Donat Was Here

DonatShell
Server IP : 180.180.241.3 / Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON | cURL : ON | WGET : OFF | Perl : OFF | Python : OFF | Sudo : OFF | Pkexec : OFF
Directory : /Windows/System32/
Upload File :
[ HOME SHELL ]
Current File : /Windows/System32//adtschema.dll
MZÿÿ¸@¸º´	Í!¸LÍ!This program cannot be run in DOS mode.

$uõÙE›ŠE›ŠE›ŠLlŠD›ŠLl
ŠD›ŠRichE›ŠPEL·^à!	ˆ
@ 
“Ö
@È†
.rsrcÈ†
ˆ
@@L€0€0€H€`€x€€¨€À€Ø€	ð			 à•
èXÜ‚¹<Ç`´
WEVT_TEMPLATEMUI´4VS_VERSION_INFO½ïþá_±á_±?StringFileInfoî040904B0LCompanyNameMicrosoft Corporation\FileDescriptionSecurity Audit Schema DLL€0FileVersion6.1.7601.24545 (win7sp1_ldr_escrow.200102-1707)<InternalNameadtschema.dll€.LegalCopyright© Microsoft Corporation. All rights reserved.DOriginalFilenameadtschema.dllj%ProductNameMicrosoft® Windows® Operating SystemBProductVersion6.1.7601.24545DVarFileInfo$Translation	°Hd`


 (:&<ä<>CŠP^—`cÌ¿ep8ÇrÜºàüÀÃDÐÑ²ÙÙ¤µ$ ¹&&´à(.lá00ˆî@IÌðPZÔý\^$`e¸py ¡üS£«ÈT»¤\ÀÎhs¼”$œ't·00˜×ÐÙ@D|áFMhìP\Ø_bøehPkm8Œ$PP*8-€3€‰l5$tÿÿ`|00À|PPÔ|0p0pô|1p1pä}2p2pP3p3px4p4p0‚5p5pÔ‚6p6p\„7p7pà…8p8pô†ÿpÿpˆPˆ°°Àˆ.°.°¸Œ0°0°<‘5°5°•P°P°Ì˜Ð°Ð°<£°°X¤°°È¤$°%°¬¦K°L°ð¬°°œµ€°°p¸ìWindows is starting up.%n%nThis event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

°Windows is shutting down.%nAll logon sessions will be terminated by this shutdown.

|An authentication package has been loaded by the Local Security Authority.%nThis authentication package will be used to authenticate logon attempts.%n%nAuthentication Package Name:%t%1

(A trusted logon process has been registered with the Local Security Authority.%nThis logon process will be trusted to submit logon requests.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Process Name:%t%t%5

¼Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.%n%nNumber of audit messages discarded:%t%1%n%nThis event is generated when audit queues are filled and events must be discarded.  This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.

dA notification package has been loaded by the Security Account Manager.%nThis package will be notified of any account or password changes.%n%nNotification Package Name:%t%1

àInvalid use of LPC port.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tPID:%t%t%t%7%n%tName:%t%t%t%8%n%nInvalid Use:%t%t%5%n%nLPC Server Port Name:%t%6%n%nWindows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA's use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel.

ìThe system time was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%7%n%tName:%t%t%8%n%nPrevious Time:%t%t%5%nNew Time:%t%t%6%n%nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

A monitored security event pattern has occurred.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nAlert Information:%n%tComputer:%t%t%2%n%tEvent ID:%t%t%1%n%tNumber of Events:%t%7%n%tDuration:%t%t%8%n%nThis event is generated when Windows is configured to generate alerts in accordance with the Common Criteria Security Audit Analysis requirements (FAU_SAA) and an auditable event pattern occurs.

<Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.%n%nValue of CrashOnAuditFail:%t%1%n%nThis event is logged after a system reboots following CrashOnAuditFail.

ÌA security package has been loaded by the Local Security Authority.%n%nSecurity Package Name:%t%1

ŒAn account was successfully logged on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%9%n%nNew Logon:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%tLogon GUID:%t%t%13%n%nProcess Information:%n%tProcess ID:%t%t%17%n%tProcess Name:%t%t%18%n%nNetwork Information:%n%tWorkstation Name:%t%12%n%tSource Network Address:%t%19%n%tSource Port:%t%t%20%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%10%n%tAuthentication Package:%t%11%n%tTransited Services:%t%14%n%tPackage Name (NTLM only):%t%15%n%tKey Length:%t%t%16%n%nThis event is generated when a logon session is created. It is generated on the computer that was accessed.%n%nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).%n%nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.%n%nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

dAn account failed to log on.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%11%n%nAccount For Which Logon Failed:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%nFailure Information:%n%tFailure Reason:%t%t%9%n%tStatus:%t%t%t%8%n%tSub Status:%t%t%10%n%nProcess Information:%n%tCaller Process ID:%t%18%n%tCaller Process Name:%t%19%n%nNetwork Information:%n%tWorkstation Name:%t%14%n%tSource Network Address:%t%20%n%tSource Port:%t%t%21%n%nDetailed Authentication Information:%n%tLogon Process:%t%t%12%n%tAuthentication Package:%t%13%n%tTransited Services:%t%15%n%tPackage Name (NTLM only):%t%16%n%tKey Length:%t%t%17%n%nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.%n%nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.%n%nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).%n%nThe Process Information fields indicate which account and process on the system requested the logon.%n%nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.%n%nThe authentication information fields provide detailed information about this specific logon request.%n%t- Transited services indicate which intermediate services have participated in this logon request.%n%t- Package name indicates which sub-protocol was used among the NTLM protocols.%n%t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

ÌAn account was logged off.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLogon Type:%t%t%t%5%n%nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

%1%n

,User initiated logoff:%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

ÄA logon was attempted using explicit credentials.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tLogon GUID:%t%t%5%n%nAccount Whose Credentials Were Used:%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon GUID:%t%t%8%n%nTarget Server:%n%tTarget Server Name:%t%9%n%tAdditional Information:%t%10%n%nProcess Information:%n%tProcess ID:%t%t%11%n%tProcess Name:%t%t%12%n%nNetwork Information:%n%tNetwork Address:%t%13%n%tPort:%t%t%t%14%n%nThis event is generated when a process attempts to log on an account by explicitly specifying that account s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

<A replay attack was detected.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCredentials Which Were Replayed:%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%12%n%tProcess Name:%t%t%13%n%nNetwork Information:%n%tWorkstation Name:%t%10%n%nDetailed Authentication Information:%n%tRequest Type:%t%t%7%n%tLogon Process:%t%t%8%n%tAuthentication Package:%t%9%n%tTransited Services:%t%11%n%nThis event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

ˆAn IPsec main mode security association was established. Extended mode was not enabled.  Certificate authentication was not used.%n%nLocal Endpoint:%n%tPrincipal Name:%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nSecurity Association Information:%n%tLifetime (minutes):%t%12%n%tQuick Mode Limit:%t%13%n%tMain Mode SA ID:%t%17%n%nCryptographic Information:%n%tCipher Algorithm:%t%9%n%tIntegrity Algorithm:%t%10%n%tDiffie-Hellman Group:%t%11%n%nAdditional Information:%n%tKeying Module Name:%t%7%n%tAuthentication Method:%t%8%n%tRole:%t%14%n%tImpersonation State:%t%15%n%tMain Mode Filter ID:%t%16

ìAn IPsec main mode security association was established. Extended mode was not enabled.  A certificate was used for authentication.%n%nLocal Endpoint:%n%tPrincipal Name:%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA thumbprint: %t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%15%n%tIntegrity Algorithm:%t%16%n%tDiffie-Hellman Group:%t%17%n%nSecurity Association Information:%n%tLifetime (minutes):%t%18%n%tQuick Mode Limit:%t%19%n%tMain Mode SA ID:%t%23%n%nAdditional Information:%n%tKeying Module Name:%t%13%n%tAuthentication Method:%t%14%n%tRole:%t%20%n%tImpersonation State:%t%21%n%tMain Mode Filter ID:%t%22

 An IPsec main mode negotiation failed.%n%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA thumbprint:%t%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nAdditional Information:%n%tKeying Module Name:%t%13%n%tAuthentication Method:%t%16%n%tRole:%t%t%t%18%n%tImpersonation State:%t%19%n%tMain Mode Filter ID:%t%20%n%nFailure Information:%n%tFailure Point:%t%t%14%n%tFailure Reason:%t%t%15%n%tState:%t%t%t%17%n%tInitiator Cookie:%t%t%21%n%tResponder Cookie:%t%22

DAn IPsec main mode negotiation failed.%n%nLocal Endpoint:%n%tLocal Principal Name:%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nAdditional Information:%n%tKeying Module Name:%t%7%n%tAuthentication Method:%t%10%n%tRole:%t%t%t%12%n%tImpersonation State:%t%13%n%tMain Mode Filter ID:%t%14%n%nFailure Information:%n%tFailure Point:%t%t%8%n%tFailure Reason:%t%t%9%n%tState:%t%t%t%11%n%tInitiator Cookie:%t%t%15%n%tResponder Cookie:%t%16

An IPsec quick mode negotiation failed.%n%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tAddress Mask:%t%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%tPrivate Address:%t%t%10%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tKeying Module Name:%t%11%n%tVirtual Interface Tunnel ID:%t%20%n%tTraffic Selector ID:%t%21%n%tMode:%t%t%t%14%n%tRole:%t%t%t%16%n%tQuick Mode Filter ID:%t%18%n%tMain Mode SA ID:%t%19%n%nFailure Information:%n%tState:%t%t%t%15%n%tMessage ID:%t%t%17%n%tFailure Point:%t%t%12%n%tFailure Reason:%t%t%13

HAn IPsec main mode security association ended.%n%nLocal Network Address:%t%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%t%3%nMain Mode SA ID:%t%t%4

øA handle to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%15%n%tProcess Name:%t%t%16%n%nAccess Request Information:%n%tTransaction ID:%t%t%9%n%tAccesses:%t%t%10%n%tAccess Reasons:%t%t%11%n%tAccess Mask:%t%t%12%n%tPrivileges Used for Access Check:%t%13%n%tRestricted SID Count:%t%14

TA registry value was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Name:%t%t%5%n%tObject Value Name:%t%6%n%tHandle ID:%t%t%7%n%tOperation Type:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%13%n%tProcess Name:%t%t%14%n%nChange Information:%n%tOld Value Type:%t%t%9%n%tOld Value:%t%t%10%n%tNew Value Type:%t%t%11%n%tNew Value:%t%t%12

The handle to an object was closed.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tHandle ID:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%7%n%tProcess Name:%t%t%8

dA handle to an object was requested with intent to delete.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%13%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Mask:%t%11%n%tPrivileges Used for Access Check:%t%12

An object was deleted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tHandle ID:%t%6%n%nProcess Information:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%tTransaction ID:%t%9

A handle to an object was requested.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%16%n%tProcess Name:%t%17%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Reasons:%t%t%11%n%tAccess Mask:%t%12%n%tPrivileges Used for Access Check:%t%13%n%tProperties:%t%14%n%tRestricted SID Count:%t%15

PAn operation was performed on an object.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%9%n%nOperation:%n%tOperation Type:%t%t%8%n%tAccesses:%t%t%10%n%tAccess Mask:%t%t%11%n%tProperties:%t%t%12%n%nAdditional Information:%n%tParameter 1:%t%t%13%n%tParameter 2:%t%t%14

èAn attempt was made to access an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nAccess Request Information:%n%tAccesses:%t%9%n%tAccess Mask:%t%10

ÌAn attempt was made to create a hard link.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nLink Information:%n%tFile Name:%t%5%n%tLink Name:%t%6%n%tTransaction ID:%t%7

ôAn attempt was made to create an application client context.%n%nSubject:%n%tClient Name:%t%t%3%n%tClient Domain:%t%t%4%n%tClient Context ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nStatus:%t%6

ØAn application attempted an operation:%n%nSubject:%n%tClient Name:%t%t%5%n%tClient Domain:%t%t%6%n%tClient Context ID:%t%7%n%nObject:%n%tObject Name:%t%t%3%n%tScope Names:%t%t%4%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nAccess Request Information:%n%tRole:%t%t%t%8%n%tGroups:%t%t%t%9%n%tOperation Name:%t%10 (%11)

°An application client context was deleted.%n%nSubject:%n%tClient Name:%t%t%3%n%tClient Domain:%t%t%4%n%tClient Context ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2

ìAn application was initialized.%n%nSubject:%n%tClient Name:%t%3%n%tClient Domain:%t%4%n%tClient ID:%t%5%n%nApplication Information:%n%tApplication Name:%t%1%n%tApplication Instance ID:%t%2%n%nAdditional Information:%n%tPolicy Store URL:%t%6

üPermissions on an object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nPermissions Change:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%10

€An application attempted to access a blocked ordinal through the TBS.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nOrdinal:%t%5

PSpecial privileges assigned to new logon.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nPrivileges:%t%t%5

HA privileged service was called.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nService:%n%tServer:%t%5%n%tService Name:%t%6%n%nProcess:%n%tProcess ID:%t%8%n%tProcess Name:%t%9%n%nService Request Information:%n%tPrivileges:%t%t%7

An operation was attempted on a privileged object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tObject Handle:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nRequested Operation:%n%tDesired Access:%t%9%n%tPrivileges:%t%t%10

ðSIDs were filtered.%n%nTarget Account:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nTrust Information:%n%tTrust Direction:%t%4%n%tTrust Attributes:%t%5%n%tTrust Type:%t%6%n%tTDO Domain SID:%t%7%n%nFiltered SIDs:%t%8

¬
A new process has been created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%tProcess Command Line:%t%9%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

¨A process has exited.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%6%n%tProcess Name:%t%7%n%tExit Status:%t%5

€An attempt was made to duplicate a handle to an object.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSource Handle Information:%n%tSource Handle ID:%t%5%n%tSource Process ID:%t%6%n%nNew Handle Information:%n%tTarget Handle ID:%t%7%n%tTarget Process ID:%t%8

pIndirect access to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Type:%t%5%n%tObject Name:%t%6%n%nProcess Information:%n%tProcess ID:%t%9%n%nAccess Request Information:%n%tAccesses:%t%7%n%tAccess Mask:%t%8

HBackup of data protection master key was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nKey Information:%n%tKey Identifier:%t%5%n%tRecovery Server:%t%6%n%tRecovery Key ID:%t%7%n%nStatus Information:%n%tStatus Code:%t%8

|Recovery of data protection master key was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nKey Information:%n%tKey Identifier:%t%5%n%tRecovery Server:%t%6%n%tRecovery Key ID:%t%8%n%tRecovery Reason:%t%7%n%nStatus Information:%n%tStatus Code:%t%9

Protection of auditable protected data was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProtected Data:%n%tData Description:%t%6%n%tKey Identifier:%t%5%n%tProtected Data Flags:%t%7%n%tProtection Algorithms:%t%8%n%nStatus Information:%n%tStatus Code:%t%9

”Unprotection of auditable protected data was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProtected Data:%n%tData Description:%t%6%n%tKey Identifier:%t%5%n%tProtected Data Flags:%t%7%n%tProtection Algorithms:%t%8%n%nStatus Information:%n%tStatus Code:%t%9

$A primary token was assigned to process.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nTarget Process:%n%tTarget Process ID:%t%9%n%tTarget Process Name:%t%10%n%nNew Token Information:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8

PA service was installed in the system.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nService Information:%n%tService Name: %t%t%5%n%tService File Name:%t%6%n%tService Type: %t%t%7%n%tService Start Type:%t%8%n%tService Account: %t%t%9

œA scheduled task was created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

œA scheduled task was deleted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

œA scheduled task was enabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

œA scheduled task was disabled.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask Content: %t%t%6%n%t

¤A scheduled task was updated.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTask Information:%n%tTask Name: %t%t%5%n%tTask New Content: %t%t%6%n%t

¤A user right was assigned.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Account:%n%tAccount Name:%t%t%5%n%nNew Right:%n%tUser Right:%t%t%6

¨A user right was removed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTarget Account:%n%tAccount Name:%t%t%5%n%nRemoved Right:%n%tUser Right:%t%t%6

ˆA new trust was created to a domain.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nTrusted Domain:%n%tDomain Name:%t%t%1%n%tDomain ID:%t%t%2%n%nTrust Information:%n%tTrust Type:%t%t%7%n%tTrust Direction:%t%t%8%n%tTrust Attributes:%t%t%9%n%tSID Filtering:%t%t%10

˜A trust to a domain was removed.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nDomain Information:%n%tDomain Name:%t%t%1%n%tDomain ID:%t%t%2

¨The IPsec Policy Agent service was started.%n%n%1%n%nPolicy Source: %t%2%n%n%3

xThe IPsec Policy Agent service was disabled.%n%n%1%n%2

%1

ŒIPsec Policy Agent encountered a potentially serious failure.%n%1

Kerberos policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nChanges Made:%n('--' means no changes, otherwise each change is shown as:%n(Parameter Name):%t(new value) (old value))%n%5

ìData Recovery Agent group policy for Encrypting File System (EFS) has changed. The new changes have been applied.

