LsaSrv
88 events across 6 channels
Event ID 100: The security package does not cache the credentials needed to authenticate to the server.
#Event ID 200: A security package received a network logon request after the logoff completed.
#Description
A security package received a network logon request after the logoff completed.
Message #
Fields #
| Name | Description |
|---|---|
UserName UnicodeString | |
DomainName UnicodeString | |
LogonId HexInt64 | |
LogoffTime SYSTEMTIME | |
PID UInt32 | |
Program UnicodeString | |
PrincipalName UnicodeString | |
ServerName UnicodeString | |
PackageName UnicodeString | |
CallType UnicodeString | |
ErrorCode HexInt32 |
Event ID 300: Groups assigned to a new logon.
#Description
Groups assigned to a new logon.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
TargetUserSid SID | [New Logon] Security ID. | 4 detection rules |
TargetUserName UnicodeString | [New Logon] Account Name. | |
TargetDomainName UnicodeString | [New Logon] Account Domain. | |
TargetLogonId HexInt64 | [New Logon] Logon ID. | |
TargetLogonGuid GUID | [New Logon] Logon GUID. | |
EventOrginal UInt32 | [New Logon] Event in sequence. | |
EventCountTotal UInt32 | ||
SidList UnicodeString | [New Logon] Group Membership. | 4 detection rules |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-06-13T14:10:44.2128156+00:00",
"event_record_id": 7244,
"correlation": {},
"execution": {
"process_id": 896,
"thread_id": 3036
},
"channel": "Microsoft-Windows-LSA/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TargetUserSid": "S-1-5-18",
"TargetUserName": "TELEMETRY-DC-C$",
"TargetDomainName": "cell-c",
"TargetLogonId": "0x2993ea9",
"TargetLogonGuid": "{00000000-0000-0000-0000-000000000000}",
"EventOrginal": "1",
"EventCountTotal": "1",
"SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-1-0}\n\t\t%{S-1-5-32-554}\n\t\t%{S-1-5-32-545}\n\t\t%{S-1-5-32-560}\n\t\t%{S-1-5-2}\n\t\t%{S-1-5-11}\n\t\t%{S-1-5-15}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-1001}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-516}\n\t\t%{S-1-5-9}\n\t\t%{S-1-18-1}\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}"
},
"message": "Groups assigned to a new logon.\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tTELEMETRY-DC-C$\r\n\tAccount Domain:\t\tcell-c\r\n\tLogon ID:\t\t0x2993EA9\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nEvent in sequence:\t\t1 of 1\r\n\r\nGroup Membership:\t\t\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-554}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-560}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-1001}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-516}\r\n\t\t%{S-1-5-9}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-1006758700-2167138679-1475694448-572}"
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
TargetUserSid | starts_with | S-1-5-21- | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Event ID 301: Claims assigned to a new logon.
#Description
Claims assigned to a new logon.
Message #
Fields #
| Name | Description |
|---|---|
TargetUserSid SID | SID of the target account. |
TargetUserName UnicodeString | Account name of the target. |
TargetDomainName UnicodeString | Domain or machine name of the target account. |
TargetLogonId HexInt64 | Logon session identifier (LUID) for the target. |
TargetLogonGuid GUID | |
LogonType UInt32 | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). Logon type reference |
EventIdx UInt32 | |
EventCountTotal UInt32 | |
UserClaims UnicodeString | |
DeviceClaims UnicodeString |
Event ID 302: User UserSid logged off notification is received.
#Description
User UserSid logged off notification is received.
Message #
Fields #
| Name | Description |
|---|---|
UserSid SID | |
LogonId HexInt64 | |
AuthorityName UnicodeString | |
AccountName UnicodeString | |
Elapse UInt32 |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
"event_source_name": "",
"event_id": 302,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-14T21:58:13.455090+00:00",
"event_record_id": 4682,
"correlation": {},
"execution": {
"process_id": 940,
"thread_id": 3528
},
"channel": "Microsoft-Windows-LSA/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"LogonId": "0xc979b",
"AuthorityName": "ludus",
"AccountName": "domainadmin",
"Elapse": 30
},
"message": ""
}
Event ID 303: The security package does not cache the user's sign on credentials.
#Description
The security package does not cache the user's sign on credentials.
