|
|
;/*++ BUILD Version: 0001 // Increment this if a change has global effects
; ;Copyright (c) 1991 Microsoft Corporation ; ;Module Name: ; ; msaudite.mc ; ;Abstract: ; ; Constant definitions for the NT Audit Event Messages. ; ;Author: ; ; Jim Kelly (JimK) 30-Mar-1992 ; ;Revision History: ; ;Notes: ; ; The .h and .res forms of this file are generated from the .mc ; form of the file (base\seaudit\msaudite\msaudite.mc). ; Please make all changes to the .mc form of the file. ; ; If you add a new audit category or make any change to the ; audit event id valid limits (0x200 ~ 0x5ff), please make a ; corresponding change to ntlsa.h ; ;--*/ ; ;#ifndef _MSAUDITE_ ;#define _MSAUDITE_ ; ;/*lint -e767 */ // Don't complain about different definitions // winnt
MessageIdTypedef=ULONG
SeverityNames=(None=0x0)
FacilityNames=(None=0x0)
MessageId=0x0000 Language=English Unused message ID . ;// Message ID 0 is unused - just used to flush out the diagram
;//
;// min/max limits on audit category-id and event-id of audit events
;//
; ;#define SE_ADT_MIN_CATEGORY_ID 1 // SE_CATEGID_SYSTEM
;#define SE_ADT_MAX_CATEGORY_ID 9 // SE_CATEGID_ACCOUNT_LOGON
; ; ;#define SE_ADT_MIN_AUDIT_ID 0x200 // see msaudite.h
;#define SE_ADT_MAX_AUDIT_ID 0x5ff // see msaudite.h
;///////////////////////////////////////////////////////////////////////////
;///////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Audit Message ID Space: //
;// //
;// 0x0000 - 0x00FF : Reserved for future use. //
;// //
;// 0x0100 - 0x01FF : Categories //
;// //
;// 0x0200 - 0x05FF : Events //
;// //
;// 0x0600 - 0x063F : Standard access types and names for //
;// specific accesses when no specific names //
;// can be found. //
;// //
;// 0x0640 - 0x06FF : Well known privilege names (as we would //
;// like them displayed in the event viewer). //
;// //
;// 0x0700 - 0x0FFE : Reserved for future use. //
;// //
;// 0X0FFF : SE_ADT_LAST_SYSTEM_MESSAGE (the highest //
;// value audit message used by the system) //
;// //
;// //
;// 0x1000 and above: For use by Parameter Message Files //
;// //
;///////////////////////////////////////////////////////////////////////////
;///////////////////////////////////////////////////////////////////////////
MessageId=0x0FFF SymbolicName=SE_ADT_LAST_SYSTEM_MESSAGE Language=English Highest System-Defined Audit Message Value. .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// CATEGORIES //
;// //
;// Categories take up the range 0x1 - 0x400 //
;// //
;// Category IDs: //
;// //
;// SE_CATEGID_SYSTEM //
;// SE_CATEGID_LOGON //
;// SE_CATEGID_OBJECT_ACCESS //
;// SE_CATEGID_PRIVILEGE_USE //
;// SE_CATEGID_DETAILED_TRACKING //
;// SE_CATEGID_POLICY_CHANGE //
;// SE_CATEGID_ACCOUNT_MANAGEMENT //
;// SE_CATEGID_DS_ACCESS //
;// SE_CATEGID_ACCOUNT_LOGON //
;// //
;// //
;/////////////////////////////////////////////////////////////////////////////
MessageId=0x0001 SymbolicName=SE_CATEGID_SYSTEM Language=English System Event .
MessageId=0x0002 SymbolicName=SE_CATEGID_LOGON Language=English Logon/Logoff .
MessageId=0x0003 SymbolicName=SE_CATEGID_OBJECT_ACCESS Language=English Object Access .
MessageId=0x0004 SymbolicName=SE_CATEGID_PRIVILEGE_USE Language=English Privilege Use .
MessageId=0x0005 SymbolicName=SE_CATEGID_DETAILED_TRACKING Language=English Detailed Tracking .
MessageId=0x0006 SymbolicName=SE_CATEGID_POLICY_CHANGE Language=English Policy Change .
MessageId=0x0007 SymbolicName=SE_CATEGID_ACCOUNT_MANAGEMENT Language=English Account Management . MessageId=0x0008 SymbolicName=SE_CATEGID_DS_ACCESS Language=English Directory Service Access . MessageId=0x0009 SymbolicName=SE_CATEGID_ACCOUNT_LOGON Language=English Account Logon .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_SYSTEM //
;// //
;// Event IDs: //
;// SE_AUDITID_SYSTEM_RESTART //
;// SE_AUDITID_SYSTEM_SHUTDOWN //
;// SE_AUDITID_AUTH_PACKAGE_LOAD //
;// SE_AUDITID_LOGON_PROC_REGISTER //
;// SE_AUDITID_AUDITS_DISCARDED //
;// SE_AUDITID_NOTIFY_PACKAGE_LOAD //
;// SE_AUDITID_LPC_INVALID_USE //
;// SE_AUDITID_SYSTEM_TIME_CHANGE //
;// SE_AUDITID_UNABLE_TO_LOG_EVENTS //
;// SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_SYSTEM_RESTART
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings - None
;//
;//
;//
MessageId=0x0200 SymbolicName=SE_AUDITID_SYSTEM_RESTART Language=English Windows is starting up. .
;//
;//
;// SE_AUDITID_SYSTEM_SHUTDOWN
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings - None
;//
;//
;//
MessageId=0x0201 SymbolicName=SE_AUDITID_SYSTEM_SHUTDOWN Language=English Windows is shutting down. All logon sessions will be terminated by this shutdown. .
;//
;//
;// SE_AUDITID_SYSTEM_AUTH_PACKAGE_LOAD
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - Authentication Package Name
;//
;//
;//
MessageId=0x0202 SymbolicName=SE_AUDITID_AUTH_PACKAGE_LOAD Language=English An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. %n Authentication Package Name:%t%1 .
;//
;//
;// SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - Logon Process Name
;//
;//
;//
MessageId=0x0203 SymbolicName=SE_AUDITID_SYSTEM_LOGON_PROC_REGISTER Language=English A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. %n %n Logon Process Name:%t%1 .
;//
;//
;// SE_AUDITID_AUDITS_DISCARDED
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - Number of audits discarded
;//
;//
;//
MessageId=0x0204 SymbolicName=SE_AUDITID_AUDITS_DISCARDED Language=English Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. %n %tNumber of audit messages discarded:%t%1 .
;//
;//
;// SE_AUDITID_AUDIT_LOG_CLEARED
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - Primary user account name
;//
;// 2 - Primary authenticating domain name
;//
;// 3 - Primary logon ID string
;//
;// 4 - Client user account name ("-" if no client)
;//
;// 5 - Client authenticating domain name ("-" if no client)
;//
;// 6 - Client logon ID string ("-" if no client)
;//
;//
;//
MessageId=0x0205 SymbolicName=SE_AUDITID_AUDIT_LOG_CLEARED Language=English The audit log was cleared %n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n .
;//
;//
;// SE_AUDITID_SYSTEM_NOTIFY_PACKAGE_LOAD
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - Notification Package Name
;//
;//
;//
MessageId=0x0206 SymbolicName=SE_AUDITID_NOTIFY_PACKAGE_LOAD Language=English An notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes. %n Notification Package Name:%t%1 .
;//
;//
;// SE_AUDITID_LPC_INVALID_USE
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - LPC call (e.g. "impersonation" | "reply")
;//
;// 2 - Server Port name
;//
;// 3 - Faulting process
;//
;// Event type: success
;//
;// Description:
;// SE_AUDIT_LPC_INVALID_USE is generated when a process uses an invalid LPC
;// port in an attempt to impersonate a client, reply or read/write from/to a client address space.
;//
MessageId=0x0207 SymbolicName=SE_AUDITID_LPC_INVALID_USE Language=English Invalid use of LPC port.%n %tProcess ID: %1%n %tImage File Name: %2%n %tPrimary User Name:%t%3%n %tPrimary Domain:%t%4%n %tPrimary Logon ID:%t%5%n %tClient User Name:%t%6%n %tClient Domain:%t%7%n %tClient Logon ID:%t%8%n %tInvalid use: %9%n %tServer Port Name:%t%10%n .
;//
;//
;// SE_AUDITID_SYSTEM_TIME_CHANGE
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// Type: success
;//
;// Description: This event is generated when the system time is changed.
;//
;// Note: This will often appear twice in the audit log; this is an implementation
;// detail wherein changing the system time results in two calls to NtSetSystemTime.
;// This is necessary to deal with time zone changes.
;//
;//
MessageId=0x0208 SymbolicName=SE_AUDITID_SYSTEM_TIME_CHANGE Language=English The system time was changed.%n Process ID:%t%t%1%n Process Name:%t%t%2%n Primary User Name:%t%3%n Primary Domain:%t%t%4%n Primary Logon ID:%t%t%5%n Client User Name:%t%t%6%n Client Domain:%t%t%7%n Client Logon ID:%t%t%8%n Previous Time:%t%t%10 %9%n New Time:%t%t%12 %11%n .
;//
;//
;// SE_AUDITID_UNABLE_TO_LOG_EVENTS
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Type: failure
;//
;// Description:
;// This event is generated when the system is not able to log
;// security audit events.
;//
;// Parameters:
;// 1 : Win32 error code
;//
;// 2 : value of the key System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
;// 0 --> CrashOnAuditFail is not set
;// 1 --> system will crash if not able to log audit events
;// 2 --> system has rebooted after such a crash and will allow
;// only admins to logon
;//
;//
MessageId=0x0209 SymbolicName=SE_AUDITID_UNABLE_TO_LOG_EVENTS Language=English Unable to log events to security log:%n %tStatus code:%t%t%1%n %tValue of CrashOnAuditFail:%t%2%n .
;//
;//
;// SE_AUDITID_AUDIT_COLLECTION_AGENT_ERROR
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Type: failure
;//
;// Description:
;// This event is generated when AdtAgent/AdtServer
;// encounter an error.
;//
;// Parameters:
;// 1 : Component (AdtAgent, AdtServer, etc.)
;// 2 : Version of the component
;// 3 : Win32 error
;//
MessageId=0x020A SymbolicName=SE_AUDITID_AUDIT_COLLECTION_AGENT_ERROR Language=English The audit collection system has encountered an error.%n %tComponent:%t%1%n %tVersion:%t%2%n %tStatus code:%t%3%n .
;//
;//
;// SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Parameter Strings -
;//
;// 1 - Percent Full
;//
;// Description: This event is generated when security logs exceedes a certain
;// percent full. That percent is controlled by the registry value named
;// "WarningLevel" which is stored in the security subkey of the eventlog.
;//
;//
MessageId=0x020b SymbolicName=SE_AUDITID_SECURITY_LOG_EXCEEDS_WARNING_LEVEL Language=English The security log is now %1 percent full. .
;//
;//
;// SE_AUDITID_EVENT_LOG_AUTOBACKUP
;//
;// Category: SE_CATEGID_SYSTEM
;//
;// Type: success/failure
;//
;// Description:
;// This event is generated when the eventlog service automatically
;// backs-up the security log.
;//
;// Parameters:
;// 1 : Type of log (for example, 'Security')
;// 2 : Full path to the backed-up copy
;// 3 : Win32 error (0 ==> success)
;//
MessageId=0x20c SymbolicName=SE_AUDITID_EVENT_LOG_AUTOBACKUP Language=English Event log auto-backup%n %tLog:%t%1%n %tFile:%t%2%n %tStatus:%t%3%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_LOGON //
;// //
;// Event IDs: //
;// SE_AUDITID_SUCCESSFUL_LOGON //
;// SE_AUDITID_UNKNOWN_USER_OR_PWD //
;// SE_AUDITID_ACCOUNT_TIME_RESTR //
;// SE_AUDITID_ACCOUNT_DISABLED //
;// SE_AUDITID_ACCOUNT_EXPIRED //
;// SE_AUDITID_WORKSTATION_RESTR //
;// SE_AUDITID_LOGON_TYPE_RESTR //
;// SE_AUDITID_PASSWORD_EXPIRED //
;// SE_AUDITID_NETLOGON_NOT_STARTED //
;// SE_AUDITID_UNSUCCESSFUL_LOGON //
;// SE_AUDITID_LOGOFF //
;// SE_AUDITID_ACCOUNT_LOCKED //
;// SE_AUDITID_NETWORK_LOGON //
;// SE_AUDITID_IPSEC_LOGON_SUCCESS //
;// SE_AUDITID_IPSEC_LOGOFF_MM //
;// SE_AUDITID_IPSEC_LOGOFF_QM //
;// SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST //
;// SE_AUDITID_IPSEC_AUTH //
;// SE_AUDITID_IPSEC_ATTRIB_FAIL //
;// SE_AUDITID_IPSEC_NEGOTIATION_FAIL //
;// SE_AUDITID_IPSEC_IKE_NOTIFICATION //
;// SE_AUDITID_DOMAIN_TRUST_INCONSISTENT //
;// SE_AUDITID_AUTH_REPLAY_DETECTED //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_SUCCESSFUL_LOGON
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon ID string
;//
;// 4 - Logon Type string
;//
;// 5 - Logon process name
;//
;// 6 - Authentication package name
;//
;// 7 - Workstation from which logon request came
;//
;// 8 - Globally unique logon ID
;//
;//
MessageId=0x0210 SymbolicName=SE_AUDITID_SUCCESSFUL_LOGON Language=English Successful Logon:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon Type:%t%4%n %tLogon Process:%t%5%n %tAuthentication Package:%t%6%n %tWorkstation Name:%t%7%n %tLogon GUID:%t%8%n %tCaller User Name:%t%9%n %tCaller Domain:%t%10%n %tCaller Logon ID:%t%11%n %tCaller Process ID: %12%n %tTransited Services: %13%n %tSource Network Address:%t%14%n %tSource Port:%t%15%n .
