View the different lists
You obtain the list by double clicking a leaf of the tree of the first
panel or with the Display/refresh list choice of the context menu.
You can stop the list generation by clicking on the list panel.
You can sort the columns by clicking the header of each column.
You can reverse the order by clicking again on the header.
You can print the list by clicking on the print button or have a print preview by clicking on the
print preview button. The column width on the printout is proportional to the width seen on the
screen.
For each event, you can see the properties by double clicking on the line.
You obtain a window with three tabs:
- One with the general information and the description.
- One with the data in 3 formats: bytes, words and ASCII.
- One with the parameters of the description.
Some specific fields:
- Num: it's the order number in the log.
- Description: If you list the events of a remote computer, the event description is decoded from this remote computer.
If it fails, the description is decoded from the local computer and the word local is added at the end of the description.
The description will only show if the software or service is installed.
- Parameters: this is the specific data of the current event (for example, an error code), which completes the description.
I have noticed that for some descriptions, all
these parameters are not used (for example the time service of the service
pack).
This list is built with the 528 and 540 events for the beginning, and the 538 event
for the end of the session of the security log, security source logon/logoff category.
For each session, you can have the details by double clicking on the line.
Some specific fields:
- User: name of the user of the session.
The name is in parentheses if the user field of the event is empty; in that case it is the user that generated the event.
- Open session process: it can be one of these:
KSecDD | ksecdd.sys, the security device driver |
User32 or WinLogon\MSGina | winlogon.exe & msgina.dll, the authentication user interface |
SCMgr | The Service Control Manager |
LAN Manager Workstation Service | |
advapi | API call to LogonUser |
IIS | Internet Information Server |
NtLmSsp | NT LAN Manager Security Support Provider |
- Authentication: in general MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
- Session type: a number which means
2 | Interactive session |
3 | Network session (net use, net view or file manager session) |
4 | Batch session |
5 | Service |
6 | Proxy |
7 | Unlock Workstation |
- Domain\user: domain and user name that generated the event.
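
An added example, not part of the tool described here: one way to rebuild such a session list is to pair each 528/540 event with the 538 event that carries the same logon ID. The pairing key, the record layout and the sample rows are assumptions constructed for illustration; this page does not say how the tool itself matches events.

```python
from datetime import datetime

# Session type codes as listed on this page.
SESSION_TYPES = {2: "Interactive", 3: "Network", 4: "Batch",
                 5: "Service", 6: "Proxy", 7: "Unlock Workstation"}
LOGON_EVENTS = {528, 540}   # beginning of a session
LOGOFF_EVENT = 538          # end of a session

# Constructed sample records (not real log data):
# (time, event id, domain\user, logon id, session type)
SAMPLE = [
    ("2001-03-05 08:01:12", 528, "CORP\\alice", "0x1A2B3", 2),
    ("2001-03-05 08:15:40", 540, "CORP\\bob",   "0x1A9F0", 3),
    ("2001-03-05 08:15:55", 538, "CORP\\bob",   "0x1A9F0", 3),
    ("2001-03-05 09:30:00", 540, "CORP\\svc",   "0x1B000", 3),
    ("2001-03-05 17:02:48", 538, "CORP\\alice", "0x1A2B3", 2),
    ("2001-03-05 17:05:00", 538, "CORP\\carol", "0x0FFFF", 3),  # no matching logon
]

def build_sessions(events):
    """Pair start events (528/540) with their end event (538) by logon ID.

    Returns (sessions, orphans): sessions still open keep end=None, and
    orphans are 538 events whose start is not in the log (cleared or wrapped).
    """
    open_sessions, sessions, orphans = {}, [], []
    for ts, event_id, user, logon_id, stype in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id in LOGON_EVENTS:
            open_sessions[logon_id] = {
                "user": user, "start": when, "end": None,
                "type": SESSION_TYPES.get(stype, f"Unknown ({stype})"),
            }
        elif event_id == LOGOFF_EVENT:
            session = open_sessions.pop(logon_id, None)
            if session is None:
                orphans.append((user, logon_id))
            else:
                session["end"] = when
                sessions.append(session)
    sessions.extend(open_sessions.values())  # sessions with no 538 yet
    return sessions, orphans

if __name__ == "__main__":
    closed_and_open, unmatched = build_sessions(SAMPLE)
    for s in closed_and_open:
        print(s["user"], s["type"], s["start"], s["end"] or "(still open)")
    print("538 without a start event:", unmatched)
```

Sessions with no end time and 538 events with no start are worth reviewing separately, since both can result from a cleared or overwritten security log.
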
This list is built with the failure audit type event of the security log, security source logon/logoff category.
For each session, you can have the details by double clicking on the line.
Some specific fields:
- User: name of the user of the session.
The name is in parentheses if the user field of the event is empty; in that case it is the user that generated the event.
- Open session process: it can be one of these:
KSecDD | ksecdd.sys, the security device driver |
User32 or WinLogon\MSGina | winlogon.exe & msgina.dll, the authentication user interface |
SCMgr | The Service Control Manager |
LAN Manager Workstation Service | |
advapi | API call to LogonUser |
IIS | Internet Information Server |
NtLmSsp | NT LAN Manager Security Support Provider |
- Authentication: in general MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
- Session type: a number which means
2 | Interactive session |
3 | Network session (net use, net view or file manager session) |
4 | Batch session |
5 | Service |
6 | Proxy |
7 | Unlock Workstation |
- Domain\user: domain and user name that generated the event.
- Reason: reason of the session failure.
It is the description of the event, the reason is at the beginning.
This list is built with the 20050 event of the system log, RemoteAccess source.
Under Windows 2000, this event seems not to be generated.
I need your eventlog to implement the new events. Please send me your eventlog.
For each session, you can have the details by double clicking on the line.
Some specific fields:
- Domain\user: domain and user name that generated the event.
This list is built with the 10 event of the system log, Print source.
For each print, you can have the details by double clicking on the line.
Some specific fields:
- Domain\user: domain and user name that generated the event.