t%1%n
  4573. %tNew Domain:%t%2%n
  4574. %tNew Account ID:%t%3%n
  4575. %tCaller User Name:%t%4%n
  4576. %tCaller Domain:%t%5%n
  4577. %tCaller Logon ID:%t%6%n
  4578. %tPrivileges:%t%7%n
  4579. Attributes:%n
  4580. %tSam Account Name:%t%8%n
  4581. %tSid History:%t%9%n
  4582. .
  4583. ;//
  4584. ;//
  4585. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
  4586. ;//
  4587. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4588. ;//
  4589. ;// Parameter Strings -
  4590. ;//
  4591. ;// 1 - name of target account
  4592. ;// 2 - domain of target account
  4593. ;// 3 - SID string of target account
  4594. ;//
  4595. ;// 4 - User name of subject changing the account
  4596. ;// 5 - Domain name of subject changing the account
  4597. ;// 6 - Logon ID string of subject changing the account
  4598. ;//
  4599. ;// 7 - Privileges
  4600. ;// 8 - Sam Account Name attribute
  4601. ;// 9 - Sid History attribute
  4602. ;//
  4603. ;//
  4604. MessageId=0x0293
  4605. SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
  4606. Language=English
  4607. Security Enabled Universal Group Changed:%n
  4608. %tTarget Account Name:%t%1%n
  4609. %tTarget Domain:%t%2%n
  4610. %tTarget Account ID:%t%3%n
  4611. %tCaller User Name:%t%4%n
  4612. %tCaller Domain:%t%5%n
  4613. %tCaller Logon ID:%t%6%n
  4614. %tPrivileges:%t%7%n
  4615. Changed Attributes:%n
  4616. %tSam Account Name:%t%8%n
  4617. %tSid History:%t%9%n
  4618. .
  4619. ;//
  4620. ;//
  4621. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
  4622. ;//
  4623. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4624. ;//
  4625. ;// Parameter Strings -
  4626. ;//
  4627. ;// 1 - name of member being added
  4628. ;//
  4629. ;// 2 - SID string of member being added
  4630. ;//
  4631. ;// 3 - name of target account
  4632. ;// 4 - domain of target account
  4633. ;// 5 - SID string of target account
  4634. ;//
  4635. ;// 6 - User name of subject changing the account
  4636. ;// 7 - Domain name of subject changing the account
  4637. ;// 8 - Logon ID string of subject changing the account
  4638. ;//
  4639. ;// 9 - Privileges
  4640. ;//
  4641. ;//
  4642. MessageId=0x0294
  4643. SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
  4644. Language=English
  4645. Security Enabled Universal Group Member Added:%n
  4646. %tMember Name:%t%1%n
  4647. %tMember ID:%t%2%n
  4648. %tTarget Account Name:%t%3%n
  4649. %tTarget Domain:%t%4%n
  4650. %tTarget Account ID:%t%5%n
  4651. %tCaller User Name:%t%6%n
  4652. %tCaller Domain:%t%7%n
  4653. %tCaller Logon ID:%t%8%n
  4654. %tPrivileges:%t%9%n
  4655. .
  4656. ;//
  4657. ;//
  4658. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
  4659. ;//
  4660. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4661. ;//
  4662. ;// Parameter Strings -
  4663. ;//
  4664. ;// 1 - name of member being removed
  4665. ;//
  4666. ;// 2 - SID string of member being removed
  4667. ;//
  4668. ;// 3 - name of target account
  4669. ;// 4 - domain of target account
  4670. ;// 5 - SID string of target account
  4671. ;//
  4672. ;// 6 - User name of subject changing the account
  4673. ;// 7 - Domain name of subject changing the account
  4674. ;// 8 - Logon ID string of subject changing the account
  4675. ;//
  4676. ;// 9 - Privileges
  4677. ;//
  4678. ;//
  4679. MessageId=0x0295
  4680. SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
  4681. Language=English
  4682. Security Enabled Universal Group Member Removed:%n
  4683. %tMember Name:%t%1%n
  4684. %tMember ID:%t%2%n
  4685. %tTarget Account Name:%t%3%n
  4686. %tTarget Domain:%t%4%n
  4687. %tTarget Account ID:%t%5%n
  4688. %tCaller User Name:%t%6%n
  4689. %tCaller Domain:%t%7%n
  4690. %tCaller Logon ID:%t%8%n
  4691. %tPrivileges:%t%9%n
  4692. .
  4693. ;//
  4694. ;//
  4695. ;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
  4696. ;//
  4697. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4698. ;//
  4699. ;// Parameter Strings -
  4700. ;//
  4701. ;// 1 - name of target account
  4702. ;//
  4703. ;// 2 - domain of target account
  4704. ;//
  4705. ;// 3 - SID string of target account
  4706. ;//
  4707. ;// 4 - User name of subject changing the account
  4708. ;//
  4709. ;// 5 - Domain name of subject changing the account
  4710. ;//
  4711. ;// 6 - Logon ID string of subject changing the account
  4712. ;// 7 - Privileges
  4713. ;//
  4714. MessageId=0x0296
  4715. SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
  4716. Language=English
  4717. Security Enabled Universal Group Deleted:%n
  4718. %tTarget Account Name:%t%1%n
  4719. %tTarget Domain:%t%2%n
  4720. %tTarget Account ID:%t%3%n
  4721. %tCaller User Name:%t%4%n
  4722. %tCaller Domain:%t%5%n
  4723. %tCaller Logon ID:%t%6%n
  4724. %tPrivileges:%t%7%n
  4725. .
  4726. ;//
  4727. ;//
  4728. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
  4729. ;//
  4730. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4731. ;//
  4732. ;// Parameter Strings -
  4733. ;//
  4734. ;// 1 - name of new group account
  4735. ;// 2 - domain of new group account
  4736. ;// 3 - SID string of new group account
  4737. ;//
  4738. ;// 4 - User name of subject creating the account
  4739. ;// 5 - Domain name of subject creating the account
  4740. ;// 6 - Logon ID string of subject creating the account
  4741. ;//
  4742. ;// 7 - Privileges
  4743. ;// 8 - Sam Account Name attribute
  4744. ;// 9 - Sid History attribute
  4745. ;//
  4746. ;//
  4747. MessageId=0x0297
  4748. SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
  4749. Language=English
  4750. Security Disabled Universal Group Created:%n
  4751. %tNew Account Name:%t%1%n
  4752. %tNew Domain:%t%2%n
  4753. %tNew Account ID:%t%3%n
  4754. %tCaller User Name:%t%4%n
  4755. %tCaller Domain:%t%5%n
  4756. %tCaller Logon ID:%t%6%n
  4757. %tPrivileges:%t%7%n
  4758. Attributes:%n
  4759. %tSam Account Name:%t%8%n
  4760. %tSid History:%t%9%n
  4761. .
  4762. ;//
  4763. ;//
  4764. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
  4765. ;//
  4766. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4767. ;//
  4768. ;// Parameter Strings -
  4769. ;//
  4770. ;// 1 - name of target account
  4771. ;// 2 - domain of target account
  4772. ;// 3 - SID string of target account
  4773. ;//
  4774. ;// 4 - User name of subject changing the account
  4775. ;// 5 - Domain name of subject changing the account
  4776. ;// 6 - Logon ID string of subject changing the account
  4777. ;//
  4778. ;// 7 - Privileges
  4779. ;// 8 - Sam Account Name attribute
  4780. ;// 9 - Sid History attribute
  4781. ;//
  4782. ;//
  4783. MessageId=0x0298
  4784. SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
  4785. Language=English
  4786. Security Disabled Universal Group Changed:%n
  4787. %tTarget Account Name:%t%1%n
  4788. %tTarget Domain:%t%2%n
  4789. %tTarget Account ID:%t%3%n
  4790. %tCaller User Name:%t%4%n
  4791. %tCaller Domain:%t%5%n
  4792. %tCaller Logon ID:%t%6%n
  4793. %tPrivileges:%t%7%n
  4794. Changed Attributes:%n
  4795. %tSam Account Name:%t%8%n
  4796. %tSid History:%t%9%n
  4797. .
  4798. ;//
  4799. ;//
  4800. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
  4801. ;//
  4802. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4803. ;//
  4804. ;// Parameter Strings -
  4805. ;//
  4806. ;// 1 - name of member being added
  4807. ;//
  4808. ;// 2 - SID string of member being added
  4809. ;//
  4810. ;// 3 - name of target account
  4811. ;// 4 - domain of target account
  4812. ;// 5 - SID string of target account
  4813. ;//
  4814. ;// 6 - User name of subject changing the account
  4815. ;// 7 - Domain name of subject changing the account
  4816. ;// 8 - Logon ID string of subject changing the account
  4817. ;//
  4818. ;// 9 - Privileges
  4819. ;//
  4820. ;//
  4821. MessageId=0x0299
  4822. SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
  4823. Language=English
  4824. Security Disabled Universal Group Member Added:%n
  4825. %tMember Name:%t%1%n
  4826. %tMember ID:%t%2%n
  4827. %tTarget Account Name:%t%3%n
  4828. %tTarget Domain:%t%4%n
  4829. %tTarget Account ID:%t%5%n
  4830. %tCaller User Name:%t%6%n
  4831. %tCaller Domain:%t%7%n
  4832. %tCaller Logon ID:%t%8%n
  4833. %tPrivileges:%t%9%n
  4834. .
  4835. ;//
  4836. ;//
  4837. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
  4838. ;//
  4839. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4840. ;//
  4841. ;// Parameter Strings -
  4842. ;//
  4843. ;// 1 - name of member being removed
  4844. ;//
  4845. ;// 2 - SID string of member being removed
  4846. ;//
  4847. ;// 3 - name of target account
  4848. ;// 4 - domain of target account
  4849. ;// 5 - SID string of target account
  4850. ;//
  4851. ;// 6 - User name of subject changing the account
  4852. ;// 7 - Domain name of subject changing the account
  4853. ;// 8 - Logon ID string of subject changing the account
  4854. ;//
  4855. ;// 9 - Privileges
  4856. ;//
  4857. ;//
  4858. MessageId=0x029A
  4859. SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
  4860. Language=English
  4861. Security Disabled Universal Group Member Removed:%n
  4862. %tMember Name:%t%1%n
  4863. %tMember ID:%t%2%n
  4864. %tTarget Account Name:%t%3%n
  4865. %tTarget Domain:%t%4%n
  4866. %tTarget Account ID:%t%5%n
  4867. %tCaller User Name:%t%6%n
  4868. %tCaller Domain:%t%7%n
  4869. %tCaller Logon ID:%t%8%n
  4870. %tPrivileges:%t%9%n
  4871. .
  4872. ;//
  4873. ;//
  4874. ;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
  4875. ;//
  4876. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4877. ;//
  4878. ;// Parameter Strings -
  4879. ;//
  4880. ;// 1 - name of target account
  4881. ;//
  4882. ;// 2 - domain of target account
  4883. ;//
  4884. ;// 3 - SID string of target account
  4885. ;//
  4886. ;// 4 - User name of subject changing the account
  4887. ;//
  4888. ;// 5 - Domain name of subject changing the account
  4889. ;//
  4890. ;// 6 - Logon ID string of subject changing the account
  4891. ;// 7 - Privileges
  4892. ;//
  4893. MessageId=0x029B
  4894. SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
  4895. Language=English
  4896. Security Disabled Universal Group Deleted:%n
  4897. %tTarget Account Name:%t%1%n
  4898. %tTarget Domain:%t%2%n
  4899. %tTarget Account ID:%t%3%n
  4900. %tCaller User Name:%t%4%n
  4901. %tCaller Domain:%t%5%n
  4902. %tCaller Logon ID:%t%6%n
  4903. %tPrivileges:%t%7%n
  4904. .
  4905. ;//
  4906. ;//
  4907. ;// SE_AUDITID_GROUP_TYPE_CHANGE
  4908. ;//
  4909. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4910. ;//
  4911. ;// Parameter Strings -
  4912. ;//
  4913. ;// 1 - nature of group type change
  4914. ;//
  4915. ;// 2 - name of target account
  4916. ;//
  4917. ;// 3 - domain of target account
  4918. ;//
  4919. ;// 4 - SID string of target account
  4920. ;//
  4921. ;// 5 - User name of subject changing the account
  4922. ;//
  4923. ;// 6 - Domain name of subject changing the account
  4924. ;//
  4925. ;// 7 - Logon ID string of subject changing the account
  4926. ;// 8 - Privileges
  4927. ;//
  4928. MessageId=0x029C
  4929. SymbolicName=SE_AUDITID_GROUP_TYPE_CHANGE
  4930. Language=English
  4931. Group Type Changed:%n
  4932. %t%1%n
  4933. %tTarget Account Name:%t%2%n
  4934. %tTarget Domain:%t%3%n
  4935. %tTarget Account ID:%t%4%n
  4936. %tCaller User Name:%t%5%n
  4937. %tCaller Domain:%t%6%n
  4938. %tCaller Logon ID:%t%7%n
  4939. %tPrivileges:%t%8%n
  4940. .
  4941. ;//
  4942. ;//
  4943. ;// SE_AUDITID_ADD_SID_HISTORY
  4944. ;//
  4945. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4946. ;//
  4947. ;// Parameter Strings -
  4948. ;//
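  4949. ;// Numbering follows the %1..%10 inserts of the message text below; the order of 1 and 2 is taken from its labels (confirm against the caller)
  4950. ;// 1 - Name of the source account (including domain name)
  4951. ;// 2 - SID string of the source account
  4952. ;// 3 - Name of the target account
  4953. ;// 4 - Domain of the target account
  4954. ;// 5 - SID String of the target account
  4955. ;// 6 - User name of subject changing the SID history
  4956. ;// 7 - Domain name of subject changing the SID history
  4957. ;// 8 - Logon ID string of subject changing the user account
  4958. ;// 9 - Privileges
  4959. ;// 10 - SidList
  4960. ;//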
  4961. ;//
  4962. MessageId=0x029D
  4963. SymbolicName=SE_AUDITID_ADD_SID_HISTORY
  4964. Language=English
  4965. Add SID History:%n
  4966. %tSource Account Name:%t%1%n
  4967. %tSource Account ID:%t%2%n
  4968. %tTarget Account Name:%t%3%n
  4969. %tTarget Domain:%t%4%n
  4970. %tTarget Account ID:%t%5%n
  4971. %tCaller User Name:%t%6%n
  4972. %tCaller Domain:%t%7%n
  4973. %tCaller Logon ID:%t%8%n
  4974. %tPrivileges:%t%9%n
  4975. %tSidList:%t%10%n
  4976. .
  4977. ;//
  4978. ;//
  4979. ;// SE_AUDITID_ADD_SID_HISTORY_FAILURE
  4980. ;//
  4981. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  4982. ;//
  4983. ;// Note:
  4984. ;// This event is obsolete. It is not generated by Whistler.
  4985. ;// It is retained in this file so that anybody viewing w2k events
  4986. ;// from a whistler machine can view them correctly.
  4987. ;//
  4988. ;//
  4989. ;//
  4990. MessageId=0x029E
  4991. SymbolicName=SE_AUDITID_ADD_SID_HISTORY_FAILURE
  4992. Language=English
  4993. Add SID History:%n
  4994. %tSource Account Name:%t%1%n
  4995. %tTarget Account Name:%t%2%n
  4996. %tTarget Domain:%t%3%n
  4997. %tTarget Account ID:%t%4%n
  4998. %tCaller User Name:%t%5%n
  4999. %tCaller Domain:%t%6%n
  5000. %tCaller Logon ID:%t%7%n
  5001. %tPrivileges:%t%8%n
  5002. .
  5003. ;//
  5004. ;//
  5005. ;// SE_AUDITID_ACCOUNT_UNLOCKED
  5006. ;//
  5007. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5008. ;//
  5009. ;// Parameter Strings -
  5010. ;//
  5011. ;// 1 - name of target user account
  5012. ;//
  5013. ;// 2 - domain of target user account
  5014. ;//
  5015. ;// 3 - SID string of target user account
  5016. ;//
  5017. ;// 4 - User name of subject changing the user account
  5018. ;//
  5019. ;// 5 - Domain name of subject changing the user account
  5020. ;//
  5021. ;// 6 - Logon ID string of subject changing the user account
  5022. ;//
  5023. ;//
  5024. MessageId=0x029F
  5025. SymbolicName=SE_AUDITID_ACCOUNT_UNLOCKED
  5026. Language=English
  5027. User Account Unlocked:%n
  5028. %tTarget Account Name:%t%1%n
  5029. %tTarget Domain:%t%t%2%n
  5030. %tTarget Account ID:%t%3%n
  5031. %tCaller User Name:%t%4%n
  5032. %tCaller Domain:%t%5%n
  5033. %tCaller Logon ID:%t%6%n
  5034. .
  5035. ;//
  5036. ;//
  5037. ;// SE_AUDITID_SECURE_ADMIN_GROUP
  5038. ;//
  5039. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5040. ;//
  5041. ;// Parameter Strings -
  5042. ;//
  5043. ;// 1 - (unused)
  5044. ;//
  5045. ;// 2 - domain of target user account
  5046. ;//
  5047. ;// 3 - SID string of target user account
  5048. ;//
  5049. ;// 4 - User name of subject changing the user account
  5050. ;//
  5051. ;// 5 - Domain name of subject changing the user account
  5052. ;//
  5053. ;// 6 - Logon ID string of subject changing the user account
  5054. ;//
  5055. ;// 7 - Privileges
  5056. ;//
  5057. MessageId=0x02AC
  5058. SymbolicName=SE_AUDITID_SECURE_ADMIN_GROUP
  5059. Language=English
  5060. Set ACLs of members in administrators groups:%n
  5061. %tTarget Account Name:%t%1%n
  5062. %tTarget Domain:%t%t%2%n
  5063. %tTarget Account ID:%t%3%n
  5064. %tCaller User Name:%t%4%n
  5065. %tCaller Domain:%t%5%n
  5066. %tCaller Logon ID:%t%6%n
  5067. %tPrivileges:%t%7%n
  5068. .
  5069. ;//
  5070. ;//
  5071. ;// SE_AUDITID_ACCOUNT_NAME_CHANGE
  5072. ;//
  5073. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5074. ;//
  5075. ;// Parameter Strings -
  5076. ;//
  5077. ;// 1 - old name of target account
  5078. ;// 2 - new name of target account
  5079. ;//
  5080. ;// 3 - domain of target account
  5081. ;// 4 - SID string of target account
  5082. ;//
  5083. ;// 5 - Account name of subject changing the account
  5084. ;// 6 - Domain name of subject changing the account
  5085. ;// 7 - Logon ID string of subject changing the account
  5086. ;//
  5087. ;// 8 - Privileges
  5088. ;//
  5089. ;//
  5090. ;//
  5091. MessageId=0x02AD
  5092. SymbolicName=SE_AUDITID_ACCOUNT_NAME_CHANGE
  5093. Language=English
  5094. Account Name Changed:%n
  5095. %tOld Account Name:%t%1%n
  5096. %tNew Account Name:%t%2%n
  5097. %tTarget Domain:%t%t%3%n
  5098. %tTarget Account ID:%t%4%n
  5099. %tCaller User Name:%t%5%n
  5100. %tCaller Domain:%t%6%n
  5101. %tCaller Logon ID:%t%7%n
  5102. %tPrivileges:%t%8%n
  5103. .
  5104. ;//
  5105. ;//
  5106. ;// SE_AUDITID_PASSWORD_HASH_ACCESS
  5107. ;//
  5108. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5109. ;//
  5110. ;// Event Type : success/failure
  5111. ;//
  5112. ;// Description:
  5113. ;// This event is generated when user password hashes are retrieved
  5114. ;// by the ADMT password filter DLL. This typically happens during
  5115. ;// ADMT password migration.
  5116. ;//
  5117. ;// Notes:
  5118. ;// To migrate passwords, a DLL (name?) gets loaded in lsass.exe as
  5119. ;// a password filter. This filter registers an RPC interface used by ADMT
  5120. ;// to request password migration. One SE_AUDITID_PASSWORD_HASH_ACCESS event
  5121. ;// is generated per password fetched.
  5122. ;//
  5123. ;//
  5124. MessageId=0x02AE
  5125. SymbolicName=SE_AUDITID_PASSWORD_HASH_ACCESS
  5126. Language=English
  5127. Password of the following user accessed:%n
  5128. %tTarget User Name:%t%1%n
  5129. %tTarget User Domain:%t%t%2%n
  5130. By user:%n
  5131. %tCaller User Name:%t%3%n
  5132. %tCaller Domain:%t%t%4%n
  5133. %tCaller Logon ID:%t%t%5%n
  5134. .
  5135. ;//
  5136. ;//
  5137. ;// SE_AUDITID_APP_BASIC_GROUP_CREATED
  5138. ;//
  5139. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5140. ;//
  5141. ;// Parameter Strings -
  5142. ;//
  5143. ;// 1 - name of new group account
  5144. ;// 2 - domain of new group account
  5145. ;// 3 - SID string of new group account
  5146. ;//
  5147. ;// 4 - User name of subject creating the account
  5148. ;// 5 - Domain name of subject creating the account
  5149. ;// 6 - Logon ID string of subject creating the account
  5150. ;//
  5151. ;// 7 - Privileges
  5152. ;// 8 - Sam Account Name attribute
  5153. ;// 9 - Sid History attribute
  5154. ;//
  5155. ;//
  5156. MessageId=0x02AF
  5157. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_CREATED
  5158. Language=English
  5159. Basic Application Group Created:%n
  5160. %tNew Account Name:%t%1%n
  5161. %tNew Domain:%t%2%n
  5162. %tNew Account ID:%t%3%n
  5163. %tCaller User Name:%t%4%n
  5164. %tCaller Domain:%t%5%n
  5165. %tCaller Logon ID:%t%6%n
  5166. %tPrivileges:%t%7%n
  5167. Attributes:%n
  5168. %tSam Account Name:%t%8%n
  5169. %tSid History:%t%9%n
  5170. .
  5171. ;//
  5172. ;//
  5173. ;// SE_AUDITID_APP_BASIC_GROUP_CHANGE
  5174. ;//
  5175. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5176. ;//
  5177. ;// Parameter Strings -
  5178. ;//
  5179. ;// 1 - name of group account
  5180. ;// 2 - domain of group account
  5181. ;// 3 - SID string of group account
  5182. ;//
  5183. ;// 4 - User name of subject changing the account
  5184. ;// 5 - Domain name of subject changing the account
  5185. ;// 6 - Logon ID string of subject changing the account
  5186. ;//
  5187. ;// 7 - Privileges
  5188. ;// 8 - Sam Account Name attribute
  5189. ;// 9 - Sid History attribute
  5190. ;//
  5191. ;//
  5192. MessageId=0x02B0
  5193. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_CHANGE
  5194. Language=English
  5195. Basic Application Group Changed:%n
  5196. %tNew Account Name:%t%1%n
  5197. %tNew Domain:%t%2%n
  5198. %tNew Account ID:%t%3%n
  5199. %tCaller User Name:%t%4%n
  5200. %tCaller Domain:%t%5%n
  5201. %tCaller Logon ID:%t%6%n
  5202. %tPrivileges:%t%7%n
  5203. Changed Attributes:%n
  5204. %tSam Account Name:%t%8%n
  5205. %tSid History:%t%9%n
  5206. .
  5207. ;//
  5208. ;//
  5209. ;// SE_AUDITID_APP_BASIC_GROUP_ADD
  5210. ;//
  5211. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5212. ;//
  5213. ;// Parameter Strings -
  5214. ;//
  5215. ;// 1 - name of member being added
  5216. ;//
  5217. ;// 2 - string SID of member being added
  5218. ;//
  5219. ;// 3 - name of target account
  5220. ;//
  5221. ;// 4 - domain of target account
  5222. ;//
  5223. ;// 5 - SID string of target account
  5224. ;//
  5225. ;// 6 - User name of subject changing the account
  5226. ;//
  5227. ;// 7 - Domain name of subject changing the account
  5228. ;//
  5229. ;// 8 - Logon ID string of subject changing the account
  5230. ;//
  5231. ;// 9 - Privileges
  5232. ;//
  5233. ;//
  5234. MessageId=0x02B1
  5235. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_ADD
  5236. Language=English
  5237. Basic Application Group Member Added:%n
  5238. %tMember Name:%t%1%n
  5239. %tMember ID:%t%2%n
  5240. %tTarget Account Name:%t%3%n
  5241. %tTarget Domain:%t%4%n
  5242. %tTarget Account ID:%t%5%n
  5243. %tCaller User Name:%t%6%n
  5244. %tCaller Domain:%t%7%n
  5245. %tCaller Logon ID:%t%8%n
  5246. %tPrivileges:%t%9%n
  5247. .
  5248. ;//
  5249. ;//
  5250. ;// SE_AUDITID_APP_BASIC_GROUP_REM
  5251. ;//
  5252. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5253. ;//
  5254. ;// Parameter Strings -
  5255. ;//
  5256. ;// 1 - name of member being removed
  5257. ;//
  5258. ;// 2 - string SID of member being removed
  5259. ;//
  5260. ;// 3 - name of target account
  5261. ;//
  5262. ;// 4 - domain of target account
  5263. ;//
  5264. ;// 5 - SID string of target account
  5265. ;//
  5266. ;// 6 - User name of subject changing the account
  5267. ;//
  5268. ;// 7 - Domain name of subject changing the account
  5269. ;//
  5270. ;// 8 - Logon ID string of subject changing the account
  5271. ;//
  5272. ;// 9 - Privileges
  5273. ;//
  5274. ;//
  5275. MessageId=0x02B2
  5276. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_REM
  5277. Language=English
  5278. Basic Application Group Member Removed:%n
  5279. %tMember Name:%t%1%n
  5280. %tMember ID:%t%2%n
  5281. %tTarget Account Name:%t%3%n
  5282. %tTarget Domain:%t%4%n
  5283. %tTarget Account ID:%t%5%n
  5284. %tCaller User Name:%t%6%n
  5285. %tCaller Domain:%t%7%n
  5286. %tCaller Logon ID:%t%8%n
  5287. %tPrivileges:%t%9%n
  5288. .
  5289. ;//
  5290. ;//
  5291. ;// SE_AUDITID_APP_BASIC_GROUP_NM_ADD
  5292. ;//
  5293. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5294. ;//
  5295. ;// Parameter Strings -
  5296. ;//
  5297. ;// 1 - name of non-member being added
  5298. ;//
  5299. ;// 2 - string SID of non-member being added
  5300. ;//
  5301. ;// 3 - name of target account
  5302. ;//
  5303. ;// 4 - domain of target account
  5304. ;//
  5305. ;// 5 - SID string of target account
  5306. ;//
  5307. ;// 6 - User name of subject changing the account
  5308. ;//
  5309. ;// 7 - Domain name of subject changing the account
  5310. ;//
  5311. ;// 8 - Logon ID string of subject changing the account
  5312. ;//
  5313. ;// 9 - Privileges
  5314. ;//
  5315. ;//
  5316. MessageId=0x02B3
  5317. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_NM_ADD
  5318. Language=English
  5319. Basic Application Group Non-Member Added:%n
  5320. %tMember Name:%t%1%n
  5321. %tMember ID:%t%2%n
  5322. %tTarget Account Name:%t%3%n
  5323. %tTarget Domain:%t%4%n
  5324. %tTarget Account ID:%t%5%n
  5325. %tCaller User Name:%t%6%n
  5326. %tCaller Domain:%t%7%n
  5327. %tCaller Logon ID:%t%8%n
  5328. %tPrivileges:%t%9%n
  5329. .
  5330. ;//
  5331. ;//
  5332. ;// SE_AUDITID_APP_BASIC_GROUP_NM_REM
  5333. ;//
  5334. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5335. ;//
  5336. ;// Parameter Strings -
  5337. ;//
  5338. ;// 1 - name of non-member being removed
  5339. ;//
  5340. ;// 2 - string SID of non-member being removed
  5341. ;//
  5342. ;// 3 - name of target account
  5343. ;//
  5344. ;// 4 - domain of target account
  5345. ;//
  5346. ;// 5 - SID string of target account
  5347. ;//
  5348. ;// 6 - User name of subject changing the account
  5349. ;//
  5350. ;// 7 - Domain name of subject changing the account
  5351. ;//
  5352. ;// 8 - Logon ID string of subject changing the account
  5353. ;//
  5354. ;// 9 - Privileges
  5355. ;//
  5356. ;//
  5357. MessageId=0x02B4
  5358. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_NM_REM
  5359. Language=English
  5360. Basic Application Group Non-Member Removed:%n
  5361. %tMember Name:%t%1%n
  5362. %tMember ID:%t%2%n
  5363. %tTarget Account Name:%t%3%n
  5364. %tTarget Domain:%t%4%n
  5365. %tTarget Account ID:%t%5%n
  5366. %tCaller User Name:%t%6%n
  5367. %tCaller Domain:%t%7%n
  5368. %tCaller Logon ID:%t%8%n
  5369. %tPrivileges:%t%9%n
  5370. .
  5371. ;//
  5372. ;//
  5373. ;// SE_AUDITID_APP_BASIC_GROUP_DELETED
  5374. ;//
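  5375. ;// Category: SE_AUDITID_APP_BASIC_GROUP_DELETED (NOTE(review): this repeats the event name where a SE_CATEGID_* value is expected; the adjacent 0x02B9 is documented as SE_CATEGID_ACCOUNT_MANAGEMENT - confirm)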
  5376. ;//
  5377. ;// Parameter Strings -
  5378. ;//
  5379. ;// 1 - name of target account
  5380. ;//
  5381. ;// 2 - domain of target account
  5382. ;//
  5383. ;// 3 - SID string of target account
  5384. ;//
  5385. ;// 4 - User name of subject changing the account
  5386. ;//
  5387. ;// 5 - Domain name of subject changing the account
  5388. ;//
  5389. ;// 6 - Logon ID string of subject changing the account
  5390. ;// 7 - Privileges (used as %7 in the message text below)
  5391. ;//
  5392. MessageId=0x02B5
  5393. SymbolicName=SE_AUDITID_APP_BASIC_GROUP_DELETED
  5394. Language=English
  5395. Basic Application Group Deleted:%n
  5396. %tTarget Account Name:%t%1%n
  5397. %tTarget Domain:%t%2%n
  5398. %tTarget Account ID:%t%3%n
  5399. %tCaller User Name:%t%4%n
  5400. %tCaller Domain:%t%5%n
  5401. %tCaller Logon ID:%t%6%n
  5402. %tPrivileges:%t%7%n
  5403. .
  5404. ;//
  5405. ;//
  5406. ;// SE_AUDITID_APP_QUERY_GROUP_CREATED
  5407. ;//
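  5408. ;// Category: SE_AUDITID_APP_QUERY_GROUP_CREATED (NOTE(review): this repeats the event name where a SE_CATEGID_* value is expected; the adjacent 0x02B9 is documented as SE_CATEGID_ACCOUNT_MANAGEMENT - confirm)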
  5409. ;//
  5410. ;// Parameter Strings -
  5411. ;//
  5412. ;// 1 - name of new group account
  5413. ;//
  5414. ;// 2 - domain of new group account
  5415. ;//
  5416. ;// 3 - SID string of new group account
  5417. ;//
  5418. ;// 4 - User name of subject creating the account
  5419. ;//
  5420. ;// 5 - Domain name of subject creating the account
  5421. ;//
  5422. ;// 6 - Logon ID string of subject creating the account
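  5423. ;// 7 - Privileges (used as %7 in the message text below)
  5424. ;// 8 - Sam Account Name, 9 - Sid History (used as %8 and %9 in the message text below)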
  5425. MessageId=0x02B6
  5426. SymbolicName=SE_AUDITID_APP_QUERY_GROUP_CREATED
  5427. Language=English
  5428. LDAP Query Group Created:%n
  5429. %tNew Account Name:%t%1%n
  5430. %tNew Domain:%t%2%n
  5431. %tNew Account ID:%t%3%n
  5432. %tCaller User Name:%t%4%n
  5433. %tCaller Domain:%t%5%n
  5434. %tCaller Logon ID:%t%6%n
  5435. %tPrivileges:%t%7%n
  5436. Attributes:%n
  5437. %tSam Account Name:%t%8%n
  5438. %tSid History:%t%9%n
  5439. .
  5440. ;//
  5441. ;//
  5442. ;// SE_AUDITID_APP_QUERY_GROUP_CHANGE
  5443. ;//
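  5444. ;// Category: SE_AUDITID_APP_QUERY_GROUP_CHANGE (NOTE(review): this repeats the event name where a SE_CATEGID_* value is expected; the adjacent 0x02B9 is documented as SE_CATEGID_ACCOUNT_MANAGEMENT - confirm)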
  5445. ;//
  5446. ;// Parameter Strings -
  5447. ;//
  5448. ;// 1 - name of group account
  5449. ;//
  5450. ;// 2 - domain of group account
  5451. ;//
  5452. ;// 3 - SID string of group account
  5453. ;//
  5454. ;// 4 - User name of subject changing the account
  5455. ;//
  5456. ;// 5 - Domain name of subject changing the account
  5457. ;//
  5458. ;// 6 - Logon ID string of subject changing the account
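  5459. ;// 7 - Privileges (used as %7 in the message text below)
  5460. ;// 8 - Sam Account Name, 9 - Sid History (changed attributes; used as %8 and %9 in the message text below)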
  5461. MessageId=0x02B7
  5462. SymbolicName=SE_AUDITID_APP_QUERY_GROUP_CHANGE
  5463. Language=English
  5464. LDAP Query Group Changed:%n
  5465. %tNew Account Name:%t%1%n
  5466. %tNew Domain:%t%2%n
  5467. %tNew Account ID:%t%3%n
  5468. %tCaller User Name:%t%4%n
  5469. %tCaller Domain:%t%5%n
  5470. %tCaller Logon ID:%t%6%n
  5471. %tPrivileges:%t%7%n
  5472. Changed Attributes:%n
  5473. %tSam Account Name:%t%8%n
  5474. %tSid History:%t%9%n
  5475. .
  5476. ;//
  5477. ;//
  5478. ;// SE_AUDITID_APP_QUERY_GROUP_DELETED
  5479. ;//
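  5480. ;// Category: SE_AUDITID_APP_QUERY_GROUP_DELETED (NOTE(review): this repeats the event name where a SE_CATEGID_* value is expected; the adjacent 0x02B9 is documented as SE_CATEGID_ACCOUNT_MANAGEMENT - confirm)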
  5481. ;//
  5482. ;// Parameter Strings -
  5483. ;//
  5484. ;// 1 - name of target account
  5485. ;//
  5486. ;// 2 - domain of target account
  5487. ;//
  5488. ;// 3 - SID string of target account
  5489. ;//
  5490. ;// 4 - User name of subject changing the account
  5491. ;//
  5492. ;// 5 - Domain name of subject changing the account
  5493. ;//
  5494. ;// 6 - Logon ID string of subject changing the account
  5495. ;// 7 - Privileges (used as %7 in the message text below)
  5496. ;//
  5497. MessageId=0x02B8
  5498. SymbolicName=SE_AUDITID_APP_QUERY_GROUP_DELETED
  5499. Language=English
  5500. LDAP Query Group Deleted:%n
  5501. %tTarget Account Name:%t%1%n
  5502. %tTarget Domain:%t%2%n
  5503. %tTarget Account ID:%t%3%n
  5504. %tCaller User Name:%t%4%n
  5505. %tCaller Domain:%t%5%n
  5506. %tCaller Logon ID:%t%6%n
  5507. %tPrivileges:%t%7%n
  5508. .
  5509. ;//
  5510. ;//
  5511. ;// SE_AUDITID_PASSWORD_POLICY_API_CALLED
  5512. ;//
  5513. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5514. ;//
  5515. ;// Parameter Strings -
  5516. ;//
  5517. ;// 1 - Name of the account making this call
  5518. ;// 2 - Domain of the account making this call
  5519. ;// 3 - Authentication ID of the logon session
  5520. ;// 4 - Caller Workstation IP
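  5521. ;// 5 - Target AccountName (caller-supplied; the message text labels it "unauthenticated", so log consumers should treat it as untrusted input)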
  5522. ;// 6 - Status Code
  5523. ;//
  5524. MessageId=0x02B9
  5525. SymbolicName=SE_AUDITID_PASSWORD_POLICY_API_CALLED
  5526. Language=English
  5527. Password Policy Checking API is called:%n
  5528. %tCaller Username:%t%1%n
  5529. %tCaller Domain:%t%2%n
  5530. %tCaller Logon ID:%t%3%n
  5531. %tCaller Workstation:%t%4%n
  5532. %tProvided User Name (unauthenticated):%t%5%n
  5533. %tStatus Code:%t%6%n
  5534. .
  5535. ;//
  5536. ;//
  5537. ;// SE_AUDITID_DSRM_PASSWORD_SET
  5538. ;//
  5539. ;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
  5540. ;//
  5541. ;// Parameter Strings -
  5542. ;//
  5543. ;// 1 - Name of the account making this call
  5544. ;// 2 - Domain of the account making this call
  5545. ;// 3 - Authentication ID of the logon session
  5546. ;// 4 - Caller Workstation IP
  5547. ;// 5 - Status code
  5548. ;//
  5549. MessageId=0x02BA
  5550. SymbolicName=SE_AUDITID_DSRM_PASSWORD_SET
  5551. Language=English
  5552. An attempt to set the Directory Services Restore Mode
  5553. administrator password has been made.%n
  5554. %tCaller Username:%t%1%n
  5555. %tCaller Domain:%t%2%n
  5556. %tCaller Logon ID:%t%3%n
  5557. %tCaller Workstation:%t%4%n
  5558. %tStatus Code:%t%5%n
  5559. .
  5560. ;
  5561. ;/////////////////////////////////////////////////////////////////////////////
  5562. ;// //
  5563. ;// //
  5564. ;// Messages for Category: SE_CATEGID_DS_ACCESS //
  5565. ;// //
  5566. ;// Event IDs: //
  5567. ;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED //
  5568. ;// SE_AUDITID_REPLICA_SOURCE_NC_REMOVED //
  5569. ;// SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED //
  5570. ;// SE_AUDITID_REPLICA_DEST_NC_MODIFIED //
  5571. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS //
  5572. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS //
  5573. ;// SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION //
  5574. ;// SE_AUDITID_REPLICA_FAILURE_EVENT_BEGIN //
  5575. ;// SE_AUDITID_REPLICA_FAILURE_EVENT_END //
  5576. ;// SE_AUDITID_REPLICA_LINGERING_OBJECT_REMOVAL //
  5577. ;// //
  5578. ;/////////////////////////////////////////////////////////////////////////////
  5579. ;//
  5580. ;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
  5581. ;//
  5582. ;// Category: SE_CATEGID_DS_ACCESS
  5583. ;//
  5584. ;// Event Type : success/failure
  5585. ;//
  5586. ;// Description:
  5587. ;// This is generated when a replication source reference has been added to
  5588. ;// a destination naming context establishing a replication partnership.
  5589. ;//
  5590. ;// Note:
  5591. ;// This event is always generated in the local system context.
  5592. ;//
  5593. MessageId=0x0340
  5594. SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
  5595. Language=English
  5596. %tDestination DRA:%t%1%n
  5597. %tSource DRA:%t%2%n
  5598. %tSource Addr:%t%3%n
  5599. %tNaming Context:%t%4%n
  5600. %tOptions:%t%5%n
  5601. %tStatus Code:%t%6%n
  5602. .
  5603. ;//
  5604. ;// SE_AUDITID_REPLICA_SOURCE_NC_REMOVED
  5605. ;//
  5606. ;// Category: SE_CATEGID_DS_ACCESS
  5607. ;//
  5608. ;// Event Type : success/failure
  5609. ;//
  5610. ;// Description:
  5611. ;// This is generated when a replication partnership between a source and
  5612. ;// the destination for a given naming context has been removed.
  5613. ;//
  5614. ;// Note:
  5615. ;// This event is always generated in the local system context.
  5616. ;//
  5617. MessageId=0x0341
  5618. SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_REMOVED
  5619. Language=English
  5620. %tDestination DRA:%t%1%n
  5621. %tSource DRA:%t%2%n
  5622. %tSource Addr:%t%3%n
  5623. %tNaming Context:%t%4%n
  5624. %tOptions:%t%5%n
  5625. %tStatus Code:%t%6%n
  5626. .
  5627. ;//
  5628. ;// SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED
  5629. ;//
  5630. ;// Category: SE_CATEGID_DS_ACCESS
  5631. ;//
  5632. ;// Event Type : success/failure
  5633. ;//
  5634. ;// Description:
  5635. ;// This is generated when a replication source associated with
  5636. ;// a destination naming context has been modified.
  5637. ;//
  5638. ;// Note:
  5639. ;// This event is always generated in the local system context.
  5640. ;//
  5641. MessageId=0x0342
  5642. SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED
  5643. Language=English
  5644. %tDestination DRA:%t%1%n
  5645. %tSource DRA:%t%2%n
  5646. %tSource Addr:%t%3%n
  5647. %tNaming Context:%t%4%n
  5648. %tOptions:%t%5%n
  5649. %tStatus Code:%t%6%n
  5650. .
  5651. ;//
  5652. ;// SE_AUDITID_REPLICA_DEST_NC_MODIFIED
  5653. ;//
  5654. ;// Category: SE_CATEGID_DS_ACCESS
  5655. ;//
  5656. ;// Event Type : success/failure
  5657. ;//
  5658. ;// Description:
  5659. ;// This is generated when a replication destination associated with
  5660. ;// a source naming context has been modified.
  5661. ;//
  5662. ;// Note:
  5663. ;// This event is always generated in the local system context.
  5664. ;//
  5665. MessageId=0x0343
  5666. SymbolicName=SE_AUDITID_REPLICA_DEST_NC_MODIFIED
  5667. Language=English
  5668. %tDestination DRA:%t%1%n
  5669. %tSource DRA:%t%2%n
  5670. %tDest. Addr:%t%3%n
  5671. %tNaming Context:%t%4%n
  5672. %tOptions:%t%5%n
  5673. %tStatus Code:%t%6%n
  5674. .
  5675. ;//
  5676. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
  5677. ;//
  5678. ;// Category: SE_CATEGID_DS_ACCESS
  5679. ;//
  5680. ;// Event Type : success
  5681. ;//
  5682. ;// Description:
  5683. ;// This event records the start of a replication protocol session between
  5684. ;// the destination replica NC and one of its source replicas.
  5685. ;//
  5686. ;// Note:
  5687. ;// This event is always generated in the local system context.
  5688. ;//
  5689. MessageId=0x0344
  5690. SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
  5691. Language=English
  5692. %tDestination DRA:%t%1%n
  5693. %tSource DRA:%t%2%n
  5694. %tNaming Context:%t%3%n
  5695. %tOptions:%t%4%n
  5696. %tSession ID:%t%5%n
  5697. %tStart USN:%t%6%n
  5698. .
  5699. ;//
  5700. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS
  5701. ;//
  5702. ;// Category: SE_CATEGID_DS_ACCESS
  5703. ;//
  5704. ;// Event Type : success/failure
  5705. ;//
  5706. ;// Description:
  5707. ;// This event records the end of a replication protocol session between
  5708. ;// the destination replica NC and one of its source replicas.
  5709. ;//
  5710. ;// Note:
  5711. ;// This event is always generated in the local system context.
  5712. ;//
  5713. MessageId=0x0345
  5714. SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS
  5715. Language=English
  5716. %tDestination DRA:%t%1%n
  5717. %tSource DRA:%t%2%n
  5718. %tNaming Context:%t%3%n
  5719. %tOptions:%t%4%n
  5720. %tSession ID:%t%5%n
  5721. %tEnd USN:%t%6%n
  5722. %tStatus Code:%t%7%n
  5723. .
  5724. ;//
  5725. ;// SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION
  5726. ;//
  5727. ;// Category: SE_CATEGID_DS_ACCESS
  5728. ;//
  5729. ;// Event Type : success/failure
  5730. ;//
  5731. ;// Description:
  5732. ;// This event records the completion of replication of a single
  5733. ;// attribute of an object.
  5734. ;//
  5735. ;// Note:
  5736. ;// -- This event is always generated in the local system context.
  5737. ;// -- This event is generated if
  5738. ;// -- SE_CATEGID_DS_ACCESS is enabled AND
  5739. ;// -- the value of
  5740. ;// SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditDSObjectsInReplication
  5741. ;// is set to 1
  5742. ;//
  5743. MessageId=0x0346
  5744. SymbolicName=SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION
  5745. Language=English
  5746. %tSession ID:%t%1%n
  5747. %tObject:%t%2%n
  5748. %tAttribute:%t%3%n
  5749. %tType of change:%t%4%n
  5750. %tNew Value:%t%5%n
  5751. %tUSN:%t%6%n
  5752. %tStatus Code:%t%7%n
  5753. .
  5754. ;//
  5755. ;// SE_AUDITID_REPLICA_FAILURE_EVENT_BEGIN
  5756. ;//
  5757. ;// Category: SE_CATEGID_DS_ACCESS
  5758. ;//
  5759. ;// Event Type : failure
  5760. ;//
  5761. ;// Description:
  5762. ;// This event records an inability to gather enough data to successfully
  5763. ;// record *before* one of the following replication events which were not
  5764. ;// executed:
  5765. ;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
  5766. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
  5767. ;//
  5768. ;// Note:
  5769. ;// This event is always generated in the local system context.
  5770. ;//
  5771. MessageId=0x0347
  5772. SymbolicName=SE_AUDITID_REPLICA_FAILURE_EVENT_BEGIN
  5773. Language=English
  5774. %tReplication Event:%t%1%n
  5775. %tAudit Status Code:%t%2%n
  5776. .
  5777. ;//
  5778. ;// SE_AUDITID_REPLICA_FAILURE_EVENT_END
  5779. ;//
  5780. ;// Category: SE_CATEGID_DS_ACCESS
  5781. ;//
  5782. ;// Event Type : success/failure
  5783. ;//
  5784. ;// Description:
  5785. ;// This event records an inability to gather enough data to successfully
  5786. ;// record *after* one of the following replication events which may or
  5787. ;// may not have executed successfully:
  5788. ;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
  5789. ;// SE_AUDITID_REPLICA_SOURCE_NC_REMOVED
  5790. ;// SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED
  5791. ;// SE_AUDITID_REPLICA_DEST_NC_MODIFIED
  5792. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
  5793. ;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS
  5794. ;// SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION
  5795. ;//
  5796. ;// Note:
  5797. ;// This event is always generated in the local system context.
  5798. ;//
  5799. MessageId=0x0348
  5800. SymbolicName=SE_AUDITID_REPLICA_FAILURE_EVENT_END
  5801. Language=English
  5802. %tReplication Event:%t%1%n
  5803. %tAudit Status Code:%t%2%n
  5804. %tReplication Status Code:%t%3%n
  5805. .
  5806. ;//
  5807. ;// SE_AUDITID_REPLICA_LINGERING_OBJECT_REMOVAL
  5808. ;//
  5809. ;// Category: SE_CATEGID_DS_ACCESS
  5810. ;//
  5811. ;// Event Type : success/failure
  5812. ;//
  5813. ;// Description:
  5814. ;// This event records an attempt made by the replication lingering
  5815. ;// object removal mechanism to delete and garbage collect an object.
  5816. ;//
  5817. ;// Note:
  5818. ;// This event is always generated in the local system context.
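  5819. ;// NOTE(review): the SymbolicName below ends in a stray 'v' (..._REMOVALv), unlike the name in this header and in the SE_CATEGID_DS_ACCESS event list; confirm which spelling the generated header's consumers expect before correcting it.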
  5820. MessageId=0x0349
  5821. SymbolicName=SE_AUDITID_REPLICA_LINGERING_OBJECT_REMOVALv
  5822. Language=English
  5823. %tDestination DRA:%t%1%n
  5824. %tSource DRA:%t%2%n
  5825. %tObject:%t%3%n
  5826. %tOptions:%t%4%n
  5827. %tStatus Code:%t%5%n
  5828. .
  5829. ;
  5830. ;/////////////////////////////////////////////////////////////////////////////
  5831. ;// //
  5832. ;// //
  5833. ;// Messages for Category: SE_CATEGID_ACCOUNT_LOGON //
  5834. ;// //
  5835. ;// Event IDs: //
  5836. ;// SE_AUDITID_AS_TICKET //
  5837. ;// SE_AUDITID_TGS_TICKET_REQUEST //
  5838. ;// SE_AUDITID_TICKET_RENEW_SUCCESS //
  5839. ;// SE_AUDITID_PREAUTH_FAILURE //
  5840. ;// SE_AUDITID_TGS_TICKET_FAILURE //
  5841. ;// SE_AUDITID_ACCOUNT_MAPPED //
  5842. ;// SE_AUDITID_ACCOUNT_LOGON //
  5843. ;// //
  5844. ;/////////////////////////////////////////////////////////////////////////////
  5845. ;//
  5846. ;//
  5847. ;// SE_AUDITID_AS_TICKET
  5848. ;//
  5849. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  5850. ;//
  5851. ;// Parameter Strings -
  5852. ;//
  5853. ;// 1 - User name of client
  5854. ;//
  5855. ;// 2 - Supplied realm name
  5856. ;//
  5857. ;// 3 - SID of client user
  5858. ;//
  5859. ;// 4 - User name of service
  5860. ;//
  5861. ;// 5 - SID of service
  5862. ;//
  5863. ;// 6 - Ticket Options
  5864. ;//
  5865. ;// 7 - Failure code
  5866. ;//
  5867. ;// 8 - Ticket Encryption Type
  5868. ;//
  5869. ;// 9 - Preauthentication type (i.e. PK_INIT)
  5870. ;//
  5871. ;// 10 - Client IP address
  5872. ;//
  5873. ;// 11 - Certificate Issuer Name
  5874. ;//
  5875. ;// 12 - Certificate Serial Number
  5876. ;//
  5877. ;// 13 - Certificate Thumbprint
  5878. ;//
  5879. MessageId=0x02a0
  5880. SymbolicName=SE_AUDITID_AS_TICKET
  5881. Language=English
  5882. Authentication Ticket Request:%n
  5883. %tUser Name:%t%t%1%n
  5884. %tSupplied Realm Name:%t%2%n
  5885. %tUser ID:%t%t%t%3%n
  5886. %tService Name:%t%t%4%n
  5887. %tService ID:%t%t%5%n
  5888. %tTicket Options:%t%t%6%n
  5889. %tResult Code:%t%t%7%n
  5890. %tTicket Encryption Type:%t%8%n
  5891. %tPre-Authentication Type:%t%9%n
  5892. %tClient Address:%t%t%10%n
  5893. %tCertificate Issuer Name:%t%11%n
  5894. %tCertificate Serial Number:%t%12%n
  5895. %tCertificate Thumbprint:%t%13%n
  5896. .
  5897. ;//
  5898. ;//
  5899. ;// SE_AUDITID_AS_TICKET_FAILURE
  5900. ;//
  5901. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  5902. ;//
  5903. ;// Note:
  5904. ;// This event is obsolete. It is not generated by Whistler.
  5905. ;// It is retained in this file so that anybody viewing w2k events
  5906. ;// from a whistler machine can view them correctly.
  5907. ;//
  5908. ;//
  5909. MessageId=0x02a4
  5910. SymbolicName=SE_AUDITID_AS_TICKET_FAILURE
  5911. Language=English
  5912. Authentication Ticket Request Failed:%n
  5913. %tUser Name:%t%1%n
  5914. %tSupplied Realm Name:%t%2%n
  5915. %tService Name:%t%3%n
  5916. %tTicket Options:%t%4%n
  5917. %tFailure Code:%t%5%n
  5918. %tClient Address:%t%6%n
  5919. .
  5920. ;//
  5921. ;//
  5922. ;// SE_AUDITID_TGS_TICKET_REQUEST
  5923. ;//
  5924. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  5925. ;//
  5926. ;// Parameter Strings -
  5927. ;//
  5928. ;// 1 - User name of client
  5929. ;//
  5930. ;// 2 - Domain name of client
  5931. ;//
  5932. ;// 3 - User name of service
  5933. ;//
  5934. ;// 4 - SID of service
  5935. ;//
  5936. ;// 5 - Ticket Options
  5937. ;//
  5938. ;// 6 - Ticket Encryption Type
  5939. ;//
  5940. ;// 7 - Client IP address
  5941. ;//
  5942. ;// 8 - Failure code (0 for success)
  5943. ;//
  5944. ;// 9 - logon GUID
  5945. ;//
  5946. ;// 10 - Transited Services
  5947. ;//
  5948. MessageId=0x02a1
  5949. SymbolicName=SE_AUDITID_TGS_TICKET_REQUEST
  5950. Language=English
  5951. Service Ticket Request:%n
  5952. %tUser Name:%t%t%1%n
  5953. %tUser Domain:%t%t%2%n
  5954. %tService Name:%t%t%3%n
  5955. %tService ID:%t%t%4%n
  5956. %tTicket Options:%t%t%5%n
  5957. %tTicket Encryption Type:%t%6%n
  5958. %tClient Address:%t%t%7%n
  5959. %tFailure Code:%t%t%8%n
  5960. %tLogon GUID:%t%t%9%n
  5961. %tTransited Services:%t%10%n
  5962. .
  5963. ;//
  5964. ;//
  5965. ;// SE_AUDITID_TICKET_RENEW_SUCCESS
  5966. ;//
  5967. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  5968. ;//
  5969. ;// Parameter Strings -
  5970. ;//
  5971. ;// 1 - User name of client
  5972. ;//
  5973. ;// 2 - Domain name of client
  5974. ;//
  5975. ;// 3 - User name of service
  5976. ;//
  5977. ;// 4 - SID of service
  5978. ;//
  5979. ;// 5 - Ticket Options
  5980. ;//
  5981. ;// 6 - Ticket Encryption Type
  5982. ;//
  5983. ;// 7 - Client IP address
  5984. ;//
  5985. MessageId=0x02a2
  5986. SymbolicName=SE_AUDITID_TICKET_RENEW_SUCCESS
  5987. Language=English
  5988. Service Ticket Renewed:%n
  5989. %tUser Name:%t%1%n
  5990. %tUser Domain:%t%2%n
  5991. %tService Name:%t%3%n
  5992. %tService ID:%t%4%n
  5993. %tTicket Options:%t%5%n
  5994. %tTicket Encryption Type:%t%6%n
  5995. %tClient Address:%t%7%n
  5996. .
  5997. ;//
  5998. ;//
  5999. ;// SE_AUDITID_PREAUTH_FAILURE
  6000. ;//
  6001. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  6002. ;//
  6003. ;// Parameter Strings -
  6004. ;//
  6005. ;// 1 - User name of client
  6006. ;//
  6007. ;// 2 - SID of client user
  6008. ;//
  6009. ;// 3 - User name of service
  6010. ;//
  6011. ;// 4 - Preauth Type
  6012. ;//
  6013. ;// 5 - Failure code
  6014. ;//
  6015. ;// 6 - Client IP address
  6016. ;//
  6017. ;// Event type: failure
  6018. ;// Description: This event is generated on a KDC when
  6019. ;// preauthentication fails (user types in wrong password).
  6020. ;//
  6021. MessageId=0x02a3
  6022. SymbolicName=SE_AUDITID_PREAUTH_FAILURE
  6023. Language=English
  6024. Pre-authentication failed:%n
  6025. %tUser Name:%t%1%n
  6026. %tUser ID:%t%t%2%n
  6027. %tService Name:%t%3%n
  6028. %tPre-Authentication Type:%t%4%n
  6029. %tFailure Code:%t%5%n
  6030. %tClient Address:%t%6%n
  6031. .
  6032. ;//
  6033. ;//
  6034. ;// SE_AUDITID_TGS_TICKET_FAILURE
  6035. ;//
  6036. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  6037. ;//
  6038. ;// Note:
  6039. ;// This event is obsolete. It is not generated by Whistler.
  6040. ;// It is retained in this file so that anybody viewing w2k events
  6041. ;// from a whistler machine can view them correctly.
  6042. ;//
  6043. MessageId=0x02a5
  6044. SymbolicName=SE_AUDITID_TGS_TICKET_FAILURE
  6045. Language=English
  6046. Service Ticket Request Failed:%n
  6047. %tUser Name:%t%1%n
  6048. %tUser Domain:%t%2%n
  6049. %tService Name:%t%3%n
  6050. %tTicket Options:%t%4%n
  6051. %tFailure Code:%t%5%n
  6052. %tClient Address:%t%6%n
  6053. .
  6054. ;//
  6055. ;//
  6056. ;// SE_AUDITID_ACCOUNT_MAPPED
  6057. ;//
  6058. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  6059. ;//
  6060. ;// Type: success / failure
  6061. ;//
  6062. ;// Description: An account mapping is a map of a user authenticated in an MIT realm to a
  6063. ;// domain account. A mapping acts much like a logon. Hence, it is important to audit this.
  6064. ;//
  6065. ;// Parameter Strings -
  6066. ;//
  6067. ;// 1 - Source
  6068. ;//
  6069. ;// 2 - Client Name
  6070. ;//
  6071. ;// 3 - Mapped Name
  6072. ;//
  6073. ;//
  6074. ;//
  6075. MessageId=0x02a6
  6076. SymbolicName=SE_AUDITID_ACCOUNT_MAPPED
  6077. Language=English
  6078. Account Mapped for Logon.%n
  6079. Mapping Attempted By:%n
  6080. %t%1%n
  6081. Client Name:%n
  6082. %t%2%n
  6083. %tMapped Name:%n
  6084. %t%3%n
  6085. .
  6086. ;//
  6087. ;//
  6088. ;// SE_AUDITID_ACCOUNT_NOT_MAPPED
  6089. ;//
  6090. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  6091. ;//
  6092. ;// Note:
  6093. ;// This event is obsolete. It is not generated by Whistler.
  6094. ;// It is retained in this file so that anybody viewing w2k events
  6095. ;// from a whistler machine can view them correctly.
  6096. ;// Parameter Strings -
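  6097. ;// (none listed; per the message text below, %1 is the party attempting the mapping and %2 is the name that could not be mapped)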
  6098. MessageId=0x02a7
  6099. SymbolicName=SE_AUDITID_ACCOUNT_NOT_MAPPED
  6100. Language=English
  6101. The name:%n
  6102. %t%2%n
  6103. could not be mapped for logon by:
  6104. %t%1%n
  6105. .
  6106. ;//
  6107. ;//
  6108. ;// SE_AUDITID_ACCOUNT_LOGON
  6109. ;//
  6110. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  6111. ;//
  6112. ;// Type: Success / Failure
  6113. ;//
  6114. ;// Description: This audits a logon attempt. The audit appears on the DC.
  6115. ;// This is generated by calling LogonUser.
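  6116. ;// Parameter Strings (not listed in the original; taken from the message text below) -
  6117. ;// 1 - Logon attempt by, 2 - Logon account, 3 - Source Workstation, 4 - Error Code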
  6118. MessageId=0x02a8
  6119. SymbolicName=SE_AUDITID_ACCOUNT_LOGON
  6120. Language=English
  6121. Logon attempt by:%t%1%n
  6122. Logon account:%t%2%n
  6123. Source Workstation:%t%3%n
  6124. Error Code:%t%4%n
  6125. .
  6126. ;//
  6127. ;//
  6128. ;// SE_AUDITID_ACCOUNT_LOGON_FAILURE
  6129. ;//
  6130. ;// Category: SE_CATEGID_ACCOUNT_LOGON
  6131. ;//
  6132. ;// Note:
  6133. ;// This event is obsolete. It is not generated by Whistler.
  6134. ;// It is retained in this file so that anybody viewing w2k events
  6135. ;// from a whistler machine can view them correctly.
  6136. ;//
  6137. ;//
  6138. MessageId=0x02a9
  6139. SymbolicName=SE_AUDITID_ACCOUNT_LOGON_FAILURE
  6140. Language=English
  6141. The logon to account: %2%n
  6142. by: %1%n
  6143. from workstation: %3%n
  6144. failed. The error code was: %4%n
  6145. .
  6146. ;//
  6147. ;//
  6148. ;// SE_AUDITID_SESSION_RECONNECTED
  6149. ;//
  6150. ;// Category: SE_CATEGID_LOGON
  6151. ;//
  6152. ;// Parameter Strings -
  6153. ;//
  6154. ;// 1 - User account name
  6155. ;//
  6156. ;// 2 - Authenticating domain name
  6157. ;//
  6158. ;// 3 - Logon ID string
  6159. ;//
  6160. ;// 4 - Session Name
  6161. ;//
  6162. ;// 5 - Client Name
  6163. ;//
  6164. ;// 6 - Client Address
  6165. ;//
  6166. ;//
  6167. MessageId=0x02aa
  6168. SymbolicName=SE_AUDITID_SESSION_RECONNECTED
  6169. Language=English
  6170. Session reconnected to winstation:%n
  6171. %tUser Name:%t%1%n
  6172. %tDomain:%t%t%2%n
  6173. %tLogon ID:%t%t%3%n
  6174. %tSession Name:%t%4%n
  6175. %tClient Name:%t%5%n
  6176. %tClient Address:%t%6
  6177. .
  6178. ;//
  6179. ;//
  6180. ;// SE_AUDITID_SESSION_DISCONNECTED
  6181. ;//
  6182. ;// Category: SE_CATEGID_LOGON
  6183. ;//
  6184. ;// Parameter Strings -
  6185. ;//
  6186. ;// 1 - User account name
  6187. ;//
  6188. ;// 2 - Authenticating domain name
  6189. ;//
  6190. ;// 3 - Logon ID string
  6191. ;//
  6192. ;// 4 - Session Name
  6193. ;//
  6194. ;// 5 - Client Name
  6195. ;//
  6196. ;// 6 - Client Address
  6197. ;//
  6198. ;//
  6199. MessageId=0x02ab
  6200. SymbolicName=SE_AUDITID_SESSION_DISCONNECTED
  6201. Language=English
  6202. Session disconnected from winstation:%n
  6203. %tUser Name:%t%1%n
  6204. %tDomain:%t%t%2%n
  6205. %tLogon ID:%t%t%3%n
  6206. %tSession Name:%t%4%n
  6207. %tClient Name:%t%5%n
  6208. %tClient Address:%t%6
  6209. .
  6210. ;/////////////////////////////////////////////////////////////////////////////
  6211. ;// //
  6212. ;// //
  6213. ;// Messages for Category: SE_CATEGID_OBJECT_ACCESS - CertSrv //
  6214. ;// //
  6215. ;// Event IDs: //
  6216. ;// SE_AUDITID_CERTSRV_DENYREQUEST //
  6217. ;// SE_AUDITID_CERTSRV_RESUBMITREQUEST //
  6218. ;// SE_AUDITID_CERTSRV_REVOKECERT //
  6219. ;// SE_AUDITID_CERTSRV_PUBLISHCRL //
  6220. ;// SE_AUDITID_CERTSRV_AUTOPUBLISHCRL //
  6221. ;// SE_AUDITID_CERTSRV_SETEXTENSION //
  6222. ;// SE_AUDITID_CERTSRV_SETATTRIBUTES //
  6223. ;// SE_AUDITID_CERTSRV_SHUTDOWN //
  6224. ;// SE_AUDITID_CERTSRV_BACKUPSTART //
  6225. ;// SE_AUDITID_CERTSRV_BACKUPEND //
  6226. ;// SE_AUDITID_CERTSRV_RESTORESTART //
  6227. ;// SE_AUDITID_CERTSRV_RESTOREEND //
  6228. ;// SE_AUDITID_CERTSRV_SERVICESTART //
  6229. ;// SE_AUDITID_CERTSRV_SERVICESTOP //
  6230. ;// SE_AUDITID_CERTSRV_SETSECURITY //
  6231. ;// SE_AUDITID_CERTSRV_GETARCHIVEDKEY //
  6232. ;// SE_AUDITID_CERTSRV_IMPORTCERT //
  6233. ;// SE_AUDITID_CERTSRV_SETAUDITFILTER //
  6234. ;// SE_AUDITID_CERTSRV_NEWREQUEST //
  6235. ;// SE_AUDITID_CERTSRV_REQUESTAPPROVED //
  6236. ;// SE_AUDITID_CERTSRV_REQUESTDENIED //
  6237. ;// SE_AUDITID_CERTSRV_REQUESTPENDING //
  6238. ;// SE_AUDITID_CERTSRV_SETOFFICERRIGHTS //
  6239. ;// SE_AUDITID_CERTSRV_SETCONFIGENTRY //
  6240. ;// SE_AUDITID_CERTSRV_SETCAPROPERTY //
  6241. ;// SE_AUDITID_CERTSRV_KEYARCHIVED //
  6242. ;// SE_AUDITID_CERTSRV_IMPORTKEY //
  6243. ;// SE_AUDITID_CERTSRV_PUBLISHCERT //
  6244. ;// SE_AUDITID_CERTSRV_DELETEROW //
  6245. ;// SE_AUDITID_CERTSRV_ROLESEPARATIONSTATE //
  6246. ;// //
  6247. ;// //
  6248. ;/////////////////////////////////////////////////////////////////////////////
  6249. ;//
  6250. ;//
  6251. ;// SE_AUDITID_CERTSRV_DENYREQUEST
  6252. ;//
  6253. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6254. ;//
  6255. ;// Parameter Strings -
  6256. ;//
  6257. ;// 1 - Request ID
  6258. ;//
  6259. ;//
  6260. MessageId=0x0304
  6261. SymbolicName=SE_AUDITID_CERTSRV_DENYREQUEST
  6262. Language=English
  6263. The certificate manager denied a pending certificate request.%n
  6264. %n
  6265. Request ID:%t%1
  6266. .
  6267. ;//
  6268. ;//
  6269. ;// SE_AUDITID_CERTSRV_RESUBMITREQUEST
  6270. ;//
  6271. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6272. ;//
  6273. ;// Parameter Strings -
  6274. ;//
  6275. ;// 1 - Request ID
  6276. ;//
  6277. ;//
  6278. MessageId=0x0305
  6279. SymbolicName=SE_AUDITID_CERTSRV_RESUBMITREQUEST
  6280. Language=English
  6281. Certificate Services received a resubmitted certificate request.%n
  6282. %n
  6283. Request ID:%t%1
  6284. .
  6285. ;//
  6286. ;//
  6287. ;// SE_AUDITID_CERTSRV_REVOKECERT
  6288. ;//
  6289. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6290. ;//
  6291. ;// Parameter Strings -
  6292. ;//
  6293. ;// 1 - Serial No.
  6294. ;//
  6295. ;// 2 - Reason
  6296. ;//
  6297. ;//
  6298. MessageId=0x0306
  6299. SymbolicName=SE_AUDITID_CERTSRV_REVOKECERT
  6300. Language=English
  6301. Certificate Services revoked a certificate.%n
  6302. %n
  6303. Serial No:%t%1%n
  6304. Reason:%t%2
  6305. .
  6306. ;//
  6307. ;//
  6308. ;// SE_AUDITID_CERTSRV_PUBLISHCRL
  6309. ;//
  6310. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6311. ;//
  6312. ;// Parameter Strings -
  6313. ;//
  6314. ;// 1 - Next Update
  6315. ;//
  6316. ;// 2 - Publish Base
  6317. ;//
  6318. ;// 3 - Publish Delta
  6319. ;//
  6320. ;//
  6321. MessageId=0x0307
  6322. SymbolicName=SE_AUDITID_CERTSRV_PUBLISHCRL
  6323. Language=English
  6324. Certificate Services received a request to publish the certificate revocation list (CRL).%n
  6325. %n
  6326. Next Update:%t%1%n
  6327. Publish Base:%t%2%n
  6328. Publish Delta:%t%3
  6329. .
  6330. ;//
  6331. ;//
  6332. ;// SE_AUDITID_CERTSRV_AUTOPUBLISHCRL
  6333. ;//
  6334. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6335. ;//
  6336. ;// Parameter Strings -
  6337. ;//
  6338. ;// 1 - Base CRL
  6339. ;//
  6340. ;// 2 - CRL No.
  6341. ;//
  6342. ;// 3 - Key Container
  6343. ;//
  6344. ;// 4 - Next Publish
  6345. ;//
  6346. ;// 5 - Publish URLs
  6347. ;//
  6348. ;//
  6349. MessageId=0x0308
  6350. SymbolicName=SE_AUDITID_CERTSRV_AUTOPUBLISHCRL
  6351. Language=English
  6352. Certificate Services published the certificate revocation list (CRL).%n
  6353. %n
  6354. Base CRL:%t%1%n
  6355. CRL No:%t%t%2%n
  6356. Key Container:%t%3%n
  6357. Next Publish:%t%4%n
  6358. Publish URLs:%t%5
  6359. .
  6360. ;//
  6361. ;//
  6362. ;// SE_AUDITID_CERTSRV_SETEXTENSION
  6363. ;//
  6364. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6365. ;//
  6366. ;// Parameter Strings -
  6367. ;//
  6368. ;// 1 - Request ID
  6369. ;//
  6370. ;// 2 - Extension Name
  6371. ;//
  6372. ;// 3 - Extension Type
  6373. ;//
  6374. ;// 4 - Flags
  6375. ;//
  6376. ;// 5 - Extension Data
  6377. ;//
  6378. ;//
  6379. MessageId=0x0309
  6380. SymbolicName=SE_AUDITID_CERTSRV_SETEXTENSION
  6381. Language=English
  6382. A certificate request extension changed.%n
  6383. %n
  6384. Request ID:%t%1%n
  6385. Name:%t%2%n
  6386. Type:%t%3%n
  6387. Flags:%t%4%n
  6388. Data:%t%5
  6389. .
  6390. ;//
  6391. ;//
  6392. ;// SE_AUDITID_CERTSRV_SETATTRIBUTES
  6393. ;//
  6394. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6395. ;//
  6396. ;// Parameter Strings -
  6397. ;//
  6398. ;// 1 - Request ID
  6399. ;//
  6400. ;// 2 - Attributes
  6401. ;//
  6402. ;//
  6403. MessageId=0x030a
  6404. SymbolicName=SE_AUDITID_CERTSRV_SETATTRIBUTES
  6405. Language=English
  6406. One or more certificate request attributes changed.%n
  6407. %n
  6408. Request ID:%t%1%n
  6409. Attributes:%t%2
  6410. .
  6411. ;//
  6412. ;//
  6413. ;// SE_AUDITID_CERTSRV_SHUTDOWN
  6414. ;//
  6415. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6416. ;//
  6417. ;// Parameter Strings -
  6418. ;//
  6419. ;//
  6420. MessageId=0x030b
  6421. SymbolicName=SE_AUDITID_CERTSRV_SHUTDOWN
  6422. Language=English
  6423. Certificate Services received a request to shut down.
  6424. .
  6425. ;//
  6426. ;//
  6427. ;// SE_AUDITID_CERTSRV_BACKUPSTART
  6428. ;// Message 0x030c (780 decimal): reports the start of a Certificate Services backup.
  6429. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6430. ;//
  6431. ;// Parameter Strings -
  6432. ;// (inserted as %1 below; %n = line break, %t = tab)
  6433. ;// 1 - Backup Type
  6434. ;// NOTE(review): unlike the neighbouring messages, the text has no blank "%n" line between
  6435. ;// the summary sentence and the first field; parsers keyed on that blank line should allow for it.
  6436. MessageId=0x030c
  6437. SymbolicName=SE_AUDITID_CERTSRV_BACKUPSTART
  6438. Language=English
  6439. Certificate Services backup started.%n
  6440. Backup Type:%t%1
  6441. .
  6442. ;//
  6443. ;//
  6444. ;// SE_AUDITID_CERTSRV_BACKUPEND
  6445. ;// Message 0x030d (781 decimal): reports that a Certificate Services backup completed.
  6446. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6447. ;//
  6448. ;// Parameter Strings -
  6449. ;// (none - the message text has no inserts)
  6450. ;// NOTE(review): the backup type appears only in SE_AUDITID_CERTSRV_BACKUPSTART (0x030c); correlate the two records.
  6451. MessageId=0x030d
  6452. SymbolicName=SE_AUDITID_CERTSRV_BACKUPEND
  6453. Language=English
  6454. Certificate Services backup completed.
  6455. .
  6456. ;//
  6457. ;//
  6458. ;// SE_AUDITID_CERTSRV_RESTORESTART
  6459. ;// Message 0x030e (782 decimal): reports the start of a Certificate Services restore.
  6460. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6461. ;//
  6462. ;// Parameter Strings -
  6463. ;// (none - the message text has no inserts)
  6464. ;// NOTE(review): no insert describes what is being restored or who started it.
  6465. MessageId=0x030e
  6466. SymbolicName=SE_AUDITID_CERTSRV_RESTORESTART
  6467. Language=English
  6468. Certificate Services restore started.
  6469. .
  6470. ;//
  6471. ;//
  6472. ;// SE_AUDITID_CERTSRV_RESTOREEND
  6473. ;// Message 0x030f (783 decimal): reports that a Certificate Services restore completed.
  6474. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6475. ;//
  6476. ;// Parameter Strings -
  6477. ;// (none - the message text has no inserts)
  6478. ;// NOTE(review): pairs with SE_AUDITID_CERTSRV_RESTORESTART (0x030e); neither message carries details of the restore.
  6479. MessageId=0x030f
  6480. SymbolicName=SE_AUDITID_CERTSRV_RESTOREEND
  6481. Language=English
  6482. Certificate Services restore completed.
  6483. .
  6484. ;//
  6485. ;//
  6486. ;// SE_AUDITID_CERTSRV_SERVICESTART
  6487. ;// Message 0x0310 (784 decimal): reports that Certificate Services started.
  6488. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6489. ;//
  6490. ;// Parameter Strings -
  6491. ;// (inserted as %1..%4 below; %n = line break, %t = tab)
  6492. ;// 1 - Certificate Database Hash
  6493. ;//
  6494. ;// 2 - Private Key Usage Count
  6495. ;//
  6496. ;// 3 - CA Certificate Hash
  6497. ;//
  6498. ;// 4 - CA Public Key Hash
  6499. ;// NOTE(review): same four fields as SE_AUDITID_CERTSRV_SERVICESTOP (0x0311); presumably meant
  6500. ;// to be compared across a stop/start pair to spot changes made while stopped - confirm.
  6501. MessageId=0x0310
  6502. SymbolicName=SE_AUDITID_CERTSRV_SERVICESTART
  6503. Language=English
  6504. Certificate Services started.%n
  6505. %n
  6506. Certificate Database Hash:%t%1%n
  6507. Private Key Usage Count:%t%2%n
  6508. CA Certificate Hash:%t%3%n
  6509. CA Public Key Hash:%t%4
  6510. .
  6511. ;//
  6512. ;//
  6513. ;// SE_AUDITID_CERTSRV_SERVICESTOP
  6514. ;// Message 0x0311 (785 decimal): reports that Certificate Services stopped.
  6515. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6516. ;//
  6517. ;// Parameter Strings -
  6518. ;// (inserted as %1..%4 below; %n = line break, %t = tab)
  6519. ;// 1 - Certificate Database Hash
  6520. ;//
  6521. ;// 2 - Private Key Usage Count
  6522. ;//
  6523. ;// 3 - CA Certificate Hash
  6524. ;//
  6525. ;// 4 - CA Public Key Hash
  6526. ;// NOTE(review): same four fields as SE_AUDITID_CERTSRV_SERVICESTART (0x0310); presumably the
  6527. ;// values logged here are the baseline to compare with the next start record - confirm.
  6528. MessageId=0x0311
  6529. SymbolicName=SE_AUDITID_CERTSRV_SERVICESTOP
  6530. Language=English
  6531. Certificate Services stopped.%n
  6532. %n
  6533. Certificate Database Hash:%t%1%n
  6534. Private Key Usage Count:%t%2%n
  6535. CA Certificate Hash:%t%3%n
  6536. CA Public Key Hash:%t%4
  6537. .
  6538. ;//
  6539. ;//
  6540. ;// SE_AUDITID_CERTSRV_SETSECURITY
  6541. ;// Message 0x0312 (786 decimal): reports a change to the Certificate Services security permissions.
  6542. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6543. ;//
  6544. ;// Parameter Strings -
  6545. ;// (inserted as %1 below, printed without a field label; %n = line break)
  6546. ;// 1 - New permissions
  6547. ;// NOTE(review): only the new permissions are logged; the previous ones are not part of
  6548. ;// this message, so a before/after comparison needs an earlier record.
  6549. MessageId=0x0312
  6550. SymbolicName=SE_AUDITID_CERTSRV_SETSECURITY
  6551. Language=English
  6552. The security permissions for Certificate Services changed.%n
  6553. %n
  6554. %1
  6555. .
  6556. ;//
  6557. ;//
  6558. ;// SE_AUDITID_CERTSRV_GETARCHIVEDKEY
  6559. ;// Message 0x0313 (787 decimal): reports that an archived key was retrieved.
  6560. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6561. ;//
  6562. ;// Parameter Strings -
  6563. ;// (inserted as %1 below; %n = line break, %t = tab)
  6564. ;// 1 - Request ID
  6565. ;// NOTE(review): only the request ID is logged; no insert names the account that retrieved
  6566. ;// the key. Presumably the event record's user field does - confirm.
  6567. MessageId=0x0313
  6568. SymbolicName=SE_AUDITID_CERTSRV_GETARCHIVEDKEY
  6569. Language=English
  6570. Certificate Services retrieved an archived key.%n
  6571. %n
  6572. Request ID:%t%1
  6573. .
  6574. ;//
  6575. ;//
  6576. ;// SE_AUDITID_CERTSRV_IMPORTCERT
  6577. ;// Message 0x0314 (788 decimal): reports that a certificate was imported into the database.
  6578. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6579. ;//
  6580. ;// Parameter Strings -
  6581. ;// (inserted as %1..%2 below; %n = line break, %t = tab)
  6582. ;// 1 - Certificate
  6583. ;//
  6584. ;// 2 - Request ID
  6585. ;//
  6586. ;// NOTE(review): the form of %1 (encoded certificate, hash or serial) is not visible here - confirm.
  6587. MessageId=0x0314
  6588. SymbolicName=SE_AUDITID_CERTSRV_IMPORTCERT
  6589. Language=English
  6590. Certificate Services imported a certificate into its database.%n
  6591. %n
  6592. Certificate:%t%1%n
  6593. Request ID:%t%2
  6594. .
  6595. ;//
  6596. ;//
  6597. ;// SE_AUDITID_CERTSRV_SETAUDITFILTER
  6598. ;// Message 0x0315 (789 decimal): reports a change to the Certificate Services audit filter.
  6599. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6600. ;//
  6601. ;// Parameter Strings -
  6602. ;// (inserted as %1 below; %n = line break, %t = tab)
  6603. ;// 1 - Filter
  6604. ;// NOTE(review): a filter change presumably alters which Certificate Services audit events are
  6605. ;// generated afterwards, so it merits review; the encoding of %1 is not visible here - confirm.
  6606. MessageId=0x0315
  6607. SymbolicName=SE_AUDITID_CERTSRV_SETAUDITFILTER
  6608. Language=English
  6609. The audit filter for Certificate Services changed.%n
  6610. %n
  6611. Filter:%t%1
  6612. .
  6613. ;//
  6614. ;//
  6615. ;// SE_AUDITID_CERTSRV_NEWREQUEST
  6616. ;// Message 0x0316 (790 decimal): reports that a certificate request was received.
  6617. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6618. ;//
  6619. ;// Parameter Strings -
  6620. ;// (inserted as %1..%3 below; %n = line break, %t = tab)
  6621. ;// 1 - Request ID
  6622. ;//
  6623. ;// 2 - Requester
  6624. ;//
  6625. ;// 3 - Attributes
  6626. ;// NOTE(review): %3 presumably originates from the requester; log consumers should treat it
  6627. ;// as untrusted text when parsing or displaying it - confirm against the logging code.
  6628. MessageId=0x0316
  6629. SymbolicName=SE_AUDITID_CERTSRV_NEWREQUEST
  6630. Language=English
  6631. Certificate Services received a certificate request.%n
  6632. %n
  6633. Request ID:%t%1%n
  6634. Requester:%t%2%n
  6635. Attributes:%t%3
  6636. .
  6637. ;//
  6638. ;//
  6639. ;// SE_AUDITID_CERTSRV_REQUESTAPPROVED
  6640. ;// Message 0x0317 (791 decimal): reports an approved request and the issued certificate.
  6641. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6642. ;//
  6643. ;// Parameter Strings -
  6644. ;// (inserted as %1..%6 below; %n = line break, %t = tab)
  6645. ;// 1 - Request ID
  6646. ;//
  6647. ;// 2 - Requester
  6648. ;//
  6649. ;// 3 - Attributes
  6650. ;//
  6651. ;// 4 - Disposition
  6652. ;//
  6653. ;// 5 - SKI
  6654. ;//
  6655. ;// 6 - Subject
  6656. ;// NOTE(review): SKI is presumably the Subject Key Identifier - TODO confirm. "SKI:" is
  6657. ;// followed by two %t where the other labels have one, so field splitting must allow for it.
  6658. MessageId=0x0317
  6659. SymbolicName=SE_AUDITID_CERTSRV_REQUESTAPPROVED
  6660. Language=English
  6661. Certificate Services approved a certificate request and issued a certificate.%n
  6662. %n
  6663. Request ID:%t%1%n
  6664. Requester:%t%2%n
  6665. Attributes:%t%3%n
  6666. Disposition:%t%4%n
  6667. SKI:%t%t%5%n
  6668. Subject:%t%6
  6669. .
  6670. ;//
  6671. ;//
  6672. ;// SE_AUDITID_CERTSRV_REQUESTDENIED
  6673. ;// Message 0x0318 (792 decimal): reports that a certificate request was denied.
  6674. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6675. ;//
  6676. ;// Parameter Strings -
  6677. ;// (inserted as %1..%6 below; %n = line break, %t = tab)
  6678. ;// 1 - Request ID
  6679. ;//
  6680. ;// 2 - Requester
  6681. ;//
  6682. ;// 3 - Attributes
  6683. ;//
  6684. ;// 4 - Disposition
  6685. ;//
  6686. ;// 5 - SKI
  6687. ;//
  6688. ;// 6 - Subject
  6689. ;// NOTE(review): same six inserts and field layout as SE_AUDITID_CERTSRV_REQUESTAPPROVED (0x0317)
  6690. ;// and SE_AUDITID_CERTSRV_REQUESTPENDING (0x0319); only the summary sentence differs.
  6691. MessageId=0x0318
  6692. SymbolicName=SE_AUDITID_CERTSRV_REQUESTDENIED
  6693. Language=English
  6694. Certificate Services denied a certificate request.%n
  6695. %n
  6696. Request ID:%t%1%n
  6697. Requester:%t%2%n
  6698. Attributes:%t%3%n
  6699. Disposition:%t%4%n
  6700. SKI:%t%t%5%n
  6701. Subject:%t%6
  6702. .
  6703. ;//
  6704. ;//
  6705. ;// SE_AUDITID_CERTSRV_REQUESTPENDING
  6706. ;// Message 0x0319 (793 decimal): reports that a certificate request was set to pending.
  6707. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6708. ;//
  6709. ;// Parameter Strings -
  6710. ;// (inserted as %1..%6 below; %n = line break, %t = tab)
  6711. ;// 1 - Request ID
  6712. ;//
  6713. ;// 2 - Requester
  6714. ;//
  6715. ;// 3 - Attributes
  6716. ;//
  6717. ;// 4 - Disposition
  6718. ;//
  6719. ;// 5 - SKI
  6720. ;//
  6721. ;// 6 - Subject
  6722. ;// NOTE(review): same six inserts and field layout as SE_AUDITID_CERTSRV_REQUESTAPPROVED (0x0317)
  6723. ;// and SE_AUDITID_CERTSRV_REQUESTDENIED (0x0318); the request ID in %1 links the records.
  6724. MessageId=0x0319
  6725. SymbolicName=SE_AUDITID_CERTSRV_REQUESTPENDING
  6726. Language=English
  6727. Certificate Services set the status of a certificate request to pending.%n
  6728. %n
  6729. Request ID:%t%1%n
  6730. Requester:%t%2%n
  6731. Attributes:%t%3%n
  6732. Disposition:%t%4%n
  6733. SKI:%t%t%5%n
  6734. Subject:%t%6
  6735. .
  6736. ;//
  6737. ;//
  6738. ;// SE_AUDITID_CERTSRV_SETOFFICERRIGHTS
  6739. ;// Message 0x031a (794 decimal): reports a change to the certificate manager settings.
  6740. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6741. ;//
  6742. ;// Parameter Strings -
  6743. ;// (inserted as %1..%2 below; %2 is printed without a field label)
  6744. ;// 1 - Enable restrictions
  6745. ;//
  6746. ;// 2 - Restrictions
  6747. ;// NOTE(review): the symbol says "officer rights" while the text says "certificate manager
  6748. ;// settings"; presumably the same thing - confirm. The previous settings are not logged.
  6749. MessageId=0x031a
  6750. SymbolicName=SE_AUDITID_CERTSRV_SETOFFICERRIGHTS
  6751. Language=English
  6752. The certificate manager settings for Certificate Services changed.%n
  6753. %n
  6754. Enable:%t%1%n
  6755. %n
  6756. %2
  6757. .
  6758. ;//
  6759. ;//
  6760. ;// SE_AUDITID_CERTSRV_SETCONFIGENTRY
  6761. ;// Message 0x031b (795 decimal): reports a changed Certificate Services configuration entry.
  6762. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6763. ;//
  6764. ;// Parameter Strings -
  6765. ;// (inserted as %1..%3 below; %n = line break, %t = tab)
  6766. ;// 1 - Node
  6767. ;//
  6768. ;// 2 - Entry
  6769. ;//
  6770. ;// 3 - Value
  6771. ;// NOTE(review): %3 is presumably the new value; the previous value is not part of the
  6772. ;// message. Whether sensitive values are redacted before logging is not visible here - confirm.
  6773. MessageId=0x031b
  6774. SymbolicName=SE_AUDITID_CERTSRV_SETCONFIGENTRY
  6775. Language=English
  6776. A configuration entry changed in Certificate Services.%n
  6777. %n
  6778. Node:%t%1%n
  6779. Entry:%t%2%n
  6780. Value:%t%3
  6781. .
  6782. ;//
  6783. ;//
  6784. ;// SE_AUDITID_CERTSRV_SETCAPROPERTY
  6785. ;// Message 0x031c (796 decimal): reports a changed property of Certificate Services.
  6786. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6787. ;//
  6788. ;// Parameter Strings -
  6789. ;// (inserted as %1..%4 below; %n = line break, %t = tab)
  6790. ;// 1 - Property
  6791. ;//
  6792. ;// 2 - Index
  6793. ;//
  6794. ;// 3 - Type
  6795. ;//
  6796. ;// 4 - Value
  6797. ;//
  6798. ;// NOTE(review): %4 is presumably the new value; the previous value is not part of the message.
  6799. MessageId=0x031c
  6800. SymbolicName=SE_AUDITID_CERTSRV_SETCAPROPERTY
  6801. Language=English
  6802. A property of Certificate Services changed.%n
  6803. %n
  6804. Property:%t%1%n
  6805. Index:%t%2%n
  6806. Type:%t%3%n
  6807. Value:%t%4
  6808. .
  6809. ;//
  6810. ;//
  6811. ;// SE_AUDITID_CERTSRV_KEYARCHIVED
  6812. ;// Message 0x031d (797 decimal): reports that Certificate Services archived a key.
  6813. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6814. ;//
  6815. ;// Parameter Strings -
  6816. ;// (inserted as %1..%3 below; %n = line break, %t = tab)
  6817. ;// 1 - Request ID
  6818. ;//
  6819. ;// 2 - Requester
  6820. ;//
  6821. ;// 3 - KRA Hashes
  6822. ;// NOTE(review): KRA presumably stands for key recovery agent, and %3 for the hashes of the
  6823. ;// agent certificates the key was archived to - TODO confirm against the logging code.
  6824. MessageId=0x031d
  6825. SymbolicName=SE_AUDITID_CERTSRV_KEYARCHIVED
  6826. Language=English
  6827. Certificate Services archived a key.%n
  6828. %n
  6829. Request ID:%t%1%n
  6830. Requester:%t%2%n
  6831. KRA Hashes:%t%3
  6832. .
  6833. ;//
  6834. ;//
  6835. ;// SE_AUDITID_CERTSRV_IMPORTKEY
  6836. ;// Message 0x031e (798 decimal): reports that a key was imported and archived.
  6837. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6838. ;//
  6839. ;// Parameter Strings -
  6840. ;// (inserted as %1 below; %n = line break, %t = tab)
  6841. ;// 1 - Request ID
  6842. ;// NOTE(review): unlike SE_AUDITID_CERTSRV_KEYARCHIVED (0x031d), this message has no
  6843. ;// Requester or KRA Hashes insert; only the request ID identifies the key.
  6844. MessageId=0x031e
  6845. SymbolicName=SE_AUDITID_CERTSRV_IMPORTKEY
  6846. Language=English
  6847. Certificate Services imported and archived a key.%n
  6848. %n
  6849. Request ID:%t%1
  6850. .
  6851. ;//
  6852. ;//
  6853. ;// SE_AUDITID_CERTSRV_PUBLISHCACERT
  6854. ;// Message 0x031f (799 decimal): reports publication of the CA certificate to Active Directory.
  6855. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6856. ;//
  6857. ;// Parameter Strings -
  6858. ;// (inserted as %1..%3 below; %n = line break, %t = tab)
  6859. ;// 1 - Certificate Hash
  6860. ;//
  6861. ;// 2 - Valid From
  6862. ;//
  6863. ;// 3 - Valid To
  6864. ;//
  6865. ;// NOTE(review): the hash algorithm behind %1 and the time format of %2/%3 are not stated here - confirm.
  6866. MessageId=0x031f
  6867. SymbolicName=SE_AUDITID_CERTSRV_PUBLISHCACERT
  6868. Language=English
  6869. Certificate Services published the CA certificate to Active Directory.%n
  6870. %n
  6871. Certificate Hash:%t%1%n
  6872. Valid From:%t%2%n
  6873. Valid To:%t%3
  6874. .
  6875. ;//
  6876. ;//
  6877. ;// SE_AUDITID_CERTSRV_DELETEROW
  6878. ;// Message 0x0320 (800 decimal): reports deletion of rows from the certificate database.
  6879. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6880. ;//
  6881. ;// Parameter Strings -
  6882. ;// (inserted as %1..%3 below; %n = line break, %t = tab)
  6883. ;// 1 - Table ID
  6884. ;//
  6885. ;// 2 - Filter
  6886. ;//
  6887. ;// 3 - Rows Deleted
  6888. ;// NOTE(review): the message records the table, the filter and a row count, not the content
  6889. ;// of the deleted rows; recovering what was removed needs another source such as a backup.
  6890. MessageId=0x0320
  6891. SymbolicName=SE_AUDITID_CERTSRV_DELETEROW
  6892. Language=English
  6893. One or more rows have been deleted from the certificate database.%n
  6894. %n
  6895. Table ID:%t%1%n
  6896. Filter:%t%2%n
  6897. Rows Deleted:%t%3
  6898. .
  6899. ;//
  6900. ;//
  6901. ;// SE_AUDITID_CERTSRV_ROLESEPARATIONSTATE
  6902. ;// Message 0x0321 (801 decimal): reports the role separation state.
  6903. ;// Category: SE_CATEGID_OBJECT_ACCESS
  6904. ;//
  6905. ;// Parameter Strings -
  6906. ;// (inserted as %1 below; %t = tab)
  6907. ;// 1 - Role separation state
  6908. ;// NOTE(review): the text is a single labelled field with no summary sentence, so it does not
  6909. ;// say whether the state changed or is only being reported - confirm when this is logged.
  6910. MessageId=0x0321
  6911. SymbolicName=SE_AUDITID_CERTSRV_ROLESEPARATIONSTATE
  6912. Language=English
  6913. Role separation enabled:%t%1
  6914. .
  6915. ;/*lint +e767 */ // Resume checking for different macro definitions // winnt
  6916. ;
  6917. ;
  6918. ;#endif // _MSAUDITE_