EventID: Difference between revisions
Jump to navigation
Jump to search
(Created page with "Bunch of usefull/related Windows Event ID's ==shutdown== 1074,1076,12,6008,41 ==logon== 4624 {| class="wikitable" |- ! Logon Type !! Description |- | 2 || Interactive (log...") (change visibility) |
No edit summary (change visibility) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 22: | Line 22: | ||
| 10 || RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) | | 10 || RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) | ||
|} | |} | ||
<syntaxhighlight lang="text"> | |||
<QueryList> | |||
<Query Id="0" Path="security"> | |||
<Select Path="security"> | |||
*[System[(EventID='4624')]] | |||
and | |||
( *[EventData[Data[@Name='logontype'] ='2']] | |||
or | |||
*[EventData[Data[@Name='logontype'] ='10']] | |||
) | |||
</Select> | |||
</Query> | |||
</QueryList> | |||
</syntaxhighlight> | |||
| Line 27: | Line 42: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! ID !! Description | ! ID !! oldID || impact||Description | ||
|- | |||
|4756 ||660|| Low|| A member was added to a security-enabled universal group. | |||
|- | |||
|4757|| 661|| Low|| A member was removed from a security-enabled universal group. | |||
|- | |||
|4732|| 636|| Low|| A member was added to a security-enabled local group. | |||
|- | |||
|4733|| 637|| Low|| A member was removed from a security-enabled local group. | |||
|- | |||
|4728|| 632|| Low|| A member was added to a security-enabled global group. | |||
|- | |- | ||
| | |4729|| 633|| Low|| A member was removed from a security-enabled global group. | ||
|} | |||
==ADDS== | |||
{| class="wikitable" | |||
|- | |- | ||
! ID !! Description | |||
|- | |- | ||
|5136 ||A directory service object was modified. | |5136 ||A directory service object was modified. | ||
|} | |} | ||
Latest revision as of 12:16, 31 August 2015
Bunch of usefull/related Windows Event ID's
shutdown
1074,1076,12,6008,41
logon
4624
| Logon Type | Description |
|---|---|
| 2 | Interactive (logon at keyboard and screen of system) |
| 3 | Network (i.e. connection to shared folder on this computer from elsewhere on network) |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (Service startup) |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
<QueryList>
<Query Id="0" Path="security">
<Select Path="security">
*[System[(EventID='4624')]]
and
( *[EventData[Data[@Name='logontype'] ='2']]
or
*[EventData[Data[@Name='logontype'] ='10']]
)
</Select>
</Query>
</QueryList>
groups
| ID | oldID | impact | Description |
|---|---|---|---|
| 4756 | 660 | Low | A member was added to a security-enabled universal group. |
| 4757 | 661 | Low | A member was removed from a security-enabled universal group. |
| 4732 | 636 | Low | A member was added to a security-enabled local group. |
| 4733 | 637 | Low | A member was removed from a security-enabled local group. |
| 4728 | 632 | Low | A member was added to a security-enabled global group. |
| 4729 | 633 | Low | A member was removed from a security-enabled global group. |
ADDS
| ID | Description |
|---|---|
| 5136 | A directory service object was modified. |