øThe audit policy (SACL) on an object was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain: %t%3%n%tLogon ID: %t%t%4%n%nAudit Policy Change:%n%tOriginal Security Descriptor: %t%5%n%tNew Security Descriptor: %t%t%6

˜Trusted domain information was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTrusted Domain:%n%tDomain Name:%t%t%5%n%tDomain ID:%t%t%6%n%nNew Trust Information:%n%tTrust Type:%t%t%7%n%tTrust Direction:%t%t%8%n%tTrust Attributes:%t%t%9%n%tSID Filtering:%t%t%10

äSystem security access was granted to an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAccount Modified:%n%tAccount Name:%t%t%5%n%nAccess Granted:%n%tAccess Right:%t%t%6

èSystem security access was removed from an account.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAccount Modified:%n%tAccount Name:%t%t%5%n%nAccess Removed:%n%tAccess Right:%t%t%6

ìSystem audit policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAudit Policy Change:%n%tCategory:%t%t%5%n%tSubcategory:%t%t%6%n%tSubcategory GUID:%t%7%n%tChanges:%t%t%8

ÐA user account was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tDisplay Name:%t%t%10%n%tUser Principal Name:%t%11%n%tHome Directory:%t%t%12%n%tHome Drive:%t%t%13%n%tScript Path:%t%t%14%n%tProfile Path:%t%t%15%n%tUser Workstations:%t%16%n%tPassword Last Set:%t%17%n%tAccount Expires:%t%t%18%n%tPrimary Group ID:%t%19%n%tAllowed To Delegate To:%t%20%n%tOld UAC Value:%t%t%21%n%tNew UAC Value:%t%t%22%n%tUser Account Control:%t%23%n%tUser Parameters:%t%24%n%tSID History:%t%t%25%n%tLogon Hours:%t%t%26%n%nAdditional Information:%n%tPrivileges%t%t%8

¼A user account was enabled.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

LAn attempt was made to change an account's password.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges%t%t%8

ìAn attempt was made to reset an account's password.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

ÀA user account was disabled.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

A user account was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges%t%8

¬A security-enabled global group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¬A member was added to a security-enabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

´A member was removed from a security-enabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

4A security-enabled global group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nDeleted Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

¨A security-enabled local group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¨A member was added to a security-enabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

°A member was removed from a security-enabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

$A security-enabled local group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

°A security-enabled local group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

´A security-enabled global group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

äA user account was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nChanged Attributes:%n%tSAM Account Name:%t%10%n%tDisplay Name:%t%t%11%n%tUser Principal Name:%t%12%n%tHome Directory:%t%t%13%n%tHome Drive:%t%t%14%n%tScript Path:%t%t%15%n%tProfile Path:%t%t%16%n%tUser Workstations:%t%17%n%tPassword Last Set:%t%18%n%tAccount Expires:%t%t%19%n%tPrimary Group ID:%t%20%n%tAllowedToDelegateTo:%t%21%n%tOld UAC Value:%t%t%22%n%tNew UAC Value:%t%t%23%n%tUser Account Control:%t%24%n%tUser Parameters:%t%25%n%tSID History:%t%t%26%n%tLogon Hours:%t%t%27%n%nAdditional Information:%n%tPrivileges:%t%t%9

,Domain Policy was changed.%n%nChange Type:%t%t%1 modified%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nDomain:%n%tDomain Name:%t%t%2%n%tDomain ID:%t%t%3%n%nChanged Attributes:%n%tMin. Password Age:%t%9%n%tMax. Password Age:%t%10%n%tForce Logoff:%t%t%11%n%tLockout Threshold:%t%12%n%tLockout Observation Window:%t%13%n%tLockout Duration:%t%14%n%tPassword Properties:%t%15%n%tMin. Password Length:%t%16%n%tPassword History Length:%t%17%n%tMachine Account Quota:%t%18%n%tMixed Domain Mode:%t%19%n%tDomain Behavior Version:%t%20%n%tOEM Information:%t%21%n%nAdditional Information:%n%tPrivileges:%t%t%8

A user account was locked out.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nAccount That Was Locked Out:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tCaller Computer Name:%t%2

XA computer account was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Computer Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tDisplay Name:%t%t%10%n%tUser Principal Name:%t%11%n%tHome Directory:%t%t%12%n%tHome Drive:%t%t%13%n%tScript Path:%t%t%14%n%tProfile Path:%t%t%15%n%tUser Workstations:%t%16%n%tPassword Last Set:%t%17%n%tAccount Expires:%t%t%18%n%tPrimary Group ID:%t%19%n%tAllowedToDelegateTo:%t%20%n%tOld UAC Value:%t%t%21%n%tNew UAC Value:%t%t%22%n%tUser Account Control:%t%23%n%tUser Parameters:%t%24%n%tSID History:%t%t%25%n%tLogon Hours:%t%t%26%n%tDNS Host Name:%t%t%27%n%tService Principal Names:%t%28%n%nAdditional Information:%n%tPrivileges%t%t%8

ˆA computer account was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nComputer Account That Was Changed:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nChanged Attributes:%n%tSAM Account Name:%t%10%n%tDisplay Name:%t%t%11%n%tUser Principal Name:%t%12%n%tHome Directory:%t%t%13%n%tHome Drive:%t%t%14%n%tScript Path:%t%t%15%n%tProfile Path:%t%t%16%n%tUser Workstations:%t%17%n%tPassword Last Set:%t%18%n%tAccount Expires:%t%t%19%n%tPrimary Group ID:%t%20%n%tAllowedToDelegateTo:%t%21%n%tOld UAC Value:%t%t%22%n%tNew UAC Value:%t%t%23%n%tUser Account Control:%t%24%n%tUser Parameters:%t%25%n%tSID History:%t%t%26%n%tLogon Hours:%t%t%27%n%tDNS Host Name:%t%t%28%n%tService Principal Names:%t%29%n%nAdditional Information:%n%tPrivileges:%t%t%9

(A computer account was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Computer:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

¬A security-disabled local group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nNew Group:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

´A security-disabled local group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¬A member was added to a security-disabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

´A member was removed from a security-disabled local group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

$A security-disabled local group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

¤A security-disabled global group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

´A security-disabled global group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¬A member was added to a security-disabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

´A member was removed from a security-disabled global group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

(A security-disabled global group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

¨A security-enabled universal group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¸A security-enabled universal group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¸A member was added to a security-enabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

¸A member was removed from a security-enabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

,A security-enabled universal group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

¬A security-disabled universal group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

¼A security-disabled universal group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nChanged Attributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

´A member was added to a security-disabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

¼A member was removed from a security-disabled universal group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

,A security-disabled universal group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tGroup Name:%t%t%1%n%tGroup Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

4A group s type was changed.%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nChange Type:%t%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%4%n%tGroup Name:%t%t%2%n%tGroup Domain:%t%t%3%n%nAdditional Information:%n%tPrivileges:%t%t%9

ÜSID History was added to an account.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nTarget Account:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nSource Account:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%tSID List:%t%t%t%11

”An attempt to add SID History to an account failed.%n%nSubject:%n%tSecurity ID:%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%nSource Account%n%tAccount Name:%t%t%1%n%nAdditional Information:%n%tPrivileges:%t%t%8

ÀA user account was unlocked.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

ôA Kerberos authentication ticket (TGT) was requested.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%tUser ID:%t%t%t%3%n%nService Information:%n%tService Name:%t%t%4%n%tService ID:%t%t%5%n%nNetwork Information:%n%tClient Address:%t%t%10%n%tClient Port:%t%t%11%n%nAdditional Information:%n%tTicket Options:%t%t%6%n%tResult Code:%t%t%7%n%tTicket Encryption Type:%t%8%n%tPre-Authentication Type:%t%9%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%12%n%tCertificate Serial Number:%t%13%n%tCertificate Thumbprint:%t%t%14%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

TA Kerberos service ticket was requested.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon GUID:%t%t%10%n%nService Information:%n%tService Name:%t%t%3%n%tService ID:%t%t%4%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%5%n%tTicket Encryption Type:%t%6%n%tFailure Code:%t%t%9%n%tTransited Services:%t%11%n%nThis event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.%n%nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.%n%nTicket options, encryption types, and failure codes are defined in RFC 4120.

$A Kerberos service ticket was renewed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nService Information:%n%tService Name:%t%t%3%n%tService ID:%t%t%4%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%5%n%tTicket Encryption Type:%t%6%n%nTicket options and encryption types are defined in RFC 4120.

$Kerberos pre-authentication failed.%n%nAccount Information:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nService Information:%n%tService Name:%t%t%3%n%nNetwork Information:%n%tClient Address:%t%t%7%n%tClient Port:%t%t%8%n%nAdditional Information:%n%tTicket Options:%t%t%4%n%tFailure Code:%t%t%5%n%tPre-Authentication Type:%t%6%n%nCertificate Information:%n%tCertificate Issuer Name:%t%t%9%n%tCertificate Serial Number: %t%10%n%tCertificate Thumbprint:%t%t%11%n%nCertificate information is only provided if a certificate was used for pre-authentication.%n%nPre-authentication types, ticket options and failure codes are defined in RFC 4120.%n%nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

èA Kerberos authentication ticket request failed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tSupplied Realm Name:%t%2%n%nService Information:%n%tService Name:%t%3%n%nNetwork Information:%n%tClient Address:%t%6%n%tClient Port:%t%7%n%nAdditional Information:%n%tTicket Options:%t%4%n%tFailure Code:%t%5%n%nTicket options and failure codes are defined in RFC 4120.

ÔA Kerberos service ticket request failed.%n%nAccount Information:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nService Information:%n%tService Name:%t%3%n%nNetwork Information:%n%tClient Address:%t%6%n%tClient Port:%t%7%n%nAdditional Information:%n%tTicket Options:%t%4%n%tFailure Code:%t%5%n%nTicket options and failure codes are defined in RFC 4120.

ÐAn account was mapped for logon.%n%nAuthentication Package:%t%1%nAccount UPN:%t%2%nMapped Name:%t%3

ÈAn account could not be mapped for logon.%n%nAuthentication Package:%t%t%1%nAccount Name:%t%t%2

HThe computer attempted to validate the credentials for an account.%n%nAuthentication Package:%t%1%nLogon Account:%t%2%nSource Workstation:%t%3%nError Code:%t%4

TThe domain controller failed to validate the credentials for an account.%n%nAuthentication Package:%t%1%nLogon Account:%t%2%nSource Workstation:%t%3%nError Code:%t%4

,A session was reconnected to a Window Station.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon ID:%t%t%3%n%nSession:%n%tSession Name:%t%t%4%n%nAdditional Information:%n%tClient Name:%t%t%5%n%tClient Address:%t%t%6%n%nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.

HA session was disconnected from a Window Station.%n%nSubject:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%tLogon ID:%t%t%3%n%nSession:%n%tSession Name:%t%t%4%n%nAdditional Information:%n%tClient Name:%t%t%5%n%tClient Address:%t%t%6%n%n%nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.

ÜThe ACL was set on accounts which are members of administrators groups.%n%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nTarget Account:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8%n%nEvery hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the AdminSDHolder object.  If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.

dThe name of an account was changed:%n%nSubject:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%6%n%tAccount Domain:%t%t%7%n%tLogon ID:%t%t%8%n%nTarget Account:%n%tSecurity ID:%t%t%4%n%tAccount Domain:%t%t%3%n%tOld Account Name:%t%1%n%tNew Account Name:%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%9

°The password hash an account was accessed.%n%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nTarget Account:%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2

 A basic application group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

 A basic application group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

 A member was added to a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

¨A member was removed from a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tGroup Name:%t%t%3%n%tGroup Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10

 A non-member was added to a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%nA non-member is an account that is explicitly excluded from membership in a basic application group.  Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.

(A non-member was removed from a basic application group.%n%nSubject:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%nMember:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%1%n%nGroup:%n%tSecurity ID:%t%t%5%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%nAdditional Information:%n%tPrivileges:%t%t%10%n%nA non-member is an account that is explicitly excluded from membership in a basic application group.  Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.

 A basic application group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

”An LDAP query group was created.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

 A basic application group was changed.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAttributes:%n%tSAM Account Name:%t%9%n%tSID History:%t%t%10%n%nAdditional Information:%n%tPrivileges:%t%t%8

An LDAP query group was deleted.%n%nSubject:%n%tSecurity ID:%t%t%4%n%tAccount Name:%t%t%5%n%tAccount Domain:%t%t%6%n%tLogon ID:%t%t%7%n%nGroup:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%1%n%tAccount Domain:%t%t%2%n%nAdditional Information:%n%tPrivileges:%t%t%8

 The Password Policy Checking API was called.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tProvided Account Name (unauthenticated):%t%6%n%tStatus Code:%t%7

An attempt was made to set the Directory Services Restore Mode%nadministrator password.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nAdditional Information:%n%tCaller Workstation:%t%5%n%tStatus Code:%t%6

0The workstation was locked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5

4The workstation was unlocked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5

4The screen saver was invoked.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5

8The screen saver was dismissed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tSession ID:%t%5

RPC detected an integrity violation while decrypting an incoming message.%n%nPeer Name:%t%1%nProtocol Sequence:%t%2%nSecurity Error:%t%3

tAuditing settings on object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%nAuditing Settings:%n%tOriginal Security Descriptor:%t%8%n%tNew Security Descriptor:%t%t%9

|A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group.%n%nSubject:%n%tUser Name:%t%1%n%tDomain:%t%t%2%n%tLogon ID:%t%3%n%nAdditional Information:%n%tClient Address:%t%4%n%n%nThis event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.

xA namespace collision was detected.%n%nTarget Type:%t%1%nTarget Name:%t%2%nForest Root:%t%3%nTop Level Name:%t%4%nDNS Name:%t%5%nNetBIOS Name:%t%6%nSecurity ID:%t%t%7%nNew Flags:%t%8

ÈA trusted forest information entry was added.%n%nSubject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nTrust Information:%n%tForest Root:%t%1%n%tForest Root SID:%t%2%n%tOperation ID:%t%3%n%tEntry Type:%t%4%n%tFlags:%t%5%n%tTop Level Name:%t%6%n%tDNS Name:%t%7%n%tNetBIOS Name:%t%8%n%tDomain SID:%t%9

ÌA trusted forest information entry was removed.%n%nSubject:%n%tSecurity ID:%t%t%10%n%tAccount Name:%t%t%11%n%tAccount Domain:%t%t%12%n%tLogon ID:%t%t%13%n%nTrust Information:%n%tForest Root:%t%1%n%tForest Root SID:%t%2%n%tOperation ID:%t%3%n%tEntry Type:%t%4%n%tFlags:%t%5%n%tTop Level Name:%t%6%n%tDNS Name:%t%7%n%tNetBIOS Name:%t%8%n%tDomain SID:%t%9

ÌA trusted forest information entry was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTrust Information:%n%tForest Root:%t%5%n%tForest Root SID:%t%6%n%tOperation ID:%t%7%n%tEntry Type:%t%8%n%tFlags:%t%9%n%tTop Level Name:%t%10%n%tDNS Name:%t%11%n%tNetBIOS Name:%t%12%n%tDomain SID:%t%13

°The certificate manager denied a pending certificate request.%n%t%nRequest ID:%t%1

´Certificate Services received a resubmitted certificate request.%n%t%nRequest ID:%t%1

¬Certificate Services revoked a certificate.%n%t%nSerial Number:%t%1%nReason:%t%2

8Certificate Services received a request to publish the certificate revocation list (CRL).%n%t%nNext Update:%t%1%nPublish Base:%t%2%nPublish Delta:%t%3

PCertificate Services published the certificate revocation list (CRL).%n%t%nBase CRL:%t%1%nCRL Number:%t%2%nKey Container:%t%3%nNext Publish:%t%4%nPublish URLs:%t%5

àA certificate request extension changed.%n%t%nRequest ID:%t%1%nName:%t%2%nType:%t%3%nFlags:%t%4%nData:%t%5

¼One or more certificate request attributes changed.%n%t%nRequest ID:%t%1%nAttributes:%t%2

tCertificate Services received a request to shut down.

|Certificate Services backup started.%n%nBackup Type:%t%1

XCertificate Services backup completed.

TCertificate Services restore started.

XCertificate Services restore completed.

0Certificate Services started.%n%t%nCertificate Database Hash:%t%1%nPrivate Key Usage Count:%t%2%nCA Certificate Hash:%t%3%nCA Public Key Hash:%t%4

0Certificate Services stopped.%n%t%nCertificate Database Hash:%t%1%nPrivate Key Usage Count:%t%2%nCA Certificate Hash:%t%3%nCA Public Key Hash:%t%4

The security permissions for Certificate Services changed.%n%t%n%1

”Certificate Services retrieved an archived key.%n%t%nRequest ID:%t%1

ÔCertificate Services imported a certificate into its database.%n%t%nCertificate:%t%1%nRequest ID:%t%2

The audit filter for Certificate Services changed.%n%t%nFilter:%t%1

àCertificate Services received a certificate request.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3

hCertificate Services approved a certificate request and issued a certificate.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6

4Certificate Services denied a certificate request.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6

`Certificate Services set the status of a certificate request to pending.%n%t%nRequest ID:%t%1%nRequester:%t%2%nAttributes:%t%3%nDisposition:%t%4%nSKI:%t%t%5%nSubject:%t%6

¼The certificate manager settings for Certificate Services changed.%n%t%nEnable:%t%1%n%n%2

ÄA configuration entry changed in Certificate Services.%n%t%nNode:%t%1%nEntry:%t%2%nValue:%t%3

ÌA property of Certificate Services changed.%n%t%nProperty:%t%1%nIndex:%t%2%nType:%t%3%nValue:%t%4

ÀCertificate Services archived a key.%n%t%nRequest ID:%t%1%nRequester:%t%2%nKRA Hashes:%t%3

˜Certificate Services imported and archived a key.%n%t%nRequest ID:%t%1

0Certificate Services published the CA certificate to Active Directory Domain Services.%n%t%nCertificate Hash:%t%1%nValid From:%t%2%nValid To:%t%t%3

ôOne or more rows have been deleted from the certificate database.%n%t%nTable ID:%t%1%nFilter:%t%2%nRows Deleted:%t%3

DRole separation enabled:%t%1

¤Certificate Services loaded a template.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Information:%n%tTemplate Content:%t%t%7%n%tSecurity Descriptor:%t%t%8%n%nAdditional Information:%n%tDomain Controller:%t%6

ÄA Certificate Services template was updated.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Change Information:%n%tOld Template Content:%t%8%n%tNew Template Content:%t%t%7%n%nAdditional Information:%n%tDomain Controller:%t%6

\Certificate Services template security was updated.%n%n%1 v%2 (Schema V%3)%n%4%n%5%n%nTemplate Change Information:%n%tOld Template Content:%t%t%9%n%tNew Template Content:%t%7%n%tOld Security Descriptor:%t%t%10%n%tNew Security Descriptor:%t%t%8%n%nAdditional Information:%n%tDomain Controller:%t%6

¸The Per-user audit policy table was created.%n%nNumber of Elements:%t%1%nPolicy ID:%t%2

(An attempt was made to register a security event source.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%nEvent Source:%n%tSource Name:%t%5%n%tEvent Source ID:%t%6

(An attempt was made to unregister a security event source.%n%nSubject%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess:%n%tProcess ID:%t%7%n%tProcess Name:%t%8%n%nEvent Source:%n%tSource Name:%t%5%n%tEvent Source ID:%t%6

¤The CrashOnAuditFail value has changed.%n%nNew Value of CrashOnAuditFail:%t%1

Auditing settings on object were changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%11%n%tProcess Name:%t%12%n%nAuditing Settings:%n%tOriginal Security Descriptor:%t%9%n%tNew Security Descriptor:%t%t%10

àSpecial Groups Logon table modified.%n%nSpecial Groups:%t%1%n%nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.

àThe local policy settings for the TBS were changed.%n%nOld Blocked Ordinals:%t%1%nNew Blocked Ordinals:%t%2

LThe group policy settings for the TBS were changed.%n%nGroup Policy Setting:%t%tIgnore Default Settings%n%tOld Value:%t%t%1%n%tNew Value:%t%t%2%n%nGroup Policy Setting:%t%tIgnore Local Settings%n%tOld Value:%t%t%3%n%tNew Value:%t%t%4%n%nOld Blocked Ordinals:%t%5%nNew Blocked Ordinals:%t%6

DPer User Audit Policy was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nPolicy For Account:%n%tSecurity ID:%t%t%5%n%nPolicy Change Details:%n%tCategory:%t%6%n%tSubcategory:%t%7%n%tSubcategory GUID:%t%8%n%tChanges:%t%9

xAn Active Directory replica source naming context was established.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6

pAn Active Directory replica source naming context was removed.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6

tAn Active Directory replica source naming context was modified.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nSource Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6

ˆAn Active Directory replica destination naming context was modified.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nDestination Address:%t%3%nNaming Context:%t%4%nOptions:%t%t%5%nStatus Code:%t%6

„Synchronization of a replica of an Active Directory naming context has begun.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nNaming Context:%t%3%nOptions:%t%t%4%nSession ID:%t%5%nStart USN:%t%6

¤Synchronization of a replica of an Active Directory naming context has ended.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nNaming Context:%t%3%nOptions:%t%t%4%nSession ID:%t%5%nEnd USN:%t%6%nStatus Code:%t%7

hAttributes of an Active Directory object were replicated.%n%nSession ID:%t%1%nObject:%t%t%2%nAttribute:%t%3%nType of change:%t%4%nNew Value:%t%5%nUSN:%t%t%6%nStatus Code:%t%7

¤Replication failure begins.%n%nReplication Event:%t%1%nAudit Status Code:%t%2

ÜReplication failure ends.%n%nReplication Event:%t%1%nAudit Status Code:%t%2%nReplication Status Code:%t%3

A lingering object was removed from a replica.%n%nDestination DRA:%t%1%nSource DRA:%t%2%nObject:%t%3%nOptions:%t%4%nStatus Code:%t%5

€The following policy was active when the Windows Firewall started.%n%nGroup Policy Applied:%t%1%nProfile Used:%t%2%nOperational mode:%t%3%nAllow Remote Administration:%t%4%nAllow Unicast Responses to Multicast/Broadcast Traffic:%t%5%nSecurity Logging:%n%tLog Dropped Packets:%t%6%n%tLog Successful Connections:%t%7

øA rule was listed when the Windows Firewall started.%n%t%nProfile used:%t%1%n%nRule:%n%tRule ID:%t%2%n%tRule Name:%t%3

8A change was made to the Windows Firewall exception list. A rule was added.%n%t%nProfile Changed:%t%1%n%nAdded Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3

DA change was made to the Windows Firewall exception list. A rule was modified.%n%t%nProfile Changed:%t%1%n%nModified Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3

@A change was made to the Windows Firewall exception list. A rule was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Rule:%n%tRule ID:%t%2%n%tRule Name:%t%3

ˆWindows Firewall settings were restored to the default values.