;//
;//
;// SE_AUDITID_UNKNOWN_USER_OR_PWD
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0211 SymbolicName=SE_AUDITID_UNKNOWN_USER_OR_PWD Language=English Logon Failure:%n %tReason:%t%tUnknown user name or bad password%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_ACCOUNT_TIME_RESTR
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0212 SymbolicName=SE_AUDITID_ACCOUNT_TIME_RESTR Language=English Logon Failure:%n %tReason:%t%tAccount logon time restriction violation%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_ACCOUNT_DISABLED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0213 SymbolicName=SE_AUDITID_ACCOUNT_DISABLED Language=English Logon Failure:%n %tReason:%t%tAccount currently disabled%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_ACCOUNT_EXPIRED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0214 SymbolicName=SE_AUDITID_ACCOUNT_EXPIRED Language=English Logon Failure:%n %tReason:%t%tThe specified user account has expired%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_WORKSTATION_RESTR
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0215 SymbolicName=SE_AUDITID_WORKSTATION_RESTR Language=English Logon Failure:%n %tReason:%t%tUser not allowed to logon at this computer%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_LOGON_TYPE_RESTR
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0216 SymbolicName=SE_AUDITID_LOGON_TYPE_RESTR Language=English Logon Failure:%n %tReason:%tThe user has not been granted the requested%n %t%tlogon type at this machine%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_PASSWORD_EXPIRED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0217 SymbolicName=SE_AUDITID_PASSWORD_EXPIRED Language=English Logon Failure:%n %tReason:%t%tThe specified account's password has expired%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//'
;//
;// SE_AUDITID_NETLOGON_NOT_STARTED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0218 SymbolicName=SE_AUDITID_NETLOGON_NOT_STARTED Language=English Logon Failure:%n %tReason:%t%tThe NetLogon component is not active%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID:%t%10%n %tTransited Services:%t%11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_UNSUCCESSFUL_LOGON
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x0219 SymbolicName=SE_AUDITID_UNSUCCESSFUL_LOGON Language=English Logon Failure:%n %tReason:%t%tAn error occurred during logon%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tStatus code:%t%7%n %tSubstatus code:%t%8%n %tCaller User Name:%t%9%n %tCaller Domain:%t%10%n %tCaller Logon ID:%t%11%n %tCaller Process ID:%t%12%n %tTransited Services:%t%13%n %tSource Network Address:%t%14%n %tSource Port:%t%15%n .
;//
;//
;// SE_AUDITID_LOGOFF
;//
;// Category: SE_CATEGID_LOGON
;//
;// Event Type : success
;//
;// Description:
;// This event is generated when the logoff process is complete,
;// A logoff is considered complete when the associated logon session object
;// is deleted.
;//
;// Notes:
;// A logon session object is deleted only after all tokens
;// associated with it are closed. This can take arbitrarily long time.
;// Because of this, the time difference between SE_AUDITID_SUCCESSFUL_LOGON
;// and SE_AUDITID_LOGOFF does not accurately indicate the total logon duration
;// for a user. To calculate the logon duration, use the SE_AUDITID_BEGIN_LOGOFF
;// time instead.
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon ID string
;//
;// 3 - Logon Type string
;//
;//
;//
MessageId=0x021A SymbolicName=SE_AUDITID_LOGOFF Language=English User Logoff:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon Type:%t%4%n .
;//
;//
;// SE_AUDITID_ACCOUNT_LOCKED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon Type string
;//
;// 4 - Logon process name
;//
;// 5 - Authentication package name
;//
;//
MessageId=0x021B SymbolicName=SE_AUDITID_ACCOUNT_LOCKED Language=English Logon Failure:%n %tReason:%t%tAccount locked out%n %tUser Name:%t%1%n %tDomain:%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID: %10%n %tTransited Services: %11%n %tSource Network Address:%t%12%n %tSource Port:%t%13%n .
;//
;//
;// SE_AUDITID_NETWORK_LOGON
;//
;// Category: SE_CATEGID_LOGON
;//
;// Description:
;// This event represents a successful logon of type Network(2) or
;// NetworkCleartext(8).
;//
;// [kumarp] I do not know why this event was created separately because
;// this was already covered by SE_AUDITID_SUCCESSFUL_LOGON with
;// the right logon types.
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon ID string
;//
;// 4 - Logon Type string
;//
;// 5 - Logon process name
;//
;// 6 - Authentication package name
;//
;// 7 - Workstation from which logon request came
;//
;// 8 - Globally unique logon ID
;//
MessageId=0x021c SymbolicName=SE_AUDITID_NETWORK_LOGON Language=English Successful Network Logon:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon Type:%t%4%n %tLogon Process:%t%5%n %tAuthentication Package:%t%6%n %tWorkstation Name:%t%7%n %tLogon GUID:%t%8%n %tCaller User Name:%t%9%n %tCaller Domain:%t%10%n %tCaller Logon ID:%t%11%n %tCaller Process ID: %12%n %tTransited Services: %13%n %tSource Network Address:%t%14%n %tSource Port:%t%15%n .
;//
;//
;// SE_AUDITID_IPSEC_LOGON_SUCCESS
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Mode
;//
;// 2 - Peer Identity
;//
;// 3 - Filter
;//
;// 4 - Parameters
;//
;//
MessageId=0x021d SymbolicName=SE_AUDITID_IPSEC_LOGON_SUCCESS Language=English IKE security association established.%n Mode: %n%1%n Peer Identity: %n%2%n Filter: %n%3%n Parameters: %n%4%n .
;//
;//
;// SE_AUDITID_IPSEC_LOGOFF_QM
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Filter
;//
;// 2 - Inbound SPI
;//
;// 3 - Outbound SPI
;//
;//
MessageId=0x021e SymbolicName=SE_AUDITID_IPSEC_LOGOFF_QM Language=English IKE security association ended.%n Mode: Data Protection (Quick mode) Filter: %n%1%n Inbound SPI: %n%2%n Outbound SPI: %n%3%n .
;//
;//
;// SE_AUDITID_IPSEC_LOGOFF_MM
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Filter
;//
MessageId=0x021f SymbolicName=SE_AUDITID_IPSEC_LOGOFF_MM Language=English IKE security association ended.%n Mode: Key Exchange (Main mode)%n Filter: %n%1%n .
;//
;//
;// SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Peer Identity
;//
;// 2 - Filter
;//
;//
MessageId=0x0220 SymbolicName=SE_AUDITID_IPSEC_AUTH_FAIL_CERT_TRUST Language=English IKE security association establishment failed because peer could not authenticate. The certificate trust could not be established.%n Peer Identity: %n%1%n Filter: %n%2%n .
;//
;//
;// SE_AUDITID_IPSEC_AUTH_FAIL
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Peer Identity
;//
;// 2 - Filter
;//
;//
MessageId=0x0221 SymbolicName=SE_AUDITID_IPSEC_AUTH_FAIL Language=English IKE peer authentication failed.%n Peer Identity: %n%1%n Filter: %n%2%n .
;//
;//
;// SE_AUDITID_IPSEC_ATTRIB_FAIL
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Mode
;//
;// 2 - Filter
;//
;// 3 - Attribute Name
;//
;// 4 - Expected Value
;//
;// 5 - Received Value
;//
;//
MessageId=0x0222 SymbolicName=SE_AUDITID_IPSEC_ATTRIB_FAIL Language=English IKE security association establishment failed because peer sent invalid proposal.%n Mode: %n%1%n Filter: %n%2%n Attribute: %n%3%n Expected value: %n%4%n Received value: %n%5%n .
;//
;//
;// SE_AUDITID_IPSEC_NEGOTIATION_FAIL
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Mode
;//
;// 2 - Filter
;//
;// 3 - Failure Point
;//
;// 4 - Failure Reason
;//
;//
MessageId=0x0223 SymbolicName=SE_AUDITID_IPSEC_NEGOTIATION_FAIL Language=English IKE security association negotiation failed.%n Mode: %n%1%n Filter: %n%2%n Peer Identity: %n%3%n Failure Point: %n%4%n Failure Reason: %n%5%n Extra Status: %n%6%n .
;//
;//
;// SE_AUDITID_DOMAIN_TRUST_INCONSISTENT
;//
;// Category: SE_CATEGID_LOGON
;//
;// Event Type : failure
;//
;// Description:
;// This event is generated by an authentication package when the
;// quarantined domain SID filtering function in LSA returns
;// STATUS_DOMAIN_TRUST_INCONSISTENT error code.
;//
;// In case of kerberos:
;// If the server ticket info has a TDOSid then KdcCheckPacForSidFiltering
;// function makes a check to make sure the SID from the TDO matches
;// the client's home domain SID. A call to LsaIFilterSids
;// is made to do the check. If this function fails with
;// STATUS_DOMAIN_TRUST_INCONSISTENT then this event is generated.
;//
;// In case of netlogon:
;// NlpUserValidateHigher function does a similar check by
;// calling LsaIFilterSids.
;//
;// Notes:
;//
MessageId=0x0224 SymbolicName=SE_AUDITID_DOMAIN_TRUST_INCONSISTENT Language=English Logon Failure:%n %tReason:%t%tDomain sid inconsistent%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6 %tTransited Services:%t%7%n .
;//
;//
;// SE_AUDITID_ALL_SIDS_FILTERED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Event Type : failure
;//
;// Description:
;// During a cross forest authentication, SIDS corresponding to untrusted
;// namespaces are filtered out. If this filtering action results into
;// removal of all sids then this event is generated.
;//
;// Notes:
;// This is generated on the computer running kdc
;//
;// **** This event is now obsolete. The schema below is retained so that
;// people can view old instance of this event using a new viewer.
;//
MessageId=0x0225 SymbolicName=SE_AUDITID_ALL_SIDS_FILTERED Language=English Logon Failure:%n %tReason: %tAll sids were filtered out%n %tUser Name:%t%1%n %tDomain:%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package%t: %5%n %tWorkstation Name:%t%6 .
;//
;//
;// SE_AUDITID_IPSEC_IKE_NOTIFICATION
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - Notification Message
;//
MessageId=0x0226 SymbolicName=SE_AUDITID_IPSEC_IKE_NOTIFICATION Language=English %1%n .
;//
;//
;// SE_AUDITID_BEGIN_LOGOFF
;//
;// Category: SE_CATEGID_LOGON
;//
;// Event Type : success
;//
;// Description:
;// This event is generated when a user initiates logoff.
;//
;// Notes:
;// When the logoff process is complete, SE_AUDITID_LOGOFF event is generated.
;// A logoff is considered complete when the associated logon session object
;// is deleted. This happens only after all tokens associated with it are closed.
;// This can take arbitrarily long time therefore there can be a substantial
;// time difference between the two events.
;//
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon ID string
;//
;//
MessageId=0x0227 SymbolicName=SE_AUDITID_BEGIN_LOGOFF Language=English User initiated logoff:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n .
;//
;//
;// SE_AUDITID_LOGON_USING_EXPLICIT_CREDENTIALS
;//
;// Category: SE_CATEGID_LOGON
;//
;// Event Type : success
;//
;// Description:
;// This event is generated when someone tries to logon using
;// explicit credentials while already logged on as a different user.
;//
;// Notes:
;// This is generated on the client machine from which logon request originates.
;//
;//
MessageId=0x0228 SymbolicName=SE_AUDITID_LOGON_USING_EXPLICIT_CREDENTIALS Language=English Logon attempt using explicit credentials:%n Logged on user:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tLogon GUID:%t%4%n User whose credentials were used:%n %tTarget User Name:%t%5%n %tTarget Domain:%t%6%n %tTarget Logon GUID: %7%n%n Target Server Name:%t%8%n Target Server Info:%t%9%n Caller Process ID:%t%10%n Source Network Address:%t%11%n Source Port:%t%12%n .
;//
;//
;// SE_AUDITID_AUTH_REPLAY_DETECTED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Event Type : failure
;//
;// Description:
;// This event is generated when an auth package detects replay attack.
;//
;// Notes:
;// This is generated by the computer running kdc or the server machine
;// that is receiving the auth request. For kerberos, Request Type is one of
;// the KRB_XXX_REQ or whatever request depending on the specific auth protocol.
;//
;//
MessageId=0x0229 SymbolicName=SE_AUDITID_AUTH_REPLAY_DETECTED Language=English %tUser Name:%t%1%n %tDomain:%t%%t%2%n %tRequest Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6%n %tCaller User Name:%t%7%n %tCaller Domain:%t%8%n %tCaller Logon ID:%t%9%n %tCaller Process ID: %10%n %tTransited Services: %11%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_OBJECT_ACCESS //
;// //
;// Event IDs: //
;// SE_AUDITID_OPEN_HANDLE //
;// SE_AUDITID_CLOSE_HANDLE //
;// SE_AUDITID_OPEN_OBJECT_FOR_DELETE //
;// SE_AUDITID_DELETE_OBJECT //
;// SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE //
;// SE_AUDITID_OBJECT_OPERATION //
;// SE_AUDITID_OBJECT_ACCESS //
;// SE_AUDITID_HARDLINK_CREATION //
;// //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_OPEN_HANDLE
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object Type string
;//
;// 2 - Object name
;//
;// 3 - New handle ID string
;//
;// 4 - Object server name
;//
;// 5 - Process ID string
;//
;// 6 - Primary user account name
;//
;// 7 - Primary authenticating domain name
;//
;// 8 - Primary logon ID string
;//
;// 9 - Client user account name ("-" if no client)
;//
;// 10 - Client authenticating domain name ("-" if no client)
;//
;// 11 - Client logon ID string ("-" if no client)
;//
;// 12 - Access names
;//
;//
;//
;//
MessageId=0x0230 SymbolicName=SE_AUDITID_OPEN_HANDLE Language=English Object Open:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tOperation ID:%t{%5,%6}%n %tProcess ID:%t%7%n %tImage File Name:%t%8%n %tPrimary User Name:%t%9%n %tPrimary Domain:%t%10%n %tPrimary Logon ID:%t%11%n %tClient User Name:%t%12%n %tClient Domain:%t%13%n %tClient Logon ID:%t%14%n %tAccesses:%t%15%n %tPrivileges:%t%16%n %tRestricted Sid Count:%t%17%n %tAccess Mask:%t%18%n .
;//
;//
;// SE_AUDITID_CLOSE_HANDLE
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object server name
;//
;// 2 - Handle ID string
;//
;// 3 - Process ID string
;//
;//
;//
;//
MessageId=0x0232 SymbolicName=SE_AUDITID_CLOSE_HANDLE Language=English Handle Closed:%n %tObject Server:%t%1%n %tHandle ID:%t%2%n %tProcess ID:%t%3%n %tImage File Name:%t%4%n .
;//
;//
;// SE_AUDITID_OPEN_OBJECT_FOR_DELETE
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object Type string
;//
;// 2 - Object name
;//
;// 3 - New handle ID string
;//
;// 4 - Object server name
;//
;// 5 - Process ID string
;//
;// 6 - Primary user account name
;//
;// 7 - Primary authenticating domain name
;//
;// 8 - Primary logon ID string
;//
;// 9 - Client user account name ("-" if no client)
;//
;// 10 - Client authenticating domain name ("-" if no client)
;//
;// 11 - Client logon ID string ("-" if no client)
;//
;// 12 - Access names
;//
;//
;//
;//
MessageId=0x0233 SymbolicName=SE_AUDITID_OPEN_OBJECT_FOR_DELETE Language=English Object Open for Delete:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tOperation ID:%t{%5,%6}%n %tProcess ID:%t%7%n %tPrimary User Name:%t%8%n %tPrimary Domain:%t%9%n %tPrimary Logon ID:%t%10%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n %tAccesses:%t%t%14%n %tPrivileges:%t%t%15%n %tAccess Mask:%t%16%n .
