What's a big difference in the Vista security log? Here's your clue ...
1000 in Base 16/Hex
1000000000000 in Base 2/Binary
4096 in Base 10
If you scan through your security log in Vista, you're going to see some very unfamiliar Event IDs.... 4616 (System Time Changed), 4624 (Successful Logon), etc.
Let's do some quick math:
4616 - 4096 = Our old friend Event ID 520
4624 - 4096 = Our old friend Event ID 528
For fun (I'm sure they had a more legitimate reason, right?), Microsoft decided to add 4096 to quite a few of the old well-known Security Event IDs in Vista. Now bear in mind this "subtract 4096" trick doesn't work for every event, and also understand that some of your favorite Event IDs have gone missing.
Missing Event IDs? Sure.
Like 540 (Successful Network Logon) ... he's been forced to reside with his first cousin 528 (Successful Logon) at 4624 No Caps Lock Drive.
Don't feel bad for 540 though. Just ask those naughty logon failure IDs of yesteryear, like 530 (Account Logon Time Restriction Violation) and 535 (The account password has expired). They - and several of their siblings - now have to live at 4625 Fat Fingers Boulevard.
For all those folks out there using scripts for security log management ... you have some updating to do.