äA Windows Firewall setting was changed.%n%t%nChanged Profile:%t%1%n%nNew Setting:%n%tType:%t%2%n%tValue:%t%3

(Windows Firewall ignored a rule because its major version number is not recognized.%n%t%nProfile:%t%1%n%nIgnored Rule:%n%tID:%t%2%n%tName:%t%3

 Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.%n%t%nProfile:%t%1%n%nPartially Ignored Rule:%n%tID:%t%2%n%tName:%t%3

(Windows Firewall ignored a rule because it could not be parsed.%n%t%nProfile:%t%1%n%nReason for Rejection:%t%2%n%nRule:%n%tID:%t%3%n%tName:%t%4

ÀGroup Policy settings for Windows Firewall were changed, and the new settings were applied.

˜Windows Firewall changed the active profile.%n%nNew Active Profile:%t%1

HWindows Firewall did not apply the following rule:%n%nRule Information:%n%tID:%t%1%n%tName:%t%2%n%nError Information:%n%tReason:%t%3 resolved to an empty set.

´Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:%n%nRule Information:%n%tID:%t%1%n%tName:%t%2%n%nError Information:%n%tError:%t%3%n%tReason:%t%4

pIPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2

”IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2

ŒIPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2

IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected.  This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2

”Special groups have been assigned to a new logon.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%tLogon GUID:%t%5%n%nNew Logon:%n%tSecurity ID:%t%t%6%n%tAccount Name:%t%t%7%n%tAccount Domain:%t%t%8%n%tLogon ID:%t%t%9%n%tLogon GUID:%t%10%n%tSpecial Groups Assigned:%t%11

(IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.%n%nRemote Network Address:%t%1%nInbound SA SPI:%t%t%2

(During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3

,During quick mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3

0During extended mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.%n%nLocal Network Address:%t%1%nRemote Network Address:%t%2%nKeying Module Name:%t%3

äIPsec main mode and extended mode security associations were established.%n%nMain Mode Local Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nMain Mode Remote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nMain Mode Cryptographic Information:%n%tCipher Algorithm:%t%8%n%tIntegrity Algorithm:%t%9%n%tDiffie-Hellman Group:%t%10%n%nMain Mode Security Association:%n%tLifetime (minutes):%t%11%n%tQuick Mode Limit:%t%12%n%tMain Mode SA ID:%t%16%n%t%nMain Mode Additional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%7%n%tRole:%t%t%t%13%n%tImpersonation State:%t%14%n%tMain Mode Filter ID:%t%15%n%nExtended Mode Information:%n%tLocal Principal Name:%t%17%n%tRemote Principal Name:%t%18%n%tAuthentication Method:%t%19%n%tImpersonation State:%t%20%n%tQuick Mode Filter ID:%t%21

èIPsec main mode and extended mode security associations were established.%n%nMain Mode Local Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nMain Mode Remote Endpoint:%n%tPrincipal Name:%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nMain Mode Cryptographic Information:%n%tCipher Algorithm:%t%8%n%tIntegrity Algorithm:%t%9%n%tDiffie-Hellman Group:%t%10%n%nMain Mode Security Association:%n%tLifetime (minutes):%t%11%n%tQuick Mode Limit:%t%12%n%tMain Mode SA ID:%t%16%n%t%nMain Mode Additional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%7%n%tRole:%t%t%t%13%n%tImpersonation State:%t%14%n%tMain Mode Filter ID:%t%15%n%nExtended Mode Local Endpoint:%n%tPrincipal Name:%t%17%n%tCertificate SHA Thumbprint:%t%18%n%tCertificate Issuing CA:%t%19%n%tCertificate Root CA:%t%20%n%nExtended Mode Remote Endpoint:%n%tPrincipal Name:%t%21%n%tCertificate SHA Thumbprint:%t%22%n%tCertificate Issuing CA:%t%23%n%tCertificate Root CA:%t%24%n%nExtended Mode Additional Information:%n%tAuthentication Method:%tSSL%n%tImpersonation State:%t%25%n%tQuick Mode Filter ID:%t%26

øIPsec main mode and extended mode security associations were established.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%13%n%tIntegrity Algorithm:%t%14%n%tDiffie-Hellman Group:%t%15%n%nSecurity Association Information:%n%tLifetime (minutes):%t%16%n%tQuick Mode Limit:%t%17%n%tMain Mode SA ID:%t%21%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%18%n%tImpersonation State:%t%19%n%tMain Mode Filter ID:%t%20%n%t%nExtended Mode Information:%n%tLocal Principal Name:%t%22%n%tRemote Principal Name:%t%23%n%tAuthentication Method:%t%24%n%tImpersonation State:%t%25%n%tQuick Mode Filter ID:%t%26

ü	IPsec main mode and extended mode security associations were established.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%n%tKeying Module Port:%t%9%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nCryptographic Information:%n%tCipher Algorithm:%t%12%n%tIntegrity Algorithm:%t%13%n%tDiffie-Hellman Group:%t%14%n%nSecurity Association Information:%n%tLifetime (minutes):%t%15%n%tQuick Mode Limit:%t%16%n%tMain Mode SA ID:%t%20%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%17%n%tImpersonation State:%t%18%n%tMain Mode Filter ID:%t%19%n%t%nExtended Mode Local Endpoint:%n%tPrincipal Name:%t%t%21%n%tCertificate SHA Thumbprint:%t%22%n%tCertificate Issuing CA:%t%23%n%tCertificate Root CA:%t%24%n%nExtended Mode Remote Endpoint:%n%tPrincipal Name:%t%t%25%n%tCertificate SHA Thumbprint:%t%26%n%tCertificate Issuing CA:%t%27%n%tCertificate Root CA:%t%28%nExtended Mode Additional Information:%n%tAuthentication Method:%tSSL%n%tImpersonation State:%t%29%n%tQuick Mode Filter ID:%t%30

ÈAn IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.%n%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%9%n%tKeying Module Port:%t%10%n%nLocal Certificate:%n%tSHA Thumbprint:%t%2%n%tIssuing CA:%t%t%3%n%tRoot CA:%t%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%5%n%tNetwork Address:%t%11%n%tKeying Module Port:%t%12%n%nRemote Certificate:%n%tSHA Thumbprint:%t%6%n%tIssuing CA:%t%t%7%n%tRoot CA:%t%t%8%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%tSSL%n%tRole:%t%t%t%16%n%tImpersonation State:%t%17%n%tQuick Mode Filter ID:%t%18%n%nFailure Information:%n%tFailure Point:%t%t%13%n%tFailure Reason:%t%t%14%n%tState:%t%t%t%15

dAn IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted.%n%nLocal Endpoint:%n%tPrincipal Name:%t%t%1%n%tNetwork Address:%t%3%n%tKeying Module Port:%t%4%n%nRemote Endpoint:%n%tPrincipal Name:%t%t%2%n%tNetwork Address:%t%5%n%tKeying Module Port:%t%6%n%nAdditional Information:%n%tKeying Module Name:%tAuthIP%n%tAuthentication Method:%t%9%n%tRole:%t%t%t%11%n%tImpersonation State:%t%12%n%tQuick Mode Filter ID:%t%13%n%nFailure Information:%n%tFailure Point:%t%t%7%n%tFailure Reason:%t%t%8%n%tState:%t%t%t%10

pThe state of a transaction has changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nTransaction Information:%n%tRM Transaction ID:%t%5%n%tNew State:%t%t%6%n%tResource Manager:%t%7%n%nProcess Information:%n%tProcess ID:%t%t%8%n%tProcess Name:%t%t%9

pThe Windows Firewall service started successfully.

\The Windows Firewall service was stopped.

lThe Windows Firewall service was unable to retrieve the security policy from the local storage. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1

(Windows Firewall was unable to parse the new security policy. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1

(The Windows Firewall service failed to initialize the driver. Windows Firewall will continue to enforce the current policy.%n%nError Code:%t%1

ŒThe Windows Firewall service failed to start.%n%nError Code:%t%1

Windows Firewall blocked an application from accepting incoming connections on the network.%n%nProfiles:%t%t%1%nApplication:%t%t%2

4Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.%n%nError Code:%t%1

lThe Windows Firewall Driver started successfully.

\The Windows Firewall Driver was stopped.

ˆThe Windows Firewall Driver failed to start.%n%nError Code:%t%1

ÈThe Windows Firewall Driver detected a critical runtime error, terminating.%n%nError Code:%t%1

¸Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.%n%nFile Name:%t%1%t

A registry key was virtualized.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tKey Name:%t%t%5%n%tVirtual Key Name:%t%t%6%n%nProcess Information:%n%tProcess ID:%t%t%7%n%tProcess Name:%t%t%8

HA change was made to IPsec settings. An authentication set was added.%n%t%nProfile Changed:%t%t%1%n%nAdded Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

TA change was made to IPsec settings. An authentication set was modified.%n%t%nProfile Changed:%t%t%1%n%nModified Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

PA change was made to IPsec settings. An authentication set was deleted.%n%t%nProfile Changed:%t%t%1%n%nDeleted Authentication Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

\A change was made to IPsec settings. A connection security rule was added.%n%t%nProfile Changed:%t%t%1%n%nAdded Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

dA change was made to IPsec settings. A connection security rule was modified.%n%t%nProfile Changed:%t%1%n%nModified Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

`A change was made to IPsec settings. A connection security rule was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Connection Security Rule:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

 A change was made to IPsec settings. A crypto set was added.%n%t%nProfile Changed:%t%1%n%nAdded Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

,A change was made to IPsec settings. A crypto set was modified.%n%t%nProfile Changed:%t%1%n%nModified Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

(A change was made to IPsec settings. A crypto set was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted Crypto Set:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

ðAn IPsec security association was deleted.%n%t%nProfile Changed:%t%1%n%nDeleted SA:%n%tID:%t%t%t%2%n%tName:%t%t%t%3

´An attempt to programmatically disable Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on this version of Windows. This is most likely due to a program that is incompatible with this version of Windows. Please contact the program's manufacturer to make sure you have a compatible program version.%n%nError Code:%t%tE_NOTIMPL%nCaller Process Name:%t%t%1%nProcess Id:%t%t%2%nPublisher:%t%t%3

A file was virtualized.%n%nSubject:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%t%4%n%nObject:%n%tFile Name:%t%t%t%5%n%tVirtual File Name:%t%6%n%nProcess Information:%n%tProcess ID:%t%t%t%7%n%tProcess Name:%t%t%t%8

pA cryptographic self test was performed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nModule:%t%t%5%n%nReturn Code:%t%6

DA cryptographic primitive operation failed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%t%5%n%tAlgorithm Name:%t%6%n%nFailure Information:%n%tReason:%t%t%t%7%n%tReturn Code:%t%t%8

ŒKey file operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nKey File Operation Information:%n%tFile Path:%t%9%n%tOperation:%t%10%n%tReturn Code:%t%11

`Key migration operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nAdditional Information:%n%tOperation:%t%9%n%tReturn Code:%t%10

`Verification operation failed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nFailure Information:%n%tReason:%t%9%n%tReturn Code:%t%10

dCryptographic operation.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Parameters:%n%tProvider Name:%t%5%n%tAlgorithm Name:%t%6%n%tKey Name:%t%7%n%tKey Type:%t%8%n%nCryptographic Operation:%n%tOperation:%t%9%n%tReturn Code:%t%10

¸A kernel-mode cryptographic self test was performed.%n%nModule:%t%1%n%nReturn Code:%t%2

ðA cryptographic provider operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCryptographic Provider:%n%tName:%t%5%n%tModule:%t%6%n%nOperation:%t%7%n%nReturn Code:%t%8

øA cryptographic context operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%nOperation:%t%7%n%nReturn Code:%t%8

PA cryptographic context modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%nChange Information:%n%tOld Value:%t%7%n%tNew Value:%t%8%n%nReturn Code:%t%9

dA cryptographic function operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tPosition:%t%9%n%nOperation:%t%10%n%nReturn Code:%t%11

œA cryptographic function modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%nChange Information:%n%tOld Value:%t%9%n%tNew Value:%t%10%n%nReturn Code:%t%11

œA cryptographic function provider operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProvider:%t%9%n%tPosition:%t%10%n%nOperation:%t%11%n%nReturn Code:%t%12

”A cryptographic function property operation was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProperty:%t%9%n%nOperation:%t%10%n%nValue:%t%11%n%nReturn Code:%t%12

ÐA cryptographic function property modification was attempted.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nConfiguration Parameters:%n%tScope:%t%5%n%tContext:%t%6%n%tInterface:%t%7%n%tFunction:%t%8%n%tProperty:%t%9%n%nChange Information:%n%tOld Value:%t%10%n%tNew Value:%t%11%n%nReturn Code:%t%12

HOCSP Responder Service Started.

HOCSP Responder Service Stopped.

äA Configuration entry changed in the OCSP Responder Service.%n%nCA Configuration ID:%t%t%1%nNew Value:%t%t%2

ØA configuration entry changed in the OCSP Responder Service.%n%nProperty Name:%t%t%1%nNew Value:%t%t%2

 A security setting was updated on OCSP Responder Service.%n%nNew Value:%t%1

A request was submitted to OCSP Responder Service. %n%nCertificate Serial Number: %1%nIssuer CA Name: %2%nRevocation Status: %3

(Signing Certificate was automatically updated by the OCSP Responder Service.%n%nCA Configuration ID:%t%t%1%nNew Signing Certificate Hash:%t%t%2

LThe OCSP Revocation Provider successfully updated the revocation information.%n%nCA Configuration ID:%t%t%1%nBase CRL Number:%t%t%2%nBase CRL This Update:%t%t%3%nBase CRL Hash:%t%t%4%nDelta CRL Number:%t%t%5%nDelta CRL Indicator:%t%t%6%nDelta CRL This Update:%t%t%7%nDelta CRL Hash:%t%t%8

DA directory service object was modified.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nAttribute:%n%tLDAP Display Name:%t%12%n%tSyntax (OID):%t%13%n%tValue:%t%14%n%t%nOperation:%n%tType:%t%15%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2

ˆA directory service object was created.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nOperation:%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2

´A directory service object was undeleted.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tOld DN:%t%9%n%tNew DN:%t%10%n%tGUID:%t%11%n%tClass:%t%12%n%t%nOperation:%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2

ÈA directory service object was moved.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%t%7%n%tType:%t%t%8%n%t%nObject:%n%tOld DN:%t%t%9%n%tNew DN:%t%10%n%tGUID:%t%t%11%n%tClass:%t%t%12%n%t%nOperation:%n%tCorrelation ID:%t%t%t%1%n%tApplication Correlation ID:%t%2

üA network share object was accessed.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tObject Type:%t%t%5%n%tSource Address:%t%t%6%n%tSource Port:%t%t%7%n%t%nShare Information:%n%tShare Name:%t%t%8%n%tShare Path:%t%t%9%n%nAccess Request Information:%n%tAccess Mask:%t%t%10%n%tAccesses:%t%t%11%n

´A directory service object was deleted.%n%t%nSubject:%n%tSecurity ID:%t%t%3%n%tAccount Name:%t%t%4%n%tAccount Domain:%t%t%5%n%tLogon ID:%t%t%6%n%t%nDirectory Service:%n%tName:%t%7%n%tType:%t%8%n%t%nObject:%n%tDN:%t%9%n%tGUID:%t%10%n%tClass:%t%11%n%t%nOperation:%n%tTree Delete:%t%12%n%tCorrelation ID:%t%1%n%tApplication Correlation ID:%t%2

 A network share object was added.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%t%n%tShare Name:%t%t%5%n%tShare Path:%t%t%6

<A network share object was modified.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%n%tObject Type:%t%t%5%n%tShare Name:%t%t%6%n%tShare Path:%t%t%7%n%tOld Remark:%t%t%8%n%tNew Remark:%t%t%9%n%tOld MaxUsers:%t%t%10%n%tNew Maxusers:%t%t%11%n%tOld ShareFlags:%t%t%12%n%tNew ShareFlags:%t%t%13%n%tOld SD:%t%t%t%14%n%tNew SD:%t%t%t%15%n

¤A network share object was deleted.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nShare Information:%t%n%tShare Name:%t%t%5%n%tShare Path:%t%t%6

ØA network share object was checked to see whether client can be granted desired access.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tObject Type:%t%t%5%n%tSource Address:%t%t%6%n%tSource Port:%t%t%7%n%t%nShare Information:%n%tShare Name:%t%t%8%n%tShare Path:%t%t%9%n%tRelative Target Name:%t%10%n%nAccess Request Information:%n%tAccess Mask:%t%t%11%n%tAccesses:%t%t%12%nAccess Check Results:%n%t%13%n

tThe Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.%n%nNetwork Information:%n%tType:%t%t%1

The DoS attack has subsided and normal processing is being resumed.%n%nNetwork Information:%n%tType:%t%t%1%n%tPackets Discarded:%t%t%t%2

ÈThe Windows Filtering Platform has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tEncapMethod:%t%t%5%n%tSnapControl:%t%t%6%n%tSnapOui:%t%t%7%n%tVlanTag:%t%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

øA more restrictive Windows Filtering Platform filter has blocked a packet.%n%nNetwork Information:%n%tDirection:%t%t%1%n%tSource Address:%t%t%t%2%n%tDestination Address:%t%3%n%tEtherType:%t%t%4%n%tEncapMethod:%t%t%5%n%tSnapControl:%t%t%6%n%tSnapOui:%t%t%7%n%tVlanTag:%t%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

The Windows Filtering Platform has blocked a packet.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

DA more restrictive Windows Filtering Platform filter has blocked a packet.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

üThe Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8

$The Windows Filtering Platform has permitted a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

 The Windows Filtering Platform has blocked a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

œThe Windows Filtering Platform has permitted a bind to a local port.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8

˜The Windows Filtering Platform has blocked a bind to a local port.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tSource Address:%t%t%3%n%tSource Port:%t%t%4%n%tProtocol:%t%t%5%n%nFilter Information:%n%tFilter Run-Time ID:%t%6%n%tLayer Name:%t%t%7%n%tLayer Run-Time ID:%t%8

8Spn check for SMB/SMB2 fails.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nSPN:%t%n%tSPN Name:%t%t%5%n%tError Code:%t%t%6%n%nServer Information:%n%tServer Names:%t%t%7%n%tConfigured Names:%t%t%8%n%tIP Addresses:%t%t%9

˜Credential Manager credentials were backed up.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event occurs when a user backs up their own Credential Manager credentials. A user (even an Administrator) cannot back up the credentials of an account other than his own.

ÄCredential Manager credentials were restored from a backup.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nThis event occurs when a user restores his Credential Manager credentials from a backup. A user (even an Administrator) cannot restore the credentials of an account other than his own.

