Microsoft KB Archive/274176

= Security Event for Associating Service Account Logon Events =

Article ID: 274176

Article Last Modified on 3/4/2004


APPLIES TO


 * Microsoft Windows XP Professional Edition




This article was previously published under Q274176





SUMMARY
In Windows 2000 and earlier versions of Windows, it was not possible to associate an account logon event (security event ID 528) with a process creation event for many processes, such as services. However, an administrator can use security event ID 600 (included with Windows XP) to make this association. This article describes how to interpret the security event log so you can understand these events.



MORE INFORMATION
If you are auditing account logon events, logon events, and process tracking, the following five events are logged when a service is started with a user account:
 * Kerberos Ticket Request (672 Account Logon)
 * Kerberos Ticket Granted (673 Account Logon)
 * Account Logs on (528 Logon/Logoff)
 * Service Process starts (592 Detailed Tracking)
 * Account that started service logged (600 Detailed Tracking)

The following sample events occur when the License Logging service is started by using a domain account.

Kerberos Ticket Request
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Authentication Ticket Request:
User Name:
Supplied Realm Name:
User ID: \
Service Name:
Service ID: \
Ticket Options: 0x40810010
Result Code: -
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 127.0.0.1

Kerberos Ticket Granted
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Service Ticket Granted:
User Name:
User Domain:
Service Name: $
Service ID: \ $
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Client Address: 127.0.0.1

Account Logs On
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 08/14/2000
Time: 05:13:02
User: \
Computer:
Description:
Successful Logon:
User Name:
Domain:
Logon ID: (0x0,0x1CBC6A)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:

Service Process Starts
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer:
Description:
A new process has been created:
New Process ID: 2064
Image File Name: C:\WINDOWS\system32\llssrv.exe
Creator Process ID: 264
User Name: $
Domain:
Logon ID: (0x0,0x3E7)

Account That Started Service Logged
Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 600
Date: 08/14/2000
Time: 05:13:02
User: NT AUTHORITY\SYSTEM
Computer:
Description:
A process was assigned a primary token.
Process ID: 2064
Image File Name: C:\WINDOWS\system32\llssrv.exe
User Name:
Domain:
Logon ID: (0x0,0x1CBC6A)
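
In the sample events, the Logon ID in event 528 matches the Logon ID in event 600, and the Process ID in event 600 matches the New Process ID in event 592. The following Python code is an added example, not part of the original article, that joins events on those two fields. The blank-line-separated "Field: value" input format and the function names are assumptions made for illustration.

```python
import re

# Constructed input: the article's 528, 592 and 600 samples, reduced to the
# fields used for correlation and separated by blank lines.
SAMPLE = r"""
Event ID: 528
Logon ID: (0x0,0x1CBC6A)
Logon Type: 5

Event ID: 592
New Process ID: 2064
Image File Name: C:\WINDOWS\system32\llssrv.exe
Logon ID: (0x0,0x3E7)

Event ID: 600
Process ID: 2064
Image File Name: C:\WINDOWS\system32\llssrv.exe
Logon ID: (0x0,0x1CBC6A)
"""

def parse_events(text):
    """Turn blank-line-separated 'Field: value' records into dicts."""
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        # partition() splits on the first colon, so "C:\..." values survive.
        pairs = (line.partition(":") for line in record.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def correlate(events):
    """Join each 600 to its 528 (Logon ID) and 592 (process ID).
    Events must be in chronological order, because process IDs are reused."""
    logons, created, out = {}, {}, []
    for e in events:
        eid = e.get("Event ID")
        if eid == "528":
            logons[e.get("Logon ID")] = e
        elif eid == "592":
            created[e.get("New Process ID")] = e  # latest 592 per PID wins
        elif eid == "600":
            logon = logons.get(e.get("Logon ID"))  # None if 528 is not in the log
            proc = created.get(e.get("Process ID"), {})
            out.append({
                "image": e.get("Image File Name"),
                "process_id": e.get("Process ID"),
                "logon_id": e.get("Logon ID"),
                "logon_type": logon.get("Logon Type") if logon else None,
                "creation_logon_id": proc.get("Logon ID"),
            })
    return out
```

For the sample data, the result ties llssrv.exe (process 2064) to logon session (0x0,0x1CBC6A) from event 528, while the 592 event alone shows only the creating session (0x0,0x3E7).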

Keywords: kbinfo KB274176


© Microsoft Corporation. All rights reserved.