;//
;//
;// SE_AUDITID_DELETE_OBJECT
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object server name
;//
;// 2 - Handle ID string
;//
;// 3 - Process ID string
;//
;//
;//
;//
MessageId=0x0234 SymbolicName=SE_AUDITID_DELETE_OBJECT Language=English Object Deleted:%n %tObject Server:%t%1%n %tHandle ID:%t%2%n %tProcess ID:%t%3%n %tImage File Name:%t%4%n .
;//
;//
;// SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object Type string
;//
;// 2 - Object name
;//
;// 3 - New handle ID string
;//
;// 4 - Object server name
;//
;// 5 - Process ID string
;//
;// 6 - Primary user account name
;//
;// 7 - Primary authenticating domain name
;//
;// 8 - Primary logon ID string
;//
;// 9 - Client user account name ("-" if no client)
;//
;// 10 - Client authenticating domain name ("-" if no client)
;//
;// 11 - Client logon ID string ("-" if no client)
;//
;// 12 - Access names
;//
;// 13 - Object Type parameters
;//
;//
;//
;//
MessageId=0x0235 SymbolicName=SE_AUDITID_OPEN_HANDLE_OBJECT_TYPE Language=English Object Open:%n %tObject Server:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tHandle ID:%t%4%n %tOperation ID:%t{%5,%6}%n %tProcess ID:%t%7%n %tProcess Name:%t%8%n %tPrimary User Name:%t%9%n %tPrimary Domain:%t%10%n %tPrimary Logon ID:%t%11%n %tClient User Name:%t%12%n %tClient Domain:%t%13%n %tClient Logon ID:%t%14%n %tAccesses:%t%15%n %tPrivileges:%t%16%n%n %tProperties:%n%17%n %tAccess Mask:%t%18%n .
; ;// SE_AUDITID_OBJECT_OPERATION
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Operation Name
;//
;// 2 - Object Type
;//
;// 3 - Object name
;//
;// 4 - Handle ID
;//
;// 5 - Primary user account name
;//
;// 6 - Primary authenticating domain name
;//
;// 7 - Primary logon ID string
;//
;// 8 - Client user account name ("-" if no client)
;//
;// 9 - Client authenticating domain name ("-" if no client)
;//
;// 10 - Client logon ID string ("-" if no client)
;//
;// 11 - Requested accesses to the object
;//
;// 12 - Object properties ("-" if none)
;//
;// 13 - additional information ("-" if none)
;//
MessageId=0x0236 SymbolicName=SE_AUDITID_OBJECT_OPERATION Language=English Object Operation:%n %tObject Server:%t%1%n %tOperation Type:%t%2%n %tObject Type:%t%3%n %tObject Name:%t%4%n %tHandle ID:%t%5%n %tPrimary User Name:%t%6%n %tPrimary Domain:%t%7%n %tPrimary Logon ID:%t%8%n %tClient User Name:%t%9%n %tClient Domain:%t%10%n %tClient Logon ID:%t%11%n %tAccesses:%t%12%n %tProperties:%n%t%13%n %tAdditional Info:%t%14%n %tAdditional Info2:%t%15%n %tAccess Mask:%t%16%n .
;//
;//
;// SE_AUDITID_OBJECT_ACCESS
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object server name
;//
;// 2 - Handle ID string
;//
;// 3 - Process ID string
;//
;// 4 - List of Accesses
;//
;//
MessageId=0x0237 SymbolicName=SE_AUDITID_OBJECT_ACCESS Language=English Object Access Attempt:%n %tObject Server:%t%1%n %tHandle ID:%t%2%n %tObject Type:%t%3%n %tProcess ID:%t%4%n %tImage File Name:%t%5%n %tAccesses:%t%6%n %tAccess Mask:%t%7%n .
;//
;//
;// SE_AUDITID_HARDLINK_CREATION
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Object server name
;//
;// 2 - Handle ID string
;//
;// 3 - Process ID string
;//
;//
;//
;//
MessageId=0x0238 SymbolicName=SE_AUDITID_HARDLINK_CREATION Language=English Hard link creation attempt:%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tFile Name:%t%4%n %tLink Name:%t%5%n .
;//
;//
;// SE_AUDITID_AZ_CLIENTCONTEXT_CREATION
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Application name
;//
;// 2 - Application instance id
;//
;// 3 - Client name
;//
;// 4 - Client domain name
;//
;// 5 - Client Logon id
;//
;// 6 - Error status
;//
;//
;// Description: This audit is generated when the resource manager in AZ
;// creates a client context. Currently, the only creation supported is
;// from a Nt Token. To track back to the identity of the client, use the Client
;// context Id and match it with the Logon Id in the Token Creation audit.
;//
;//
MessageId=0x0239 SymbolicName=SE_AUDITID_AZ_CLIENTCONTEXT_CREATION Language=English Application client context creation attempt:%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tClient Name:%t%3%n %tClient Domain:%t%4%n %tClient Context ID:%t%5%n %tStatus:%t%6%n .
;//
;//
;// SE_AUDITID_AZ_ACCESSCHECK
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Application Name
;//
;// 2 - Application instance luid
;//
;// 3 - Object Name
;//
;// 4 - Scope name to which the object belongs
;// Scopes are not nested in V1. In V2, this will be a comma
;// separated list.
;//
;// 5 - Client name
;//
;// 6 - Client domain name
;//
;// 7 - Client Logon Id
;//
;// 8 - Role information
;// Role because of which the client was granted access.
;//
;// 9 - Group Information
;// Groups because of which the client belonged to the role.
;// This is a comma separated list.
;//
;// 10 - Operation name
;// Name of the operation e.g. Read general information
;//
;// 11 - Operation Id
;// DWORD internal representation of the operation.
;//
;//
;// Desription: This audit is generated when the client accesses an object.
;// One audit (success/failure) is generated per every Operation asked for.
;// Ex: Asked for Op1, Op2, Op3.
;// Granted Op1; Denied Op2, Op3
;// Will generate one success and 2 failure audits.
;//
MessageId=0x023A SymbolicName=SE_AUDITID_AZ_ACCESSCHECK Language=English Application operation attempt:%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tObject Name:%t%3%n %tScope Names:%t%4%n %tClient Name:%t%5%n %tClient Domain:%t%6%n %tClient Context ID:%t%7%n %tRole:%t%8%n %tGroups:%t%9%n %tOperation Name:%t%10 (%11)%n .
;//
;//
;// SE_AUDITID_AZ_CLIENTCONTEXT_DELETION
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Application name
;//
;// 2 - Application instance luid
;//
;// 3 - Client name
;//
;// 4 - Client domain name
;//
;// 5 - Client login Id
;//
;// Description: This audit is generated when the client context is deleted by
;// the AZ app. Tie this with the client context creation audit.
;//
;//
;//
MessageId=0x023B SymbolicName=SE_AUDITID_AZ_CLIENTCONTEXT_DELETION Language=English Application client context deletion:%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tClient Name:%t%3%n %tClient Domain:%t%4%n %tClient Context ID:%t%5%n .
;//
;//
;// SE_AUDITID_AZ_APPLICATION_INITIALIZATION
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Application name
;//
;// 2 - Application instance luid
;//
;// 3 - Client name
;//
;// 4 - Client domain name
;//
;// 5 - Client logon id
;//
;// 6 - Policy store url
;//
;// Description: This audit is generated when the admin manager initializes the
;// app. The applciation name and instance Id help to tie the future audits.
;//
;//
;//
MessageId=0x023C SymbolicName=SE_AUDITID_AZ_APPLICATION_INITIALIZATION Language=English Application Initialized%n %tApplication Name:%t%1%n %tApplication Instance ID:%t%2%n %tClient Name:%t%3%n %tClient Domain:%t%4%n %tClient ID:%t%5%n %tPolicy Store URL:%t%6%n .
;//
;//
;// SE_AUDITID_GENERIC_AUDIT_EVENT
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - source name
;//
;// 2 - event ID specific to this source
;//
;// 3 - 27 : insertion strings
;//
;//
;// Description:
;// This audit is generated when a process generates non-system audit event
;// using the AuthZ audit API. Parameters supplied by the process are converted
;// to strings and inserted as strings %3 through %27.
;//
;//
;//
MessageId=0x023D SymbolicName=SE_AUDITID_GENERIC_AUDIT_EVENT Language=English %nApplication-specific security event.%n %tEvent Source:%t%1%n %tEvent ID:%t%2%n %t%t%3%n %t%t%4%n %t%t%5%n %t%t%6%n %t%t%7%n %t%t%8%n %t%t%9%n %t%t%10%n %t%t%11%n %t%t%12%n %t%t%13%n %t%t%14%n %t%t%15%n %t%t%16%n %t%t%17%n %t%t%18%n %t%t%19%n %t%t%20%n %t%t%21%n %t%t%22%n %t%t%23%n %t%t%24%n %t%t%25%n %t%t%26%n %t%t%27%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_PRIVILEGE_USE //
;// //
;// Event IDs: //
;// SE_AUDITID_ASSIGN_SPECIAL_PRIV //
;// SE_AUDITID_PRIVILEGED_SERVICE //
;// SE_AUDITID_PRIVILEGED_OBJECT //
;// //
;// //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_ASSIGN_SPECIAL_PRIV
;//
;// Category: SE_CATEGID_PRIVILEGE_USE
;//
;// Description:
;// When a user logs on, if any one of the following privileges is added
;// to his/her token, this event is generated.
;//
;// - SeChangeNotifyPrivilege
;// - SeAuditPrivilege
;// - SeCreateTokenPrivilege
;// - SeAssignPrimaryTokenPrivilege
;// - SeBackupPrivilege
;// - SeRestorePrivilege
;// - SeDebugPrivilege
;//
;//
;// Parameter Strings -
;//
;// 1 - User name
;//
;// 2 - domain name
;//
;// 3 - Logon ID string
;//
;// 4 - Privilege names (as 1 string, with formatting)
;//
;//
;//
;//
MessageId=0x0240 SymbolicName=SE_AUDITID_ASSIGN_SPECIAL_PRIV Language=English Special privileges assigned to new logon:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tPrivileges:%t%4 .
;//
;//
;// SE_AUDITID_PRIVILEGED_SERVICE
;//
;// Category: SE_CATEGID_PRIVILEGE_USE
;//
;// Description:
;// This event is generated when a user makes an attempt to perform
;// a privileged system service operation.
;//
;// Parameter Strings -
;//
;// 1 - server name
;//
;// 2 - service name
;//
;// 3 - Primary User name
;//
;// 4 - Primary domain name
;//
;// 5 - Primary Logon ID string
;//
;// 6 - Client User name (or "-" if not impersonating)
;//
;// 7 - Client domain name (or "-" if not impersonating)
;//
;// 8 - Client Logon ID string (or "-" if not impersonating)
;//
;// 9 - Privilege names (as 1 string, with formatting)
;//
;//
;//
;//
MessageId=0x0241 SymbolicName=SE_AUDITID_PRIVILEGED_SERVICE Language=English Privileged Service Called:%n %tServer:%t%t%1%n %tService:%t%t%2%n %tPrimary User Name:%t%3%n %tPrimary Domain:%t%4%n %tPrimary Logon ID:%t%5%n %tClient User Name:%t%6%n %tClient Domain:%t%7%n %tClient Logon ID:%t%8%n %tPrivileges:%t%9 .
;//
;//
;// SE_AUDITID_PRIVILEGED_OBJECT
;//
;// Category: SE_CATEGID_PRIVILEGE_USE
;//
;// Parameter Strings -
;//
;// 1 - object server
;//
;// 2 - object handle (if available)
;//
;// 3 - process ID string
;//
;// 4 - Primary User name
;//
;// 5 - Primary domain name
;//
;// 6 - Primary Logon ID string
;//
;// 7 - Client User name (or "-" if not impersonating)
;//
;// 8 - Client domain name (or "-" if not impersonating)
;//
;// 9 - Client Logon ID string (or "-" if not impersonating)
;//
;// 10 - Privilege names (as 1 string, with formatting)
;//
;//
MessageId=0x0242 SymbolicName=SE_AUDITID_PRIVILEGED_OBJECT Language=English Privileged object operation:%n %tObject Server:%t%1%n %tObject Handle:%t%2%n %tProcess ID:%t%3%n %tPrimary User Name:%t%4%n %tPrimary Domain:%t%5%n %tPrimary Logon ID:%t%6%n %tClient User Name:%t%7%n %tClient Domain:%t%8%n %tClient Logon ID:%t%9%n %tPrivileges:%t%10 .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_DETAILED_TRACKING //
;// //
;// Event IDs: //
;// SE_AUDITID_PROCESS_CREATED //
;// SE_AUDITID_PROCESS_EXIT //
;// SE_AUDITID_DUPLICATE_HANDLE //
;// SE_AUDITID_INDIRECT_REFERENCE //
;// SE_AUDITID_DPAPI_BACKUP //
;// SE_AUDITID_DPAPI_RECOVERY //
;// SE_AUDITID_DPAPI_PROTECT //
;// SE_AUDITID_DPAPI_UNPROTECT //
;// SE_AUDITID_ASSIGN_TOKEN //
;// SE_AUDITID_SERVICE_INSTALL //
;// SE_AUDITID_JOB_CREATED //
;// //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_PROCESS_CREATED
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1 - process ID string
;//
;// 2 - Image file name (if available - otherwise "-")
;//
;// 3 - Creating process's ID
;//
;// 4 - User name (of new process)
;//
;// 5 - domain name (of new process)
;//
;// 6 - Logon ID string (of new process)
;//
MessageId=0x0250 SymbolicName=SE_AUDITID_PROCESS_CREATED Language=English A new process has been created:%n %tNew Process ID:%t%1%n %tImage File Name:%t%2%n %tCreator Process ID:%t%3%n %tUser Name:%t%4%n %tDomain:%t%t%5%n %tLogon ID:%t%t%6%n .
;//
;//
;// SE_AUDITID_PROCESS_EXIT
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1 - process ID string
;//
;// 2 - image name
;//
;// 3 - User name
;//
;// 4 - domain name
;//
;// 5 - Logon ID string
;//
;//
;//
;//
MessageId=0x0251 SymbolicName=SE_AUDITID_PROCESS_EXIT Language=English A process has exited:%n %tProcess ID:%t%1%n %tImage File Name:%t%2%n %tUser Name:%t%3%n %tDomain:%t%t%4%n %tLogon ID:%t%t%5%n .
;//
;//
;// SE_AUDITID_DUPLICATE_HANDLE
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1 - Origin (source) handle ID string
;//
;// 2 - Origin (source) process ID string
;//
;// 3 - New (Target) handle ID string
;//
;// 4 - Target process ID string
;//
;//
;//
MessageId=0x0252 SymbolicName=SE_AUDITID_DUPLICATE_HANDLE Language=English A handle to an object has been duplicated:%n %tSource Handle ID:%t%1%n %tSource Process ID:%t%2%n %tTarget Handle ID:%t%3%n %tTarget Process ID:%t%4%n .
