Windows Vista security event ids


Joe K

I'm trying to understand the change in Windows Vista security events. The
event ids for common security events (e.g. 529: unknown name or password)
seem to be different. It seems the event ids correlate pretty closely to
Windows 2003/2000, but have 4096 added to them (e.g. event 529 in Windows
2000/2003 = event 4625 in Vista).

Is there any documentation on this?

Joe
 
> I'm trying to understand the change in Windows Vista security events. The
> event ids for common security events (e.g. 529: unknown name or password)
> seem to be different. It seems the event ids correlate pretty closely to
> Windows 2003/2000, but have 4096 added to them (e.g. event 529 in Windows
> 2000/2003 = event 4625 in Vista).

I don't think there is any documentation on this yet (except for what I put
into the "Windows Vista Security" book,
http://www.amazon.com/gp/product/04...mp=1789&creative=9325&creativeASIN=0470101555,
but that's neither official nor particularly extensive).

You are correct, many events have 4096 added to them. The reason is that
many of the events have different information in them. Event log management
(ELM) systems are more or less universally driven by event IDs, and if they
get an event ID back but the information in it does not match what they
expected to get back, strange things can happen. To avoid breaking every ELM
on the market, the events that were modified were renumbered. This permits the
ELM to contain a different parser for the old and new versions of the events.
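
Added example, not part of the thread and not code from any ELM product: a Python sketch of the per-ID parser dispatch the reply describes, including the failure it was meant to avoid (an old ID arriving with a new payload). The record shapes (`strings`, `data`), the three-field subsets and the sample records are constructed assumptions.

```python
# Added example: dispatch on event ID so the old and the renumbered event
# each get their own parser. Record shapes and field subsets are assumptions.
VISTA_OFFSET = 4096  # from the thread: 529 + 4096 = 4625


class LayoutMismatch(Exception):
    """The event ID was recognised but the payload did not fit its parser."""


def parse_legacy_529(rec):
    # Assumed shape: positional insertion strings (user, domain, logon type).
    user, domain, logon_type = rec["strings"]
    return {"user": user, "domain": domain, "logon_type": int(logon_type)}


def parse_vista_4625(rec):
    # Assumed shape: named fields; only three of them are modelled here.
    d = rec["data"]
    return {"user": d["TargetUserName"], "domain": d["TargetDomainName"],
            "logon_type": int(d["LogonType"])}


# Only IDs with a registered parser are handled; the offset is never applied
# blindly, because the thread says "many" events moved, not all of them.
PARSERS = {529: ("legacy", parse_legacy_529),
           529 + VISTA_OFFSET: ("vista", parse_vista_4625)}


def normalize(rec):
    """Return one common record for either version, or flag what cannot be parsed."""
    eid = rec["event_id"]
    if eid not in PARSERS:
        return {"category": "unparsed", "event_id": eid}
    schema, parser = PARSERS[eid]
    try:
        fields = parser(rec)
    except (KeyError, ValueError, TypeError) as exc:
        raise LayoutMismatch(f"event {eid}: payload is not {schema} layout") from exc
    return {"category": "logon_failure", "schema": schema, **fields}


# Constructed sample records (not real log data).
LEGACY = {"event_id": 529, "strings": ["jdoe", "CORP", "3"]}
VISTA = {"event_id": 4625, "data": {"TargetUserName": "jdoe",
                                    "TargetDomainName": "CORP", "LogonType": "3"}}
# What a parser would face had the changed event kept its old ID:
REUSED_ID = {"event_id": 529, "data": VISTA["data"]}
```

`normalize(LEGACY)` and `normalize(VISTA)` yield the same user, domain and logon type under different `schema` tags, while `normalize(REUSED_ID)` raises `LayoutMismatch` instead of producing a wrong record.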
 