on 06-22-2015 11:58 AM
Hi mates,
We restarted our application servers last week without restarting the main central production server. After that we tried to start the application servers they are not starting and load balancing is not happening in our PRD system and we are facing performance.
However when i tried to start the services i am getting error:1067 which i have attached below. We had faced the same problem last time and that time the logon user of the service had changed to local admin anh hence we corrected the user and changed it to SAPservice user.However this time the user has not changed but the problem exists and the management console is also not starting. I am in serious need of some solution.Anyone who knows abou this error please do help..
Regards,
Adarsh
Hi Adarsh
On your application go to folder under \usr\SAP\SID\Dxx\exe, You can find the two files
SAPStartSrv.exe & SAPStartSrv.exe.new
rename the file from sapstartsrv.exe to sapstartsrv.exe.old
rename the file from sapstartsrv.exe.new to sapstartsrv.exe
rename the file from sapstartsrv.exe.old to sapstartsrv.exe.new
and then check the windows services
Regards
SS
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
HI Adarsh,
Can you please share the logs from windows event viewer on why the startup of this service failed ?
Also, refer below KBA and see if that helps.
2155767 - SAP Service SAP<SID>_NN fails to start: Error 13 EACCES*: Permission denied OR: The data is invalid
Regards,
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sir,
I am attaching the event log files.Please do go through this..
--------------------------------------------------------------------------------------------------------------------------------------------
Level | Date and Time | Source | Event ID | Task Category | |
Information | 22-06-2015 16:51:44 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Information | 22-06-2015 16:51:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:51:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ACE245 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Error | 22-06-2015 16:51:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:51:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:51:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:51:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:51:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ACE245 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:51:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ACE245 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:51:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:51:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:51:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:51:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:50:43 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Information | 22-06-2015 16:50:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:50:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ACA790 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Error | 22-06-2015 16:50:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:50:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:50:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:50:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:50:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ACA790 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:50:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ACA790 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:50:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:50:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:50:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:50:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:49:42 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Information | 22-06-2015 16:49:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:49:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AC3DC9 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Error | 22-06-2015 16:49:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:49:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:49:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:49:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:49:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AC3DC9 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:49:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AC3DC9 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:49:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:49:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:49:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:49:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:48:41 | Microsoft-Windows-WMI-Activity | 5857 | None | CIMWin32 provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\cimwin32.dll |
Information | 22-06-2015 16:48:41 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Information | 22-06-2015 16:48:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:48:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AC18DD |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Error | 22-06-2015 16:48:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:48:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:48:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:48:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:48:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AC18DD |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:48:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AC18DD | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:48:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:48:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:48:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:48:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:47:42 | Service Control Manager | 7036 | None | The WMI Performance Adapter service entered the running state. |
Information | 22-06-2015 16:47:42 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | SYSTEM | ||
Account Domain: | NT AUTHORITY | ||
Logon ID: | 0x3E7 |
Privileges: | SeAssignPrimaryTokenPrivilege | ||||
SeTcbPrivilege | |||||
SeSecurityPrivilege | |||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeAuditPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:47:42 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | SYSTEM | ||
Account Name: | SYSTEM | ||
Account Domain: | NT AUTHORITY | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | |||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:47:42 | Service Control Manager | 7036 | None | The WMI Performance Adapter service entered the stopped state. |
Information | 22-06-2015 16:47:42 | Service Control Manager | 7036 | None | The WMI Performance Adapter service entered the running state. |