Message #
Fields #
| Name | Description |
|---|---|
PackageName UnicodeString | |
UserName UnicodeString | |
DomainName UnicodeString | |
ProtectedUser UInt32 |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
"event_source_name": "",
"event_id": 303,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:06:34.507918+00:00",
"event_record_id": 51,
"correlation": {
"ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
},
"execution": {
"process_id": 968,
"thread_id": 7780
},
"channel": "Microsoft-Windows-LSA/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PackageName": "CREDSSP",
"UserName": "LAB-DC01$",
"DomainName": "ludus",
"ProtectedUser": 0
},
"message": ""
}
Event ID 320: Automatic restart sign on successfully configured the autologon credentials for: Account Name: Account_Name Account Domain: Account_Domain.
#Event ID 321: Automatic restart sign on failed to configure the autologon credentials with error.
#Description
Automatic restart sign on failed to configure the autologon credentials with error.
Message #
Fields #
| Name | Description |
|---|---|
Error UnicodeString |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
"event_source_name": "",
"event_id": 321,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-14T01:38:46.851959+00:00",
"event_record_id": 7296,
"correlation": {
"ActivityID": "C5FDF330-93D8-4242-8AA4-AC8874FCA611"
},
"execution": {
"process_id": 984,
"thread_id": 6436
},
"channel": "Microsoft-Windows-LSA/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Error": "\"{Access Denied}\r\nA process has requested access to an object, but has not been granted those access rights.\r\n (0xc0000022)\""
},
"message": ""
}
Event ID 322: Automatic restart sign on successfully deleted autologon credentials from LSA memory
#Description
Automatic restart sign on successfully deleted autologon credentials from LSA memory.
Message #
Event ID 5000: The security package Package generated an exception.
#Event ID 6025: Could not upgrade the Trusted domain object for domain {Domain}.
#Event ID 6027: Could not upgrade the global secret Secret.
#Description
Could not upgrade the global secret Secret. Please check the status of all services in the system.
Message #
Fields #
| Name | Description |
|---|---|
Secret UnicodeString | |
__binLength UInt32 | |
status Binary | NTSTATUS reference |
Event ID 6029: LSA could not update domain information in the registry to match the DS.
#Event ID 6031: The database contains invalid information for trusted domain {Domain}.
#Event ID 6033: An anonymous session connected from Client has attempted to open an LSA policy handle on this machine.
#Description
An anonymous session connected from Client has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day.
Message #
Fields #
| Name | Description |
|---|---|
Client UnicodeString |
Event ID 6034: The new top level name; {TopLevelName}; has been added to the forest {Forestname}.
#Event ID 6035: During a logon attempt, the user's security context accumulated too many security IDs.
#Description
During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context. User's SID is SID If this is the Administrator account, logging on in safe mode will enable Administrator to log on by automatically restricting group memberships.
Message #
Fields #
| Name | Description |
|---|---|
SID SID |
Event ID 6036: The program Program, with the assigned Process ID PID, supplied a NULL or empty target name for the pszTargetName parameter when calling the InitializeSe...
#Description
The program Program, with the assigned Process ID PID, supplied a NULL or empty target name for the pszTargetName parameter when calling the InitializeSecurityContext API to initiate an outbound NTLM security context. This is a security risk when mutual authentication is required. To help protect against a malicious attack, make your code more secure. To do this, change the program so that it specifies a target name in the pszTargetName parameter field, and then recompile the code.
Message #
Fields #
| Name | Description |
|---|---|
PID UnicodeString | |
Program UnicodeString |
Event ID 6037: The program Data_1, with the assigned process ID Data_0, could not authenticate locally by using the target name Data_2.
#Description
The program Program, with the assigned process ID PID, could not authenticate locally by using the target name TargetName. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name. Try a different target name.
Message #
Fields #
| Name | Description |
|---|---|
PID UnicodeString | |
Program UnicodeString | |
TargetName UnicodeString |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199fe037-2b82-40a9-82ac-e1d46c792b99}",
"event_source_name": "LsaSrv",
"event_id": 6037,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-15T05:52:15.004853+00:00",
"event_record_id": 13485,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "12832",
"Data_1": "svchost.exe",
"Data_2": "HOST/.",
"Binary": ""
},
"message": ""
}
Event ID 6038: Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.
#Description
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server. NTLM is a weaker authentication mechanism. Please check: Which applications are using NTLM authentication? Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication? If NTLM must be supported, is Extended Protection configured? Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Message #
Fields #
| Name | Description |
|---|---|
Data_0 | |
Binary |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 6038,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-29T16:38:34.5584199+00:00",
"event_record_id": 6842,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.\r\n \r\nNTLM is a weaker authentication mechanism. Please check:\r\n \r\n Which applications are using NTLM authentication?\r\n Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?\r\n If NTLM must be supported, is Extended Protection configured?\r\n \r\nDetails on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699."