PThe requested credentials delegation was disallowed by policy.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nCredential Delegation Information:%n%tSecurity Package:%t%5%n%tUser's UPN:%t%6%n%tTarget Server:%t%7%n%tCredential Type:%t%8

|The following callout was present when the Windows Filtering Platform Base Filtering Engine started.%n%nProvider Information:%t%n%tID:%t%t%1%n%tName:%t%t%2%n%nCallout Information:%n%tID:%t%t%3%n%tName:%t%t%4%n%tType:%t%t%5%n%tRun-Time ID:%t%6%n%nLayer Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tRun-Time ID:%t%9

€The following filter was present when the Windows Filtering Platform Base Filtering Engine started.%n%nProvider Information:%t%n%tID:%t%t%1%n%tName:%t%t%2%n%nFilter Information:%n%tID:%t%t%3%n%tName:%t%t%4%n%tType:%t%t%5%n%tRun-Time ID:%t%6%n%nLayer Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tRun-Time ID:%t%9%n%tWeight:%t%t%10%n%t%nAdditional Information:%n%tConditions:%t%11%n%tFilter Action:%t%12%n%tCallout ID:%t%13%n%tCallout Name:%t%14

PThe following provider was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nProvider Type:%t%3

ÜThe following provider context was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nProvider Context ID:%t%3%nProvider Context Name:%t%4%nProvider Context Type:%t%5

ÄThe following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.%n%t%nProvider ID:%t%1%nProvider Name:%t%2%nSub-layer ID:%t%3%nSub-layer Name:%t%4%nSub-layer Type:%t%5%nWeight:%t%t%6

DA Windows Filtering Platform callout has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tID:%t%t%4%n%tName:%t%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nCallout Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tType:%t%t%9%n%tRun-Time ID:%t%10%n%nLayer Information:%n%tID:%t%t%11%n%tName:%t%t%12%n%tRun-Time ID:%t%13

\A Windows Filtering Platform filter has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tID:%t%t%4%n%tName:%t%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nFilter Information:%n%tID:%t%t%7%n%tName:%t%t%8%n%tType:%t%t%9%n%tRun-Time ID:%t%10%n%nLayer Information:%n%tID:%t%t%11%n%tName:%t%t%12%n%tRun-Time ID:%t%13%n%nCallout Information:%n%tID:%t%t%17%n%tName:%t%t%18%n%nAdditional Information:%n%tWeight:%t%14%t%n%tConditions:%t%15%n%tFilter Action:%t%16

$A Windows Filtering Platform provider has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nChange Information:%n%tChange Type:%t%4%n%nProvider Information:%n%tID:%t%t%5%n%tName:%t%t%6%n%tType:%t%t%7

¤A Windows Filtering Platform provider context has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tProvider ID:%t%4%n%tProvider Name:%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nProvider Context:%n%tID:%t%7%n%tName:%t%8%n%tType:%t%9

4A Windows Filtering Platform sub-layer has been changed.%n%t%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%nProcess Information:%n%tProcess ID:%t%1%n%nProvider Information:%n%tProvider ID:%t%4%n%tProvider Name:%t%5%n%nChange Information:%n%tChange Type:%t%6%n%nSub-layer Information:%n%tSub-layer ID:%t%7%n%tSub-layer Name:%t%8%n%tSub-layer Type:%t%9%n%nAdditional Information:%n%tWeight:%t%10

äAn IPsec quick mode security association was established.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address Mask:%t%6%n%tPort:%t%t%t%7%n%tPrivate Address:%t%t%8%n%tTunnel Endpoint:%t%t%9%n%n%tProtocol:%t%t%10%n%tKeying Module Name:%t%11%n%nCryptographic Information:%n%tIntegrity Algorithm - AH:%t%12%n%tIntegrity Algorithm - ESP:%t%13%n%tEncryption Algorithm:%t%14%n%nSecurity Association Information:%n%tLifetime - seconds:%t%15%n%tLifetime - data:%t%t%16%n%tLifetime - packets:%t%17%n%tMode:%t%t%t%18%n%tRole:%t%t%t%19%n%tQuick Mode Filter ID:%t%20%n%tMain Mode SA ID:%t%21%n%tQuick Mode SA ID:%t%22%n%nAdditional Information:%n%tInbound SPI:%t%t%23%n%tOutbound SPI:%t%t%24%n%tVirtual Interface Tunnel ID:%t%t%25%n%tTraffic Selector ID:%t%t%26

àAn IPsec quick mode security association ended.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tPort:%t%t%t%2%n%tTunnel Endpoint:%t%t%3%n%nRemote Endpoint:%n%tNetwork Address:%t%4%n%tPort:%t%t%t%5%n%tTunnel Endpoint:%t%t%6%n%nAdditional Information:%n%tProtocol:%t%t%7%n%tQuick Mode SA ID:%t%8%n%tVirtual Interface Tunnel ID:%t%t%9%n%tTraffic Selector ID:%t%t%10

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

ÐIPsec Policy Agent applied Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1

üIPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.%n%nDN:%t%t%1%nError code:%t%t%2

üIPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1

4IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2

ÌIPsec Policy Agent applied local registry storage IPsec policy on the computer.%n%nPolicy:%t%t%1

IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2

€IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.%n%nPolicy:%t%t%1%nError Code:%t%t%2

¼IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.

ÔIPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.

ðIPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.

`IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

èIPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

IPsec Policy Agent polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

¸IPsec Policy Agent loaded local storage IPsec policy on the computer.%n%nPolicy:%t%t%1

ìIPsec Policy Agent failed to load local storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2

ÀIPsec Policy Agent loaded directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1

ôIPsec Policy Agent failed to load directory storage IPsec policy on the computer.%n%nPolicy:%t%t%1%nError Code:%t%t%2

ÐIPsec Policy Agent failed to add quick mode filter.%n%nQuick Mode Filter:%t%t%1%nError Code:%t%t%2

`The IPsec Policy Agent service was started.

dThe IPsec Policy Agent service was stopped. Stopping this service can put the computer at greater risk of network attack or expose the computer to potential security risks.

TIPsec Policy Agent failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

The IPsec Policy Agent service failed to initialize its RPC server. The service could not be started.%n%nError Code:%t%t%1

äThe IPsec Policy Agent service experienced a critical failure and has shut down. The shutdown of this service can put the computer at greater risk of network attack or expose the computer to potential security risks.%n%nError Code:%t%t%1

pIPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

xA request was made to authenticate to a wireless network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nNetwork Information:%n%tName (SSID):%t%t%1%n%tInterface GUID:%t%t%8%n%tLocal MAC Address:%t%7%n%tPeer MAC Address:%t%6%n%nAdditional Information:%n%tReason Code:%t%t%10 (%9)%n%tError Code:%t%t%11%n%tEAP Reason Code:%t%12%n%tEAP Root Cause String:%t%13%n%tEAP Error Code:%t%t%14

A request was made to authenticate to a wired network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nInterface:%n%tName:%t%t%t%1%n%nAdditional Information%n%tReason Code:%t%t%7 (%6)%n%tError Code:%t%t%8

 A Remote Procedure Call (RPC) was attempted.%n%nSubject:%n%tSID:%t%t%t%1%n%tName:%t%t%t%2%n%tAccount Domain:%t%t%3%n%tLogonId:%t%t%4%n%nProcess Information:%n%tPID:%t%t%t%5%n%tName:%t%t%t%6%n%nNetwork Information:%n%tRemote IP Address:%t%7%n%tRemote Port:%t%t%8%n%nRPC Attributes:%n%tInterface UUID:%t%t%9%n%tProtocol Sequence:%t%10%n%tAuthentication Service:%t%11%n%tAuthentication Level:%t%12

øAn object in the COM+ Catalog was modified.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Properties Modified:%t%7

pAn object was deleted from the COM+ Catalog.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Details:%t%t%t%7%nThis event occurs when an object is deleted from the COM+ catalog.

àAn object was added to the COM+ Catalog.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tCOM+ Catalog Collection:%t%5%n%tObject Name:%t%t%t%6%n%tObject Details:%t%t%t%7

ìSecurity policy in the group policy objects has been applied successfully. %n%nReturn Code:%t%1%n%nGPO List:%n%2

One or more errors occured while processing security policy in the group policy objects.%n%nError Code:%t%1%nGPO List:%n%2

Network Policy Server granted access to a user.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tLogging Results:%t%t%t%27%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tSession Identifier:%t%t%t%26%n

ÜNetwork Policy Server denied access to a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tLogging Results:%t%t%t%27%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n

´Network Policy Server discarded the request for a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n

ÈNetwork Policy Server discarded the accounting request for a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n

˜Network Policy Server quarantined a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n

„	Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n%tQuarantine Grace Time:%t%t%30%n

xNetwork Policy Server granted full access to a user because the host met the defined health policy.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tConnection Request Policy Name:%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tExtended-Result:%t%t%t%26%n%tSession Identifier:%t%t%t%27%n%tHelp URL:%t%t%t%28%n%tSystem Health Validator Result(s):%t%29%n

¼Network Policy Server locked the user account due to repeated failed authentication attempts.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n

dNetwork Policy Server unlocked the user account.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.%n%nFile Name:%t%1%t

XBranchCache: Received an incorrectly formatted response while discovering availability of content. %n%nIP address of the client that sent this response:%t%t%t%1%n%t%n

BranchCache: Received invalid data from a peer. Data discarded. %n%nIP address of the client that sent this data:%t%t%t%1%n%t%n

@BranchCache: The message to the hosted cache offering it data is incorrectly formatted. %n%nIP address of the client that sent this message: %t%t%t%1%n%t%n

TBranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. %n%nDomain name of the hosted cache is:%t%t%t%1%n%t%n

XBranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. %n%nDomain name of the hosted cache:%t%t%t%1%n%t%nError Code:%t%t%t%2%n%t%n

xBranchCache: %2 instance(s) of event id %1 occurred.%n

¨%1 registered to Windows Firewall to control filtering for the following: %n%2.

%1

ÀRegistered product %1 failed and Windows Firewall is now controlling the filtering for %2.

`Highest System-Defined Audit Message Value.

Info

 Information

4Security State Change

<Security System Extension

,System Integrity

$IPsec Driver

0Other System Events

Logon

Logoff

(Account Lockout

(IPsec Main Mode

$Special Logon

,IPsec Quick Mode

0IPsec Extended Mode

<Other Logon/Logoff Events

4Network Policy Server

 File System

Registry

$Kernel Object

SAM

@Other Object Access Events

8Certification Services

4Application Generated

0Handle Manipulation

 File Share

HFiltering Platform Packet Drop

DFiltering Platform Connection

0Detailed File Share

8Sensitive Privilege Use

@Non Sensitive Privilege Use

@Other Privilege Use Events

,Process Creation

0Process Termination

(DPAPI Activity

 RPC Events

0Audit Policy Change

DAuthentication Policy Change

@Authorization Policy Change

HMPSSVC Rule-Level Policy Change

LFiltering Platform Policy Change

@Other Policy Change Events

8User Account Management

@Computer Account Management

<Security Group Management

DDistribution Group Management

DApplication Group Management

HOther Account Management Events

<Directory Service Access

<Directory Service Changes

DDirectory Service Replication

XDetailed Directory Service Replication

4Credential Validation

PKerberos Service Ticket Operations

@Other Account Logon Events

HKerberos Authentication Service

PSubcategory could not be determined

TMicrosoft Windows security auditing.

Security

øThe system time was changed.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tProcess ID:%t%9%n%tName:%t%t%10%n%nPrevious Time:%t%t%6 %5%nNew Time:%t%t%8 %7%n%nThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

„An IPsec quick mode negotiation failed.%n%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tAddress Mask:%t%t%6%n%tPort:%t%t%t%7%n%tTunnel Endpoint:%t%t%8%n%tPrivate Address:%t%t%10%n%nAdditional Information:%n%tProtocol:%t%t%9%n%tKeying Module Name:%t%11%n%tMode:%t%t%t%14%n%tRole:%t%t%t%16%n%tQuick Mode Filter ID:%t%18%n%tMain Mode SA ID:%t%19%n%nFailure Information:%n%tState:%t%t%t%15%n%tMessage ID:%t%t%17%n%tFailure Point:%t%t%12%n%tFailure Reason:%t%t%13

ÄA handle to an object was requested.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%t%5%n%tObject Type:%t%t%6%n%tObject Name:%t%t%7%n%tHandle ID:%t%t%8%n%nProcess Information:%n%tProcess ID:%t%t%14%n%tProcess Name:%t%t%15%n%nAccess Request Information:%n%tTransaction ID:%t%t%9%n%tAccesses:%t%t%10%n%tAccess Mask:%t%t%11%n%tPrivileges Used for Access Check:%t%12%n%tRestricted SID Count:%t%13

ÌA handle to an object was requested.%n%nSubject :%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nObject:%n%tObject Server:%t%5%n%tObject Type:%t%6%n%tObject Name:%t%7%n%tHandle ID:%t%8%n%nProcess Information:%n%tProcess ID:%t%15%n%tProcess Name:%t%16%n%nAccess Request Information:%n%tTransaction ID:%t%9%n%tAccesses:%t%10%n%tAccess Mask:%t%11%n%tPrivileges Used for Access Check:%t%12%n%tProperties:%t%13%n%tRestricted SID Count:%t%14

p
A new process has been created.%n%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nProcess Information:%n%tNew Process ID:%t%t%5%n%tNew Process Name:%t%6%n%tToken Elevation Type:%t%7%n%tCreator Process ID:%t%8%n%nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.%n%nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.%n%nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.%n%nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

RPC detected an integrity violation while decrypting an incoming message.%n%nPeer Name:%t%1%nProtocol Sequence:%t%2%nSecurity Error:%t%3

pA request was submitted to OCSP Responder Service.

äA network share object was accessed.%n%t%nSubject:%n%tSecurity ID:%t%t%1%n%tAccount Name:%t%t%2%n%tAccount Domain:%t%t%3%n%tLogon ID:%t%t%4%n%nNetwork Information:%t%n%tSource Address:%t%t%5%n%tSource Port:%t%t%6%n%t%nShare Name:%t%t%t%7

$The Windows Filtering Platform has permitted a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

 The Windows Filtering Platform has blocked a connection.%n%nApplication Information:%n%tProcess ID:%t%t%1%n%tApplication Name:%t%2%n%nNetwork Information:%n%tDirection:%t%t%3%n%tSource Address:%t%t%4%n%tSource Port:%t%t%5%n%tDestination Address:%t%6%n%tDestination Port:%t%t%7%n%tProtocol:%t%t%8%n%nFilter Information:%n%tFilter Run-Time ID:%t%9%n%tLayer Name:%t%t%10%n%tLayer Run-Time ID:%t%11

XAn IPsec quick mode security association was established.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tNetwork Address mask:%t%2%n%tPort:%t%t%t%3%n%tTunnel Endpoint:%t%t%4%n%nRemote Endpoint:%n%tNetwork Address:%t%5%n%tNetwork Address Mask:%t%6%n%tPort:%t%t%t%7%n%tPrivate Address:%t%t%8%n%tTunnel Endpoint:%t%t%9%n%n%tProtocol:%t%t%10%n%tKeying Module Name:%t%11%n%nCryptographic Information:%n%tIntegrity Algorithm - AH:%t%12%n%tIntegrity Algorithm - ESP:%t%13%n%tEncryption Algorithm:%t%14%n%nSecurity Association Information:%n%tLifetime - seconds:%t%15%n%tLifetime - data:%t%t%16%n%tLifetime - packets:%t%17%n%tMode:%t%t%t%18%n%tRole:%t%t%t%19%n%tQuick Mode Filter ID:%t%20%n%tMain Mode SA ID:%t%21%n%tQuick Mode SA ID:%t%22%n%nAdditional Information:%n%tInbound SPI:%t%t%23%n%tOutbound SPI:%t%t%24

TAn IPsec quick mode security association ended.%n%t%nLocal Endpoint:%n%tNetwork Address:%t%1%n%tPort:%t%t%t%2%n%tTunnel Endpoint:%t%t%3%n%nRemote Endpoint:%n%tNetwork Address:%t%4%n%tPort:%t%t%t%5%n%tTunnel Endpoint:%t%t%6%n%nAdditional Information:%n%tProtocol:%t%t%7%n%tQuick Mode SA ID:%t%8

ÔA request was made to authenticate to a wireless network.%n%nSubject:%n%tSecurity ID:%t%t%2%n%tAccount Name:%t%t%3%n%tAccount Domain:%t%t%4%n%tLogon ID:%t%t%5%n%nNetwork Information:%n%tName (SSID):%t%t%1%n%tInterface GUID:%t%t%8%n%tLocal MAC Address:%t%7%n%tPeer MAC Address:%t%6%n%nAdditional Information:%n%tReason Code:%t%t%10 (%9)%n%tError Code:%t%t%11

@Network Policy Server granted access to a user.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tProxy Policy Name:%t%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%nQuarantine Information:%n%tResult:%t%t%t%t%25%n%tSession Identifier:%t%t%t%26%n

ŒNetwork Policy Server denied access to a user.%n%nContact the Network Policy Server administrator for more information.%n%nUser:%n%tSecurity ID:%t%t%t%1%n%tAccount Name:%t%t%t%2%n%tAccount Domain:%t%t%t%3%n%tFully Qualified Account Name:%t%4%n%nClient Machine:%n%tSecurity ID:%t%t%t%5%n%tAccount Name:%t%t%t%6%n%tFully Qualified Account Name:%t%7%n%tOS-Version:%t%t%t%8%n%tCalled Station Identifier:%t%t%9%n%tCalling Station Identifier:%t%t%10%n%nNAS:%n%tNAS IPv4 Address:%t%t%11%n%tNAS IPv6 Address:%t%t%12%n%tNAS Identifier:%t%t%t%13%n%tNAS Port-Type:%t%t%t%14%n%tNAS Port:%t%t%t%15%n%nRADIUS Client:%n%tClient Friendly Name:%t%t%16%n%tClient IP Address:%t%t%t%17%n%nAuthentication Details:%n%tProxy Policy Name:%t%t%18%n%tNetwork Policy Name:%t%t%19%n%tAuthentication Provider:%t%t%20%n%tAuthentication Server:%t%t%21%n%tAuthentication Type:%t%t%22%n%tEAP Type:%t%t%t%23%n%tAccount Session Identifier:%t%t%24%n%tReason Code:%t%t%t%25%n%tReason:%t%t%t%t%26%n

CRIM€¹%–„TxT”I¥º>;(Ã
$WEVT\¹ŒÀœZÌZ[€ooCHAN4¨
SecurityTTBLÜYsTEMP€½‰-ø€p"@#!Õˆœÿÿ~D‚	EventDataAÿÿ]ŠoDataEK•NameAuthenticationPackageName
”8AuthenticationPackageNameTEMP¬>Ž‹Dµ}¯æ.Þ(™Úÿÿ¬D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿKŠoData3K•NameLogonProcessName
4X€¤$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId(LogonProcessNameTEMPØlB}§º¿7yêËŽY29GÿÿjD‚	EventDataAÿÿIŠoData1K•NameAuditsDiscarded
€$AuditsDiscardedTEMPøT+eÝÕ—Yw"@3MÚxÿÿzD‚	EventDataAÿÿYŠoDataAK•NameNotificationPackageName
h4NotificationPackageNameTEMPhT	»Æ;w`×>›ùÿ†þ¯ÿÿ„D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿIŠoData1K•NameInvalidCallName
AÿÿGŠoData/K•NameServerPortName
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ô	
<
d
ˆ
¬
Ð
è
$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$InvalidCallName$ServerPortNameProcessIdProcessNameTEMP(

4>¡¨§p¼:?3Ã¼I'~¿ÿÿúD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NamePreviousDate
AÿÿCŠoData+K•NamePreviousTime
Aÿÿ9ŠoData!K•NameNewDate
Aÿÿ9ŠoData!K•NameNewTime
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
	ü Dl°Ðäø$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PreviousDate PreviousTimeNewDateNewTimeProcessIdProcessNameTEMP@Ð	·C…^Å9Ó”ÞÙõ|>¦ÿÿpD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NamePreviousTime
Aÿÿ9ŠoData!K•NameNewTime
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
p”¸à$8P$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PreviousTimeNewTimeProcessIdProcessNameTEMP,9pj'$nf§Z¥þÆ˜¹ÿÿdD‚	EventDataAÿÿ9ŠoData!K•NameEventId
AÿÿCŠoData+K•NameComputerName
AÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetUserDomain
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ?ŠoData'K•Name
EventCount
Aÿÿ;ŠoData#K•NameDuration
¤¸ØøDd€EventId ComputerName TargetUserSid$TargetUserName(TargetUserDomain TargetLogonIdEventCountDurationTEMPðDñì£Ëíál²²ÑW?Ò=ÿÿvD‚	EventDataAÿÿUŠoData=K•NameCrashOnAuditFailValue
X0CrashOnAuditFailValueTEMPè0»¸9ÿeIç‰€CÙf·ÿÿrD‚	EventDataAÿÿQŠoData9K•NameSecurityPackageName
D,SecurityPackageNameTEMPt
¼ ï:ÚÁ¹öÇ¬r›fË8(ÿÿD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ=ŠoData%K•Name	LogonType
AÿÿKŠoData3K•NameLogonProcessName
	Aÿÿ]ŠoDataEK•NameAuthenticationPackageName
AÿÿIŠoData1K•NameWorkstationName
Aÿÿ=ŠoData%K•Name	LogonGuid
AÿÿQŠoData9K•NameTransmittedServices