Information | 22-06-2015 16:47:42 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | SYSTEM | ||
Account Domain: | NT AUTHORITY | ||
Logon ID: | 0x3E7 |
Privileges: | SeAssignPrimaryTokenPrivilege | ||||
SeTcbPrivilege | |||||
SeSecurityPrivilege | |||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeAuditPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:47:42 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | SYSTEM | ||
Account Name: | SYSTEM | ||
Account Domain: | NT AUTHORITY | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | |||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:47:42 | Service Control Manager | 7036 | None | The WMI Performance Adapter service entered the stopped state. |
Information | 22-06-2015 16:47:42 | vmStatsProvider | 256 | General | "The ""vmStatsProvider"" is successfully initialized for this Virtual Machine. WMI namespace: ""root\cimv2""." |
Information | 22-06-2015 16:47:42 | vmStatsProvider | 258 | Guest Library API | "The ""vmGuestLibrary"" is successfully initialized for this Virtual Machine." |
Information | 22-06-2015 16:47:42 | vmStatsProvider | 256 | General | "The ""vmStatsProvider"" is successfully initialized for this Virtual Machine. WMI namespace: ""root\cimv2""." |
Information | 22-06-2015 16:47:42 | vmStatsProvider | 258 | Guest Library API | "The ""vmGuestLibrary"" is successfully initialized for this Virtual Machine." |
Information | 22-06-2015 16:47:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:47:40 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Information | 22-06-2015 16:47:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ABC86E |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Error | 22-06-2015 16:47:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:47:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:47:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:47:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:47:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ABC86E |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:47:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ABC86E | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:47:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:47:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:47:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:47:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:46:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ABAD11 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:46:40 | Microsoft-Windows-WMI-Activity | 5857 | None | CIMWin32 provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\cimwin32.dll |
Information | 22-06-2015 16:46:40 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:46:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:46:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:46:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:46:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:46:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ABAD11 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:46:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8ABAD11 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:46:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:46:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:46:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:46:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:45:42 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:45:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WMIProv provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 2508; ProviderPath = %systemroot%\system32\wbem\wmiprov.dll |
Information | 22-06-2015 16:45:41 | Service Control Manager | 7036 | None | The WMI Performance Adapter service entered the running state. |
Information | 22-06-2015 16:45:41 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | SYSTEM | ||
Account Domain: | NT AUTHORITY | ||
Logon ID: | 0x3E7 |
Privileges: | SeAssignPrimaryTokenPrivilege | ||||
SeTcbPrivilege | |||||
SeSecurityPrivilege | |||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeAuditPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:45:41 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | SYSTEM | ||
Account Name: | SYSTEM | ||
Account Domain: | NT AUTHORITY | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | |||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:45:41 | vmStatsProvider | 256 | General | "The ""vmStatsProvider"" is successfully initialized for this Virtual Machine. WMI namespace: ""root\cimv2""." |
Information | 22-06-2015 16:45:41 | vmStatsProvider | 258 | Guest Library API | "The ""vmGuestLibrary"" is successfully initialized for this Virtual Machine." |
Information | 22-06-2015 16:45:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AB62C4 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:45:39 | Microsoft-Windows-WMI-Activity | 5857 | None | CIMWin32 provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\cimwin32.dll |
Information | 22-06-2015 16:45:39 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:45:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:45:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:45:28 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:45:28 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:45:28 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AB62C4 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:45:28 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8AB62C4 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:45:28 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:45:28 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:45:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:45:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:44:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:44:40 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A88272 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:44:38 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:44:28 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Error | 22-06-2015 16:44:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:44:28 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:44:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:44:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:44:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:44:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A88272 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:44:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A88272 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:44:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:44:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Information | 22-06-2015 16:43:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:43:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A85FFD |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:43:37 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:43:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:43:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:43:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:43:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:43:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A85FFD |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:43:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A85FFD | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:43:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:43:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:43:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:43:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:42:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:42:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A82A85 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:42:36 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:42:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:42:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:42:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:42:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:42:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A82A85 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:42:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A82A85 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:42:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:42:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:42:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:42:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:41:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:41:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A8062C |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:41:35 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:41:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:41:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:41:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:41:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:41:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A8062C |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:41:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A8062C | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:41:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:41:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:41:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:41:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:40:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:40:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7E1CE |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:40:35 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:40:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:40:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:40:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:40:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:40:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7E1CE |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:40:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7E1CE | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:40:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:40:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:40:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:40:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:39:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:39:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7BE19 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:39:34 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:39:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:39:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:39:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:39:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:39:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7BE19 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:39:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7BE19 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:39:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:39:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:39:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:39:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:38:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:38:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A79662 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:38:33 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:38:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:38:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:38:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:38:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:38:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A79662 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:38:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A79662 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:38:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:38:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:38:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:38:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:37:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:37:39 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7572B |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:37:37 | Microsoft-Windows-TaskScheduler | 102 | Task completed | "Task Scheduler successfully finished ""{7C1BBD23-9AAA-4471-B93C-A6BB6A8D0C35}"" instance of the ""\Microsoft\Windows\CertificateServicesClient\UserTask"" task for user ""MIGPRDAPP2\Administrator""." |
Information | 22-06-2015 16:37:37 | Microsoft-Windows-TaskScheduler | 201 | Action completed | "Task Scheduler successfully completed task ""\Microsoft\Windows\CertificateServicesClient\UserTask"" , instance ""{7C1BBD23-9AAA-4471-B93C-A6BB6A8D0C35}"" , action ""Certificate Services Client Task Handler"" with return code 0." |
Information | 22-06-2015 16:37:37 | Microsoft-Windows-TaskScheduler | 200 | Action started | "Task Scheduler launched action ""Certificate Services Client Task Handler"" in instance ""{7C1BBD23-9AAA-4471-B93C-A6BB6A8D0C35}"" of task ""\Microsoft\Windows\CertificateServicesClient\UserTask""." |
Information | 22-06-2015 16:37:37 | Microsoft-Windows-TaskScheduler | 100 | Task Started | "Task Scheduler started ""{7C1BBD23-9AAA-4471-B93C-A6BB6A8D0C35}"" instance of the ""\Microsoft\Windows\CertificateServicesClient\UserTask"" task for user ""MIGPRDAPP2\Administrator""." |