}
Detection Patterns #
Lateral Movement: Pass the Hash
1 rule
Event ID 6039: Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server.
#Description
Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server. NTLM is a weaker authentication mechanism. Please check: Which applications are using NTLM authentication? Are there configuration issue preventing the use stronger authentication such as Kerberos authentication? If NTLM must be supported, is Extended Protection configured? Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Message #
Detection Patterns #
Lateral Movement: Pass the Hash
1 rule
Event ID 6040: An authentication request for package Package was rejected because the target information was invalid.
#Event ID 6041: A CredSSP authentication to TargetName failed to negotiate a common protocol version.
#Event ID 6144: A secret object private to LSA was queried by a client.
#Description
A secret object private to LSA was queried by a client. This object was returned in encrypted format for security reasons.
Message #
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
"event_source_name": "",
"event_id": 6144,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T00:56:02.886908+00:00",
"event_record_id": 2014,
"correlation": {
"ActivityID": "4FECCB45-5562-44FC-B3DC-6A5D82E66B8A"
},
"execution": {
"process_id": 764,
"thread_id": 6788
},
"channel": "System",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 6145: An error occurred while retrieving new Central Access Policies for this machine.
#Event ID 6146: An error occurred while processing new Central Access Policies for this machine.
#Description
An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies.
Message #
Fields #
| Name | Description |
|---|---|
Error UnicodeString | [An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Error. |
CAPEName UnicodeString | |
CAPEDesc UnicodeString |
Event ID 6147: Credential Guard is configured to run, but is not licensed.
#Description
Credential Guard is configured to run, but is not licensed. Credential Guard was not started.
Message #
Event ID 6148: The PDC completed an automatic trust scan operation for all trusts with no errors.
#Description
The PDC completed an automatic trust scan operation for all trusts with no errors.
Message #
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 6148,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-29T23:47:51.1974213+00:00",
"event_record_id": 6878,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 5768
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The PDC completed an automatic trust scan operation for all trusts with no errors.\r\n\r\nMore information can be found at https://go.microsoft.com/fwlink/?linkid=2162089."
}
Event ID 6149: The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.
#Description
The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.
Message #
Event ID 6150: The PDC completed an administrator-requested trust scan operation for the trust 'TrustName' with no errors.
#Event ID 6151: The PDC was unable to find the specified trust 'TrustName' to scan.
#Event ID 6152: The PDC completed an administrator-requested trust scan operation for the trust 'TrustName' and encountered an error.
#Event ID 6153: The PDC encountered an error trying to scan the named trust.
#Event ID 6154: Possible use of roaming Credential Manager credentials with Credential Guard detected.
#Description
Possible use of roaming Credential Manager credentials with Credential Guard detected. This feature is unsupported. Refer to Credential Guard documentation for more details.
Message #
Event ID 6155: LSA package is not signed as expected.
#Description
LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.
Message #
Fields #
| Name | Description |
|---|---|
PackageName UnicodeString |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
"event_source_name": "",
"event_id": 6155,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:27.966390+00:00",
"event_record_id": 1665,
"correlation": {
"ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
},
"execution": {
"process_id": 808,
"thread_id": 812
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PackageName": "msv1_0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6156: Credential Guard auto enablement status.
#Description
Credential Guard auto enablement status.
Message #
Fields #
| Name | Description |
|---|---|
HardwareChecks UInt32 | Hardware Requirements. |
ADDomainJoin UInt32 | Domain Joined. |
AADDomainJoin UInt32 | Azure AD Joined. |
IsLicensed | |
DomainController |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 6156,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T13:53:47.1899515+00:00",
"event_record_id": 2663,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 972
},
"channel": "System",
"computer": "telemetry-W11-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HardwareChecks": "1",
"ADDomainJoin": "1",
"AADDomainJoin": "0",
"IsLicensed": "1",
"DomainController": "0"
},
"message": "Credential Guard auto enablement status.\r\n\r\nHardware Requirements for Virtualization Based Security:\t1\r\nDomain Joined:\t1\r\nAzure AD Joined:\t0\r\n Licensed for Credential Guard:\t1\r\nDomain Controller:\t0"
}
Event ID 6157: The PDC completed a background trust scan operation of the named trust.
#Event ID 6158: Error reading Credential Guard.
