| Offset | Size | Description |
|---|---|---|
| 0 | 4 bytes | Length of the event record, or size of the record in bytes |
| 4 | 4 bytes | Reserved; magic number LfLe |
| 8 | 4 bytes | Record number |
| 12 | 4 bytes | Time generated; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in Universal Coordinated Time (UTC) |
| 16 | 4 bytes | Time written; measured in UNIX time, or the number of seconds elapsed since 00:00:00 1 Jan 1970, in UTC |
| 20 | 4 bytes | Event ID, which is specific to the event source and uniquely identifies the event; the event ID is used along with the source name to locate the appropriate description string within the message file for the event source |
| 26 | 2 bytes | Number of strings |
| 28 | 2 bytes | Event category |
| 30 | 2 bytes | Reserved flags |
| 32 | 4 bytes | Closing record number |
| 36 | 4 bytes | String offset; offset to the description strings within this event record |
| 40 | 4 bytes | Length of the user Security Identifier (SID); size of the user SID in bytes (if 0, no user SID is provided) |
| 44 | 4 bytes | Offset to the user SID within this event record |
| 48 | 4 bytes | Data length; length of the binary data associated with this event record |
| 52 | 4 bytes | Offset to the data |
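A parser for the record layout in the table above, added here as an example (not code from the original page). It assumes the 2-byte Event Type field at offset 24 that the table omits but that the Windows EVENTLOGRECORD structure carries, and that the source name and computer name follow the header as NUL-terminated UTF-16LE strings; every offset taken from the header is bounds-checked before use, since a log under analysis may be truncated or tampered with.

```python
import struct
from datetime import datetime, timezone

# 56-byte EVENTLOGRECORD header per the offset table above; Event Type at offset 24 (2 bytes)
# is not in the table but is part of the structure.
_HDR = struct.Struct("<I4sIIIIHHHHIIIIII")
_FIELDS = ("length", "magic", "record_number", "time_generated", "time_written", "event_id", "event_type",
           "num_strings", "category", "flags", "closing_record_number", "string_offset", "sid_length",
           "sid_offset", "data_length", "data_offset")

def _utf16z(rec, pos):
    # NUL-terminated UTF-16LE string at pos; the terminator must sit on an even boundary
    end = pos
    while end + 1 < len(rec) and rec[end:end + 2] != b"\x00\x00":
        end += 2
    return rec[pos:end].decode("utf-16-le"), end + 2

def parse_evt_record(buf, offset=0):
    h = dict(zip(_FIELDS, _HDR.unpack_from(buf, offset)))
    n = h["length"]
    if h["magic"] != b"LfLe" or n < _HDR.size + 4 or offset + n > len(buf):
        raise ValueError("not a well-formed event record")
    rec = buf[offset:offset + n]
    if struct.unpack_from("<I", rec, n - 4)[0] != n:      # trailing copy of the record length
        raise ValueError("trailing length does not match header")
    for off, ln in ((h["string_offset"], 0), (h["sid_offset"], h["sid_length"]),
                    (h["data_offset"], h["data_length"])):
        if off + ln > n - 4:                               # never trust offsets in a log under analysis
            raise ValueError("offset/length runs past end of record")
    h["source_name"], pos = _utf16z(rec, _HDR.size)       # source and computer name follow the header
    h["computer_name"], _ = _utf16z(rec, pos)
    h["strings"], pos = [], h["string_offset"]
    for _ in range(h["num_strings"]):
        s, pos = _utf16z(rec, pos)
        h["strings"].append(s)
    h["user_sid"] = rec[h["sid_offset"]:h["sid_offset"] + h["sid_length"]] if h["sid_length"] else None
    h["data"] = rec[h["data_offset"]:h["data_offset"] + h["data_length"]]
    for k in ("time_generated", "time_written"):           # UNIX epoch seconds, UTC
        h[k] = datetime.fromtimestamp(h[k], tz=timezone.utc)
    return h

def build_evt_record(record_number, event_id, source, computer, strings, t=0, event_type=8, data=b""):
    # Constructed test input assembled from the table's layout; no real log file is used.
    names = "".join(s + "\x00" for s in (source, computer)).encode("utf-16-le")
    body = "".join(s + "\x00" for s in strings).encode("utf-16-le")
    str_off = _HDR.size + len(names)
    data_off = str_off + len(body)
    length = data_off + len(data) + 4
    hdr = _HDR.pack(length, b"LfLe", record_number, t, t, event_id, event_type, len(strings), 0, 0,
                    record_number, str_off, 0, data_off, len(data), data_off)
    return hdr + names + body + data + struct.pack("<I", length)
```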
A significant number of new events and log files were added. Logging capabilities & defaults are generally somewhat better on Vista/7/2K8 than previously.
Data Fields:
- User Name: %1
- Supplied Realm Name: %2
- User ID: %3
- Service Name: %4
- Service ID: %5
- Ticket Options: %6
- Result Code: (For an explanation of result/failure codes see the chart on event ID 675)
- Ticket Encryption Type: %8
- Pre-Authentication Type: %9
- Client Address: %10 (source from which user authenticated)
- Certificate Issuer Name: %11
- Certificate Serial Number: %12
- Certificate Thumbprint: %13
Also logged when a computer authenticates to the domain, such as on boot. These events have hostname$ for User Name.
(logged on local system)
- 528/4624 - Successful Logon
- 529/4625 - Logon Failure - Unknown user name or bad password
- 530/4625 - Logon Failure - Account logon time restriction violation
- 531/4625 - Logon Failure - Account currently disabled
- 532/4625 - Logon Failure - The specified user account has expired
- 533/4625 - Logon Failure - User not allowed to logon at this computer
- 534/4625 - Logon Failure - The user has not been granted the requested logon type at this machine
- 535/4625 - Logon Failure - The specified account's password has expired
- 536/4625 - Logon Failure - The NetLogon component is not active
- 537/4625 - Logon Failure - The logon attempt failed for other reasons.
- 538/4634 - User Logoff
- 539/4625 - Logon Failure - Account locked out
- 540/4624 - Successful Network Logon
- 551/4647 - User initiated logoff
- 552/4648 - Logon attempt using explicit credentials
- 576/4672 - Special privileges assigned to new logon
- 682/4778 - Session reconnected to winstation
- 683/4779 - Session disconnected from winstation
- 4646 - IKE DoS-prevention mode started.
- 4649 - A replay attack was detected
- 4650 - An IPsec Main Mode security association was established
- 4651 - An IPsec Main Mode security association was established
- 4652 - An IPsec Main Mode negotiation failed
- 4653 - An IPsec Main Mode negotiation failed
- 4654 - An IPsec Quick Mode negotiation failed
- 4655 - An IPsec Main Mode security association ended
- 4675 - SIDs were filtered
- 4800 - The workstation was locked
- 4801 - The workstation was unlocked
- 4802 - The screen saver was invoked
- 4803 - The screen saver was dismissed
- 4964 - Special groups have been assigned to a new logon
- 4976 - During Main Mode negotiation, IPsec received an invalid negotiation packet.
- 4977 - During Quick Mode negotiation, IPsec received an invalid negotiation packet.
- 4978 - During Extended Mode negotiation, IPsec received an invalid negotiation packet.
- 4979 - IPsec Main Mode and Extended Mode security associations were established.
- 4980 - IPsec Main Mode and Extended Mode security associations were established
- 4981 - IPsec Main Mode and Extended Mode security associations were established
- 4982 - IPsec Main Mode and Extended Mode security associations were established
- 4983 - An IPsec Extended Mode negotiation failed
- 4984 - An IPsec Extended Mode negotiation failed
- 5451 - An IPsec Quick Mode security association was established
- 5452 - An IPsec Quick Mode security association ended
- 5453 - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
- 5632 - A request was made to authenticate to a wireless network
- 5633 - A request was made to authenticate to a wired network
- 6272 - Network Policy Server granted access to a user
- 6273 - Network Policy Server denied access to a user
- 6274 - Network Policy Server discarded the request for a user
- 6275 - Network Policy Server discarded the accounting request for a user
- 6276 - Network Policy Server quarantined a user
- 6277 - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
- 6278 - Network Policy Server granted full access to a user because the host met the defined health policy
- 6279 - Network Policy Server locked the user account due to repeated failed authentication attempts
- 6280 - Network Policy Server unlocked the user account
| Type | Name | Description |
|---|---|---|
| 2 | Interactive | Logon at keyboard and screen of system. Windows 2000 records Terminal Services logon as this type rather than Type 10. |
| 3 | Network | i.e. connection to shared folder on this computer from elsewhere on network, or IIS logon. Never logged by 528 on W2k and forward; see event 540. |
| 4 | Batch | i.e. scheduled task |
| 5 | Service | Service startup |
| 7 | Unlock | i.e. unattended workstation with password protected screen saver |
| 8 | NetworkCleartext | Logon with credentials sent in clear text. Most often indicates a logon to IIS with "basic authentication". |
| 9 | NewCredentials | |
| 10 | RemoteInteractive | Terminal Services, Remote Desktop or Remote Assistance |
| 11 | CachedInteractive | Logon with cached domain credentials, such as when logging on to a laptop when away from the network |
| Code | Hex | Reason | Notes |
|---|---|---|---|
| 1 | 0x1 | Client's entry in database has expired | |
| 2 | 0x2 | Server's entry in database has expired | |
| 3 | 0x3 | Requested protocol version # not supported | |
| 4 | 0x4 | Client's key encrypted in old master key | |
| 5 | 0x5 | Server's key encrypted in old master key | |
| 6 | 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet (common) |
| 7 | 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k (common) |
| 8 | 0x8 | Multiple principal entries in database | |
| 9 | 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 10 | 0xA | Ticket not eligible for postdating | |
| 11 | 0xB | Requested start time is later than end time | |
| 12 | 0xC | KDC policy rejects request | Workstation/logon time restriction (common) |
| 13 | 0xD | KDC cannot accommodate requested option | |
| 14 | 0xE | KDC has no support for encryption type | |
| 15 | 0xF | KDC has no support for checksum type | |
| 16 | 0x10 | KDC has no support for padata type | |
| 17 | 0x11 | KDC has no support for transited type | |
| 18 | 0x12 | Client's credentials have been revoked | Account disabled, expired, or locked out (common) |
| 19 | 0x13 | Credentials for server have been revoked | |
| 20 | 0x14 | TGT has been revoked | |
| 21 | 0x15 | Client not yet valid - try again later | |
| 22 | 0x16 | Server not yet valid - try again later | |
| 23 | 0x17 | Password has expired | The user's password has expired (common) |
| 24 | 0x18 | Pre-authentication information was invalid | Usually means bad password (common) |
| 25 | 0x19 | Additional pre-authentication required* | |
| 31 | 0x1F | Integrity check on decrypted field failed | |
| 32 | 0x20 | Ticket expired | Frequently logged by computer accounts |
| 33 | 0x21 | Ticket not yet valid | |
| 34 | 0x22 | Request is a replay | |
| 35 | 0x23 | The ticket isn't for us | |
| 36 | 0x24 | Ticket and authenticator don't match | |
| 37 | 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's (common) |
| 38 | 0x26 | Incorrect net address | IP address change? |
| 39 | 0x27 | Protocol version mismatch | |
| 40 | 0x28 | Invalid msg type | |
| 41 | 0x29 | Message stream modified | |
| 42 | 0x2A | Message out of order | |
| 44 | 0x2C | Specified version of key is not available | |
| 45 | 0x2D | Service key not available | |
| 46 | 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 47 | 0x2F | Incorrect message direction | |
| 48 | 0x30 | Alternative authentication method required* | |
| 49 | 0x31 | Incorrect sequence number in message | |
| 50 | 0x32 | Inappropriate type of checksum in message | |
| 60 | 0x3C | Generic error (description in e-text) | |
| 61 | 0x3D | Field is too long for this implementation | |
| Decimal | Hex | Reason |
|---|---|---|
| 3221225572 | C0000064 | user name does not exist |
| 3221225578 | C000006A | user name is correct but the password is wrong |
| 3221226036 | C0000234 | user is currently locked out |
| 3221225586 | C0000072 | account is currently disabled |
| 3221225583 | C000006F | user tried to logon outside his day of week or time of day restrictions |
| 3221225584 | C0000070 | workstation restriction |
| 3221225875 | C0000193 | account expiration |
| 3221225585 | C0000071 | expired password |
| 3221226020 | C0000224 | user is required to change password at next logon |
| 3221226021 | C0000225 | evidently a bug in Windows and not |
The official XMP specification defines only Keywords, PDFVersion, Producer and Trapped. The other tags are included because they have been observed in PDF files.
- Machine Type
- Time Stamp (compiled)
- PE Type
- Linker Version
- Code Size
- Initialized Data Size
- Uninitialized Data Size
- Entry Point
- OS Version
- Image Version
- Subsystem Version
- Subsystem (GUI/DOS/Native)
- File Version Number
- Product Version Number
- File Flags Mask
- File Flags
- File OS
- Object File Type (app/dll)
- File Subtype
- Language Code
- Character Set
- Company Name
- File Description
- File Version
- Internal Name
- Legal Copyright
- Original Filename
- Product Name
- Product Version
- Product Date
Single, centrally stored file for each user:
- Thumbcache_32.db (small)
- Thumbcache_96.db (medium)
- Thumbcache_256.db (large)
- Thumbcache_1024.db (extra large)
- Thumbcache_idx.db
- Thumbcache_sr.db

Located in <profile>\AppData\Local\Microsoft\Windows\Explorer

All created when a folder is switched to thumbnail mode or the user views pictures in a slideshow.

Even stores thumbnails for pictures/docs/media on removable media, network shares, or encrypted containers.

The numbered files store the actual images; linking thumbnails back to files is done by the idx file.