Information | 22-06-2015 16:37:37 | Microsoft-Windows-TaskScheduler | 129 | Created Task Process | "Task Scheduler launch task ""\Microsoft\Windows\CertificateServicesClient\UserTask"" , instance ""taskhost.exe"" with process ID 2172." |
Information | 22-06-2015 16:37:37 | Microsoft-Windows-TaskScheduler | 119 | Task triggered on logon | "Task Scheduler launched ""{7C1BBD23-9AAA-4471-B93C-A6BB6A8D0C35}"" instance of task ""\Microsoft\Windows\CertificateServicesClient\UserTask"" due to user ""MIGPRDAPP2\Administrator"" logon." |
Information | 22-06-2015 16:37:32 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:37:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:37:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:37:27 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:37:27 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:37:27 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7572B |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:37:27 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A7572B | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:37:27 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:37:27 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:37:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:37:27 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Information | 22-06-2015 16:36:42 | Service Control Manager | 7036 | None | The WMI Performance Adapter service entered the stopped state. |
Information | 22-06-2015 16:36:41 | Microsoft-Windows-WMI-Activity | 5857 | None | WmiPerfInst provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 3856; ProviderPath = C:\Windows\System32\wbem\WmiPerfInst.dll |
Information | 22-06-2015 16:36:38 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A72178 |
Logon Type: | 5 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:36:31 | Microsoft-Windows-TaskScheduler | 329 | Task stopping due to timeout reached | "Task Scheduler terminated ""{9BE4A5FB-3EC9-4081-9D0B-8F7A3C40FADA}"" instance of the ""\Microsoft\Windows\Shell\CreateObjectTask"" task due to exceeding the time allocated for execution, as configured in the task definition. User Action: Increase the configured task timeout or investigate external reasons for the delay." |
Information | 22-06-2015 16:36:31 | Microsoft-Windows-WMI-Activity | 5857 | None | CIMWin32 provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\cimwin32.dll |
Information | 22-06-2015 16:36:31 | Microsoft-Windows-WMI-Activity | 5857 | None | MSVDS__PROVIDER provider started with result code 0x0. HostProcess = wmiprvse.exe; ProcessID = 4000; ProviderPath = %systemroot%\system32\wbem\vdswmi.dll |
Error | 22-06-2015 16:36:27 | Service Control Manager | 7031 | None | The SAPMIP_14 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. |
Information | 22-06-2015 16:36:26 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004_Classes. |
Information | 22-06-2015 16:36:26 | Microsoft-Windows-User Profiles Service | 67 | None | "Logon type: Regular |
Local profile location: C:\Users\SAPServiceMIP
Profile type: Regular"
Information | 22-06-2015 16:36:26 | Microsoft-Windows-User Profiles Service | 5 | None | Registry file C:\Users\SAPServiceMIP\ntuser.dat is loaded at HKU\S-1-5-21-3992712574-2069093884-2571569125-1004. |
Information | 22-06-2015 16:36:26 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A72178 |
Privileges: | SeSecurityPrivilege | ||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:36:26 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 5 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\SAPServiceMIP | ||
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A72178 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:36:26 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | SAPServiceMIP | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x1fc | ||
Process Name: | C:\Windows\System32\services.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:36:26 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | SAPServiceMIP | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Error | 22-06-2015 16:36:26 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Initialization failed. Service not started. [D:/depot/bas/740_REL/src/proj/ntserv/ntservmain.cpp 1562]
"
Error | 22-06-2015 16:36:26 | SAP???_?? | 0 | None | "The description for Event ID 0 from source SAP???_?? cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. |
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Cannot open Profile \\MIGPRD\sapmnt\MIP\SYS\profile\MIP_D14_MIGPRDAPP2. (Error 5 EIO*: Input/output error OR: Access is denied.) [D:/depot/bas/740_REL/src/proj/ntserv/ntservstart.cpp 1085]
"
Error | 22-06-2015 16:36:03 | Microsoft-Windows-TerminalServices-Printers | 1111 | None | Driver Microsoft XPS Document Writer required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again. |
Error | 22-06-2015 16:36:03 | Microsoft-Windows-TerminalServices-Printers | 1111 | None | Driver FMPrinter required for printer FMPrinter is unknown. Contact the administrator to install the driver before you log in again. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 300 | None | The device container '{B0C9E24A-95CF-6468-1816-CD1F688506E6}' has entered the ready state |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 112 | None | Device 'Fax (redirected 3)' ({B0C9E24A-95CF-6468-1816-CD1F688506E6}) has been serviced, processed 6 tasks, wrote 34 properties, active worktime was 0 milliseconds. |
Warning | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 201 | None | A connection to the Windows Metadata and Internet Services (WMIS) could not be established. |
Warning | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 202 | None | The Network List Manager reports no connectivity to the internet. |
Warning | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 200 | None | A connection to the Windows Update service could not be established. |
Warning | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 202 | None | The Network List Manager reports no connectivity to the internet. |
Warning | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 200 | None | A connection to the Windows Update service could not be established. |