;//
;//
;// SE_AUDITID_INDIRECT_REFERENCE
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1 - Object type
;//
;// 2 - object name (if available - otherwise "-")
;//
;// 3 - ID string of handle used to gain access
;//
;// 3 - server name
;//
;// 4 - process ID string
;//
;// 5 - primary User name
;//
;// 6 - primary domain name
;//
;// 7 - primary logon ID
;//
;// 8 - client User name
;//
;// 9 - client domain name
;//
;// 10 - client logon ID
;//
;// 11 - granted access names (with formatting)
;//
;//
MessageId=0x0253 SymbolicName=SE_AUDITID_INDIRECT_REFERENCE Language=English Indirect access to an object has been obtained:%n %tObject Type:%t%1%n %tObject Name:%t%2%n %tProcess ID:%t%3%n %tPrimary User Name:%t%4%n %tPrimary Domain:%t%5%n %tPrimary Logon ID:%t%6%n %tClient User Name:%t%7%n %tClient Domain:%t%8%n %tClient Logon ID:%t%9%n %tAccesses:%t%10%n %tAccess Mask:%t%11%n .
;//
;//
;// SE_AUDITID_DPAPI_BACKUP
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1 - Master key GUID
;//
;// 2 - Recovery Server
;//
;// 3 - GUID identifier of the recovery key
;//
;// 4 - Failure reason
;//
MessageId=0x0254 SymbolicName=SE_AUDITID_DPAPI_BACKUP Language=English Backup of data protection master key. %n %tKey Identifier:%t%t%1%n %tRecovery Server:%t%t%2%n %tRecovery Key ID:%t%t%3%n %tFailure Reason:%t%t%4%n .
;//
;//
;// SE_AUDITID_DPAPI_RECOVERY
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1 - Master key GUID
;//
;// 2 - Recovery Server
;//
;// 3 - Reason for the backup
;//
;// 4 - GUID identifier of the recovery key
;//
;// 5 - Failure reason
;//
MessageId=0x0255 SymbolicName=SE_AUDITID_DPAPI_RECOVERY Language=English Recovery of data protection master key. %n %tKey Identifier:%t%t%1%n %tRecovery Reason:%t%t%3%n %tRecovery Server:%t%t%2%n %tRecovery Key ID:%t%t%4%n %tFailure Reason:%t%t%5%n .
;//
;//
;// SE_AUDITID_DPAPI_PROTECT
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;//
;// 1 - Master key GUID
;//
;// 2 - Data Description
;//
;// 3 - Protected data flags
;//
;// 4 - Algorithms
;//
;// 5 - failure reason
;//
MessageId=0x0256 SymbolicName=SE_AUDITID_DPAPI_PROTECT Language=English Protection of auditable protected data. %n %tData Description:%t%t%2%n %tKey Identifier:%t%t%1%n %tProtected Data Flags:%t%3%n %tProtection Algorithms:%t%4%n %tFailure Reason:%t%t%5%n .
;//
;//
;// SE_AUDITID_DPAPI_UNPROTECT
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;//
;// 1 - Master key GUID
;//
;// 2 - Data Description
;//
;// 3 - Protected data flags
;//
;// 4 - Algorithms
;//
;// 5 - failure reason
;//
MessageId=0x0257 SymbolicName=SE_AUDITID_DPAPI_UNPROTECT Language=English Unprotection of auditable protected data. %n %tData Description:%t%t%2%n %tKey Identifier:%t%t%1%n %tProtected Data Flags:%t%3%n %tProtection Algorithms:%t%4%n %tFailure Reason:%t%t%5%n .
;//
;//
;// SE_AUDITID_ASSIGN_TOKEN
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Parameter Strings -
;//
;// 1. Current Process ID (the process doing the assignment
;// 2. Current Image File Name
;// 3. Current User Name
;// 4. Current Domain
;// 5. Current Logon ID
;//
;// 6. Process ID (of new process)
;// 7. Image Name (of new process)
;// 8. User name (of new process)
;// 9. domain name (of new process)
;// 10. Logon ID string (of new process)
;//
MessageId=0x0258 SymbolicName=SE_AUDITID_ASSIGN_TOKEN Language=English A process was assigned a primary token.%n Assigning Process Information:%n %tProcess ID:%t%1%n %tImage File Name:%t%2%n %tPrimary User Name:%t%3%n %tPrimary Domain:%t%4%n %tPrimary Logon ID:%t%5%n New Process Information:%n %tProcess ID:%t%6%n %tImage File Name:%t%7%n %tTarget User Name:%t%8%n %tTarget Domain:%t%9%n %tTarget Logon ID:%t%10%n .
;//
;//
;// SE_AUDITID_SERVICE_INSTALL
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Event type: success/failure
;//
;// Description:
;// This event is generated when a service is installed
;//
;// Note:
;//
MessageId=0x0259 SymbolicName=SE_AUDITID_SERVICE_INSTALL Language=English Attempt to install service:%n %tService Name:%t%1%n %tService File Name:%t%2%n %tService Type:%t%3%n %tService Start Type:%t%4%n %tService Account:%t%5%n By:%n %tUser Name:%t%6%n %tDomain:%t%t%7%n %tLogon ID:%t%t%8%n .
;//
;//
;// SE_AUDITID_JOB_CREATED
;//
;// Category: SE_CATEGID_DETAILED_TRACKING
;//
;// Event type: success/failure
;//
;// Description:
;// This event is generated when a scheduler job is created
;// File Name is the name of the file in the Tasks folder.
;// Task Time, Days of Month, Days of Week, Flags and Commandline
;// are taken from the AT_INFO structure.
;// Target Name and Target Domain are the user account the job
;// is to run as. This event is generated by the task scheduler
;// through for example the AT command.
;//
;// Note:
;//
MessageId=0x025A SymbolicName=SE_AUDITID_JOB_CREATED Language=English Scheduled Task created:%n %tFile Name:%t%1%n %tCommand:%t%2%n %tTriggers:%t%t%3%n %tTime:%t%t%4 %5%n %tFlags:%t%t%6%n %tTarget User:%t%7%n By:%n %tUser:%t%t%8%n %tDomain:%t%t%9%n %tLogon ID:%t%t%10%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_POLICY_CHANGE //
;// //
;// Event IDs: //
;// SE_AUDITID_USER_RIGHT_ASSIGNED //
;// SE_AUDITID_USER_RIGHT_REMOVED //
;// SE_AUDITID_TRUSTED_DOMAIN_ADD //
;// SE_AUDITID_TRUSTED_DOMAIN_REM //
;// SE_AUDITID_TRUSTED_DOMAIN_MOD //
;// SE_AUDITID_POLICY_CHANGE //
;// SE_AUDITID_IPSEC_POLICY_START //
;// SE_AUDITID_IPSEC_POLICY_DISABLED //
;// SE_AUDITID_IPSEC_POLICY_CHANGED //
;// SE_AUDITID_IPSEC_POLICY_FAILURE //
;// SE_AUDITID_SYSTEM_ACCESS_CHANGE //
;// SE_AUDITID_NAMESPACE_COLLISION //
;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD //
;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM //
;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD //
;// SE_AUDITID_PER_USER_AUDIT_TABLE_CREATION //
;// SE_AUDITID_PER_USER_AUDIT_TABLE_ELEMENT_CREATION //
;// //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_USER_RIGHT_ASSIGNED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - User right name
;//
;// 2 - SID string of account assigned the user right
;//
;// 3 - User name of subject assigning the right
;//
;// 4 - Domain name of subject assigning the right
;//
;// 5 - Logon ID string of subject assigning the right
;//
;//
;//
MessageId=0x0260 SymbolicName=SE_AUDITID_USER_RIGHT_ASSIGNED Language=English User Right Assigned:%n %tUser Right:%t%1%n %tAssigned To:%t%2%n %tAssigned By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n .
;//
;//
;// SE_AUDITID_USER_RIGHT_REMOVED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - User right name
;//
;// 2 - SID string of account from which the user
;// right was removed
;//
;// 3 - User name of subject removing the right
;//
;// 4 - Domain name of subject removing the right
;//
;// 5 - Logon ID string of subject removing the right
;//
;//
MessageId=0x0261 SymbolicName=SE_AUDITID_USER_RIGHT_REMOVED Language=English User Right Removed:%n %tUser Right:%t%1%n %tRemoved From:%t%2%n %tRemoved By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n .
;//
;//
;// SE_AUDITID_TRUSTED_DOMAIN_ADD
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success/failure
;//
;// Description:
;// This event is generated when somebody creates a trust relationship
;// with another domain.
;//
;// Note:
;// It is recorded on the domain controller on which
;// the trusted domain object (TDO) is created and not on any other
;// domain controller to which the TDO creation replicates.
;//
MessageId=0x0262 SymbolicName=SE_AUDITID_TRUSTED_DOMAIN_ADD Language=English New Trusted Domain:%n %tDomain Name:%t%1%n %tDomain ID:%t%2%n %tEstablished By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n %tTrust Type:%t%6%n %tTrust Direction:%t%7%n %tTrust Attributes:%t%8%n %tSID Filtering:%t%9%n .
;//
;//
;// SE_AUDITID_TRUSTED_DOMAIN_REM
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success/failure
;//
;// Description:
;// This event is generated when somebody removes a trust relationship
;// with another domain.
;//
;// Note:
;// It is recorded on the domain controller on which
;// the trusted domain object (TDO) is deleted and not on any other
;// domain controller to which the TDO deletion replicates.
;//
MessageId=0x0263 SymbolicName=SE_AUDITID_TRUSTED_DOMAIN_REM Language=English Trusted Domain Removed:%n %tDomain Name:%t%1%n %tDomain ID:%t%2%n %tRemoved By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n .
;//
;//
;// SE_AUDITID_POLICY_CHANGE
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - System success audit status ("+" or "-")
;// 2 - System failure audit status ("+" or "-")
;//
;// 3 - Logon/Logoff success audit status ("+" or "-")
;// 4 - Logon/Logoff failure audit status ("+" or "-")
;//
;// 5 - Object Access success audit status ("+" or "-")
;// 6 - Object Access failure audit status ("+" or "-")
;//
;// 7 - Detailed Tracking success audit status ("+" or "-")
;// 8 - Detailed Tracking failure audit status ("+" or "-")
;//
;// 9 - Privilege Use success audit status ("+" or "-")
;// 10 - Privilege Use failure audit status ("+" or "-")
;//
;// 11 - Policy Change success audit status ("+" or "-")
;// 12 - Policy Change failure audit status ("+" or "-")
;//
;// 13 - Account Management success audit status ("+" or "-")
;// 14 - Account Management failure audit status ("+" or "-")
;//
;// 15 - Directory Service access success audit status ("+" or "-")
;// 16 - Directory Service access failure audit status ("+" or "-")
;//
;// 17 - Account Logon success audit status ("+" or "-")
;// 18 - Account Logon failure audit status ("+" or "-")
;//
;// 19 - Account Name of user that changed the policy
;//
;// 20 - Domain of user that changed the policy
;//
;// 21 - Logon ID of user that changed the policy
;//
;//
MessageId=0x0264 SymbolicName=SE_AUDITID_POLICY_CHANGE Language=English Audit Policy Change:%n New Policy:%n %tSuccess%tFailure%n %t %3%t %4%tLogon/Logoff%n %t %5%t %6%tObject Access%n %t %7%t %8%tPrivilege Use%n %t %13%t %14%tAccount Management%n %t %11%t %12%tPolicy Change%n %t %1%t %2%tSystem%n %t %9%t %10%tDetailed Tracking%n %t %15%t %16%tDirectory Service Access%n %t %17%t %18%tAccount Logon%n%n Changed By:%n %t User Name:%t%19%n %t Domain Name:%t%20%n %t Logon ID:%t%21 .
;//
;//
;// SE_AUDITID_IPSEC_POLICY_START
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - Ipsec Policy Agent
;//
;// 2 - Policy Source
;//
;// 3 - Event Data
;//
;//
MessageId=0x0265 SymbolicName=SE_AUDITID_IPSEC_POLICY_START Language=English IPSec Services started: %t%1%n Policy Source: %t%2%n %3%n .
;//
;//
;// SE_AUDITID_IPSEC_POLICY_DISABLED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - Ipsec Policy Agent
;//
;// 2 - Event Data
;//
;//
MessageId=0x0266 SymbolicName=SE_AUDITID_IPSEC_POLICY_DISABLED Language=English IPSec Services disabled: %t%1%n %2%n .
;//
;//
;// SE_AUDITID_IPSEC_POLICY_CHANGED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - Event Data
;//
;//
MessageId=0x0267 SymbolicName=SE_AUDITID_IPSEC_POLICY_CHANGED Language=English IPSec Services: %t%1%n .
;//
;//
;// SE_AUDITID_IPSEC_POLICY_FAILURE
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - Event Data
;//
;//
MessageId=0x0268 SymbolicName=SE_AUDITID_IPSEC_POLICY_FAILURE Language=English IPSec Services encountered a potentially serious failure.%n %1%n .
;//
;//
;// SE_AUDITID_KERBEROS_POLICY_CHANGE
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - user account name
;//
;// 2 - domain name of user
;//
;// 3 - logon ID of user
;//
;// 4 - description of the change made
;//
;//
MessageId=0x0269 SymbolicName=SE_AUDITID_KERBEROS_POLICY_CHANGE Language=English Kerberos Policy Changed:%n Changed By:%n %t User Name:%t%1%n %t Domain Name:%t%2%n %t Logon ID:%t%3%n Changes made:%n ('--' means no changes, otherwise each change is shown as:%n <ParameterName>: <new value> (<old value>))%n %4%n .
;//
;//
;// SE_AUDITID_EFS_POLICY_CHANGE
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - user account name
;//
;// 2 - domain name of user
;//
;// 3 - logon ID of user
;//
;// 4 - description of the change made
;//
;//
MessageId=0x026a SymbolicName=SE_AUDITID_EFS_POLICY_CHANGE Language=English Encrypted Data Recovery Policy Changed:%n Changed By:%n %t User Name:%t%1%n %t Domain Name:%t%2%n %t Logon ID:%t%3%n Changes made:%n ('--' means no changes, otherwise each change is shown as:%n <ParameterName>: <new value> (<old value>))%n %4%n .
;//
;//
;// SE_AUDITID_TRUSTED_DOMAIN_MOD
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success/failure
;//
;// Description:
;// This event is generated when somebody modifies a trust relationship
;// with another domain.
;//
;// Note:
;// It is recorded on the domain controller on which
;// the trusted domain object (TDO) is modified and not on any other
;// domain controller to which the TDO modification replicates.
;//
MessageId=0x026C SymbolicName=SE_AUDITID_TRUSTED_DOMAIN_MOD Language=English Trusted Domain Information Modified:%n %tDomain Name:%t%1%n %tDomain ID:%t%2%n %tModified By:%n %t User Name:%t%3%n %t Domain:%t%t%4%n %t Logon ID:%t%5%n %tTrust Type:%t%6%n %tTrust Direction:%t%7%n %tTrust Attributes:%t%8%n %tSID Filtering:%t%9%n .