AÿÿEŠoData-K•Name
LmPackageName
Aÿÿ=ŠoData%K•Name	KeyLength
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
L"p"”"¼"à"#$#L#l#„#¬#ä#$ $L$l$„$œ$¸$Ð$$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdLogonType(LogonProcessName8AuthenticationPackageName$WorkstationNameLogonGuid,TransmittedServices LmPackageNameKeyLengthProcessIdProcessNameIpAddressIpPortTEMPØ
l+z¢ðúGü~6Ýú_ž¶¿	ÿÿTD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ7ŠoDataK•NameStatus
AÿÿEŠoData-K•Name
FailureReason
Aÿÿ=ŠoData%K•Name	SubStatus
	Aÿÿ=ŠoData%K•Name	LogonType
AÿÿKŠoData3K•NameLogonProcessName
Aÿÿ]ŠoDataEK•NameAuthenticationPackageName
AÿÿIŠoData1K•NameWorkstationName

AÿÿQŠoData9K•NameTransmittedServices
AÿÿEŠoData-K•Name
LmPackageName
Aÿÿ=ŠoData%K•Name	KeyLength
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
-4-X-€-¤-Ä-è-.$.D.\.t.œ.Ô.ø.$/D/\/t//¨/$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId TargetUserSid$TargetUserName(TargetDomainNameStatus FailureReasonSubStatusLogonType(LogonProcessName8AuthenticationPackageName$WorkstationName,TransmittedServices LmPackageNameKeyLengthProcessIdProcessNameIpAddressIpPortTEMPÔˆ1˜gèjn‡-P‹ÿv‘‹ÿÿ–D‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ=ŠoData%K•Name	LogonType
ì1202X2x2 TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdLogonTypeTEMPÌ(3é/e)¾<F~=¨ÈÐ—ºRÿÿdD‚	EventDataAÿÿCŠoData+K•Namenotification
<3 notificationTEMPdä4-{NŽ¯EßÄ•34èÉ¦ÿÿRD‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
45T5x5 5 TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdTEMP@(:`/skbðhP3å'vÿÿ4D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	LogonGuid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿIŠoData1K•NameTargetLogonGuid
AÿÿKŠoData3K•NameTargetServerName
Aÿÿ?ŠoData'K•Name
TargetInfo
	Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort

@;d;ˆ;°;Ô;ì;<8<\<„< <¸<Ô<ì<$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdLogonGuid$TargetUserName(TargetDomainName$TargetLogonGuid(TargetServerNameTargetInfoProcessIdProcessNameIpAddressIpPortTEMP4

XA!  OAxýv;3Æîÿÿ$D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿAŠoData)K•NameRequestType
AÿÿKŠoData3K•NameLogonProcessName
AÿÿUŠoData=K•NameAuthenticationPackage
AÿÿIŠoData1K•NameWorkstationName
	AÿÿQŠoData9K•NameTransmittedServices
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
\B€B¤BÌBðBC<CXC€C°CÔCDD$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$TargetUserName(TargetDomainNameRequestType(LogonProcessName0AuthenticationPackage$WorkstationName,TransmittedServicesProcessIdProcessNameTEMP°tIÀÊUíá$Z.’ÈÈ©ßÿÿD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
Aÿÿ?ŠoData'K•Name
KeyModName
AÿÿCŠoData+K•NameMMAuthMethod
AÿÿAŠoData)K•NameMMCipherAlg
AÿÿGŠoData/K•NameMMIntegrityAlg
	Aÿÿ9ŠoData!K•NameDHGroup
Aÿÿ?ŠoData'K•Name
MMLifetime
Aÿÿ9ŠoData!K•NameQMLimit
Aÿÿ3ŠoDataK•NameRole

AÿÿSŠoData;K•NameMMImpersonationState
Aÿÿ?ŠoData'K•Name
MMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

ÈJøJ(KHKlKŒK´KÐKðKL0LDL`LtL„L

´L

ÐL0LocalMMPrincipalName0RemoteMMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPortKeyModName MMAuthMethodMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAIDTEMPìTåP{@¢˜¶v0)ÿÿîD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿIŠoData1K•NameLocalMMCertHash
AÿÿKŠoData3K•NameLocalMMIssuingCA
AÿÿEŠoData-K•Name
LocalMMRootCA
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿKŠoData3K•NameRemoteMMCertHash
AÿÿMŠoData5K•NameRemoteMMIssuingCA
AÿÿGŠoData/K•NameRemoteMMRootCA
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
	AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
Aÿÿ?ŠoData'K•Name
KeyModName
AÿÿCŠoData+K•NameMMAuthMethod

AÿÿAŠoData)K•NameMMCipherAlg
AÿÿGŠoData/K•NameMMIntegrityAlg
Aÿÿ9ŠoData!K•NameDHGroup
Aÿÿ?ŠoData'K•Name
MMLifetime
Aÿÿ9ŠoData!K•NameQMLimit
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState
Aÿÿ?ŠoData'K•Name
MMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

ÔUV(VPVpV VÈVðVW4WXWxW W¼WÜWøWX0XLX`XpX

 X

¼X0LocalMMPrincipalName$LocalMMCertHash(LocalMMIssuingCA LocalMMRootCA0RemoteMMPrincipalName(RemoteMMCertHash(RemoteMMIssuingCA$RemoteMMRootCA LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPortKeyModName MMAuthMethodMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAIDTEMP°Ì_Æ±ï%»(J5ÁªnÍa#zÂÿÿÆD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿIŠoData1K•NameLocalMMCertHash
AÿÿKŠoData3K•NameLocalMMIssuingCA
AÿÿEŠoData-K•Name
LocalMMRootCA
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿKŠoData3K•NameRemoteMMCertHash
AÿÿMŠoData5K•NameRemoteMMIssuingCA
AÿÿGŠoData/K•NameRemoteMMRootCA
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
	AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
Aÿÿ?ŠoData'K•Name
KeyModName
AÿÿCŠoData+K•NameFailurePoint

AÿÿEŠoData-K•Name
FailureReason
AÿÿCŠoData+K•NameMMAuthMethod
Aÿÿ5ŠoDataK•NameState
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState
Aÿÿ?ŠoData'K•Name
MMFilterID

AÿÿIŠoData1K•NameInitiatorCookie
AÿÿIŠoData1K•NameResponderCookie
„a´aØab bPbxb bÄbäbc(cPclcŒc¬cÌcÜcìc

d8d\d0LocalMMPrincipalName$LocalMMCertHash(LocalMMIssuingCA LocalMMRootCA0RemoteMMPrincipalName(RemoteMMCertHash(RemoteMMIssuingCA$RemoteMMRootCA LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPortKeyModName FailurePoint FailureReason MMAuthMethodStateRole0MMImpersonationStateMMFilterID$InitiatorCookie$ResponderCookieTEMPt˜iáý¨Ñá,çZJ)Þò8xÿÿäD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
Aÿÿ?ŠoData'K•Name
KeyModName
AÿÿCŠoData+K•NameFailurePoint
AÿÿEŠoData-K•Name
FailureReason
AÿÿCŠoData+K•NameMMAuthMethod
	Aÿÿ5ŠoDataK•NameState
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState
Aÿÿ?ŠoData'K•Name
MMFilterID


AÿÿIŠoData1K•NameInitiatorCookie
AÿÿIŠoData1K•NameResponderCookie
Øjk8kXk|kœkÄkàkl l@lPl`l

l¬lÐl0LocalMMPrincipalName0RemoteMMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPortKeyModName FailurePoint FailureReason MMAuthMethodStateRole0MMImpersonationStateMMFilterID$InitiatorCookie$ResponderCookieTEMPp	¬r›O{NCs>–EDD5e:Pÿÿ‚D‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿKŠoData3K•NameLocalAddressMask
Aÿÿ=ŠoData%K•Name	LocalPort
AÿÿQŠoData9K•NameLocalTunnelEndpoint
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿMŠoData5K•NameRemoteAddressMask
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿSŠoData;K•NameRemoteTunnelEndpoint
Aÿÿ;ŠoData#K•NameProtocol
AÿÿSŠoData;K•NameRemotePrivateAddress
	Aÿÿ?ŠoData'K•Name
KeyModName
AÿÿCŠoData+K•NameFailurePoint
AÿÿEŠoData-K•Name
FailureReason
Aÿÿ3ŠoDataK•NameMode

Aÿÿ5ŠoDataK•NameState
Aÿÿ3ŠoDataK•NameRole
Aÿÿ=ŠoData%K•Name	MessageID
Aÿÿ?ŠoData'K•Name
QMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

(tHtptˆt´tÔtütuHu`uu¬uÌuìuüuvv

4v

Pv LocalAddress(LocalAddressMaskLocalPort,LocalTunnelEndpoint RemoteAddress(RemoteAddressMaskRemotePort0RemoteTunnelEndpointProtocol0RemotePrivateAddressKeyModName FailurePoint FailureReasonModeStateRoleMessageIDQMFilterIDMMSAIDTEMPl
°|9/žnió`¸|#ÉÚÿÿD‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿKŠoData3K•NameLocalAddressMask
Aÿÿ=ŠoData%K•Name	LocalPort
AÿÿQŠoData9K•NameLocalTunnelEndpoint
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿMŠoData5K•NameRemoteAddressMask
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿSŠoData;K•NameRemoteTunnelEndpoint
Aÿÿ;ŠoData#K•NameProtocol
AÿÿSŠoData;K•NameRemotePrivateAddress
	Aÿÿ?ŠoData'K•Name
KeyModName
AÿÿCŠoData+K•NameFailurePoint
AÿÿEŠoData-K•Name
FailureReason
Aÿÿ3ŠoDataK•NameMode

Aÿÿ5ŠoDataK•NameState
Aÿÿ3ŠoDataK•NameRole
Aÿÿ=ŠoData%K•Name	MessageID
Aÿÿ?ŠoData'K•Name
QMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

Aÿÿ;ŠoData#K•NameTunnelId

AÿÿMŠoData5K•NameTrafficSelectorId

T~t~œ~´~à~(DtŒ¼Øø€(€8€H€

`€

|€

€

¨€ LocalAddress(LocalAddressMaskLocalPort,LocalTunnelEndpoint RemoteAddress(RemoteAddressMaskRemotePort0RemoteTunnelEndpointProtocol0RemotePrivateAddressKeyModName FailurePoint FailureReasonModeStateRoleMessageIDQMFilterIDMMSAIDTunnelId(TrafficSelectorIdTEMP(8‚:úÎe¨>Çç‚!ÃÏ‡ÿÿ4D‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ?ŠoData'K•Name
KeyModName
Aÿÿ7ŠoDataK•NameMMSAID

ˆ‚¨‚È‚

ä‚ LocalAddress RemoteAddressKeyModNameMMSAIDTEMP´¤‡¹+tïiÒRMT(êF1âÒÿÿxD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
AÿÿEŠoData-K•Name
TransactionId
Aÿÿ?ŠoData'K•Name
AccessList
	Aÿÿ?ŠoData'K•Name
AccessMask
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿOŠoData7K•NameRestrictedSidCount
Aÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameProcessName
Ðˆôˆ‰@‰d‰„‰ ‰¼‰Ô‰ô‰Š,ŠLŠxŠŠ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleId TransactionIdAccessListAccessMask PrivilegeList,RestrictedSidCountProcessIdProcessNameTEMP4¤!N*´Útó‘T…pòÀÁÿÿÂD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
AÿÿEŠoData-K•Name
TransactionId
Aÿÿ?ŠoData'K•Name
AccessList
	AÿÿCŠoData+K•NameAccessReason
Aÿÿ?ŠoData'K•Name
AccessMask
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿOŠoData7K•NameRestrictedSidCount

Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ä‘,‘T‘x‘˜‘´‘Ð‘è‘’$’D’`’€’¬’Ä’$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleId TransactionIdAccessList AccessReasonAccessMask PrivilegeList,RestrictedSidCountProcessIdProcessNameTEMP 8—úŸô(S¢“¶Í¿%Óÿÿ"D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ObjectName
AÿÿIŠoData1K•NameObjectValueName
Aÿÿ;ŠoData#K•NameHandleId
AÿÿEŠoData-K•Name
OperationType
AÿÿCŠoData+K•NameOldValueType
Aÿÿ;ŠoData#K•NameOldValue
	AÿÿCŠoData+K•NameNewValueType
Aÿÿ;ŠoData#K•NameNewValue
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName

P˜t˜˜˜À˜ä˜™$™<™\™|™”™´™Ì™ä™$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdObjectName$ObjectValueNameHandleId OperationType OldValueTypeOldValue NewValueTypeNewValueProcessIdProcessNameTEMPH¨œcJùxå}ESñã]²çÅÿÿrD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
Hl¸Üüž,ž$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerHandleIdProcessIdProcessNameTEMP¨

X¢ÝåHè°¬`I®‡!ÇnFÿÿÚD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
AÿÿEŠoData-K•Name
TransactionId
Aÿÿ?ŠoData'K•Name
AccessList
	Aÿÿ?ŠoData'K•Name
AccessMask
AÿÿEŠoData-K•Name
PrivilegeList
Aÿÿ=ŠoData%K•Name	ProcessId
\£€£¤£Ì£ð£¤,¤H¤`¤€¤œ¤¸¤Ø¤$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleId TransactionIdAccessListAccessMask PrivilegeListProcessIdTEMPÈ		ä§ÜíG›µ;økÿV¢ßÿö˜ÿÿ¾D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
AÿÿEŠoData-K•Name
TransactionId
˜¨¼¨à¨©,©L©d©|©˜©$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerHandleIdProcessIdProcessName TransactionIdTEMP,¬®°Òàt+‚dóìvÖs#ÿÿ¾D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
AÿÿEŠoData-K•Name
TransactionId
Aÿÿ?ŠoData'K•Name
AccessList
	Aÿÿ?ŠoData'K•Name
AccessMask
AÿÿEŠoData-K•Name
PrivilegeList
Aÿÿ?ŠoData'K•Name
Properties
AÿÿOŠoData7K•NameRestrictedSidCount

Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ì¯°4°\°€° °¼°Ø°ð°±,±H±h±„±°±È±$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleId TransactionIdAccessListAccessMask PrivilegeListProperties,RestrictedSidCountProcessIdProcessNameTEMP¨ ·Ý¤ñ‡Hïap« w<•êÿÿD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
AÿÿEŠoData-K•Name
TransactionId
Aÿÿ?ŠoData'K•Name
AccessList
	AÿÿCŠoData+K•NameAccessReason
Aÿÿ?ŠoData'K•Name
AccessMask
AÿÿEŠoData-K•Name
PrivilegeList
Aÿÿ?ŠoData'K•Name
Properties

AÿÿOŠoData7K•NameRestrictedSidCount
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
t¸˜¸¼¸ä¸¹(¹D¹`¹x¹˜¹´¹Ô¹ð¹º,ºXºpº$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleId TransactionIdAccessList AccessReasonAccessMask PrivilegeListProperties,RestrictedSidCountProcessIdProcessNameTEMP<ð¾km<zI·[‚A5Ñx	ÿÿ.D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
AÿÿEŠoData-K•Name
OperationType
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ?ŠoData'K•Name
AccessList
	Aÿÿ?ŠoData'K•Name
AccessMask
Aÿÿ?ŠoData'K•Name
Properties
AÿÿGŠoData/K•NameAdditionalInfo
AÿÿIŠoData1K•NameAdditionalInfo2

À,ÀPÀxÀœÀ¼ÀØÀôÀÁ,ÁHÁdÁ€Á¤Á$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectName OperationTypeHandleIdAccessListAccessMaskProperties$AdditionalInfo$AdditionalInfo2TEMP ˆÅÖÊTæ-
âFÊ™X4-UpÿÿŠD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ?ŠoData'K•Name
AccessList
Aÿÿ?ŠoData'K•Name
AccessMask
	Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
xÆœÆÀÆèÆÇ,ÇHÇdÇ|Ç˜Ç´ÇÌÇ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleIdAccessListAccessMaskProcessIdProcessNameTEMPÐHÊ¢´^Dõ¥›–ŒòFÔé‚òÀÿÿ*D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameFileName
Aÿÿ;ŠoData#K•NameLinkName
AÿÿEŠoData-K•Name
TransactionId
ÔÊøÊËDËhË€Ë˜Ë$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdFileNameLinkName TransactionIdTEMP¨Í¸jxv– ‰SäJ(\Å‰Èÿÿ¼D‚	EventDataAÿÿ9ŠoData!K•NameAppName
AÿÿAŠoData)K•NameAppInstance

Aÿÿ?ŠoData'K•Name
ClientName
AÿÿCŠoData+K•NameClientDomain
AÿÿEŠoData-K•Name
ClientLogonId

Aÿÿ7ŠoDataK•NameStatus
 Î

4ÎPÎlÎ

ŒÎ¬ÎAppNameAppInstanceClientName ClientDomain ClientLogonIdStatusTEMP@Ò/ï’Ñè‰^(¸!7iÿÿD‚	EventDataAÿÿ9ŠoData!K•NameAppName
AÿÿAŠoData)K•NameAppInstance

Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ=ŠoData%K•Name	ScopeName
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿCŠoData+K•NameClientDomain
AÿÿEŠoData-K•Name
ClientLogonId

Aÿÿ3ŠoDataK•NameRole
Aÿÿ5ŠoDataK•NameGroup
AÿÿEŠoData-K•Name
OperationName
	AÿÿAŠoData)K•NameOperationId
äÒ

øÒÓ0ÓHÓdÓ

„Ó¤Ó´ÓÄÓäÓAppNameAppInstanceObjectNameScopeNameClientName ClientDomain ClientLogonIdRoleGroup OperationNameOperationIdTEMP¤´ÕÿåóPŸuæŽÆ5ýüýþÏÿÿ~D‚	EventDataAÿÿ9ŠoData!K•NameAppName
AÿÿAŠoData)K•NameAppInstance

Aÿÿ?ŠoData'K•Name
ClientName
AÿÿCŠoData+K•NameClientDomain
AÿÿEŠoData-K•Name
ClientLogonId

Ö

,ÖHÖdÖ

„ÖAppNameAppInstanceClientName ClientDomain ClientLogonIdTEMP˜Øë0©‚
öq¬ø2ne•ÁÿÿÀD‚	EventDataAÿÿ9ŠoData!K•NameAppName
AÿÿAŠoData)K•NameAppInstance

Aÿÿ?ŠoData'K•Name
ClientName
AÿÿCŠoData+K•NameClientDomain
AÿÿEŠoData-K•Name
ClientLogonId

