Vista - Windows Vista security event ids

03-21-2007

I'm trying to understand the change in Windows Vista security events. The
event ids for common security events (e.g. 529: unknown name or password)
seem to be different. It seems the event ids correlate pretty closely to
Windows 2003/2000, but have 4096 added to them (e.g. event 529 in Windows
2000/2003 = event 4625 in Vista).

Is there any documentation on this?

Joe

03-21-2007

> I'm trying to understand the change in Windows Vista security events. The
> event ids for common security events (e.g. 529: unknown name or password)
> seem to be different. It seems the event ids correlate pretty closely to
> Windows 2003/2000, but have 4096 added to them (e.g. event 529 in Windows
> 2000/2003 = event 4625 in Vista).

I don't think there is any documentation on this yet (except for what I put
into the "Windows Vista Security" book,
http://www.amazon.com/gp/product/047...SIN=0470101555,
but that's neither official nor particularly extensive).

You are correct, many events have 4096 added to them. The reason is that
many of the events have different information in them. Event log management
(ELM) systems are more or less universally driven by event IDs and if they
get an event ID back, but the information in it does not match what they
expected to get back strange things can happen. To avoid breaking every ELM
on the market the events that were modified were renumbered. This permits the
ELM to contain a different parser for the old and new versions of the events.

03-21-2007	#1 (permalink)
Joe K n/a posts	Windows Vista security event ids I'm trying to understand the change in Windows Vista security events. The event ids for common security events (e.g. 529: unknown name or password) seem to be different. It seems the event ids correlate pretty closely to Windows 2003/2000, but have 4096 added to them (e.g. event 529 in Windows 2000/2003 = event 4625 in Vista). Is there any documentation on this? Joe
My System Specs

03-21-2007	#2 (permalink)
Jesper n/a posts	RE: Windows Vista security event ids > I'm trying to understand the change in Windows Vista security events. The > event ids for common security events (e.g. 529: unknown name or password) > seem to be different. It seems the event ids correlate pretty closely to > Windows 2003/2000, but have 4096 added to them (e.g. event 529 in Windows > 2000/2003 = event 4625 in Vista). I don't think there is any documentation on this yet (except for what I put into the "Windows Vista Security" book, http://www.amazon.com/gp/product/047...SIN=0470101555, but that's neither official nor particularly extensive). You are correct, many events have 4096 added to them. The reason is that many of the events have different information in them. Event log management (ELM) systems are more or less universally driven by event IDs and if they get an event ID back, but the information in it does not match what they expected to get back strange things can happen. To avoid breaking every ELM on the market the events that were modified were renumbered. This permits the ELM to contain a different parser for the old and new versions of the events.
My System Specs

Similar Threads
Thread	Forum
Capturing interactive logons from Security Event Log	VB Script
Event viewer security audit failures	Software
how to i export eventviewer security logs, event id = xx	PowerShell
Re: Security Event Log Audit Failure 5038 in Vista SP1 tcpip.sys	Vista General
Security Event Log Audit Failure 5038 in Vista SP1 tcpip.sys	Vista General