Warning | 22-06-2015 16:36:02 | Microsoft-Windows-DeviceSetupManager | 202 | None | The Network List Manager reports no connectivity to the internet. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 4 | None | New device interface '\\?\SWD#PRINTENUM#{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}#{0ecef634-6ef0-472a-8085-5ad023ecbccd}' with interface class {0ECEF634-6EF0-472A-8085-5AD023ECBCCD} has been registered. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 1 | None | Device container {B0C9E24A-95CF-6468-1816-CD1F688506E6} is unconfigured. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 2 | None | Property '{78C34FC8-104A-4ACA-9EA4-524D52996E57} 90' on device 'SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}' changed. This may affect the value of a property on device container {B0C9E24A-95CF-6468-1816-CD1F688506E6}. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 2 | None | Property '{78C34FC8-104A-4ACA-9EA4-524D52996E57} 84' on device 'SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}' changed. This may affect the value of a property on device container {B0C9E24A-95CF-6468-1816-CD1F688506E6}. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 2 | None | Property '{CF73BB51-3ABF-44A2-85E0-9A3DC7A12132} 2' on device 'SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}' changed. This may affect the value of a property on device container {B0C9E24A-95CF-6468-1816-CD1F688506E6}. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 2 | None | Property '{A45C254E-DF1C-4EFD-8020-67D146A850E0} 14' on device 'SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}' changed. This may affect the value of a property on device container {B0C9E24A-95CF-6468-1816-CD1F688506E6}. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 2 | None | Property '{A45C254E-DF1C-4EFD-8020-67D146A850E0} 2' on device 'SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}' changed. This may affect the value of a property on device container {B0C9E24A-95CF-6468-1816-CD1F688506E6}. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 2 | None | Property '{A45C254E-DF1C-4EFD-8020-67D146A850E0} 12' on device 'SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445}' changed. This may affect the value of a property on device container {B0C9E24A-95CF-6468-1816-CD1F688506E6}. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnPConfig | 1 | None | Device container {B0C9E24A-95CF-6468-1816-CD1F688506E6} is unconfigured. |
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnP | 410 | None | "Device SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445} was started. |
Driver Name: PrintQueue.inf
Class GUID: {1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC}
Service:
Lower Filters:
Upper Filters: "
Information | 22-06-2015 16:36:02 | Microsoft-Windows-Kernel-PnP | 400 | None | "Device SWD\PRINTENUM\{CFA7BD57-7F22-46A5-9849-83EDE6ED5445} was configured. |
Driver Name: PrintQueue.inf
Class GUID: {1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC}
Driver Date: 06/21/2006
Driver Version: 6.2.9200.16384
Driver Provider: Microsoft
Driver Section: NO_DRV_LOCAL
Driver Rank: 0x1
Matching Device ID: PRINTENUM\LocalPrintQueue
Outranked Drivers: prnms002.inf:microsoftmicrosoft_s7d14:00FF0002 c_swdevice.inf:SWD\GenericRaw:00FF3001
Device Updated: false"
Error | 22-06-2015 16:36:02 | Microsoft-Windows-TerminalServices-Printers | 1111 | None | Driver SHARP MX-2300G PCL6 required for printer !!192.168.140.99!SHARP MX-2300G PCL6 First Floor is unknown. Contact the administrator to install the driver before you log in again. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Kernel-General | 16 | None | The access history in hive \SystemRoot\System32\config\DRIVERS was cleared updating 108 keys and creating 12 modified pages. |
Error | 22-06-2015 16:36:02 | Microsoft-Windows-TerminalServices-Printers | 1111 | None | Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-TaskScheduler | 110 | Task triggered by user | "Task Scheduler launched ""{9BE4A5FB-3EC9-4081-9D0B-8F7A3C40FADA}"" instance of task ""\Microsoft\Windows\Shell\CreateObjectTask"" for user ""System"" ." |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-TaskScheduler | 200 | Action started | "Task Scheduler launched action ""Shell Create Object Task Delegate"" in instance ""{9BE4A5FB-3EC9-4081-9D0B-8F7A3C40FADA}"" of task ""\Microsoft\Windows\Shell\CreateObjectTask""." |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-TaskScheduler | 100 | Task Started | "Task Scheduler started ""{9BE4A5FB-3EC9-4081-9D0B-8F7A3C40FADA}"" instance of the ""\Microsoft\Windows\Shell\CreateObjectTask"" task for user ""NT AUTHORITY\SYSTEM""." |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-TaskScheduler | 129 | Created Task Process | "Task Scheduler launch task ""\Microsoft\Windows\Shell\CreateObjectTask"" , instance ""taskhost.exe"" with process ID 3616." |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | Window Manager\DWM-4 | ||
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon ID: | 0x8A6923B |
Logon Type: | 2 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | Window Manager\DWM-4 | ||
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon ID: | 0x8A6924F |
Logon Type: | 2 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel rdpsnd has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel rdpdr has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel cliprdr has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel Microsoft::Windows::RDS::Input has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\mipadm | ||
Account Name: | mipadm | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A6A5BC |
Logon Type: | 10 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4634 | Logoff | "An account was logged off. |
Subject:
Security ID: | MIGPRDAPP2\mipadm | ||
Account Name: | mipadm | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A6A5D7 |
Logon Type: | 10 |
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information | 22-06-2015 16:36:01 | Microsoft-Windows-TerminalServices-LocalSessionManager | 25 | None | "Remote Desktop Services: Session reconnection succeeded: |
User: MIGPRDAPP2\mipadm
Session ID: 3
Source Network Address: "
Information | 22-06-2015 16:36:01 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 66 | RemoteFX module | The connection RDP-Tcp#0 was assigned to session #2 |
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | MIGPRDAPP2\mipadm | ||
Account Name: | mipadm | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A6A5BC |
Privileges: | SeAssignPrimaryTokenPrivilege | ||||
SeTcbPrivilege | |||||
SeSecurityPrivilege | |||||
SeTakeOwnershipPrivilege | |||||
SeLoadDriverPrivilege | |||||
SeBackupPrivilege | |||||
SeRestorePrivilege | |||||
SeDebugPrivilege | |||||
SeSystemEnvironmentPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 10 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\mipadm | ||
Account Name: | mipadm | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A6A5D7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x680 | ||
Process Name: | C:\Windows\System32\winlogon.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | 192.168.141.71 | ||
Source Port: | 0 |
Detailed Authentication Information:
Logon Process: | User32 | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 10 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | MIGPRDAPP2\mipadm | ||
Account Name: | mipadm | ||
Account Domain: | MIGPRDAPP2 | ||
Logon ID: | 0x8A6A5BC | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x680 | ||
Process Name: | C:\Windows\System32\winlogon.exe |
Network Information:
Workstation Name: | MIGPRDAPP2 | ||
Source Network Address: | 192.168.141.71 | ||
Source Port: | 0 |
Detailed Authentication Information:
Logon Process: | User32 | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | mipadm | ||
Account Domain: | MIGPRDAPP2 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x680 | ||
Process Name: | C:\Windows\System32\winlogon.exe |
Network Information:
Network Address: | 192.168.141.71 | |||
Port: | 0 |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:36:01 | Microsoft-Windows-Security-Auditing | 4776 | Credential Validation | "The computer attempted to validate the credentials for an account. |
Authentication Package: | MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | ||||
Logon Account: | mipadm | ||||
Source Workstation: | MIGPRDAPP2 | ||||
Error Code: | 0x0" | ||||
Information | 22-06-2015 16:36:01 | Desktop Window Manager | 9009 | None | The Desktop Window Manager has exited with code (0xd00002fe) |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel rdpsnd has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel rdpdr has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | Window Manager\DWM-4 | ||
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon ID: | 0x8A6924F |
Privileges: | SeAssignPrimaryTokenPrivilege | ||||
SeAuditPrivilege" | |||||
Information | 22-06-2015 16:36:00 | Microsoft-Windows-Security-Auditing | 4672 | Special Logon | "Special privileges assigned to new logon. |
Subject:
Security ID: | Window Manager\DWM-4 | ||
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon ID: | 0x8A6923B |
Privileges: | SeAssignPrimaryTokenPrivilege | ||||
SeAuditPrivilege | |||||
SeImpersonatePrivilege" | |||||
Information | 22-06-2015 16:36:00 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 2 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | Window Manager\DWM-4 | ||
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon ID: | 0x8A6924F | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x680 | ||
Process Name: | C:\Windows\System32\winlogon.exe |
Network Information:
Workstation Name: | |||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:36:00 | Microsoft-Windows-Security-Auditing | 4624 | Logon | "An account was successfully logged on. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 |
Logon Type: | 2 |
Impersonation Level: | Impersonation |
New Logon:
Security ID: | Window Manager\DWM-4 | ||
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon ID: | 0x8A6923B | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Process Information:
Process ID: | 0x680 | ||
Process Name: | C:\Windows\System32\winlogon.exe |
Network Information:
Workstation Name: | |||
Source Network Address: | - | ||
Source Port: | - |
Detailed Authentication Information:
Logon Process: | Advapi | ||
Authentication Package: | Negotiate | ||
Transited Services: | - | ||
Package Name (NTLM only): | - | ||
Key Length: | 0 |
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. | |||||
- Transited services indicate which intermediate services have participated in this logon request. | |||||
- Package name indicates which sub-protocol was used among the NTLM protocols. | |||||
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." | |||||
Information | 22-06-2015 16:36:00 | Microsoft-Windows-Security-Auditing | 4648 | Logon | "A logon was attempted using explicit credentials. |
Subject:
Security ID: | SYSTEM | ||
Account Name: | MIGPRDAPP2$ | ||
Account Domain: | MILLTEC | ||
Logon ID: | 0x3E7 | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Account Whose Credentials Were Used:
Account Name: | DWM-4 | ||
Account Domain: | Window Manager | ||
Logon GUID: | {00000000-0000-0000-0000-000000000000} |
Target Server:
Target Server Name: | localhost | |
Additional Information: | localhost |
Process Information:
Process ID: | 0x680 | ||
Process Name: | C:\Windows\System32\winlogon.exe |
Network Information:
Network Address: | - | |||
Port: | - |
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel ECHO has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 163 | RemoteFX module | The client suports RDP 7.1 or lower protocol. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel rdpinpt has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 132 | RemoteFX module | A channel rdpgrfx has been connected between the server and the client using transport tunnel: 0. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 33 | RemoteFX module | Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 66 | RemoteFX module | The connection RDP-Tcp#0 was assigned to session #2 |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 135 | RemoteFX module | The multi-transport connection finished for tunnel: 3, its transport type set to TCP: Reason Code: 1 (No Client UDP Support). |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 135 | RemoteFX module | The multi-transport connection finished for tunnel: 1, its transport type set to TCP: Reason Code: 1 (No Client UDP Support). |
Warning | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 101 | RemoteFX module | The network characteristics detection function has been disabled because of Client not supported.. |
Information | 22-06-2015 16:36:00 | Microsoft-Windows-RemoteDesktopServices-RdpCoreTS | 100 | RemoteFX module | The server has confirmed that the client's multi-transport capability. |
Thanks Adarsh but these logs are hard to read. If you would have supplied the event viewer screenshot for the is error or the log of the failure of the service, then it would have been easy.
Anyway, please read the SAP note that I have shared with you above. It tell you possible ares to check and fix.
Check Windows application log (start eventvwr.exe = Event Viewer) and look for this error:
Regards,
Hi Sir,
I checked the link provided by you and i have some doubt. Like the above thread every server should have shared folder access to SAPLOC and SAPMNT. However when i checked the Central PRD I could see both these folders are shared and this is not the same with the application servers whose services are not starting. There i could only access the SAPLOC folder.I contacted my seniors and they told these folders will be shared by default.But this is not the case with these app servers. What should i do now.Should i add them manually and are there any specific steps.
Regards,
Adarsh
User | Count |
---|---|
83 | |
10 | |
10 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.