Friday, April 13, 2007

4096 Security Events Lane

What's a big difference in the Vista security log? Here's your clue ...

1000 in Base 16/Hex
1000000000000 in Base 2/Binary
4096 in Base 10

If you scan through your security log in Vista, you're going to see some very unfamiliar Event IDs ... 4616 (System Time Changed), 4624 (Successful Logon), etc.

Let's do some quick math:

4616 - 4096 = Our old friend Event ID 520
4624 - 4096 = Our old friend Event ID 528

For fun (I'm sure they had a more legitimate reason, right?), Microsoft decided to add 4096 to quite a few of the old well-known Security Event IDs in Vista. Now bear in mind this "subtract 4096" trick doesn't work for every event, and also understand that some of your favorite Event IDs have gone missing.

Missing Event IDs? Sure.

Like 540 (Successful Network Logon) ... he's been forced to reside with his first cousin 528 (Successful Logon) at 4624 No Caps Lock Drive.

Don't feel bad for 540 though. Just ask those naughty logon failure IDs of yesteryear, like 530 (Account Logon Time Restriction Violation) and 535 (The account password has expired). They - and several of their siblings - now have to live at 4625 Fat Fingers Boulevard.

For all those folks out there using scripts for security log management ... you have some updating to do.
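A worked example of the renumbering described above, written for this page and not code from the original post: a small translator that applies the "add 4096" rule and, for the consolidations the post names (540 into 4624; 530 and 535 into 4625), overrides it with an explicit table. The `translate_watchlist` helper shows the practical problem for log-management scripts: two legacy IDs a script used to alert on separately now land on one Vista ID, so the script's logic has to change, not just its numbers. The names `legacy_to_vista`, `vista_to_legacy`, `translate_watchlist` and the table contents are this example's own; treating "+4096" as the default for every ID not in the table is an assumption, since the post says the rule does not hold for every event.

```python
"""Translate pre-Vista Security log event IDs to their Vista equivalents.

Added example for this post, not Microsoft's or the author's code.
The +4096 rule and the consolidations below are taken from the post;
the default of "+4096 for everything else" is an assumption.
"""
from typing import Dict, Iterable, Set, Tuple

OFFSET = 4096  # 0x1000: the constant Vista added to many legacy IDs

# Consolidations the post describes: several legacy IDs now report under
# one Vista ID, so "legacy + 4096" would give the wrong answer for them.
# Assumption: this table is partial; the post says more logon-failure
# siblings were folded into 4625 than the two listed here.
CONSOLIDATED: Dict[int, int] = {
    540: 4624,  # Successful Network Logon -> folded into Successful Logon
    530: 4625,  # Logon time restriction violation -> generic logon failure
    535: 4625,  # Account password expired -> generic logon failure
}


def legacy_to_vista(legacy_id: int) -> int:
    """Return the Vista event ID a legacy Security log ID now reports as."""
    return CONSOLIDATED.get(legacy_id, legacy_id + OFFSET)


def vista_to_legacy(vista_id: int) -> Set[int]:
    """Reverse lookup: every legacy ID that now surfaces as vista_id.

    One-to-many by design: 4624 covers both 528 and 540, so a rule that
    assumes a single legacy meaning per Vista ID is already wrong.
    """
    ids = {old for old, new in CONSOLIDATED.items() if new == vista_id}
    candidate = vista_id - OFFSET
    if candidate > 0 and candidate not in CONSOLIDATED:
        ids.add(candidate)  # the plain "+4096" case
    return ids


def translate_watchlist(
    legacy_ids: Iterable[int],
) -> Tuple[Set[int], Dict[int, Set[int]]]:
    """Rewrite a script's watched legacy IDs into Vista IDs.

    Returns the new ID set plus a map of collisions (Vista ID -> the
    legacy IDs that merged into it) so a maintainer knows which alerts
    now need extra event-data filtering rather than a bare ID match.
    """
    new_ids: Set[int] = set()
    merged: Dict[int, Set[int]] = {}
    for old in legacy_ids:
        new = legacy_to_vista(old)
        new_ids.add(new)
        merged.setdefault(new, set()).add(old)
    collisions = {k: v for k, v in merged.items() if len(v) > 1}
    return new_ids, collisions


if __name__ == "__main__":
    # Constructed watchlist of the IDs the post mentions.
    watched = {520, 528, 540, 530, 535}
    new_ids, collisions = translate_watchlist(watched)
    print("watch these Vista IDs:", sorted(new_ids))
    for vista_id, olds in sorted(collisions.items()):
        print(f"  {vista_id} now covers legacy {sorted(olds)} - "
              "add a filter on the event's own fields to tell them apart")
```

Running the block prints a Vista watchlist of `[4616, 4624, 4625]` and flags 4624 (528 and 540) and 4625 (530 and 535) as merged IDs that a script can no longer distinguish by number alone.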


Kay-K said...

Sadly, I belong to the 'script users for security log management' club, and I am finding it hard to come to terms with the changes for lack of proper documentation on Microsoft's side. Well... in case you happen to catch hold of some reference stating all changes in Vista logs, help our cause by shouting it loud.

Eric Fitzgerald said...

Shouting it out loud on the DorianSoft blog doesn't let Microsoft know about the problem...