Aÿÿ;ŠoData#K•NameStoreUrl
Ù

$Ù@Ù\Ù

|ÙœÙAppNameAppInstanceClientName ClientDomain ClientLogonIdStoreUrlTEMPô`ÝTØ®b¨ãb]ÁhËº‘ÿÿvD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ5ŠoDataK•NameOldSd
Aÿÿ5ŠoDataK•NameNewSd
	Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
PÞtÞ˜ÞÀÞäÞß ß<ßTßdßtßŒß$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleIdOldSdNewSdProcessIdProcessNameTEMPô„á®x«C‚Å“Â-žÿÿ¦D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
èáâ0âXâ|â$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPÀ		Œål§38P„ÙÖ°½`”H?ÄLÿÿ¼D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ9ŠoData!K•NameService
AÿÿEŠoData-K•Name
PrivilegeList
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
@ædæˆæ°æÔæôæç(ç@ç$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerService PrivilegeListProcessIdProcessNameTEMP( ëÐ§1Ù¾6(Î]çÞÃ6êåÿÿD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ?ŠoData'K•Name
AccessMask
AÿÿEŠoData-K•Name
PrivilegeList
	Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ì4ìXì€ì¤ìÄìàìüìí0íPíhí$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleIdAccessMask PrivilegeListProcessIdProcessNameTEMPðD•
[Ã¤É“¡—”Ý=ÿÿZD‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿCŠoData+K•NameTdoDirection
AÿÿEŠoData-K•Name
TdoAttributes
Aÿÿ9ŠoData!K•NameTdoType
Aÿÿ7ŠoDataK•NameTdoSid
Aÿÿ9ŠoData!K•NameSidList
´ðÔðøð ñ@ñ`ñtñˆñ TargetUserSid$TargetUserName(TargetDomainName TdoDirection TdoAttributesTdoTypeTdoSidSidListTEMP|\ô?Ã:[ø5‡ŠÛ·¤6Y§ÿÿŒD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameNewProcessId
AÿÿGŠoData/K•NameNewProcessName
AÿÿOŠoData7K•NameTokenElevationType
Aÿÿ=ŠoData%K•Name	ProcessId
üô õDõlõõ°õÔõö$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId NewProcessId$NewProcessName,TokenElevationTypeProcessIdTEMPô		 ù²|{ú‰µ‹{eßûÒoß[‚ÿÿÔD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameNewProcessId
AÿÿGŠoData/K•NameNewProcessName
AÿÿOŠoData7K•NameTokenElevationType
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameCommandLine
ÔùøùúDúhúˆú¬úØúðú$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId NewProcessId$NewProcessName,TokenElevationTypeProcessIdCommandLineTEMPÀdý«ÀTï(¶F 4Ì‡‚?Yÿÿ$D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameStatus
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ðýþ8þ`þ„þ˜þ°þ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdStatusProcessIdProcessNameTEMP˜>1&tjp¨ÏÍ`?ØçóH—ÿÿ–D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿGŠoData/K•NameSourceHandleId
AÿÿIŠoData1K•NameSourceProcessId
AÿÿGŠoData/K•NameTargetHandleId
AÿÿIŠoData1K•NameTargetProcessId
8\€¨Ìð8$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$SourceHandleId$SourceProcessId$TargetHandleId$TargetProcessIdTEMP¼		H¢âTèíÊ=ÑÆPÍó‘»ÿÿ¶D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ?ŠoData'K•Name
AccessList
Aÿÿ?ŠoData'K•Name
AccessMask
Aÿÿ=ŠoData%K•Name	ProcessId
ü Dl¬Èä$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdObjectTypeObjectNameAccessListAccessMaskProcessIdTEMPpÔ
»¯ä=
e“_¦6i1ÿÿˆD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿAŠoData)K•NameMasterKeyId
AÿÿGŠoData/K•NameRecoveryServer
AÿÿEŠoData-K•Name
RecoveryKeyId
AÿÿEŠoData-K•Name
FailureReason
t˜¼ä$Hh$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdMasterKeyId$RecoveryServer RecoveryKeyId FailureReasonTEMPè		Œh`Ef‰Ü¼oÎ9‡€ÿÿÎD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿAŠoData)K•NameMasterKeyId
AÿÿGŠoData/K•NameRecoveryReason
AÿÿGŠoData/K•NameRecoveryServer
AÿÿEŠoData-K•Name
RecoveryKeyId
Aÿÿ=ŠoData%K•Name	FailureId
@dˆ°Ôð8X$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdMasterKeyId$RecoveryReason$RecoveryServer RecoveryKeyIdFailureIdTEMP		Œƒ·—¤Óø>i\RÐûÍÿÿæD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿIŠoData1K•NameDataDescription
AÿÿAŠoData)K•NameMasterKeyId
AÿÿOŠoData7K•NameProtectedDataFlags
AÿÿKŠoData3K•NameCryptoAlgorithms
AÿÿEŠoData-K•Name
FailureReason
@dˆ°Ôø@h$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$DataDescriptionMasterKeyId,ProtectedDataFlags(CryptoAlgorithms FailureReasonTEMP		¤ƒ·—¤Óø>i\RÐûÍÿÿæD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿIŠoData1K•NameDataDescription
AÿÿAŠoData)K•NameMasterKeyId
AÿÿOŠoData7K•NameProtectedDataFlags
AÿÿKŠoData3K•NameCryptoAlgorithms
AÿÿEŠoData-K•Name
FailureReason
X| Èì,X€$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$DataDescriptionMasterKeyId,ProtectedDataFlags(CryptoAlgorithms FailureReasonTEMPˆ˜ûŒPt7.Í|a#Ç•vÿÿÂD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
AÿÿIŠoData1K•NameTargetProcessId
AÿÿMŠoData5K•NameTargetProcessName
	Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ˆ ¬ Ð ø !<!`!ˆ!¨!Ì!ô!"$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId TargetUserSid$TargetUserName(TargetDomainName TargetLogonId$TargetProcessId(TargetProcessNameProcessIdProcessNameTEMP		8%ùÕ\;Ò=Ê³P·4£{ÏÿÿÚD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿAŠoData)K•NameServiceName
AÿÿIŠoData1K•NameServiceFileName
AÿÿAŠoData)K•NameServiceType
AÿÿKŠoData3K•NameServiceStartType
AÿÿGŠoData/K•NameServiceAccount
ì%&4&\&€&œ&À&Ü&'$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdServiceName$ServiceFileNameServiceType(ServiceStartType$ServiceAccountTEMPX@)j¿æÌ7»l›3¡;§Öá6ÿÿäD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameTaskName
AÿÿAŠoData)K•NameTaskContent
¸)Ü)*(*L*d*$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTaskNameTaskContentTEMPX˜,j¿æÌ7»l›3¡;§Öá6ÿÿäD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameTaskName
AÿÿAŠoData)K•NameTaskContent
-4-X-€-¤-¼-$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTaskNameTaskContentTEMPXð/j¿æÌ7»l›3¡;§Öá6ÿÿäD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameTaskName
AÿÿAŠoData)K•NameTaskContent
h0Œ0°0Ø0ü01$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTaskNameTaskContentTEMPXH3j¿æÌ7»l›3¡;§Öá6ÿÿäD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameTaskName
AÿÿAŠoData)K•NameTaskContent
À3ä3404T4l4$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTaskNameTaskContentTEMPh¨6Ë;â&•Ôò3í‚!ó„Ž_ÿÿêD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameTaskName
AÿÿGŠoData/K•NameTaskContentNew
 7D7h77´7Ì7$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTaskName$TaskContentNewTEMPd:w,ÍWˆ¼ª$™|Ý\Š½ŠÿÿêD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿEŠoData-K•Name
PrivilegeList
ˆ:¬:Ð:ø:;4;$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTargetSid PrivilegeListTEMPdt=w,ÍWˆ¼ª$™|Ý\Š½ŠÿÿêD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿEŠoData-K•Name
PrivilegeList
ì=>4>\>€>˜>$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTargetSid PrivilegeListTEMPX

BG-¯qŸÄš–ofIÝþgÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
DomainName
Aÿÿ=ŠoData%K•Name	DomainSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ9ŠoData!K•NameTdoType
AÿÿCŠoData+K•NameTdoDirection
AÿÿEŠoData-K•Name
TdoAttributes
AÿÿQŠoData9K•NameSidFilteringEnabled
	ÈBäBüB CDClCC¤CÄCäCDomainNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTdoType TdoDirection TdoAttributes,SidFilteringEnabledTEMPX(FÀÝ&²´¥ÌŠOÐMriyÿÿäD‚	EventDataAÿÿ?ŠoData'K•Name
DomainName
Aÿÿ=ŠoData%K•Name	DomainSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
 F¼FÔFøFGDGDomainNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP€pH²¤Á{vEê`QØi^ž_ãÿÿÔD‚	EventDataAÿÿ7ŠoDataK•Nameparam1
Aÿÿ7ŠoDataK•Nameparam2
Aÿÿ7ŠoDataK•Nameparam3
¬HÀHÔHparam1param2param3TEMP´I¥Ù©c¢opó1G¸HîcÉÿÿ–D‚	EventDataAÿÿ7ŠoDataK•Nameparam1
Aÿÿ7ŠoDataK•Nameparam2
ÜIðIparam1param2TEMP´J¤N”&@¿F&ÃÁ*ÏNžÿÿXD‚	EventDataAÿÿ7ŠoDataK•Nameparam1
¤Jparam1TEMP´DK¤N”&@¿F&ÃÁ*ÏNžÿÿXD‚	EventDataAÿÿ7ŠoDataK•Nameparam1
XKparam1TEMPTMù÷¤GåJ³•o®/]Šæÿÿ´D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿSŠoData;K•NameKerberosPolicyChange
¸MÜMN(NLN$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId0KerberosPolicyChangeTEMPü\P×É„é§I¥Q9§ÛŒŒ÷ÿÿªD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿIŠoData1K•NameEfsPolicyChange
ÀPäPQ0QTQ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$EfsPolicyChangeTEMP4€S£a{1Êpêl £F¦‰4«ÿÿÒD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ5ŠoDataK•NameOldSd
Aÿÿ5ŠoDataK•NameNewSd
øST@ThTŒTœT$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdOldSdNewSdTEMPX

ôWaYŠS¬é½õ¥#ÉÚ^BÿÿD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
DomainName
Aÿÿ=ŠoData%K•Name	DomainSid
Aÿÿ9ŠoData!K•NameTdoType
AÿÿCŠoData+K•NameTdoDirection
AÿÿEŠoData-K•Name
TdoAttributes
AÿÿQŠoData9K•NameSidFilteringEnabled
	¼XàXY,YPYlY„Y˜Y¸YØY$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdDomainNameDomainSidTdoType TdoDirection TdoAttributes,SidFilteringEnabledTEMPd$\tzR1{áM9ož™XgÿÿêD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿEŠoData-K•Name
AccessGranted
œ\À\ä\]0]H]$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTargetSid AccessGrantedTEMPdˆ_o¨Ð_×\u°4'©ñ;¥Ë=ÿÿêD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿEŠoData-K•Name
AccessRemoved
`$`H`p`”`¬`$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTargetSid AccessRemovedTEMPˆ”cmO¥«?ð²öYOrGÿÿ’D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
CategoryId
AÿÿEŠoData-K•Name
SubcategoryId
AÿÿIŠoData1K•NameSubcategoryGuid
AÿÿOŠoData7K•NameAuditPolicyChanges
4dXd|d¤dÈdäde(e$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdCategoryId SubcategoryId$SubcategoryGuid,AuditPolicyChangesTEMP”
pmvÜ ZNî`øl7Ð¶ÿÿæD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
AÿÿAŠoData)K•NameDisplayName
	AÿÿMŠoData5K•NameUserPrincipalName
AÿÿEŠoData-K•Name
HomeDirectory
Aÿÿ;ŠoData#K•NameHomePath
Aÿÿ?ŠoData'K•Name
ScriptPath

AÿÿAŠoData)K•NameProfilePath
AÿÿKŠoData3K•NameUserWorkstations
AÿÿIŠoData1K•NamePasswordLastSet
AÿÿGŠoData/K•NameAccountExpires
AÿÿGŠoData/K•NamePrimaryGroupId
AÿÿQŠoData9K•NameAllowedToDelegateTo
AÿÿAŠoData)K•NameOldUacValue
AÿÿAŠoData)K•NameNewUacValue
AÿÿOŠoData7K•NameUserAccountControl
AÿÿGŠoData/K•NameUserParameters
Aÿÿ?ŠoData'K•Name
SidHistory
Aÿÿ?ŠoData'K•Name
LogonHours
xoœoÄoÜop$pLpppp´pÐpøpq0qLqhqq´qØqüq(rDr`rŒr°rÌr$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameDisplayName(UserPrincipalName HomeDirectoryHomePathScriptPathProfilePath(UserWorkstations$PasswordLastSet$AccountExpires$PrimaryGroupId,AllowedToDelegateToOldUacValueNewUacValue,UserAccountControl$UserParametersSidHistoryLogonHoursTEMPø\up!Ë† ¯}9Žw´§ÿÿ>D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
èuv4vLvpv”v¼v$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPx yNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
@zdzŒz¤zÈzìz{8{$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPøÌ}p!Ë† ¯}9Žw´§ÿÿ>D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
X~|~¤~¼~à~,$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPøÄp!Ë† ¯}9Žw´§ÿÿ>D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
P‚t‚œ‚´‚Ø‚ü‚$ƒ$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPx†NÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
¨†Ì†ô†‡0‡T‡|‡ ‡$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

‹;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	Ü‹Œ(Œ@ŒdŒˆŒ°ŒÔŒôŒ$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

|8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	D‘`‘x‘œ‘Ä‘Ü‘’$’L’p’MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

Ø•8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	 –¼–Ô–ø– —8—\—€—¨—Ì—MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPx¬šNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
L›p›˜›°›Ô›ø› œDœ$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

¸Ÿ;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	€ ¤ Ì ä ¡,¡T¡x¡˜¡¼¡$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

 ¥8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	è¥¦¦@¦h¦€¦¤¦È¦ð¦§MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

|ª8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	D«`«x«œ«Ä«Ü«¬$¬L¬p¬MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPxP¯NÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
ð¯°<°T°x°œ°Ä°è°$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

\´;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	$µHµpµˆµ¬µÐµøµ¶<¶`¶$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

Ð¹;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	˜º¼ºäºüº »D»l»»°»Ô»$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPô
HÄxÆaus³>¡±#rúBŠCÿÿ"D‚	EventDataAÿÿ5ŠoDataK•NameDummy
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
	AÿÿAŠoData)K•NameDisplayName
AÿÿMŠoData5K•NameUserPrincipalName
AÿÿEŠoData-K•Name
HomeDirectory
Aÿÿ;ŠoData#K•NameHomePath

Aÿÿ?ŠoData'K•Name
ScriptPath
AÿÿAŠoData)K•NameProfilePath
AÿÿKŠoData3K•NameUserWorkstations
AÿÿIŠoData1K•NamePasswordLastSet
AÿÿGŠoData/K•NameAccountExpires
AÿÿGŠoData/K•NamePrimaryGroupId
AÿÿQŠoData9K•NameAllowedToDelegateTo
AÿÿAŠoData)K•NameOldUacValue
AÿÿAŠoData)K•NameNewUacValue
AÿÿOŠoData7K•NameUserAccountControl
AÿÿGŠoData/K•NameUserParameters
Aÿÿ?ŠoData'K•Name
SidHistory
Aÿÿ?ŠoData'K•Name
LogonHours
dÆtÆ˜ÆÀÆØÆüÆ ÇHÇlÇŒÇ°ÇÌÇôÇÈ,ÈHÈdÈŒÈ°ÈÔÈøÈ$É@É\ÉˆÉ¬ÉÈÉDummy$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameDisplayName(UserPrincipalName HomeDirectoryHomePathScriptPathProfilePath(UserWorkstations$PasswordLastSet$AccountExpires$PrimaryGroupId,AllowedToDelegateToOldUacValueNewUacValue,UserAccountControl$UserParametersSidHistoryLogonHoursTEMPÄàÐÓ£¤ðõ	„11<ª—ÿÿÈD‚	EventDataAÿÿQŠoData9K•NameDomainPolicyChanged
Aÿÿ?ŠoData'K•Name
DomainName
Aÿÿ=ŠoData%K•Name	DomainSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameMinPasswordAge
AÿÿGŠoData/K•NameMaxPasswordAge
	AÿÿAŠoData)K•NameForceLogoff
AÿÿKŠoData3K•NameLockoutThreshold
Aÿÿ[ŠoDataCK•NameLockoutObservationWindow
AÿÿIŠoData1K•NameLockoutDuration

AÿÿOŠoData7K•NamePasswordProperties
AÿÿMŠoData5K•NameMinPasswordLength
AÿÿUŠoData=K•NamePasswordHistoryLength
AÿÿQŠoData9K•NameMachineAccountQuota
AÿÿIŠoData1K•NameMixedDomainMode
AÿÿUŠoData=K•NameDomainBehaviorVersion
AÿÿGŠoData/K•NameOemInformation
„Ò°ÒÌÒäÒÓ,ÓTÓxÓ˜Ó¼ÓàÓüÓ$Ô\Ô€Ô¬ÔÔÔÕ0ÕTÕ„Õ,DomainPolicyChangedDomainNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$MinPasswordAge$MaxPasswordAgeForceLogoff(LockoutThreshold8LockoutObservationWindow$LockoutDuration,PasswordProperties(MinPasswordLength0PasswordHistoryLength,MachineAccountQuota$MixedDomainMode0DomainBehaviorVersion$OemInformationTEMPøØp!Ë† ¯}9Žw´§ÿÿ>D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
¨ØÌØôØÙ0ÙTÙ|Ù$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP¬`âsìrìÇ< ËëeŒÞ•øéÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
AÿÿAŠoData)K•NameDisplayName
	AÿÿMŠoData5K•NameUserPrincipalName
AÿÿEŠoData-K•Name
HomeDirectory
Aÿÿ;ŠoData#K•NameHomePath
Aÿÿ?ŠoData'K•Name
ScriptPath

AÿÿAŠoData)K•NameProfilePath
AÿÿKŠoData3K•NameUserWorkstations
AÿÿIŠoData1K•NamePasswordLastSet
AÿÿGŠoData/K•NameAccountExpires
AÿÿGŠoData/K•NamePrimaryGroupId
AÿÿQŠoData9K•NameAllowedToDelegateTo
AÿÿAŠoData)K•NameOldUacValue
AÿÿAŠoData)K•NameNewUacValue
AÿÿOŠoData7K•NameUserAccountControl
AÿÿGŠoData/K•NameUserParameters
Aÿÿ?ŠoData'K•Name
SidHistory
Aÿÿ?ŠoData'K•Name
LogonHours
AÿÿAŠoData)K•NameDnsHostName
AÿÿUŠoData=K•NameServicePrincipalNames
ä´äÜäôäå<ådåˆå¨åÌåèåæ0æHædæ€æ¨æÌæðæç@ç\çxç¤çÈçäçèè$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameDisplayName(UserPrincipalName HomeDirectoryHomePathScriptPathProfilePath(UserWorkstations$PasswordLastSet$AccountExpires$PrimaryGroupId,AllowedToDelegateToOldUacValueNewUacValue,UserAccountControl$UserParametersSidHistoryLogonHoursDnsHostName0ServicePrincipalNamesTEMPLhñ<Ç²JÝ}wJäÅÑ/£ÿÿæD‚	EventDataAÿÿUŠoData=K•NameComputerAccountChange
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
	AÿÿAŠoData)K•NameDisplayName
AÿÿMŠoData5K•NameUserPrincipalName
AÿÿEŠoData-K•Name
HomeDirectory
Aÿÿ;ŠoData#K•NameHomePath

Aÿÿ?ŠoData'K•Name
ScriptPath
AÿÿAŠoData)K•NameProfilePath
AÿÿKŠoData3K•NameUserWorkstations
AÿÿIŠoData1K•NamePasswordLastSet
AÿÿGŠoData/K•NameAccountExpires
AÿÿGŠoData/K•NamePrimaryGroupId
AÿÿQŠoData9K•NameAllowedToDelegateTo
AÿÿAŠoData)K•NameOldUacValue
AÿÿAŠoData)K•NameNewUacValue
AÿÿOŠoData7K•NameUserAccountControl
AÿÿGŠoData/K•NameUserParameters
Aÿÿ?ŠoData'K•Name
SidHistory
Aÿÿ?ŠoData'K•Name
LogonHours
AÿÿAŠoData)K•NameDnsHostName
AÿÿUŠoData=K•NameServicePrincipalNames
¬óÜóô(ô@ôdôˆô°ôÔôôôõ4õ\õ|õ”õ°õÌõôõö<ö`öŒö¨öÄöðö÷0÷L÷h÷0ComputerAccountChange$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameDisplayName(UserPrincipalName HomeDirectoryHomePathScriptPathProfilePath(UserWorkstations$PasswordLastSet$AccountExpires$PrimaryGroupId,AllowedToDelegateToOldUacValueNewUacValue,UserAccountControl$UserParametersSidHistoryLogonHoursDnsHostName0ServicePrincipalNamesTEMPxXúNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
øúûDû\û€û¤ûÌûðû$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

dÿ;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	,Px´Ø$Dh$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