;//
;//
;// SE_AUDITID_SYSTEM_ACCESS_GRANTED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - User right name
;//
;// 2 - SID string of account for which the user
;// right was affected
;//
;// 3 - User name of subject changing the right
;//
;// 4 - Domain name of subject changing the right
;//
;// 5 - Logon ID string of subject changing the right
;//
;//
MessageId=0x026d SymbolicName=SE_AUDITID_SYSTEM_ACCESS_GRANTED Language=English System Security Access Granted:%n %tAccess Granted:%t%4%n %tAccount Modified:%t%5%n %tAssigned By:%n %t User Name:%t%1%n %t Domain:%t%t%2%n %t Logon ID:%t%3%n .
;//
;//
;// SE_AUDITID_SYSTEM_ACCESS_REMOVED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - User right name
;//
;// 2 - SID string of account for which the user
;// right was affected
;//
;// 3 - User name of subject changing the right
;//
;// 4 - Domain name of subject changing the right
;//
;// 5 - Logon ID string of subject changing the right
;//
;//
MessageId=0x026e SymbolicName=SE_AUDITID_SYSTEM_ACCESS_REMOVED Language=English System Security Access Removed:%n %tAccess Removed:%t%4%n %tAccount Modified:%t%5%n %tRemoved By:%n %t User Name:%t%1%n %t Domain:%t%t%2%n %t Logon ID:%t%3%n .
;//
;//
;// SE_AUDITID_NAMESPACE_COLLISION
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// When a namespace element in one forest overlaps a namespace element in
;// some other forest, it can lead to ambiguity in resolving a name
;// belonging to one of the namespace elements. This overlap is also called
;// a collision.This event is generated when such a collision is detected.
;//
;// Note:
;// Not all fields are valid for each entry type.
;// For example, fields like DNS name, NetBIOS name and SID are not valid
;// for an entry of type 'TopLevelName'.
;//
MessageId=0x0300 SymbolicName=SE_AUDITID_NAMESPACE_COLLISION Language=English Namespace collision detected:%n %tTarget type:%t%1%n %tTarget name:%t%2%n %tForest Root:%t%3%n %tTop Level Name:%t%4%n %tDNS Name:%t%5%n %tNetBIOS Name:%t%6%n %tSID:%t%t%7%n %tNew Flags:%t%8%n .
;//
;//
;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// This event is generated when the forest trust information is updated and
;// one or more entries get added. One such audit event is generated
;// per added entry. If multiple entries get added, deleted or modified
;// in a single update of the forest trust information, all the generated
;// audit events will have a single unique identifier called OperationID.
;// This allows one to determine that the multiple generated audits are
;// the result of a single operation.
;//
;// Note:
;// Not all fields are valid for each entry type.
;// For example, fields like DNS name, NetBIOS name and SID are not valid
;// for an entry of type 'TopLevelName'.
;//
MessageId=0x0301 SymbolicName=SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_ADD Language=English Trusted Forest Information Entry Added:%n %tForest Root:%t%1%n %tForest Root SID:%t%2%n %tOperation ID:%t{%3,%4}%n %tEntry Type:%t%5%n %tFlags:%t%t%6%n %tTop Level Name:%t%7%n %tDNS Name:%t%8%n %tNetBIOS Name:%t%9%n %tDomain SID:%t%10%n %tAdded by%t:%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n .
;//
;//
;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// This event is generated when the forest trust information is updated and
;// one or more entries get deleted. One such audit event is generated
;// per deleted entry. If multiple entries get added, deleted or modified
;// in a single update of the forest trust information, all the generated
;// audit events will have a single unique identifier called OperationID.
;// This allows one to determine that the multiple generated audits are
;// the result of a single operation.
;//
;// Note:
;// Not all fields are valid for each entry type.
;// For example, fields like DNS name, NetBIOS name and SID are not valid
;// for an entry of type 'TopLevelName'.
;//
MessageId=0x0302 SymbolicName=SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_REM Language=English Trusted Forest Information Entry Removed:%n %tForest Root:%t%1%n %tForest Root SID:%t%2%n %tOperation ID:%t{%3,%4}%n %tEntry Type:%t%5%n %tFlags:%t%t%6%n %tTop Level Name:%t%7%n %tDNS Name:%t%8%n %tNetBIOS Name:%t%9%n %tDomain SID:%t%10%n %tRemoved by%t:%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n .
;//
;//
;// SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// This event is generated when the forest trust information is updated and
;// one or more entries get modified. One such audit event is generated
;// per modified entry. If multiple entries get added, deleted or modified
;// in a single update of the forest trust information, all the generated
;// audit events will have a single unique identifier called OperationID.
;// This allows one to determine that the multiple generated audits are
;// the result of a single operation.
;//
;// Note:
;// Not all fields are valid for each entry type.
;// For example, fields like DNS name, NetBIOS name and SID are not valid
;// for an entry of type 'TopLevelName'.
;//
MessageId=0x0303 SymbolicName=SE_AUDITID_TRUSTED_FOREST_INFO_ENTRY_MOD Language=English Trusted Forest Information Entry Modified:%n %tForest Root:%t%1%n %tForest Root SID:%t%2%n %tOperation ID:%t{%3,%4}%n %tEntry Type:%t%5%n %tFlags:%t%t%6%n %tTop Level Name:%t%7%n %tDNS Name:%t%8%n %tNetBIOS Name:%t%9%n %tDomain SID:%t%10%n %tModified by%t:%n %tClient User Name:%t%11%n %tClient Domain:%t%12%n %tClient Logon ID:%t%13%n .
;//
;//
;// SE_AUDITID_SECURITY_LOG_CONFIG
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// This event is generated when the eventlog service reads security log
;// configuration from the registry key:
;// SYSTEM\CurrentControlSet\Services\Eventlog\Security
;// This event is generated in the context in which eventlog runs. The
;// registry key has a SACL so that it is possible to find out the user
;// who changed the key.
;//
;// Parameters:
;// 1 : max size in KB
;//
;// 2 : Action to take on reaching max log size
;// 1 --> overwrite events as needed
;// 2 --> overwrite events older than the limit specified
;// in parameter 3
;// 3 --> do not overwrite
;//
;// 3 : Event age limit. Applicable only if value param 2 is 2
;//
;// Note:
;//
MessageId=0x0325 SymbolicName=SE_AUDITID_SECURITY_LOG_CONFIG Language=English Configuration of security log for this session: %tMaximum Log Size (KB): %1%n %tAction to take on reaching max log size: %2%n %tEvent age limit in days: %3%n .
;//
;//
;// SE_AUDITID_PER_USER_AUDIT_TABLE_CREATION
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// This event is generated when the LSA per user audit policy is
;// created or recreated.
;//
MessageId=0x0326 SymbolicName=SE_AUDITID_PER_USER_AUDIT_TABLE_CREATION Language=English Per User Audit Policy was refreshed.%n %tNumber of elements:%t%1%n %tPolicy ID:%t%2%n .
;//
;//
;// SE_AUDITID_PER_USER_AUDIT_TABLE_ELEMENT_CREATION
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;// This event is generated when the per user audit policy table is
;// created. An instance of the audit is generated for each element
;// contained in the peruser table.
;//
;// Note:
;//
MessageId=0x0327 SymbolicName=SE_AUDITID_PER_USER_AUDIT_TABLE_ELEMENT_CREATION Language=English Per user auditing policy set for user:%n %tTarget user:%t%1%n %tPolicy ID:%t%2%n %tCategory Settings:%n %t System:%t%3%n %t Logon:%t%4%n %t Object Access%t%5%n %t Privilege Use:%t%6%n %t Detailed Tracking:%t%7%n %t Policy Change:%t%8%n %t Account Management:%t%9%n %t DS Access:%t%10%n %t Account Logon:%t%11%n .
;//
;//
;// SE_AUDITID_SECURITY_EVENT_SOURCE_REGISTERED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;//
;// Note:
;//
MessageId=0x0328 SymbolicName=SE_AUDITID_SECURITY_EVENT_SOURCE_REGISTERED Language=English A security event source has attempted to register.%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n %tSource Name:%t%7%n %tProcess Id:%t%8%n %tEvent Source Id:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_EVENT_SOURCE_UNREGISTERED
;//
;// Category: SE_CATEGID_POLICY_CHANGE
;//
;// Event type: success
;//
;// Description:
;//
;// Note:
;//
MessageId=0x0329 SymbolicName=SE_AUDITID_SECURITY_EVENT_SOURCE_UNREGISTERED Language=English A security event source has attempted to unregister.%n %tPrimary User Name:%t%1%n %tPrimary Domain:%t%2%n %tPrimary Logon ID:%t%3%n %tClient User Name:%t%4%n %tClient Domain:%t%5%n %tClient Logon ID:%t%6%n %tSource Name:%t%7%n %tProcess Id:%t%8%n %tEvent Source Id:%t%9%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_ACCOUNT_MANAGEMENT //
;// //
;// Event IDs: //
;// SE_AUDITID_USER_CREATED //
;// SE_AUDITID_USER_CHANGE //
;// SE_AUDITID_ACCOUNT_TYPE_CHANGE //
;// SE_AUDITID_USER_ENABLED //
;// SE_AUDITID_USER_PWD_CHANGED //
;// SE_AUDITID_USER_PWD_SET //
;// SE_AUDITID_USER_DISABLED //
;// SE_AUDITID_USER_DELETED //
;// //
;// SE_AUDITID_COMPUTER_CREATED //
;// SE_AUDITID_COMPUTER_CHANGE //
;// SE_AUDITID_COMPUTER_DELETED //
;// //
;// SE_AUDITID_GLOBAL_GROUP_CREATED //
;// SE_AUDITID_GLOBAL_GROUP_CHANGE //
;// SE_AUDITID_GLOBAL_GROUP_ADD //
;// SE_AUDITID_GLOBAL_GROUP_REM //
;// SE_AUDITID_GLOBAL_GROUP_DELETED //
;// SE_AUDITID_LOCAL_GROUP_CREATED //
;// SE_AUDITID_LOCAL_GROUP_CHANGE //
;// SE_AUDITID_LOCAL_GROUP_ADD //
;// SE_AUDITID_LOCAL_GROUP_REM //
;// SE_AUDITID_LOCAL_GROUP_DELETED //
;// //
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED //
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE //
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD //
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM //
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED //
;// //
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED //
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE //
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD //
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM //
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED //
;// //
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED //
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE //
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD //
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM //
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED //
;// //
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED //
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE //
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD //
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM //
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED //
;// //
;// SE_AUDITID_APP_BASIC_GROUP_CREATED //
;// SE_AUDITID_APP_BASIC_GROUP_CHANGE //
;// SE_AUDITID_APP_BASIC_GROUP_ADD //
;// SE_AUDITID_APP_BASIC_GROUP_REM //
;// SE_AUDITID_APP_BASIC_GROUP_NM_ADD //
;// SE_AUDITID_APP_BASIC_GROUP_NM_REM //
;// SE_AUDITID_APP_BASIC_GROUP_DELETED //
;// //
;// SE_AUDITID_APP_QUERY_GROUP_CREATED //
;// SE_AUDITID_APP_QUERY_GROUP_CHANGE //
;// SE_AUDITID_APP_QUERY_GROUP_DELETED //
;// //
;// SE_AUDITID_GROUP_TYPE_CHANGE //
;// //
;// SE_AUDITID_ADD_SID_HISTORY //
;// //
;// SE_AUDITID_OTHER_ACCT_CHANGE //
;// SE_AUDITID_DOMAIN_POLICY_CHANGE //
;// SE_AUDITID_ACCOUNT_AUTO_LOCKED //
;// SE_AUDITID_ACCOUNT_UNLOCKED //
;// SE_AUDITID_SECURE_ADMIN_GROUP //
;// //
;// SE_AUDITID_PASSWORD_POLICY_API_CALLED //
;// //
;// SE_AUDITID_DSRM_PASSWORD_SET //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_USER_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new user account
;//
;// 2 - domain of new user account
;//
;// 3 - SID string of new user account
;//
;// 4 - User name of subject creating the user account
;//
;// 5 - Domain name of subject creating the user account
;//
;// 6 - Logon ID string of subject creating the user account
;//
;// 7 - Privileges used to create the user account
;//
;//
MessageId=0x0270 SymbolicName=SE_AUDITID_USER_CREATED Language=English User Account Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges%t%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tDisplay Name:%t%9%n %tUser Principal Name:%t%10%n %tHome Directory:%t%11%n %tHome Drive:%t%12%n %tScript Path:%t%13%n %tProfile Path:%t%14%n %tUser Workstations:%t%15%n %tPassword Last Set:%t%16%n %tAccount Expires:%t%17%n %tPrimary Group ID:%t%18%n %tAllowedToDelegateTo:%t%19%n %tOld UAC Value:%t%20%n %tNew UAC Value:%t%21%n %tUser Account Control:%t%22%n %tUser Parameters:%t%23%n %tSid History:%t%24%n %tLogon Hours:%t%25%n .
;//
;//
;// SE_AUDITID_ACCOUNT_TYPE_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// MessageId 0x271 unused
;//
;//
;//
;// SE_AUDITID_USER_ENABLED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0272 SymbolicName=SE_AUDITID_USER_ENABLED Language=English User Account Enabled:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n .
;//
;//
;// SE_AUDITID_USER_PWD_CHANGED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0273 SymbolicName=SE_AUDITID_USER_PWD_CHANGED Language=English Change Password Attempt:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_USER_PWD_SET
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0274 SymbolicName=SE_AUDITID_USER_PWD_SET Language=English User Account password set:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n .
;//
;//
;// SE_AUDITID_USER_DISABLED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0275 SymbolicName=SE_AUDITID_USER_DISABLED Language=English User Account Disabled:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n .
;//
;//
;// SE_AUDITID_USER_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0276 SymbolicName=SE_AUDITID_USER_DELETED Language=English User Account Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_GLOBAL_GROUP_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x0277 SymbolicName=SE_AUDITID_GLOBAL_GROUP_CREATED Language=English Security Enabled Global Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_GLOBAL_GROUP_ADD
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being added
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0278 SymbolicName=SE_AUDITID_GLOBAL_GROUP_ADD Language=English Security Enabled Global Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_GLOBAL_GROUP_REM
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being removed
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0279 SymbolicName=SE_AUDITID_GLOBAL_GROUP_REM Language=English Security Enabled Global Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_GLOBAL_GROUP_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x027A SymbolicName=SE_AUDITID_GLOBAL_GROUP_DELETED Language=English Security Enabled Global Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_LOCAL_GROUP_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x027B SymbolicName=SE_AUDITID_LOCAL_GROUP_CREATED Language=English Security Enabled Local Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_LOCAL_GROUP_ADD
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being added
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x027C SymbolicName=SE_AUDITID_LOCAL_GROUP_ADD Language=English Security Enabled Local Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_LOCAL_GROUP_REM
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being removed
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x027D SymbolicName=SE_AUDITID_LOCAL_GROUP_REM Language=English Security Enabled Local Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_LOCAL_GROUP_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x027E SymbolicName=SE_AUDITID_LOCAL_GROUP_DELETED Language=English Security Enabled Local Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_LOCAL_GROUP_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x027F SymbolicName=SE_AUDITID_LOCAL_GROUP_CHANGE Language=English Security Enabled Local Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_OTHER_ACCOUNT_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - Type of change (sigh, this isn't localizable)
;//
;// 2 - Type of changed object
;//
;// 3 - SID string (of changed object)
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0280 SymbolicName=SE_AUDITID_OTHER_ACCOUNT_CHANGE Language=English General Account Database Change:%n %tType of change:%t%1%n %tObject Type:%t%2%n %tObject Name:%t%3%n %tObject ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n .