#Description
Error reading Credential Guard (LsaIso.exe) UEFI configuration: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
Event ID 6160: LsaIso.
#Description
LsaIso.exe, the host process for Credential Guard and Key Guard, failed to launch: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
Event ID 6161: Credential Guard configuration: Config, IsTestConfig, AutoEnabled.
#Event ID 6162: Key Guard was started and will protect VSM-isolated keys.
#Description
Key Guard was started and will protect VSM-isolated keys.
Message #
Event ID 6163: Credential Guard was started and will protect LSA credentials.
#Description
Credential Guard was started and will protect LSA credentials.
Message #
Event ID 6164: Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.
#Description
Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.
Message #
Event ID 6165: VBS bound machine secret is present but falling back to LSA bound secret.
#Event ID 6166: Machine Identity Isolation status.
#Event ID 6167: There is a partial mismatch in the machine ID.
#Description
There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.
Message #
Event ID 6167: There is a partial mismatch in the machine ID
#Description
There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.
Event ID 6182: LogonSession alive after interactive user logoff.
#Event ID 6225: CATEGORY_LSA_LOGON
#Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 6225,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": "0x4000000000000000",
"time_created": "2026-06-02T05:18:30.747+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{1A90F6D3-7DD5-4248-8637-2C16285553BB}"
},
"execution": {
"process_id": 1132,
"thread_id": 20716
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "CATEGORY_LSA_LOGON"
}
Event ID 6226: CATEGORY_LSA_LOGON
#Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 6226,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": "0x4000000000000000",
"time_created": "2026-06-02T05:18:30.748+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{1A90F6D3-7DD5-4248-8637-2C16285553BB}"
},
"execution": {
"process_id": 1132,
"thread_id": 20716
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "CATEGORY_LSA_LOGON"
}
Event ID 6227: LSASID_NameLookupStart
#Event ID 6228: LSASID_NameLookupStop
#Event ID 6229: LSASID_NameLookupStart6229
#Event ID 6230: LSASID_NameLookupStop6230
#Event ID 6231: SecurityPackageManagerStart
#Event ID 6232: SecurityPackageManagerStop
#Event ID 29186: Moving the existing logon scripts from {OldScripts} to {NewScripts} failed.
#Event ID 29187: Running the Security Configuration Editor over the Domain Controller encountered a non-fatal error.
#Event ID 29188: An existing; incompatible trust object was found on the parent server for domain {DomainName}.
#Event ID 29216: Failed to disable auto logon following the successful upgrade of a domain controller.
#Event ID 29217: Failed to set the default logon domain to {DomainName}.
#Event ID 29221: During the demotion operation; the trust object on {ParentName} could not be removed.
#Event ID 29241: Dcpromo failed to configure the new starttype of {Flags} for the service {ServiceName} during forced demotion.
#Event ID 29242: Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during forced demotion.
#Event ID 32768: The interdomain trust account for the domain {Domain} could not be deleted.
#Event ID 32772: The interdomain trust account for the domain {Domain} could not be created.
#Event ID 32773: A lookup request was made that required connectivity to a domain controller in domain Domain.
#Description
A lookup request was made that required connectivity to a domain controller in domain Domain. The LSA was unable to find a domain controller in the domain and thus failed the request. Please check connectivity and secure channel setup from this domain controller to the domain TargetDomain.
Message #
Fields #
| Name | Description |
|---|---|
Domain UnicodeString | |
TargetDomain UnicodeString | |
__binLength UInt32 | |
status Binary | NTSTATUS reference |
Event ID 32774: A lookup request was made that required connectivity to the domain controller Domain.
#Description
A lookup request was made that required connectivity to the domain controller Domain. The local LSA was unable to contact the LSA on the remote domain controller. Please check connectivity and secure channel setup from this domain controller to the domain controller TargetDomain.
Message #
Fields #
| Name | Description |
|---|---|
Domain UnicodeString | |
TargetDomain UnicodeString | |
__binLength UInt32 | |
status Binary | NTSTATUS reference |
Event ID 32775: A lookup request was made that required the lookup services on the remote domain controller Domain.
#Description
A lookup request was made that required the lookup services on the remote domain controller Domain. The remote domain controller failed the request thus the local LSA failed the original lookup request. Please check connectivity and secure channel setup from this domain controller to the domain controller TargetDomain.
Message #
Fields #
| Name | Description |
|---|---|
Domain UnicodeString | |
TargetDomain UnicodeString | |
__binLength UInt32 | |
status Binary | NTSTATUS reference |
Event ID 32777: The LSA was unable to register its RPC interface over the TCP/IP interface.
