JSI Tip 5478. How do I interpret security auditing events related to user authentication?JSI Tip 5478. How do I interpret security auditing events related to user authentication?JSI Tip 5478. How do I interpret security auditing events related to user authentication?
Jerold Schulman
June 25, 2002
1 Min Read
ITPro Today logo in a gray background | ITPro Today
Tip 4108 and links contains Windows 2000 Security Event Descriptions.
The security auditing events related to user authentication appear in the Security event log. The relevant Event IDs are:
EventID Description 514 An authentication package has been loaded by the LSA. 515 A trusted logon process has registered with the LSA. 518 A notification package has been loaded by the Security Account Manager. 528 Successful Logon. 529 Logon Failure: Unknown user name or bad password. 530 Logon Failure: Account logon time restriction violation. 531 Logon Failure: Account currently disabled. 532 Logon Failure: The specified user account has expired. 533 Logon Failure: User not allowed to logon at this computer. 534 Logon Failure: The user has not been granted the requested logon type at this machine. 535 Logon Failure: The specified account's password has expired. 536 Logon Failure: The NetLogon component is not active. 537 Logon Failure: An unexpected error occurred during logon. 538 User Logoff. 539 Logon Failure: Account locked out. 644 User Account Locked Out.
Some security events report a SID instead of a user name. Use the SidToName freeware to decode a SID into a user-friendly username.
The reported Logon Type will be one of the following:
2 Interactive 3 Network 4 Batch 5 Service 6 Proxy 7 Unlock WorkstationThe Logon Process will be one the following:
"msv1_0" or "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0": msv1_0.dll, the default authentication package "KSecDD": ksecdd.sys, the security device driver "User32" or "WinLogonMSGina": winlogon.exe & msgina.dll, the authentication user interface "SCMgr": The Service Control Manager "LAN Manager Workstation Service" "advapi" API call to LogonUser "MS.RADIU": The RADIUS authentication package; a part of the Microsoft Internet Authentication Services (IAS).About the Author
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
You May Also Like
Exclusive ITPro Resources
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Enterprise Connect 2026 – All In on What’s Next