;//
;//
;// SE_AUDITID_GLOBAL_GROUP_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0281 SymbolicName=SE_AUDITID_GLOBAL_GROUP_CHANGE Language=English Security Enabled Global Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_USER_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0282 SymbolicName=SE_AUDITID_USER_CHANGE Language=English User Account Changed:%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n Changed Attributes:%n %tSam Account Name:%t%9%n %tDisplay Name:%t%10%n %tUser Principal Name:%t%11%n %tHome Directory:%t%12%n %tHome Drive:%t%13%n %tScript Path:%t%14%n %tProfile Path:%t%15%n %tUser Workstations:%t%16%n %tPassword Last Set:%t%17%n %tAccount Expires:%t%18%n %tPrimary Group ID:%t%19%n %tAllowedToDelegateTo:%t%20%n %tOld UAC Value:%t%21%n %tNew UAC Value:%t%22%n %tUser Account Control:%t%23%n %tUser Parameters:%t%24%n %tSid History:%t%25%n %tLogon Hours:%t%26%n .
;//
;//
;// SE_AUDITID_DOMAIN_POLICY_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - (unused)
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0283 SymbolicName=SE_AUDITID_DOMAIN_POLICY_CHANGE Language=English Domain Policy Changed: %1 modified%n %tDomain Name:%t%t%2%n %tDomain ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tMin. Password Age:%t%8%n %tMax. Password Age:%t%9%n %tForce Logoff:%t%10%n %tLockout Threshold:%t%11%n %tLockout Observation Window:%t%12%n %tLockout Duration:%t%13%n %tPassword Properties:%t%14%n %tMin. Password Length:%t%15%n %tPassword History Length:%t%16%n %tMachine Account Quota:%t%17%n %tMixed Domain Mode:%t%18%n %tDomain Behavior Version:%t%19%n %tOEM Information:%t%20%n .
;//
;//
;// SE_AUDITID_ACCOUNT_AUTO_LOCKED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Type: success / failure
;//
;// Description: This event is generated when an account is auto locked. This happens
;// when a user attempts to log in unsuccessfully multiple times. The exact
;// number of times is specified by the administrator.
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x0284 SymbolicName=SE_AUDITID_ACCOUNT_AUTO_LOCKED Language=English User Account Locked Out:%n %tTarget Account Name:%t%1%n %tTarget Account ID:%t%3%n %tCaller Machine Name:%t%2%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n .
;//
;//
;// SE_AUDITID_COMPUTER_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new computer account
;//
;// 2 - domain of new computer account
;//
;// 3 - SID string of new computer account
;//
;// 4 - User name of subject creating the computer account
;//
;// 5 - Domain name of subject creating the computer account
;//
;// 6 - Logon ID string of subject creating the computer account
;//
;// 7 - Privileges used to create the computer account
;//
;//
MessageId=0x0285 SymbolicName=SE_AUDITID_COMPUTER_CREATED Language=English Computer Account Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges%t%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tDisplay Name:%t%9%n %tUser Principal Name:%t%10%n %tHome Directory:%t%11%n %tHome Drive:%t%12%n %tScript Path:%t%13%n %tProfile Path:%t%14%n %tUser Workstations:%t%15%n %tPassword Last Set:%t%16%n %tAccount Expires:%t%17%n %tPrimary Group ID:%t%18%n %tAllowedToDelegateTo:%t%19%n %tOld UAC Value:%t%20%n %tNew UAC Value:%t%21%n %tUser Account Control:%t%22%n %tUser Parameters:%t%23%n %tSid History:%t%24%n %tLogon Hours:%t%25%n %tDNS Host Name:%t%26%n %tService Principal Names:%t%27%n .
;//
;//
;// SE_AUDITID_COMPUTER_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target computer account
;//
;// 2 - domain of target computer account
;//
;// 3 - SID string of target computer account
;//
;// 4 - User name of subject changing the computer account
;//
;// 5 - Domain name of subject changing the computer account
;//
;// 6 - Logon ID string of subject changing the computer account
;//
;//
MessageId=0x0286 SymbolicName=SE_AUDITID_COMPUTER_CHANGE Language=English Computer Account Changed:%n %t%1%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n Changed Attributes:%n %tSam Account Name:%t%9%n %tDisplay Name:%t%10%n %tUser Principal Name:%t%11%n %tHome Directory:%t%12%n %tHome Drive:%t%13%n %tScript Path:%t%14%n %tProfile Path:%t%15%n %tUser Workstations:%t%16%n %tPassword Last Set:%t%17%n %tAccount Expires:%t%18%n %tPrimary Group ID:%t%19%n %tAllowedToDelegateTo:%t%20%n %tOld UAC Value:%t%21%n %tNew UAC Value:%t%22%n %tUser Account Control:%t%23%n %tUser Parameters:%t%24%n %tSid History:%t%25%n %tLogon Hours:%t%26%n %tDNS Host Name:%t%27%n %tService Principal Names:%t%28%n .
;//
;//
;// SE_AUDITID_COMPUTER_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0287 SymbolicName=SE_AUDITID_COMPUTER_DELETED Language=English Computer Account Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0288 SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED Language=English Security Disabled Local Group Created:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0289 SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE Language=English Security Disabled Local Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being added
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x028A SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD Language=English Security Disabled Local Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being removed
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x028B SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM Language=English Security Disabled Local Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x028C SymbolicName=SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED Language=English Security Disabled Local Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x028D SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED Language=English Security Disabled Global Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x028E SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE Language=English Security Disabled Global Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being added
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x028F SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD Language=English Security Disabled Global Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being removed
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0290 SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM Language=English Security Disabled Global Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0291 SymbolicName=SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED Language=English Security Disabled Global Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x0292 SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED Language=English Security Enabled Universal Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0293 SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE Language=English Security Enabled Universal Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being added
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0294 SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD Language=English Security Enabled Universal Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being removed
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0295 SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM Language=English Security Enabled Universal Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0296 SymbolicName=SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED Language=English Security Enabled Universal Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x0297 SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED Language=English Security Disabled Universal Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0298 SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE Language=English Security Disabled Universal Group Changed:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being added
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x0299 SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD Language=English Security Disabled Universal Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of member being removed
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x029A SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM Language=English Security Disabled Universal Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x029B SymbolicName=SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED Language=English Security Disabled Universal Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_GROUP_TYPE_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - nature of group type change
;//
;// 2 - name of target account
;//
;// 3 - domain of target account
;//
;// 4 - SID string of target account
;//
;// 5 - User name of subject changing the account
;//
;// 6 - Domain name of subject changing the account
;//
;// 7 - Logon ID string of subject changing the account
;//
;//
MessageId=0x029C SymbolicName=SE_AUDITID_GROUP_TYPE_CHANGE Language=English Group Type Changed:%n %t%1%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n .
;//
;//
;// SE_AUDITID_ADD_SID_HISTORY
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - SID string of the source account
;//
;// 2 - Name of the source account (including domain name)
;//
;// 3 - Name of the target account
;//
;// 4 - Domain name of subject changing the SID history
;//
;// 5 - SID String of the target account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x029D SymbolicName=SE_AUDITID_ADD_SID_HISTORY Language=English Add SID History:%n %tSource Account Name:%t%1%n %tSource Account ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n %tSidList:%t%10%n .
;//
;//
;// SE_AUDITID_ADD_SID_HISTORY_FAILURE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Note:
;// This event is obsolete. It is not generated by Whistler.
;// It is retained in this file so that anybody viewing w2k events
;// from a whistler machine can view them correctly.
;//
;//
;//
MessageId=0x029E SymbolicName=SE_AUDITID_ADD_SID_HISTORY_FAILURE Language=English Add SID History:%n %tSource Account Name:%t%1%n %tTarget Account Name:%t%2%n %tTarget Domain:%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n .
;//
;//
;// SE_AUDITID_ACCOUNT_UNLOCKED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target user account
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
MessageId=0x029F SymbolicName=SE_AUDITID_ACCOUNT_UNLOCKED Language=English User Account Unlocked:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n .
;//
;//
;// SE_AUDITID_SECURE_ADMIN_GROUP
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - (unused)
;//
;// 2 - domain of target user account
;//
;// 3 - SID string of target user account
;//
;// 4 - User name of subject changing the user account
;//
;// 5 - Domain name of subject changing the user account
;//
;// 6 - Logon ID string of subject changing the user account
;//
;//
;//
MessageId=0x02AC SymbolicName=SE_AUDITID_SECURE_ADMIN_GROUP Language=English Set ACLs of members in administrators groups:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_ACCOUNT_NAME_CHANGE
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - Account name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
;//
MessageId=0x02AD SymbolicName=SE_AUDITID_ACCOUNT_NAME_CHANGE Language=English Account Name Changed:%n %tOld Account Name:%t%1%n %tNew Account Name:%t%2%n %tTarget Domain:%t%t%3%n %tTarget Account ID:%t%4%n %tCaller User Name:%t%5%n %tCaller Domain:%t%6%n %tCaller Logon ID:%t%7%n %tPrivileges:%t%8%n .
;//
;//
;// SE_AUDITID_PASSWORD_HASH_ACCESS
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Event Type : success/failure
;//
;// Description:
;// This event is generated when user password hashes are retrieved
;// by the ADMT password filter DLL. This typically happens during
;// ADMT password migration.
;//
;// Notes:
;// To migrate passwords, a DLL (name?) gets loaded in lsass.exe as
;// a password filter. This filter registers an RPC interface used by ADMT
;// to request password migration. One SE_AUDITID_PASSWORD_HASH_ACCESS event
;// is generated per password fetched.
;//
;//
MessageId=0x02AE SymbolicName=SE_AUDITID_PASSWORD_HASH_ACCESS Language=English Password of the following user accessed:%n %tTarget User Name:%t%1%n %tTarget User Domain:%t%t%2%n By user:%n %tCaller User Name:%t%3%n %tCaller Domain:%t%t%4%n %tCaller Logon ID:%t%t%5%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_CREATED
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_CREATED
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x02AF SymbolicName=SE_AUDITID_APP_BASIC_GROUP_CREATED Language=English Basic Application Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_CHANGE
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - name of group account
;//
;// 2 - domain of group account
;//
;// 3 - SID string of group account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x02B0 SymbolicName=SE_AUDITID_APP_BASIC_GROUP_CHANGE Language=English Basic Application Group Changed:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_ADD
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_ADD
;//
;// Parameter Strings -
;//
;// 1 - name of member being added
;//
;// 2 - string SID of member being added
;//
;// 3 - name of target account
;//
;// 4 - domain of target account
;//
;// 5 - SID string of target account
;//
;// 6 - User name of subject changing the account
;//
;// 7 - Domain name of subject changing the account
;//
;// 8 - Logon ID string of subject changing the account
;//
;// 9 - Privileges
;//
;//
MessageId=0x02B1 SymbolicName=SE_AUDITID_APP_BASIC_GROUP_ADD Language=English Basic Application Group Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_REM
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_REM
;//
;// Parameter Strings -
;//
;// 1 - name of member being removed
;//
;// 2 - string SID of member being removed
;//
;// 3 - name of target account
;//
;// 4 - domain of target account
;//
;// 5 - SID string of target account
;//
;// 6 - User name of subject changing the account
;//
;// 7 - Domain name of subject changing the account
;//
;// 8 - Logon ID string of subject changing the account
;//
;// 9 - Privileges
;//
;//
MessageId=0x02B2 SymbolicName=SE_AUDITID_APP_BASIC_GROUP_REM Language=English Basic Application Group Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_NM_ADD
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_NM_ADD
;//
;// Parameter Strings -
;//
;// 1 - name of non-member being added
;//
;// 2 - string SID of non-member being added
;//
;// 3 - name of target account
;//
;// 4 - domain of target account
;//
;// 5 - SID string of target account
;//
;// 6 - User name of subject changing the account
;//
;// 7 - Domain name of subject changing the account
;//
;// 8 - Logon ID string of subject changing the account
;//
;// 9 - Privileges
;//
;//
MessageId=0x02B3 SymbolicName=SE_AUDITID_APP_BASIC_GROUP_NM_ADD Language=English Basic Application Group Non-Member Added:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_NM_REM
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_NM_REM
;//
;// Parameter Strings -
;//
;// 1 - name of non-member being removed
;//
;// 2 - string SID of non-member being removed
;//
;// 3 - name of target account
;//
;// 4 - domain of target account
;//
;// 5 - SID string of target account
;//
;// 6 - User name of subject changing the account
;//
;// 7 - Domain name of subject changing the account
;//
;// 8 - Logon ID string of subject changing the account
;//
;// 9 - Privileges
;//
;//
MessageId=0x02B4 SymbolicName=SE_AUDITID_APP_BASIC_GROUP_NM_REM Language=English Basic Application Group Non-Member Removed:%n %tMember Name:%t%1%n %tMember ID:%t%2%n %tTarget Account Name:%t%3%n %tTarget Domain:%t%4%n %tTarget Account ID:%t%5%n %tCaller User Name:%t%6%n %tCaller Domain:%t%7%n %tCaller Logon ID:%t%8%n %tPrivileges:%t%9%n .
;//
;//
;// SE_AUDITID_APP_BASIC_GROUP_DELETED
;//
;// Category: SE_AUDITID_APP_BASIC_GROUP_DELETED
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x02B5 SymbolicName=SE_AUDITID_APP_BASIC_GROUP_DELETED Language=English Basic Application Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_APP_QUERY_GROUP_CREATED
;//
;// Category: SE_AUDITID_APP_QUERY_GROUP_CREATED
;//
;// Parameter Strings -
;//
;// 1 - name of new group account
;//
;// 2 - domain of new group account
;//
;// 3 - SID string of new group account
;//
;// 4 - User name of subject creating the account
;//
;// 5 - Domain name of subject creating the account
;//
;// 6 - Logon ID string of subject creating the account
;//
;//
MessageId=0x02B6 SymbolicName=SE_AUDITID_APP_QUERY_GROUP_CREATED Language=English LDAP Query Group Created:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_APP_QUERY_GROUP_CHANGE
;//
;// Category: SE_AUDITID_APP_QUERY_GROUP_CHANGE
;//
;// Parameter Strings -
;//
;// 1 - name of group account
;//
;// 2 - domain of group account
;//
;// 3 - SID string of group account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x02B7 SymbolicName=SE_AUDITID_APP_QUERY_GROUP_CHANGE Language=English LDAP Query Group Changed:%n %tNew Account Name:%t%1%n %tNew Domain:%t%2%n %tNew Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n Changed Attributes:%n %tSam Account Name:%t%8%n %tSid History:%t%9%n .