Ø;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	 Äì(Lt˜¸Ü$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

@
8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	$<`ˆ Äè4MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

œ8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	d€˜¼äü DlMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPxpNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
4\t˜¼ä$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

|;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	Dh¨Ìð<\€$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

ð;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	¸Ü  @ d Œ ° Ð ô $TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

X$8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	 %<%T%x% %¸%Ü%&(&L&MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

´)8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	|*˜*°*Ô*ü*+8+\+„+¨+MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPxˆ.NÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
(/L/t/Œ/°/Ô/ü/ 0$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

”3;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	\4€4¨4À4ä4505T5t5˜5$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

9;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	Ð9ô9:4:X:|:¤:È:è:;$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

p>8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	8?T?l??¸?Ð?ô?@@@d@MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

ÌC8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	”D°DÈDìDE,EPEtEœEÀEMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPx HNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
@IdIŒI¤IÈIìIJ8J$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

¬M;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	tN˜NÀNØNüN OHOlOŒO°O$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

 S;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	èST4TLTpT”T¼TàTU$U$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

ˆX8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	PYlY„Y¨YÐYèYZ0ZXZ|ZMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

ä]8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	¬^È^à^_,_D_h_Œ_´_Ø_MemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPx¸bNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
Xc|c¤c¼càcd,dPd$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP		€gði¥ÆžånçÕ¯ËR+N»ÿÿÚD‚	EventDataAÿÿIŠoData1K•NameGroupTypeChange
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
4hXh|h¤h¼hàhi,iPi$GroupTypeChange$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPÔm*äX~;a#îcZòËÿÿ\D‚	EventDataAÿÿGŠoData/K•NameSourceUserName
Aÿÿ=ŠoData%K•Name	SourceSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	Aÿÿ9ŠoData!K•NameSidList
Ümnn<ndn|n nÄnìno0o$SourceUserNameSourceSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListSidListTEMPxr¦÷~ñek?éïì¥#;™ÆÿÿŠD‚	EventDataAÿÿGŠoData/K•NameSourceUserName
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
¤rÈrìrs,sPsxsœs$SourceUserName$TargetUserName(TargetDomainNameTargetSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPø0vp!Ë† ¯}9Žw´§ÿÿ>D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
¼vàvw wDwhww$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP,|‡*?„|5±:ä³_uFþwÿÿ(D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿAŠoData)K•NameServiceName
Aÿÿ?ŠoData'K•Name
ServiceSid
AÿÿEŠoData-K•Name
TicketOptions
Aÿÿ7ŠoDataK•NameStatus
AÿÿSŠoData;K•NameTicketEncryptionType
AÿÿAŠoData)K•NamePreAuthType
Aÿÿ=ŠoData%K•Name	IpAddress
	Aÿÿ7ŠoDataK•NameIpPort
AÿÿGŠoData/K•NameCertIssuerName
AÿÿKŠoData3K•NameCertSerialNumber
AÿÿGŠoData/K•NameCertThumbprint

(}L}t}Œ}¨}Ä}ä}ø}(~D~\~p~”~¼~$TargetUserName(TargetDomainNameTargetSidServiceNameServiceSid TicketOptionsStatus0TicketEncryptionTypePreAuthTypeIpAddressIpPort$CertIssuerName(CertSerialNumber$CertThumbprintTEMP´`‚þß/¾ªYú8õ[ø)šÿÿJD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿAŠoData)K•NameServiceName
Aÿÿ?ŠoData'K•Name
ServiceSid
AÿÿEŠoData-K•Name
TicketOptions
AÿÿSŠoData;K•NameTicketEncryptionType
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
Aÿÿ7ŠoDataK•NameStatus
Aÿÿ=ŠoData%K•Name	LogonGuid
	AÿÿQŠoData9K•NameTransmittedServices
<ƒ`ƒˆƒ¤ƒÀƒàƒ„(„<„P„h„$TargetUserName(TargetDomainNameServiceNameServiceSid TicketOptions0TicketEncryptionTypeIpAddressIpPortStatusLogonGuid,TransmittedServicesTEMPD8‡sÇRI¡/Sƒã÷ŠA…ÿÿpD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿAŠoData)K•NameServiceName
Aÿÿ?ŠoData'K•Name
ServiceSid
AÿÿEŠoData-K•Name
TicketOptions
AÿÿSŠoData;K•NameTicketEncryptionType
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
Ø‡ü‡$ˆ@ˆ\ˆ|ˆ¬ˆÄˆ$TargetUserName(TargetDomainNameServiceNameServiceSid TicketOptions0TicketEncryptionTypeIpAddressIpPortTEMPŒDŒÌ%A9ÇªôƒK*<™ÿÿ6D‚	EventDataAÿÿGŠoData/K•NameTargetUserName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿAŠoData)K•NameServiceName
AÿÿEŠoData-K•Name
TicketOptions
Aÿÿ7ŠoDataK•NameStatus
AÿÿAŠoData)K•NamePreAuthType
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
AÿÿGŠoData/K•NameCertIssuerName
AÿÿKŠoData3K•NameCertSerialNumber
	AÿÿGŠoData/K•NameCertThumbprint
 D\x˜¬ÈàôŽ@Ž$TargetUserNameTargetSidServiceName TicketOptionsStatusPreAuthTypeIpAddressIpPort$CertIssuerName(CertSerialNumber$CertThumbprintTEMP¨°xÍ•‘T‚Ý²¿·ŠLZ«ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿAŠoData)K•NameServiceName
AÿÿEŠoData-K•Name
TicketOptions
AÿÿAŠoData)K•NameFailureCode
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
<‘`‘ˆ‘¤‘Ä‘à‘ø‘$TargetUserName(TargetDomainNameServiceName TicketOptionsFailureCodeIpAddressIpPortTEMP¨X”xÍ•‘T‚Ý²¿·ŠLZ«ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿAŠoData)K•NameServiceName
AÿÿEŠoData-K•Name
TicketOptions
AÿÿAŠoData)K•NameFailureCode
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
ä”•0•L•l•ˆ• •$TargetUserName(TargetDomainNameServiceName TicketOptionsFailureCodeIpAddressIpPortTEMP¼Ü–cKUœ7è¾'–wÕ5³èûÿÿòD‚	EventDataAÿÿ=ŠoData%K•Name	MappingBy
AÿÿGŠoData/K•NameClientUserName
Aÿÿ?ŠoData'K•Name
MappedName
—0—T—MappingBy$ClientUserNameMappedNameTEMPDP˜P<ˆ¯zwØÛÐ\á£îÿÿ¬D‚	EventDataAÿÿGŠoData/K•NameClientUserName
Aÿÿ=ŠoData%K•Name	MappingBy
x˜œ˜$ClientUserNameMappingByTEMP, šñ,ÀåÈhk¼ä&`ó£cÂÿÿ6D‚	EventDataAÿÿAŠoData)K•NamePackageName
AÿÿGŠoData/K•NameTargetUserName
AÿÿAŠoData)K•NameWorkstation
Aÿÿ7ŠoDataK•NameStatus
pšŒš°šÌšPackageName$TargetUserNameWorkstationStatusTEMP8Pœ$¨=Éit·>å@ª¼ÿÿ<D‚	EventDataAÿÿGŠoData/K•NameClientUserName
AÿÿGŠoData/K•NameTargetUserName
AÿÿAŠoData)K•NameWorkstation
Aÿÿ7ŠoDataK•NameStatus
 œÄœèœ$ClientUserName$TargetUserNameWorkstationStatusTEMPŸ>ŽÐýtýðƒÚœnFÿÿÈD‚	EventDataAÿÿAŠoData)K•NameAccountName
AÿÿEŠoData-K•Name
AccountDomain
Aÿÿ9ŠoData!K•NameLogonID
AÿÿAŠoData)K•NameSessionName
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿEŠoData-K•Name
ClientAddress
ŒŸ¨ŸÈŸÜŸøŸ AccountName AccountDomainLogonIDSessionNameClientName ClientAddressTEMP0¢>ŽÐýtýðƒÚœnFÿÿÈD‚	EventDataAÿÿAŠoData)K•NameAccountName
AÿÿEŠoData-K•Name
AccountDomain
Aÿÿ9ŠoData!K•NameLogonID
AÿÿAŠoData)K•NameSessionName
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿEŠoData-K•Name
ClientAddress
¨¢Ä¢ä¢ø¢£0£AccountName AccountDomainLogonIDSessionNameClientName ClientAddressTEMP0À¤7¹]£µU©=1Ò@"ÿÿ:D‚	EventDataAÿÿAŠoData)K•NameAccountName
AÿÿEŠoData-K•Name
AccountDomain
Aÿÿ9ŠoData!K•NameLogonID
AÿÿEŠoData-K•Name
ClientAddress
¥,¥L¥`¥AccountName AccountDomainLogonID ClientAddressTEMPx@¨NÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
à¨©,©D©h©Œ©´©Ø©$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP		x8èq0Ï}‡ñº:ÿÿäD‚	EventDataAÿÿMŠoData5K•NameOldTargetUserName
AÿÿMŠoData5K•NameNewTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
Äì®<®T®x®œ®Ä®è®(OldTargetUserName(NewTargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPˆ8±Õ¸¸ýk¯¯û0á'Bd`JÿÿúD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
°±Ô±ü± ²D²l²$TargetUserName(TargetDomainName$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPt

äµ;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	¬¶Ð¶ø¶·4·X·€·¤·Ä·è·$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

X»;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	 ¼D¼l¼„¼¨¼Ì¼ô¼½8½\½$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMP\

ÀÀ8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	ˆÁ¤Á¼ÁàÁÂ ÂDÂhÂÂ´ÂMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

Æ8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	äÆÇÇ<ÇdÇ|Ç ÇÄÇìÇÈMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

xË8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	@Ì\ÌtÌ˜ÌÀÌØÌüÌ ÍHÍlÍMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMP\

ÔÐ8+LÀ
˜$BŽâ)½€òKÿÿD‚	EventDataAÿÿ?ŠoData'K•Name
MemberName
Aÿÿ=ŠoData%K•Name	MemberSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
	œÑ¸ÑÐÑôÑÒ4ÒXÒ|Ò¤ÒÈÒMemberNameMemberSid$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPx¨ÕNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
HÖlÖ”Ö¬ÖÐÖôÖ×@×$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPt

´Ú;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	|Û ÛÈÛàÛÜ(ÜPÜtÜ”Ü¸Ü$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPt

(à;2
@Œ0'¿ºW£cZ–!ÿÿD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
AÿÿGŠoData/K•NameSamAccountName
Aÿÿ?ŠoData'K•Name
SidHistory
	ðàá<áTáxáœáÄáèáâ,â$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeList$SamAccountNameSidHistoryTEMPxåNÄsM÷¨ûl‹ŒªªsÿÿŠD‚	EventDataAÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
Aÿÿ=ŠoData%K•Name	TargetSid
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
PrivilegeList
¨åÌåôåæ0æTæ|æ æ$TargetUserName(TargetDomainNameTargetSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId PrivilegeListTEMPØ$ébeB(ûÁÍ'¼cÔ'È dÿÿ.D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿAŠoData)K•NameWorkstation
AÿÿGŠoData/K•NameTargetUserName
Aÿÿ7ŠoDataK•NameStatus
°éÔéøé êDê`ê„ê$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdWorkstation$TargetUserNameStatusTEMPP¬ìcÿÈ¸Ó Ù1~gä¾æÿÿÿàD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿAŠoData)K•NameWorkstation
Aÿÿ7ŠoDataK•NameStatus
$íHílí”í¸íÔí$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdWorkstationStatusTEMPÔ´ï{¯©Þ5¬u¸»©ÿÿ–D‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ=ŠoData%K•Name	SessionId
ð8ð\ð„ð¤ð TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMPÔˆò{¯©Þ5¬u¸»©ÿÿ–D‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ=ŠoData%K•Name	SessionId
ìòó0óXóxó TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMPÔ\õ{¯©Þ5¬u¸»©ÿÿ–D‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ=ŠoData%K•Name	SessionId
Àõàõö,öLö TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMPÔ0ø{¯©Þ5¬u¸»©ÿÿ–D‚	EventDataAÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
Aÿÿ=ŠoData%K•Name	SessionId
”ø´øØøù ù TargetUserSid$TargetUserName(TargetDomainName TargetLogonIdSessionIdTEMP€@ú²¤Á{vEê`QØi^ž_ãÿÿÔD‚	EventDataAÿÿ7ŠoDataK•Nameparam1
Aÿÿ7ŠoDataK•Nameparam2
Aÿÿ7ŠoDataK•Nameparam3
|úú¤úparam1param2param3TEMPÌèû#2:Ô¾ûûé~RžbÿÿúD‚	EventDataAÿÿ;ŠoData#K•NamePeerName
AÿÿKŠoData3K•NameProtocolSequence
AÿÿEŠoData-K•Name
SecurityError
$ü<üdüPeerName(ProtocolSequence SecurityErrorTEMPœ		`ÿšY·ÈàºW±ÝàUfÅÉÿÿ¨D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ5ŠoDataK•NameOldSd
Aÿÿ5ŠoDataK•NameNewSd
8\„¨Èä$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameOldSdNewSdTEMP$¸"ïx	ÉÞÙ/ö†èòÿÿbD‚	EventDataAÿÿQŠoData9K•NameCollisionTargetType
AÿÿQŠoData9K•NameCollisionTargetName
Aÿÿ?ŠoData'K•Name
ForestRoot
AÿÿCŠoData+K•NameTopLevelName
Aÿÿ9ŠoData!K•NameDnsName
AÿÿAŠoData)K•NameNetbiosName
Aÿÿ=ŠoData%K•Name	DomainSid
Aÿÿ5ŠoDataK•NameFlags
X„°Ìì4,CollisionTargetType,CollisionTargetNameForestRoot TopLevelNameDnsNameNetbiosNameDomainSidFlagsTEMP€

D	\»\¹ê¨zFëÁ…ZÿÿÊD‚	EventDataAÿÿ?ŠoData'K•Name
ForestRoot
AÿÿEŠoData-K•Name
ForestRootSid
AÿÿAŠoData)K•NameOperationId
Aÿÿ=ŠoData%K•Name	EntryType
Aÿÿ5ŠoDataK•NameFlags
AÿÿCŠoData+K•NameTopLevelName
Aÿÿ9ŠoData!K•NameDnsName
AÿÿAŠoData)K•NameNetbiosName
Aÿÿ=ŠoData%K•Name	DomainSid
AÿÿGŠoData/K•NameSubjectUserSid
	AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
H
d
„
 
¸
È
è
ü
0Tx ForestRoot ForestRootSidOperationIdEntryTypeFlags TopLevelNameDnsNameNetbiosNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP€

Ä\»\¹ê¨zFëÁ…ZÿÿÊD‚	EventDataAÿÿ?ŠoData'K•Name
ForestRoot
AÿÿEŠoData-K•Name
ForestRootSid
AÿÿAŠoData)K•NameOperationId
Aÿÿ=ŠoData%K•Name	EntryType
Aÿÿ5ŠoDataK•NameFlags
AÿÿCŠoData+K•NameTopLevelName
Aÿÿ9ŠoData!K•NameDnsName
AÿÿAŠoData)K•NameNetbiosName
Aÿÿ=ŠoData%K•Name	DomainSid
AÿÿGŠoData/K•NameSubjectUserSid
	AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Èä 8Hh|˜°Ôø ForestRoot ForestRootSidOperationIdEntryTypeFlags TopLevelNameDnsNameNetbiosNameDomainSid$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP€

