EventIDs 512, 513 in the Security Event Log
-------------------------------------------

EventID 512 is logged when the Windows OS is started.

EventID 513 is SUPPOSED TO BE LOGGED when the Windows OS is stopped. However, in spite of all the Windows documentation stating that it is logged, it is still NOT logged in all versions of Windows.

EventID 517 in the Security Event Log
-------------------------------------

EventID 517 is logged when the event logs are cleared. There is no indication as to which log is being cleared.

To be checked: clearing one event log will produce one EventID 517 entry; clearing all 3 event logs will also produce one EventID 517 entry.

EventID 528 in the Security Event Log
-------------------------------------

EventID 528 is logged when a "user" logs in successfully. The logon type is one of:

2 - Local/interactive logon, e.g. logging in through the console or through the Terminal Services Client (true for Win2K but not for Win2003; in Win2003, Terminal Services Client is logon type 10). Logon type 2 is also produced when IIS logs on as the anonymous user or the IWAM user to execute a .ASP file.

3 - Network logon, e.g. connecting to a network share. Also produced by IIS when the anonymous user or the authenticated user accesses a virtual directory. Logon type 3 is ALWAYS logged as EventID 540 with logon type 3; it is NEVER logged as EventID 528 with logon type 3.

4 - Batch job logon, e.g. a user executing a Task Scheduler job.

7 - Unlocking a locked console/Terminal Services screen (locked either manually from the keyboard or by the screensaver timeout).

10 - Terminal Services logon (only for Win2003). Refer to logon type 2.

EventID 538 in the Security Event Log
-------------------------------------

EventID 538 is logged when a "user" logs out. It is logged following EventID 528 or EventID 540. However, due to a long-standing bug in ALL versions of Windows, some EventID 538 entries are not logged.
Therefore, there is no guarantee that there is a corresponding EventID 538 for every EventID 528 and EventID 540.

EventID 540 in the Security Event Log
-------------------------------------

EventID 540 is logged when a "user" logs in successfully through the network to make a connection to a network resource on the local machine. Refer to EventID 528, logon type 3, for more info.

EventID 624 in the System Event Log
-----------------------------------

EventID 624 is logged when a new local user is created.

EventID 630 in the System Event Log
-----------------------------------

EventID 630 is logged when a local user is deleted.

EventID 635 in the Security Event Log
-------------------------------------

EventID 635 is logged when a new local group is created.

EventID 636 in the Security Event Log
-------------------------------------

EventID 636 is logged when a member is added to a local group.

EventID 637 in the Security Event Log
-------------------------------------

EventID 637 is logged when a member is removed from a local group.

EventID 638 in the Security Event Log
-------------------------------------

EventID 638 is logged when a local group is deleted.

EventIDs 6005, 6006, 6009 in the System Event Log
-------------------------------------------------

EventID 6005 is logged when the EventLog service is started.

EventID 6006 is logged when the EventLog service is stopped.

EventID 6009 is logged when the machine is started.

Other notes on EventIDs 528, 540, 538 and IIS
---------------------------------------------

When IIS accesses a file (either .htm or .asp), it accesses it as the anonymous user or the authenticated user. If the anonymous user or the authenticated user has not logged on to the server and does not have an existing session on the server, IIS will log that user on, and an EventID 528 or EventID 540 is logged before the file requested through the browser is accessed/executed. If the anonymous or authenticated user has already logged on to the server, i.e.
the user has an existing session on the server, e.g. when this is a subsequent access/execution of a file requested through the browser, nothing will be logged in ANY of the Event Logs.

If "Allow IIS to Control Password" is selected:

If the anonymous/authenticated user doesn't have any existing session on the server and the first access through the browser is for a .htm file, then EventID 540 with logon type 3 is logged in the Security Event Log. Otherwise, if the first access through the browser is for a .asp file, then EventID 528 with logon type 4 is logged in the Security Event Log and the user is NOT the anonymous user but IWAM_.

If "Allow IIS to Control Password" is not selected:

If the anonymous/authenticated user doesn't have any existing session on the server and the first access through the browser is for a .htm or a .asp file, then EventID 528 with logon type 2 is logged in the Security Event Log and the user is the anonymous/authenticated user.

After the initial access, once either EventID 528 or EventID 540 has been logged, subsequent accesses/executions of files will NOT produce any more entries in ANY of the Event Logs, regardless of whether .htm or .asp files are requested. That is because once the anonymous/authenticated user has logged onto the server and has an existing session there, the session will last as long as there are still accesses/executions through that user's identity. The session stays alive until there have been no accesses for 25 - 30 mins; then the user is automatically logged out by the system and an EventID 538 is logged.

Accessing files through network shares and EventID 540
------------------------------------------------------

Accessing a file through a network share (either by statically mapping the share to a local drive letter or by typing \\\ at Start->Run) will cause the client to log on to the server of the network share with the client machine's account at regular intervals.
This will happen even if you type \\\ at Start->Run, access the file on the share, close the file and close the window to the share. The local client records that a file residing on another machine has been accessed and will log on to the remote machine at regular intervals just to make sure that the file that was accessed is still accessible.

To get rid of these "unwanted" logons to the server of the shared resource, go to "Settings->Taskbar and Start Menu" and click "Clear" to remove the records of recently accessed documents, programs, and Web sites. If a static mapping to a local drive letter has been done, the static mapping will have to be removed first, before clearing the records of the recently accessed documents.

The difference between "Logon Events" and "Account Logon Events"
----------------------------------------------------------------

"Logon Events" will log ALL attempts to log on to the target machine at the target machine. As long as "Logon Events" is audited at the targeted machine, an entry will appear in its Security Event Log. However, it will not cause anything to be logged in the Security Event Log of the domain controller, even if "Logon Events" is audited at the domain controller.

When a domain credential is used to log on to the target machine and "Account Logon Events" is audited on the domain controller, an entry will appear at the domain controller but not on the target machine, unless "Logon Events" is audited on the target machine. "Account Logon Events" logs an entry on the domain controller but not on the target machine (unless "Logon Events" is also audited on the target machine) because a domain credential is used, and domain accounts are created on the domain controller, not on the target machine.
If a local credential is used to log on to the target machine and "Account Logon Events" is audited on the target machine, then an entry will appear in the Security Event Log of the target machine and NOT on the domain controller, even if "Logon Events" is NOT audited on the target machine and "Account Logon Events" IS audited on the domain controller, because local accounts are created on the target machine and not on the domain controller.
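The EventID 528, 538 and 540 sections and the IIS notes above describe a logon/logoff pairing that an analyst has to reconstruct by hand: every 528 or 540 should be followed by a 538 with the same Logon ID, but some 538 entries are never written, an IIS session only logs off after 25 - 30 idle minutes, and a 517 can wipe the logon half of a pair. The following Python script is an added example written for these notes, not code from the original page. It assumes records carrying the fields (event id, user, logon type, Logon ID) that the notes discuss, keeps time as a minute offset within a constructed sample rather than real timestamps, and uses constructed sample entries (user names, Logon ID values and minute offsets are all made up). It goes slightly beyond the text by also classifying logoffs whose logon is absent from the sample.

```python
"""Pair EventID 528/540 logons with their EventID 538 logoffs.

Added example for the 528, 538, 540 and IIS sections of the notes; not code
from the original page. Records, field names and minute offsets are assumptions
chosen to mirror the pre-Vista Security log entries the notes describe.
"""
from dataclasses import dataclass

# Logon type meanings taken from the EventID 528 section of the notes.
LOGON_TYPES = {
    2: "interactive: console, or IIS anonymous/IWAM user running a .asp file",
    3: "network: share or IIS virtual directory (always EventID 540)",
    4: "batch: Task Scheduler job",
    7: "unlock of a locked console/Terminal Services screen",
    10: "Terminal Services (Win2003 only)",
}


@dataclass
class Event:
    minute: int          # offset in minutes within the constructed sample
    event_id: int
    user: str = ""
    logon_type: int = 0
    logon_id: str = ""   # Logon ID field shared by a 528/540 and its 538


# Constructed sample records (not a real log export), one per case in the notes.
SAMPLE = [
    Event(0, 6005),                          # EventLog service started
    Event(1, 528, "IUSR_WEB", 2, "0x1A"),    # IIS anonymous user, first .asp request
    Event(2, 540, "CLIENTPC$", 3, "0x2B"),   # share access with the client machine's account
    Event(5, 528, "alice", 2, "0x3C"),       # console logon
    Event(9, 538, "CLIENTPC$", 3, "0x2B"),   # matching logoff for 0x2B
    Event(12, 517),                          # event log cleared
    Event(40, 538, "IUSR_WEB", 2, "0x1A"),   # IIS session timed out after the idle period
    Event(41, 538, "bob", 2, "0x9F"),        # logoff whose logon is not in the sample
]


def describe_logon_type(logon_type, os_name):
    """Decode a logon type, honouring the Win2K/Win2003 Terminal Services difference."""
    if logon_type == 10 and os_name != "Win2003":
        return "logon type 10 is not produced on %s" % os_name
    if logon_type == 2 and os_name == "Win2003":
        return "interactive: console (Terminal Services is type 10 on Win2003), or IIS .asp"
    return LOGON_TYPES.get(logon_type, "unknown logon type %d" % logon_type)


def consistency_warnings(events):
    """Flag entries that contradict the notes (528 with type 3, 540 without type 3)."""
    out = []
    for e in events:
        if e.event_id == 528 and e.logon_type == 3:
            out.append("minute %d: 528 with logon type 3 is never logged; expect 540" % e.minute)
        if e.event_id == 540 and e.logon_type != 3:
            out.append("minute %d: 540 should carry logon type 3, got %d" % (e.minute, e.logon_type))
    return out


def pair_sessions(events, now_minute, idle_timeout=30):
    """Match logons to logoffs by Logon ID and classify whatever is left over."""
    open_logons = {}          # logon_id -> logon Event still without a 538
    closed, orphans, cleared = [], [], []
    visible = (x for x in events if x.minute <= now_minute)
    for e in sorted(visible, key=lambda x: x.minute):
        if e.event_id in (528, 540):
            open_logons[e.logon_id] = e
        elif e.event_id == 538:
            start = open_logons.pop(e.logon_id, None)
            if start is not None:
                closed.append((start.user, e.logon_id, e.minute - start.minute))
            elif cleared:
                # A 517 earlier in the sample may have wiped the logon entry.
                orphans.append((e.user, e.logon_id,
                                "logon may have been cleared by 517 at minute %d" % cleared[-1]))
            else:
                orphans.append((e.user, e.logon_id, "logon precedes the sample"))
        elif e.event_id == 517:
            cleared.append(e.minute)
    unmatched = []
    for start in open_logons.values():
        if now_minute - start.minute < idle_timeout:
            status = "still within idle window"
        else:
            # Either the session is genuinely still in use, or the 538 was
            # never written (the long-standing bug the notes mention).
            status = "no 538 after %d min: still logged on, or 538 never logged" % idle_timeout
        unmatched.append((start.user, start.logon_id, status))
    return {"closed": closed, "unmatched": unmatched,
            "orphan_logoffs": orphans, "log_cleared_at": cleared}


if __name__ == "__main__":
    for line in consistency_warnings(SAMPLE):
        print("WARNING", line)
    for key, rows in pair_sessions(SAMPLE, now_minute=45).items():
        print(key)
        for row in rows:
            print("   ", row)
    print(describe_logon_type(2, "Win2K"))
```

The idle window is taken from the 25 - 30 minute figure in the IIS notes; an unmatched logon older than that is reported as ambiguous rather than as a missing logoff, because the notes give no way to tell a genuinely open session from a 538 that was never written. When a 517 precedes an unmatched 538 the script says so, since the cleared log is the most likely reason the logon half is missing.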