;//
;//
;// SE_AUDITID_APP_QUERY_GROUP_DELETED
;//
;// Category: SE_AUDITID_APP_QUERY_GROUP_DELETED
;//
;// Parameter Strings -
;//
;// 1 - name of target account
;//
;// 2 - domain of target account
;//
;// 3 - SID string of target account
;//
;// 4 - User name of subject changing the account
;//
;// 5 - Domain name of subject changing the account
;//
;// 6 - Logon ID string of subject changing the account
;//
;//
MessageId=0x02B8 SymbolicName=SE_AUDITID_APP_QUERY_GROUP_DELETED Language=English LDAP Query Group Deleted:%n %tTarget Account Name:%t%1%n %tTarget Domain:%t%2%n %tTarget Account ID:%t%3%n %tCaller User Name:%t%4%n %tCaller Domain:%t%5%n %tCaller Logon ID:%t%6%n %tPrivileges:%t%7%n .
;//
;//
;// SE_AUDITID_PASSWORD_POLICY_API_CALLED
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - Name of the account making this call
;// 2 - Domain of the account making this call
;// 3 - Authentication ID of the logon session
;// 4 - Caller Workstation IP
;// 5 - Target AccountName
;// 6 - Status Code
;//
MessageId=0x02B9 SymbolicName=SE_AUDITID_PASSWORD_POLICY_API_CALLED Language=English Password Policy Checking API is called:%n %tCaller Username:%t%1%n %tCaller Domain:%t%2%n %tCaller Logon ID:%t%3%n %tCaller Workstation:%t%4%n %tProvided User Name (unauthenticated):%t%5%n %tStatus Code:%t%6%n .
;//
;//
;// SE_AUDITID_DSRM_PASSWORD_SET
;//
;// Category: SE_CATEGID_ACCOUNT_MANAGEMENT
;//
;// Parameter Strings -
;//
;// 1 - Name of the account making this call
;// 2 - Domain of the account making this call
;// 3 - Authentication ID of the logon session
;// 4 - Caller Workstation IP
;// 5 - Status code
;//
MessageId=0x02BA SymbolicName=SE_AUDITID_DSRM_PASSWORD_SET Language=English An attempt to set the Directory Services Restore Mode administrator password has been made.%n %tCaller Username:%t%1%n %tCaller Domain:%t%2%n %tCaller Logon ID:%t%3%n %tCaller Workstation:%t%4%n %tStatus Code:%t%5%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_DS_ACCESS //
;// //
;// Event IDs: //
;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED //
;// SE_AUDITID_REPLICA_SOURCE_NC_REMOVED //
;// SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED //
;// SE_AUDITID_REPLICA_DEST_NC_MODIFIED //
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS //
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS //
;// SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION //
;// SE_AUDITID_REPLICA_FAILURE_EVENT_BEGIN //
;// SE_AUDITID_REPLICA_FAILURE_EVENT_END //
;// SE_AUDITID_REPLICA_LINGERING_OBJECT_REMOVAL //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This is generated when a replication source reference has been added to
;// a destination naming context establishing a replication partnership.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0340 SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tSource Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n .
;//
;// SE_AUDITID_REPLICA_SOURCE_NC_REMOVED
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This is generated when a replication partnership between a source and
;// the destination for a given naming context has been removed.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0341 SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_REMOVED Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tSource Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n .
;//
;// SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This is generated when a replication source associated with
;// a destination naming context has been modified.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0342 SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tSource Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n .
;//
;// SE_AUDITID_REPLICA_DEST_NC_MODIFIED
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This is generated when a replication destination associated with
;// a source naming context has been modified.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0343 SymbolicName=SE_AUDITID_REPLICA_DEST_NC_MODIFIED Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tDest. Addr:%t%3%n %tNaming Context:%t%4%n %tOptions:%t%5%n %tStatus Code:%t%6%n .
;//
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success
;//
;// Description:
;// This event records the start of a replication protocol session between
;// the destination replica NC and one of its source replicas.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0344 SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tNaming Context:%t%3%n %tOptions:%t%4%n %tSession ID:%t%5%n %tStart USN:%t%6%n .
;//
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This event records the end of a replication protocol session between
;// the destination replica NC and one of its source replicas.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0345 SymbolicName=SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tNaming Context:%t%3%n %tOptions:%t%4%n %tSession ID:%t%5%n %tEnd USN:%t%6%n %tStatus Code:%t%7%n .
;//
;// SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This event records the completion of replication of a single
;// attribute of an object.
;//
;// Note:
;// -- This event is always generated in the local system context.
;// -- This event is generated if
;// -- SE_CATEGID_DS_ACCESS is enabled AND
;// -- the value of
;// SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditDSObjectsInReplication
;// is set to 1
;//
MessageId=0x0346 SymbolicName=SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION Language=English %tSession ID:%t%1%n %tObject:%t%2%n %tAttribute:%t%3%n %tType of change:%t%4%n %tNew Value:%t%5%n %tUSN:%t%6%n %tStatus Code:%t%7%n .
;//
;// SE_AUDITID_REPLICA_FAILURE_EVENT_BEGIN
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : failure
;//
;// Description:
;// This event records an inability to gather enough data to succesfully
;// record *before* one of the following replication events which were not
;// executed:
;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0347 SymbolicName=SE_AUDITID_REPLICA_FAILURE_EVENT_BEGIN Language=English %tReplication Event:%t%1%n %tAudit Status Code:%t%2%n .
;//
;// SE_AUDITID_REPLICA_FAILURE_EVENT_END
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This event records an inability to gather enough data to succesfully
;// record *after* one of the following replication events which may or
;// may not have executed successfully:
;// SE_AUDITID_REPLICA_SOURCE_NC_ESTABLISHED
;// SE_AUDITID_REPLICA_SOURCE_NC_REMOVED
;// SE_AUDITID_REPLICA_SOURCE_NC_MODIFIED
;// SE_AUDITID_REPLICA_DEST_NC_MODIFIED
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_BEGINS
;// SE_AUDITID_REPLICA_SOURCE_NC_SYNC_ENDS
;// SE_AUDITID_REPLICA_OBJ_ATTR_REPLICATION
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0348 SymbolicName=SE_AUDITID_REPLICA_FAILURE_EVENT_END Language=English %tReplication Event:%t%1%n %tAudit Status Code:%t%2%n %tReplication Status Code:%t%3%n .
;//
;// SE_AUDITID_REPLICA_LINGERING_OBJECT_REMOVAL
;//
;// Category: SE_CATEGID_DS_ACCESS
;//
;// Event Type : success/failure
;//
;// Description:
;// This event records an attempt made by the replication lingering
;// object removal mechanism to delete and garbage collect an object.
;//
;// Note:
;// This event is always generated in the local system context.
;//
MessageId=0x0349 SymbolicName=SE_AUDITID_REPLICA_LINGERING_OBJECT_REMOVALv Language=English %tDestination DRA:%t%1%n %tSource DRA:%t%2%n %tObject:%t%3%n %tOptions:%t%4%n %tStatus Code:%t%5%n .
; ;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_ACCOUNT_LOGON //
;// //
;// Event IDs: //
;// SE_AUDITID_AS_TICKET //
;// SE_AUDITID_TGS_TICKET_REQUEST //
;// SE_AUDITID_TICKET_RENEW_SUCCESS //
;// SE_AUDITID_PREAUTH_FAILURE //
;// SE_AUDITID_TGS_TICKET_FAILURE //
;// SE_AUDITID_ACCOUNT_MAPPED //
;// SE_AUDITID_ACCOUNT_LOGON //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_AS_TICKET
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User name of client
;//
;// 2 - Supplied realm name
;//
;// 3 - SID of client user
;//
;// 4 - User name of service
;//
;// 5 - SID of service
;//
;// 6 - Ticket Options
;//
;// 7 - Failure code
;//
;// 8 - Ticket Encryption Type
;//
;// 9 - Preauthentication type (i.e. PK_INIT)
;//
;// 10 - Client IP address
;//
;// 11 - Certificate Issuer Name
;//
;// 12 - Certificate Serial Number
;//
;// 13 - Certificate Thumbprint
;//
MessageId=0x02a0 SymbolicName=SE_AUDITID_AS_TICKET Language=English Authentication Ticket Request:%n %tUser Name:%t%t%1%n %tSupplied Realm Name:%t%2%n %tUser ID:%t%t%t%3%n %tService Name:%t%t%4%n %tService ID:%t%t%5%n %tTicket Options:%t%t%6%n %tResult Code:%t%t%7%n %tTicket Encryption Type:%t%8%n %tPre-Authentication Type:%t%9%n %tClient Address:%t%t%10%n %tCertificate Issuer Name:%t%11%n %tCertificate Serial Number:%t%12%n %tCertificate Thumbprint:%t%13%n .
;//
;//
;// SE_AUDITID_AS_TICKET_FAILURE
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Note:
;// This event is obsolete. It is not generated by Whistler.
;// It is retained in this file so that anybody viewing w2k events
;// from a whistler machine can view them correctly.
;//
;//
MessageId=0x02a4 SymbolicName=SE_AUDITID_AS_TICKET_FAILURE Language=English Authentication Ticket Request Failed:%n %tUser Name:%t%1%n %tSupplied Realm Name:%t%2%n %tService Name:%t%3%n %tTicket Options:%t%4%n %tFailure Code:%t%5%n %tClient Address:%t%6%n .
;//
;//
;// SE_AUDITID_TGS_TICKET_REQUEST
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User name of client
;//
;// 2 - Domain name of client
;//
;// 3 - User name of service
;//
;// 4 - SID of service
;//
;// 5 - Ticket Options
;//
;// 6 - Ticket Encryption Type
;//
;// 7 - Client IP address
;//
;// 8 - Failure code (0 for success)
;//
;// 9 - logon GUID
;//
;// 10 - Transited Services
;//
MessageId=0x02a1 SymbolicName=SE_AUDITID_TGS_TICKET_REQUEST Language=English Service Ticket Request:%n %tUser Name:%t%t%1%n %tUser Domain:%t%t%2%n %tService Name:%t%t%3%n %tService ID:%t%t%4%n %tTicket Options:%t%t%5%n %tTicket Encryption Type:%t%6%n %tClient Address:%t%t%7%n %tFailure Code:%t%t%8%n %tLogon GUID:%t%t%9%n %tTransited Services:%t%10%n .
;//
;//
;// SE_AUDITID_TICKET_RENEW_SUCCESS
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User name of client
;//
;// 2 - Domain name of client
;//
;// 3 - User name of service
;//
;// 4 - SID of service
;//
;// 5 - Ticket Options
;//
;// 6 - Ticket Encryption Type
;//
;// 7 - Client IP address
;//
MessageId=0x02a2 SymbolicName=SE_AUDITID_TICKET_RENEW_SUCCESS Language=English Service Ticket Renewed:%n %tUser Name:%t%1%n %tUser Domain:%t%2%n %tService Name:%t%3%n %tService ID:%t%4%n %tTicket Options:%t%5%n %tTicket Encryption Type:%t%6%n %tClient Address:%t%7%n .
;//
;//
;// SE_AUDITID_PREAUTH_FAILURE
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User name of client
;//
;// 2 - SID of client user
;//
;// 3 - User name of service
;//
;// 4 - Preauth Type
;//
;// 5 - Failure code
;//
;// 6 - Client IP address
;//
;// Event type: failure
;// Description: This event is generated on a KDC when
;// preauthentication fails (user types in wrong password).
;//
MessageId=0x02a3 SymbolicName=SE_AUDITID_PREAUTH_FAILURE Language=English Pre-authentication failed:%n %tUser Name:%t%1%n %tUser ID:%t%t%2%n %tService Name:%t%3%n %tPre-Authentication Type:%t%4%n %tFailure Code:%t%5%n %tClient Address:%t%6%n .
;//
;//
;// SE_AUDITID_TGS_TICKET_FAILURE
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Note:
;// This event is obsolete. It is not generated by Whistler.
;// It is retained in this file so that anybody viewing w2k events
;// from a whistler machine can view them correctly.
;//
MessageId=0x02a5 SymbolicName=SE_AUDITID_TGS_TICKET_FAILURE Language=English Service Ticket Request Failed:%n %tUser Name:%t%1%n %tUser Domain:%t%2%n %tService Name:%t%3%n %tTicket Options:%t%4%n %tFailure Code:%t%5%n %tClient Address:%t%6%n .
;//
;//
;// SE_AUDITID_ACCOUNT_MAPPED
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Type: success / failure
;//
;// Description: An account mapping is a map of a user authenticated in an MIT realm to a
;// domain account. A mapping acts much like a logon. Hence, it is important to audit this.
;//
;// Parameter Strings -
;//
;// 1 - Source
;//
;// 2 - Client Name
;//
;// 3 - Mapped Name
;//
;//
;//
MessageId=0x02a6 SymbolicName=SE_AUDITID_ACCOUNT_MAPPED Language=English Account Mapped for Logon.%n Mapping Attempted By:%n %t%1%n Client Name:%n %t%2%n %tMapped Name:%n %t%3%n .
;//
;//
;// SE_AUDITID_ACCOUNT_NOT_MAPPED
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Note:
;// This event is obsolete. It is not generated by Whistler.
;// It is retained in this file so that anybody viewing w2k events
;// from a whistler machine can view them correctly.
;// Parameter Strings -
;//
MessageId=0x02a7 SymbolicName=SE_AUDITID_ACCOUNT_NOT_MAPPED Language=English The name:%n %t%2%n could not be mapped for logon by: %t%1%n .
;//
;//
;// SE_AUDITID_ACCOUNT_LOGON
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Type: Success / Failure
;//
;// Description: This audits a logon attempt. The audit appears on the DC.
;// This is generated by calling LogonUser.
;//
;//
MessageId=0x02a8 SymbolicName=SE_AUDITID_ACCOUNT_LOGON Language=English Logon attempt by:%t%1%n Logon account:%t%2%n Source Workstation:%t%3%n Error Code:%t%4%n .
;//
;//
;// SE_AUDITID_ACCOUNT_LOGON_FAILURE
;//
;// Category: SE_CATEGID_ACCOUNT_LOGON
;//
;// Note:
;// This event is obsolete. It is not generated by Whistler.
;// It is retained in this file so that anybody viewing w2k events
;// from a whistler machine can view them correctly.
;//
;//
MessageId=0x02a9 SymbolicName=SE_AUDITID_ACCOUNT_LOGON_FAILURE Language=English The logon to account: %2%n by: %1%n from workstation: %3%n failed. The error code was: %4%n .