#Description
The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.
Message #
Event ID 32778: The name {Name} was translated to SID {SID} from the trusted forest {Forest}.
#Event ID 32780: The LSA was unable to notify UBPM during startup with status Status.
#Description
The LSA was unable to notify UBPM during startup with status Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
Event ID 40960: The Security System detected an authentication error for the server Target.
#Description
The Security System detected an authentication error for the server Target. The failure code from authentication protocol Protocol was Error.
Message #
Fields #
| Name | Description |
|---|---|
Target UnicodeString | |
Protocol UnicodeString | Known values
|
Error UnicodeString |
Event ID 40961: The Security System could not establish a secured connection with the server Target.
#Event ID 40962: The Security System was unable to authenticate to the server Target because the server has completed the authentication, but the client authentication ...
#Description
The Security System was unable to authenticate to the server Target because the server has completed the authentication, but the client authentication protocol Protocol has not.
Message #
Fields #
| Name | Description |
|---|---|
Target UnicodeString | |
Protocol UnicodeString | Known values
|
Event ID 40964: The Security System received an authentication attempt with an unknown authentication protocol.
#Description
The Security System received an authentication attempt with an unknown authentication protocol. The request has failed.
Message #
Event ID 40965: The Security System has selected Protocol for the authentication protocol to server Target.
#Event ID 40966: The Security System has received an authentication attempt, and determined that the protocol Protocol preferred by the client is acceptable.
#Description
The Security System has received an authentication attempt, and determined that the protocol Protocol preferred by the client is acceptable.
Message #
Fields #
| Name | Description |
|---|---|
Protocol UnicodeString | Known values
|
Event ID 40967: The Security System has received an authentication request directly for authentication protocol Protocol.
#Event ID 40968: The Security System has received an authentication request that could not be decoded.
#Description
The Security System has received an authentication request that could not be decoded. The request has failed.
Message #
Event ID 40969: The Security System has received an authentication attempt, and determined that the protocol Protocol is the common protocol.
#Event ID 40970: The Security System has detected a downgrade attempt when contacting the 3-part SPN.
#Description
The Security System has detected a downgrade attempt when contacting the 3-part SPN.
Message #
Fields #
| Name | Description |
|---|---|
Target UnicodeString | |
Error UnicodeString |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
"event_source_name": "",
"event_id": 40970,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T23:06:30.699004+00:00",
"event_record_id": 12309,
"correlation": {},
"execution": {
"process_id": 936,
"thread_id": 11176
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Target": "ldap/LAB-DC01.ludus.domain/ludus.domain@LUDUS.DOMAIN",
"Error": "\"The attempted logon is invalid. This is either due to a bad username or authentication information.\r\n (0xc000006d)\""
},
"message": ""
}
Event ID 40971: The Security System is auditing a downgrade attempt when contacting the 3-part SPN
#Event ID 45056: Logon cache was disabled.
#Description
Logon cache was disabled. Intermittent authentication failures may result during periods of network latency or interrupts. Please contact your system administrator.
Message #
Event ID 45057: A failed logon attempt has caused a logon cache entry for user Username to be deleted.
#Description
A failed logon attempt has caused a logon cache entry for user Username to be deleted. The authentication package was Package, and the error message was Error.
Message #
Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Username UnicodeString | |
Package UnicodeString | |
Error UnicodeString |
Example Event #
{
"system": {
"provider": "LsaSrv",
"guid": "{199FE037-2B82-40A9-82AC-E1D46C792B99}",
"event_source_name": "",
"event_id": 45057,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-18T18:46:23.9415145+00:00",
"event_record_id": 3127,
"correlation": {},
"execution": {
"process_id": 1076,
"thread_id": 0
},
"channel": "System",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "domainuser@LUDUS.DOMAIN",
"Data_1": "Kerberos",
"Data_2": "\"The referenced account is currently disabled and may not be logged on to.\n (0xc0000072)\""
},
"message": "A failed logon attempt has caused a logon cache entry for user domainuser@LUDUS.DOMAIN to be deleted. The authentication package was Kerberos, and the error message was \"The referenced account is currently disabled and may not be logged on to.\r\n (0xc0000072)\"."
}
Event ID 45058: A logon cache entry for user UserName was the oldest entry and was removed.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {199FE037-2B82-40A9-82AC-E1D46C792B99}
Defined in lsasrv.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3804, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3804, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02