;//
;//
;// SE_AUDITID_SESSION_RECONNECTED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon ID string
;//
;// 4 - Session Name
;//
;// 5 - Client Name
;//
;// 6 - Client Address
;//
;//
MessageId=0x02aa SymbolicName=SE_AUDITID_SESSION_RECONNECTED Language=English Session reconnected to winstation:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession Name:%t%4%n %tClient Name:%t%5%n %tClient Address:%t%6 .
;//
;//
;// SE_AUDITID_SESSION_DISCONNECTED
;//
;// Category: SE_CATEGID_LOGON
;//
;// Parameter Strings -
;//
;// 1 - User account name
;//
;// 2 - Authenticating domain name
;//
;// 3 - Logon ID string
;//
;// 4 - Session Name
;//
;// 5 - Client Name
;//
;// 6 - Client Address
;//
;//
MessageId=0x02ab SymbolicName=SE_AUDITID_SESSION_DISCONNECTED Language=English Session disconnected from winstation:%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon ID:%t%t%3%n %tSession Name:%t%4%n %tClient Name:%t%5%n %tClient Address:%t%6 .
;/////////////////////////////////////////////////////////////////////////////
;// //
;// //
;// Messages for Category: SE_CATEGID_OBJECT_ACCESS - CertSrv //
;// //
;// Event IDs: //
;// SE_AUDITID_CERTSRV_DENYREQUEST //
;// SE_AUDITID_CERTSRV_RESUBMITREQUEST //
;// SE_AUDITID_CERTSRV_REVOKECERT //
;// SE_AUDITID_CERTSRV_PUBLISHCRL //
;// SE_AUDITID_CERTSRV_AUTOPUBLISHCRL //
;// SE_AUDITID_CERTSRV_SETEXTENSION //
;// SE_AUDITID_CERTSRV_SETATTRIBUTES //
;// SE_AUDITID_CERTSRV_SHUTDOWN //
;// SE_AUDITID_CERTSRV_BACKUPSTART //
;// SE_AUDITID_CERTSRV_BACKUPEND //
;// SE_AUDITID_CERTSRV_RESTORESTART //
;// SE_AUDITID_CERTSRV_RESTOREEND //
;// SE_AUDITID_CERTSRV_SERVICESTART //
;// SE_AUDITID_CERTSRV_SERVICESTOP //
;// SE_AUDITID_CERTSRV_SETSECURITY //
;// SE_AUDITID_CERTSRV_GETARCHIVEDKEY //
;// SE_AUDITID_CERTSRV_IMPORTCERT //
;// SE_AUDITID_CERTSRV_SETAUDITFILTER //
;// SE_AUDITID_CERTSRV_NEWREQUEST //
;// SE_AUDITID_CERTSRV_REQUESTAPPROVED //
;// SE_AUDITID_CERTSRV_REQUESTDENIED //
;// SE_AUDITID_CERTSRV_REQUESTPENDING //
;// SE_AUDITID_CERTSRV_SETOFFICERRIGHTS //
;// SE_AUDITID_CERTSRV_SETCONFIGENTRY //
;// SE_AUDITID_CERTSRV_SETCAPROPERTY //
;// SE_AUDITID_CERTSRV_KEYARCHIVED //
;// SE_AUDITID_CERTSRV_IMPORTKEY //
;// SE_AUDITID_CERTSRV_PUBLISHCERT //
;// SE_AUDITID_CERTSRV_DELETEROW //
;// SE_AUDITID_CERTSRV_ROLESEPARATIONSTATE //
;// //
;// //
;/////////////////////////////////////////////////////////////////////////////
;//
;//
;// SE_AUDITID_CERTSRV_DENYREQUEST
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;//
MessageId=0x0304 SymbolicName=SE_AUDITID_CERTSRV_DENYREQUEST Language=English The certificate manager denied a pending certificate request.%n %n Request ID:%t%1 .
;//
;//
;// SE_AUDITID_CERTSRV_RESUBMITREQUEST
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;//
MessageId=0x0305 SymbolicName=SE_AUDITID_CERTSRV_RESUBMITREQUEST Language=English Certificate Services received a resubmitted certificate request.%n %n Request ID:%t%1 .
;//
;//
;// SE_AUDITID_CERTSRV_REVOKECERT
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Serial No.
;//
;// 2 - Reason
;//
;//
MessageId=0x0306 SymbolicName=SE_AUDITID_CERTSRV_REVOKECERT Language=English Certificate Services revoked a certificate.%n %n Serial No:%t%1%n Reason:%t%2 .
;//
;//
;// SE_AUDITID_CERTSRV_PUBLISHCRL
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Next Update
;//
;// 2 - Publish Base
;//
;// 3 - Publish Delta
;//
;//
MessageId=0x0307 SymbolicName=SE_AUDITID_CERTSRV_PUBLISHCRL Language=English Certificate Services received a request to publish the certificate revocation list (CRL).%n %n Next Update:%t%1%n Publish Base:%t%2%n Publish Delta:%t%3 .
;//
;//
;// SE_AUDITID_CERTSRV_AUTOPUBLISHCRL
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Base CRL
;//
;// 2 - CRL No.
;//
;// 3 - Key Container
;//
;// 4 - Next Publish
;//
;// 5 - Publish URLs
;//
;//
MessageId=0x0308 SymbolicName=SE_AUDITID_CERTSRV_AUTOPUBLISHCRL Language=English Certificate Services published the certificate revocation list (CRL).%n %n Base CRL:%t%1%n CRL No:%t%t%2%n Key Container:%t%3%n Next Publish:%t%4%n Publish URLs:%t%5 .
;//
;//
;// SE_AUDITID_CERTSRV_SETEXTENSION
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Extension Name
;//
;// 3 - Extension Type
;//
;// 4 - Flags
;//
;// 5 - Extension Data
;//
;//
MessageId=0x0309 SymbolicName=SE_AUDITID_CERTSRV_SETEXTENSION Language=English A certificate request extension changed.%n %n Request ID:%t%1%n Name:%t%2%n Type:%t%3%n Flags:%t%4%n Data:%t%5 .
;//
;//
;// SE_AUDITID_CERTSRV_SETATTRIBUTES
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Attributes
;//
;//
MessageId=0x030a SymbolicName=SE_AUDITID_CERTSRV_SETATTRIBUTES Language=English One or more certificate request attributes changed.%n %n Request ID:%t%1%n Attributes:%t%2 .
;//
;//
;// SE_AUDITID_CERTSRV_SHUTDOWN
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;//
MessageId=0x030b SymbolicName=SE_AUDITID_CERTSRV_SHUTDOWN Language=English Certificate Services received a request to shut down. .
;//
;//
;// SE_AUDITID_CERTSRV_BACKUPSTART
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Backup Type
;//
;//
MessageId=0x030c SymbolicName=SE_AUDITID_CERTSRV_BACKUPSTART Language=English Certificate Services backup started.%n Backup Type:%t%1 .
;//
;//
;// SE_AUDITID_CERTSRV_BACKUPEND
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;//
MessageId=0x030d SymbolicName=SE_AUDITID_CERTSRV_BACKUPEND Language=English Certificate Services backup completed. .
;//
;//
;// SE_AUDITID_CERTSRV_RESTORESTART
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;//
MessageId=0x030e SymbolicName=SE_AUDITID_CERTSRV_RESTORESTART Language=English Certificate Services restore started. .
;//
;//
;// SE_AUDITID_CERTSRV_RESTOREEND
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;//
MessageId=0x030f SymbolicName=SE_AUDITID_CERTSRV_RESTOREEND Language=English Certificate Services restore completed. .
;//
;//
;// SE_AUDITID_CERTSRV_SERVICESTART
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Certificate Database Hash
;//
;// 2 - Private Key Usage Count
;//
;// 3 - CA Certificate Hash
;//
;// 4 - CA Public Key Hash
;//
;//
MessageId=0x0310 SymbolicName=SE_AUDITID_CERTSRV_SERVICESTART Language=English Certificate Services started.%n %n Certificate Database Hash:%t%1%n Private Key Usage Count:%t%2%n CA Certificate Hash:%t%3%n CA Public Key Hash:%t%4 .
;//
;//
;// SE_AUDITID_CERTSRV_SERVICESTOP
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Certificate Database Hash
;//
;// 2 - Private Key Usage Count
;//
;// 3 - CA Certificate Hash
;//
;// 4 - CA Public Key Hash
;//
;//
MessageId=0x0311 SymbolicName=SE_AUDITID_CERTSRV_SERVICESTOP Language=English Certificate Services stopped.%n %n Certificate Database Hash:%t%1%n Private Key Usage Count:%t%2%n CA Certificate Hash:%t%3%n CA Public Key Hash:%t%4 .
;//
;//
;// SE_AUDITID_CERTSRV_SETSECURITY
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - New permissions
;//
;//
MessageId=0x0312 SymbolicName=SE_AUDITID_CERTSRV_SETSECURITY Language=English The security permissions for Certificate Services changed.%n %n %1 .
;//
;//
;// SE_AUDITID_CERTSRV_GETARCHIVEDKEY
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;//
MessageId=0x0313 SymbolicName=SE_AUDITID_CERTSRV_GETARCHIVEDKEY Language=English Certificate Services retrieved an archived key.%n %n Request ID:%t%1 .
;//
;//
;// SE_AUDITID_CERTSRV_IMPORTCERT
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Certificate
;//
;// 2 - Request ID
;//
;//
MessageId=0x0314 SymbolicName=SE_AUDITID_CERTSRV_IMPORTCERT Language=English Certificate Services imported a certificate into its database.%n %n Certificate:%t%1%n Request ID:%t%2 .
;//
;//
;// SE_AUDITID_CERTSRV_SETAUDITFILTER
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Filter
;//
;//
MessageId=0x0315 SymbolicName=SE_AUDITID_CERTSRV_SETAUDITFILTER Language=English The audit filter for Certificate Services changed.%n %n Filter:%t%1 .
;//
;//
;// SE_AUDITID_CERTSRV_NEWREQUEST
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Requester
;//
;// 3 - Attributes
;//
;//
MessageId=0x0316 SymbolicName=SE_AUDITID_CERTSRV_NEWREQUEST Language=English Certificate Services received a certificate request.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3 .
;//
;//
;// SE_AUDITID_CERTSRV_REQUESTAPPROVED
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Requester
;//
;// 3 - Attributes
;//
;// 4 - Disposition
;//
;// 5 - SKI
;//
;// 6 - Subject
;//
;//
MessageId=0x0317 SymbolicName=SE_AUDITID_CERTSRV_REQUESTAPPROVED Language=English Certificate Services approved a certificate request and issued a certificate.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3%n Disposition:%t%4%n SKI:%t%t%5%n Subject:%t%6 .
;//
;//
;// SE_AUDITID_CERTSRV_REQUESTDENIED
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Requester
;//
;// 3 - Attributes
;//
;// 4 - Disposition
;//
;// 5 - SKI
;//
;// 6 - Subject
;//
;//
MessageId=0x0318 SymbolicName=SE_AUDITID_CERTSRV_REQUESTDENIED Language=English Certificate Services denied a certificate request.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3%n Disposition:%t%4%n SKI:%t%t%5%n Subject:%t%6 .
;//
;//
;// SE_AUDITID_CERTSRV_REQUESTPENDING
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Requester
;//
;// 3 - Attributes
;//
;// 4 - Disposition
;//
;// 5 - SKI
;//
;// 6 - Subject
;//
;//
MessageId=0x0319 SymbolicName=SE_AUDITID_CERTSRV_REQUESTPENDING Language=English Certificate Services set the status of a certificate request to pending.%n %n Request ID:%t%1%n Requester:%t%2%n Attributes:%t%3%n Disposition:%t%4%n SKI:%t%t%5%n Subject:%t%6 .
;//
;//
;// SE_AUDITID_CERTSRV_SETOFFICERRIGHTS
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Enable restrictions
;//
;// 2 - Restrictions
;//
;//
MessageId=0x031a SymbolicName=SE_AUDITID_CERTSRV_SETOFFICERRIGHTS Language=English The certificate manager settings for Certificate Services changed.%n %n Enable:%t%1%n %n %2 .
;//
;//
;// SE_AUDITID_CERTSRV_SETCONFIGENTRY
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Node
;//
;// 2 - Entry
;//
;// 3 - Value
;//
;//
MessageId=0x031b SymbolicName=SE_AUDITID_CERTSRV_SETCONFIGENTRY Language=English A configuration entry changed in Certificate Services.%n %n Node:%t%1%n Entry:%t%2%n Value:%t%3 .
;//
;//
;// SE_AUDITID_CERTSRV_SETCAPROPERTY
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Property
;//
;// 2 - Index
;//
;// 3 - Type
;//
;// 4 - Value
;//
;//
MessageId=0x031c SymbolicName=SE_AUDITID_CERTSRV_SETCAPROPERTY Language=English A property of Certificate Services changed.%n %n Property:%t%1%n Index:%t%2%n Type:%t%3%n Value:%t%4 .
;//
;//
;// SE_AUDITID_CERTSRV_KEYARCHIVED
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;// 2 - Requester
;//
;// 3 - KRA Hashes
;//
;//
MessageId=0x031d SymbolicName=SE_AUDITID_CERTSRV_KEYARCHIVED Language=English Certificate Services archived a key.%n %n Request ID:%t%1%n Requester:%t%2%n KRA Hashes:%t%3 .
;//
;//
;// SE_AUDITID_CERTSRV_IMPORTKEY
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Request ID
;//
;//
MessageId=0x031e SymbolicName=SE_AUDITID_CERTSRV_IMPORTKEY Language=English Certificate Services imported and archived a key.%n %n Request ID:%t%1 .
;//
;//
;// SE_AUDITID_CERTSRV_PUBLISHCACERT
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Certificate Hash
;//
;// 2 - Valid From
;//
;// 3 - Valid To
;//
;//
MessageId=0x031f SymbolicName=SE_AUDITID_CERTSRV_PUBLISHCACERT Language=English Certificate Services published the CA certificate to Active Directory.%n %n Certificate Hash:%t%1%n Valid From:%t%2%n Valid To:%t%3 .
;//
;//
;// SE_AUDITID_CERTSRV_DELETEROW
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Table ID
;//
;// 2 - Filter
;//
;// 3 - Rows Deleted
;//
;//
MessageId=0x0320 SymbolicName=SE_AUDITID_CERTSRV_DELETEROW Language=English One or more rows have been deleted from the certificate database.%n %n Table ID:%t%1%n Filter:%t%2%n Rows Deleted:%t%3 .
;//
;//
;// SE_AUDITID_CERTSRV_ROLESEPARATIONSTATE
;//
;// Category: SE_CATEGID_OBJECT_ACCESS
;//
;// Parameter Strings -
;//
;// 1 - Role separation state
;//
;//
MessageId=0x0321 SymbolicName=SE_AUDITID_CERTSRV_ROLESEPARATIONSTATE Language=English Role separation enabled:%t%1 .
;/*lint +e767 */ // Resume checking for different macro definitions // winnt
; ; ;#endif // _MSAUDITE_
|