D¿ÑqÒ˜œ÷ž+Îí @RÿÿÊD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ForestRoot
AÿÿEŠoData-K•Name
ForestRootSid
AÿÿAŠoData)K•NameOperationId
Aÿÿ=ŠoData%K•Name	EntryType
Aÿÿ5ŠoDataK•NameFlags
AÿÿCŠoData+K•NameTopLevelName
	Aÿÿ9ŠoData!K•NameDnsName
AÿÿAŠoData)K•NameNetbiosName
Aÿÿ=ŠoData%K•Name	DomainSid
Hl¸Üø4L\|¬$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdForestRoot ForestRootSidOperationIdEntryTypeFlags TopLevelNameDnsNameNetbiosNameDomainSidTEMPä˜¬kt
méc}å<óÿÿžD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
ü8\„RequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPä|¬kt
méc}å<óÿÿžD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
àø@hRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP¨Ì ™ÛÁÆÇ(oS=Q‰/®âdÿÿD‚	EventDataAÿÿYŠoDataAK•NameCertificateSerialNumber
AÿÿKŠoData3K•NameRevocationReason
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
D!x! !Ä!è!"4CertificateSerialNumber(RevocationReason$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP0Ä$@Ó¿«6°Fó„KÿÿZD‚	EventDataAÿÿ?ŠoData'K•Name
NextUpdate
AÿÿUŠoData=K•NameNextPublishForBaseCRL
AÿÿWŠoData?K•NameNextPublishForDeltaCRL
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
P%l%œ%Ð%ô%&@&NextUpdate0NextPublishForBaseCRL4NextPublishForDeltaCRL$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPœ(³Œ“;Yõt7Ðª´&E“%ÿÿ|D‚	EventDataAÿÿ=ŠoData%K•Name	IsBaseCRL
Aÿÿ=ŠoData%K•Name	CRLNumber
AÿÿCŠoData+K•NameKeyContainer
AÿÿAŠoData)K•NameNextPublish
AÿÿAŠoData)K•NamePublishURLs
x((¨(È(ä(IsBaseCRLCRLNumber KeyContainerNextPublishPublishURLsTEMP		,-z!øÞúyx{\-Üô-ÿÿäD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
AÿÿEŠoData-K•Name
ExtensionName
AÿÿMŠoData5K•NameExtensionDataType
AÿÿSŠoData;K•NameExtensionPolicyFlags
AÿÿEŠoData-K•Name
ExtensionData
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Ì,ä,-,-\-|- -Ä-ì-RequestId ExtensionName(ExtensionDataType0ExtensionPolicyFlags ExtensionData$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPX(0éÑÀí8ÃNV¹TÙî%ªÿÿäD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
Aÿÿ?ŠoData'K•Name
Attributes
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
 0¸0Ô0ø01D1RequestIdAttributes$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPè<3pÔ#Yö¿4±flUÅG8+ÿÿ D‚	EventDataAÿÿ?ŠoData'K•Name
BackupType
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
 3¼3à34,4BackupType$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPtà5%˜™( ÑüHƒ!AÇøÿÿZD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
06T6x6 6$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP¬p8'è"ÏÈ!ë4B·ò'h©ÿÿxD‚	EventDataAÿÿYŠoDataAK•NameCertificateDatabaseHash
AÿÿSŠoData;K•NamePrivateKeyUsageCount
AÿÿMŠoData5K•NameCACertificateHash
AÿÿIŠoData1K•NameCAPublicKeyHash
À8ô8$9L94CertificateDatabaseHash0PrivateKeyUsageCount(CACertificateHash$CAPublicKeyHashTEMP¬;'è"ÏÈ!ë4B·ò'h©ÿÿxD‚	EventDataAÿÿYŠoDataAK•NameCertificateDatabaseHash
AÿÿSŠoData;K•NamePrivateKeyUsageCount
AÿÿMŠoData5K•NameCACertificateHash
AÿÿIŠoData1K•NameCAPublicKeyHash
l; ;Ð;ø;4CertificateDatabaseHash0PrivateKeyUsageCount(CACertificateHash$CAPublicKeyHashTEMPt¬=%˜™( ÑüHƒ!AÇøÿÿZD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
ü= >D>l>$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPp@$~‡Ó¯ç9ÔÙ÷wÀ¬ÿÿ¬D‚	EventDataAÿÿKŠoData3K•NameSecuritySettings
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Ô@ü@ ADAlA(SecuritySettings$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPädC¬kt
méc}å<óÿÿžD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
ÈCàCD(DPDRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP\F<…yÎû©¡ˆdœf=0µÿÿæD‚	EventDataAÿÿAŠoData)K•NameCertificate
Aÿÿ=ŠoData%K•Name	RequestId
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
G$G<G`G„G¬GCertificateRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPì¨IÞÿÙNã%(£ùçÅ›v³šÿÿ¢D‚	EventDataAÿÿAŠoData)K•NameAuditFilter
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
J(JLJpJ˜JAuditFilter$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP¤ØK¹ãô[TU¢#û·ßOE"ÿÿèD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
Aÿÿ=ŠoData%K•Name	Requester
Aÿÿ?ŠoData'K•Name
Attributes
L,LDLRequestIdRequesterAttributesTEMP$`Ne.·¹B-û4ÏBîYÇ+úÿÿÊD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
Aÿÿ=ŠoData%K•Name	Requester
Aÿÿ?ŠoData'K•Name
Attributes
AÿÿAŠoData)K•NameDisposition
AÿÿSŠoData;K•NameSubjectKeyIdentifier
Aÿÿ9ŠoData!K•NameSubject
ØNðNO$O@OpORequestIdRequesterAttributesDisposition0SubjectKeyIdentifierSubjectTEMP$„Qe.·¹B-û4ÏBîYÇ+úÿÿÊD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
Aÿÿ=ŠoData%K•Name	Requester
Aÿÿ?ŠoData'K•Name
Attributes
AÿÿAŠoData)K•NameDisposition
AÿÿSŠoData;K•NameSubjectKeyIdentifier
Aÿÿ9ŠoData!K•NameSubject
üQR,RHRdR”RRequestIdRequesterAttributesDisposition0SubjectKeyIdentifierSubjectTEMP$¨Te.·¹B-û4ÏBîYÇ+úÿÿÊD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
Aÿÿ=ŠoData%K•Name	Requester
Aÿÿ?ŠoData'K•Name
Attributes
AÿÿAŠoData)K•NameDisposition
AÿÿSŠoData;K•NameSubjectKeyIdentifier
Aÿÿ9ŠoData!K•NameSubject
 U8UPUlUˆU¸URequestIdRequesterAttributesDisposition0SubjectKeyIdentifierSubjectTEMPÌ XÙ¥o¦4[—×pcßL~ÿÿD‚	EventDataAÿÿaŠoDataIK•NameEnableRestrictedPermissions
AÿÿUŠoData=K•NameRestrictedPermissions
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
˜XÔXY(YLYtY<EnableRestrictedPermissions0RestrictedPermissions$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPØ[pêàN‚4Oe#ÅOÛì%xÿÿD‚	EventDataAÿÿ3ŠoDataK•NameNode
Aÿÿ5ŠoDataK•NameEntry
Aÿÿ5ŠoDataK•NameValue
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
d\t\„\”\¸\Ü\]NodeEntryValue$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPpä_£õˆú++jî=½ë´9~ÿÿ†D‚	EventDataAÿÿCŠoData+K•NamePropertyName
AÿÿEŠoData-K•Name
PropertyIndex
AÿÿCŠoData+K•NamePropertyType
AÿÿEŠoData-K•Name
PropertyValue
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
„`¤`Ä`ä`a(aLata PropertyName PropertyIndex PropertyType PropertyValue$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP ´b»*¨7îuÜw·oÑtÈÿÿæD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
Aÿÿ=ŠoData%K•Name	Requester
Aÿÿ=ŠoData%K•Name	KRAHashes
ðbc cRequestIdRequesterKRAHashesTEMPäe¬kt
méc}å<óÿÿžD‚	EventDataAÿÿ=ŠoData%K•Name	RequestId
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
peˆe¬eÐeøeRequestId$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP°@gö?éN™pq	tÃ7$ÿÿîD‚	EventDataAÿÿIŠoData1K•NameCertificateHash
Aÿÿ=ŠoData%K•Name	ValidFrom
Aÿÿ9ŠoData!K•NameValidTo
|g g¸g$CertificateHashValidFromValidToTEMP¸ j®×r"¬¶çF5½W×WAIÿÿ D‚	EventDataAÿÿ9ŠoData!K•NameTableId
Aÿÿ7ŠoDataK•NameFilter
AÿÿAŠoData)K•NameRowsDeleted
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
¬jÀjÔjðjk8k`kTableIdFilterRowsDeleted$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPð0lÖž`	c¿Wð“}Ô¢Í‡ÿÿvD‚	EventDataAÿÿUŠoData=K•NameRoleSeparationEnabled
Dl0RoleSeparationEnabledTEMP¸To«PØþxUpv¥V¯ÜH®ÿÿ¬D‚	EventDataAÿÿSŠoData;K•NameTemplateInternalName
AÿÿIŠoData1K•NameTemplateVersion
AÿÿUŠoData=K•NameTemplateSchemaVersion
AÿÿAŠoData)K•NameTemplateOID
AÿÿSŠoData;K•NameTemplateDSObjectFQDN
Aÿÿ=ŠoData%K•Name	DCDNSName
AÿÿIŠoData1K•NameTemplateContent
AÿÿOŠoData7K•NameSecurityDescriptor
ôo$pHpxp”pÄpÜpq0TemplateInternalName$TemplateVersion0TemplateSchemaVersionTemplateOID0TemplateDSObjectFQDNDCDNSName$TemplateContent,SecurityDescriptorTEMPÈt"¥FÛ—ÿf¶<O9k}ÿÿ²D‚	EventDataAÿÿSŠoData;K•NameTemplateInternalName
AÿÿIŠoData1K•NameTemplateVersion
AÿÿUŠoData=K•NameTemplateSchemaVersion
AÿÿAŠoData)K•NameTemplateOID
AÿÿSŠoData;K•NameTemplateDSObjectFQDN
Aÿÿ=ŠoData%K•Name	DCDNSName
AÿÿOŠoData7K•NameNewTemplateContent
AÿÿOŠoData7K•NameOldTemplateContent
´tätu8uTu„uœuÈu0TemplateInternalName$TemplateVersion0TemplateSchemaVersionTemplateOID0TemplateDSObjectFQDNDCDNSName,NewTemplateContent,OldTemplateContentTEMP

”yêFx ¢CuÍíïdÿÿjD‚	EventDataAÿÿSŠoData;K•NameTemplateInternalName
AÿÿIŠoData1K•NameTemplateVersion
AÿÿUŠoData=K•NameTemplateSchemaVersion
AÿÿAŠoData)K•NameTemplateOID
AÿÿSŠoData;K•NameTemplateDSObjectFQDN
Aÿÿ=ŠoData%K•Name	DCDNSName
AÿÿOŠoData7K•NameNewTemplateContent
AÿÿUŠoData=K•NameNewSecurityDescriptor
AÿÿOŠoData7K•NameOldTemplateContent
AÿÿUŠoData=K•NameOldSecurityDescriptor
	\zŒz°zàzüz,{D{p{ {Ì{0TemplateInternalName$TemplateVersion0TemplateSchemaVersionTemplateOID0TemplateDSObjectFQDNDCDNSName,NewTemplateContent0NewSecurityDescriptor,OldTemplateContent0OldSecurityDescriptorTEMP4Ô|ºìÇ'1°—`A—–—ù
ÿÿ¤D‚	EventDataAÿÿ;ŠoData#K•NamePuaCount
AÿÿAŠoData)K•NamePuaPolicyId
ü|}PuaCountPuaPolicyIdTEMPdè
ëYã™O“Oªß®@ÿÿ‚D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿIŠoData1K•NameAuditSourceName
AÿÿEŠoData-K•Name
EventSourceId
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ˆ€¬€Ð€ø€@`x$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$AuditSourceName EventSourceIdProcessIdProcessNameTEMPdL„
ëYã™O“Oªß®@ÿÿ‚D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿIŠoData1K•NameAuditSourceName
AÿÿEŠoData-K•Name
EventSourceId
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
ì„…4…\…€…¤…Ä…Ü…$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId$AuditSourceName EventSourceIdProcessIdProcessNameTEMPð¤†† Å8Tršmî=fØ¡B"ÿÿvD‚	EventDataAÿÿUŠoData=K•NameCrashOnAuditFailValue
¸†0CrashOnAuditFailValueTEMPô”ŠTØ®b¨ãb]ÁhËº‘ÿÿvD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameObjectServer
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ?ŠoData'K•Name
ObjectName
Aÿÿ;ŠoData#K•NameHandleId
Aÿÿ5ŠoDataK•NameOldSd
Aÿÿ5ŠoDataK•NameNewSd
	Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
„‹¨‹Ì‹ô‹Œ8ŒTŒpŒˆŒ˜Œ¨ŒÀŒ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ObjectServerObjectTypeObjectNameHandleIdOldSdNewSdProcessIdProcessNameTEMP¸l_(¿«sÝ`¬'œ-”·–×?ÿÿZD‚	EventDataAÿÿ9ŠoData!K•NameSidList
€SidListTEMP		¨N£|[jŠã«qÚ3a•·~ÿÿÞD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
TargetUserSid
Aÿÿ?ŠoData'K•Name
CategoryId
AÿÿEŠoData-K•Name
SubcategoryId
AÿÿIŠoData1K•NameSubcategoryGuid
AÿÿOŠoData7K•NameAuditPolicyChanges
\‘€‘¤‘Ì‘ð‘’,’L’p’$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId TargetUserSidCategoryId SubcategoryId$SubcategoryGuid,AuditPolicyChangesTEMP””§”9UK´žfÂÝ±ÿÿÄD‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
Aÿÿ?ŠoData'K•Name
SourceAddr
AÿÿEŠoData-K•Name
NamingContext
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ?ŠoData'K•Name
StatusCode
•0•H•d•„•˜•$DestinationDRASourceDRASourceAddr NamingContextOptionsStatusCodeTEMP¬—§”9UK´žfÂÝ±ÿÿÄD‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
Aÿÿ?ŠoData'K•Name
SourceAddr
AÿÿEŠoData-K•Name
NamingContext
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ?ŠoData'K•Name
StatusCode
$˜H˜`˜|˜œ˜°˜$DestinationDRASourceDRASourceAddr NamingContextOptionsStatusCodeTEMPÄš§”9UK´žfÂÝ±ÿÿÄD‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
Aÿÿ?ŠoData'K•Name
SourceAddr
AÿÿEŠoData-K•Name
NamingContext
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ?ŠoData'K•Name
StatusCode
<›`›x›”›´›È›$DestinationDRASourceDRASourceAddr NamingContextOptionsStatusCodeTEMPÜ§”9UK´žfÂÝ±ÿÿÄD‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
Aÿÿ?ŠoData'K•Name
SourceAddr
AÿÿEŠoData-K•Name
NamingContext
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ?ŠoData'K•Name
StatusCode
Tžxžž¬žÌžàž$DestinationDRASourceDRASourceAddr NamingContextOptionsStatusCodeTEMPð 5^¿r‡°Îh/_ŒÊ¶¼Áÿÿ¾D‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
AÿÿEŠoData-K•Name
NamingContext
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ=ŠoData%K•Name	SessionID
Aÿÿ;ŠoData#K•NameStartUSN
h¡Œ¡¤¡Ä¡Ø¡ð¡$DestinationDRASourceDRA NamingContextOptionsSessionIDStartUSNTEMPx<¤ÎñŸGSo–oej’¼ç€ÿÿD‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
AÿÿEŠoData-K•Name
NamingContext
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ=ŠoData%K•Name	SessionID
Aÿÿ7ŠoDataK•NameEndUSN
Aÿÿ?ŠoData'K•Name
StatusCode
È¤ì¤¥$¥8¥P¥d¥$DestinationDRASourceDRA NamingContextOptionsSessionIDEndUSNStatusCodeTEMPP §•Èû)9H‘¢&z4ÅÄMÿÿêD‚	EventDataAÿÿ=ŠoData%K•Name	SessionID
Aÿÿ7ŠoDataK•NameObject
Aÿÿ=ŠoData%K•Name	Attribute
AÿÿCŠoData+K•NameTypeOfChange
Aÿÿ;ŠoData#K•NameNewValue
Aÿÿ1ŠoDataK•NameUSN
Aÿÿ?ŠoData'K•Name
StatusCode
,¨D¨X¨p¨¨¨¨´¨SessionIDObjectAttribute TypeOfChangeNewValueUSNStatusCodeTEMPdÀ©ÙñrS–V!BzH¼	ÿÿ¼D‚	EventDataAÿÿKŠoData3K•NameReplicationEvent
AÿÿIŠoData1K•NameAuditStatusCode
è©ª(ReplicationEvent$AuditStatusCodeTEMP€«WÙ]ò†O¢	D±r1ŸÿÿD‚	EventDataAÿÿKŠoData3K•NameReplicationEvent
AÿÿIŠoData1K•NameAuditStatusCode
AÿÿUŠoData=K•NameReplicationStatusCode
¼«ä«¬(ReplicationEvent$AuditStatusCode0ReplicationStatusCodeTEMPˆÜÛ(ò-uÕ$°A…-	dÿÿpD‚	EventDataAÿÿGŠoData/K•NameDestinationDRA
Aÿÿ=ŠoData%K•Name	SourceDRA
Aÿÿ7ŠoDataK•NameObject
Aÿÿ9ŠoData!K•NameOptions
Aÿÿ?ŠoData'K•Name
StatusCode
@®d®|®®¤®$DestinationDRASourceDRAObjectOptionsStatusCodeTEMPxt±ñ²H&456³Tu³…:ˆ\Œÿÿ€D‚	EventDataAÿÿOŠoData7K•NameGroupPolicyApplied
Aÿÿ9ŠoData!K•NameProfile
AÿÿEŠoData-K•Name
OperationMode
AÿÿOŠoData7K•NameRemoteAdminEnabled
AÿÿUŠoData=K•NameMulticastFlowsEnabled
Aÿÿ[ŠoDataCK•NameLogDroppedPacketsEnabled
AÿÿiŠoDataQK•NameLogSuccessfulConnectionsEnabled
²,²@²`²Œ²¼²ô²,GroupPolicyAppliedProfile OperationMode,RemoteAdminEnabled0MulticastFlowsEnabled8LogDroppedPacketsEnabledDLogSuccessfulConnectionsEnabledTEMPœP´Ö/{:šl9á¡¨wŒÿÿâD‚	EventDataAÿÿAŠoData)K•NameProfileUsed
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
Œ´¨´¼´ProfileUsedRuleIdRuleNameTEMP¨ðµz†`³Q«3N\ôZyw%ÙÿÿèD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
,¶P¶d¶$ProfileChangedRuleIdRuleNameTEMP¨˜·z†`³Q«3N\ôZyw%ÙÿÿèD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
Ô·ø·¸$ProfileChangedRuleIdRuleNameTEMP¨@¹z†`³Q«3N\ôZyw%ÙÿÿèD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
|¹ ¹´¹$ProfileChangedRuleIdRuleNameTEMPÌüº
¥Ãã“eJ‘÷±çwg¤ÿÿúD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿAŠoData)K•NameSettingType
AÿÿCŠoData+K•NameSettingValue
8»\»x»$ProfileChangedSettingType SettingValueTEMPŒ¨¼¥ãRÆtƒhî¼¥lÎ=ÿÿÚD‚	EventDataAÿÿ9ŠoData!K•NameProfile
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
ä¼ø¼½ProfileRuleIdRuleNameTEMPŒ4¾¥ãRÆtƒhî¼¥lÎ=ÿÿÚD‚	EventDataAÿÿ9ŠoData!K•NameProfile
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
p¾„¾˜¾ProfileRuleIdRuleNameTEMP À‘¯Ü>øgXüÛ¤w‹À”ÿÿ0D‚	EventDataAÿÿ9ŠoData!K•NameProfile
AÿÿOŠoData7K•NameReasonForRejection
Aÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
dÀxÀ¤À¸ÀProfile,ReasonForRejectionRuleIdRuleNameTEMPÐlÁß&ƒiá0Ï—HÿÿfD‚	EventDataAÿÿEŠoData-K•Name
ActiveProfile
€Á ActiveProfileTEMP°ÂJÏŸÆ^úi†?ÝÞ”#ÿÿÜD‚	EventDataAÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
Aÿÿ;ŠoData#K•NameRuleAttr
ìÂÃÃRuleIdRuleNameRuleAttrTEMPèxÄá5YùŒ$_Šîòyíb	ÿÿD‚	EventDataAÿÿ7ŠoDataK•NameRuleId
Aÿÿ;ŠoData#K•NameRuleName
Aÿÿ5ŠoDataK•NameError
Aÿÿ7ŠoDataK•NameReason
ÈÄÜÄôÄÅRuleIdRuleNameErrorReasonTEMPÀDÆç@Ií“Á
ûF¤VÿÿöD‚	EventDataAÿÿMŠoData5K•NameCallerProcessName
Aÿÿ=ŠoData%K•Name	ProcessId
Aÿÿ=ŠoData%K•Name	Publisher
€Æ¨ÆÀÆ(CallerProcessNameProcessIdPublisherTEMP(¬Çú†‹.õ6S¸º‰ÁlMÿÿžD‚	EventDataAÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ1ŠoDataK•NameSPI
ÔÇôÇ RemoteAddressSPITEMP(ÔÈú†‹.õ6S¸º‰ÁlMÿÿžD‚	EventDataAÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ1ŠoDataK•NameSPI
üÈÉ RemoteAddressSPITEMP(üÉú†‹.õ6S¸º‰ÁlMÿÿžD‚	EventDataAÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ1ŠoDataK•NameSPI
$ÊDÊ RemoteAddressSPITEMP($Ëú†‹.õ6S¸º‰ÁlMÿÿžD‚	EventDataAÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ1ŠoDataK•NameSPI
LËlË RemoteAddressSPITEMP(LÌú†‹.õ6S¸º‰ÁlMÿÿžD‚	EventDataAÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ1ŠoDataK•NameSPI
tÌ”Ì RemoteAddressSPITEMPè<ÐÑM-Êœè&“ó Š4ÜÿÿfD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	LogonGuid
AÿÿEŠoData-K•Name
TargetUserSid
AÿÿGŠoData/K•NameTargetUserName
AÿÿKŠoData3K•NameTargetDomainName
AÿÿEŠoData-K•Name
TargetLogonId
AÿÿIŠoData1K•NameTargetLogonGuid
	Aÿÿ9ŠoData!K•NameSidList
Ñ<Ñ`ÑˆÑ¬ÑÄÑäÑÒ0ÒPÒtÒ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdLogonGuid TargetUserSid$TargetUserName(TargetDomainName TargetLogonId$TargetLogonGuidSidListTEMPÄ´ÓòS¹ŸÔöˆ©Ü¸sõ@’ÿÿöD‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ?ŠoData'K•Name
KeyModName
ðÓÔ0Ô LocalAddress RemoteAddressKeyModNameTEMPÄxÕòS¹ŸÔöˆ©Ü¸sõ@’ÿÿöD‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ?ŠoData'K•Name
KeyModName
´ÕÔÕôÕ LocalAddress RemoteAddressKeyModNameTEMPÄ<×òS¹ŸÔöˆ©Ü¸sõ@’ÿÿöD‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ?ŠoData'K•Name
KeyModName
x×˜×¸× LocalAddress RemoteAddressKeyModNameTEMPpÞm°×¯÷ÝÞ
}îã=Ü‘ÿÿfD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
AÿÿCŠoData+K•NameMMAuthMethod
AÿÿAŠoData)K•NameMMCipherAlg
AÿÿGŠoData/K•NameMMIntegrityAlg
Aÿÿ9ŠoData!K•NameDHGroup
	Aÿÿ?ŠoData'K•Name
MMLifetime
Aÿÿ9ŠoData!K•NameQMLimit
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState

Aÿÿ?ŠoData'K•Name
MMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

AÿÿSŠoData;K•NameLocalEMPrincipalName
AÿÿUŠoData=K•NameRemoteEMPrincipalName
AÿÿCŠoData+K•NameEMAuthMethod
AÿÿSŠoData;K•NameEMImpersonationState
Aÿÿ?ŠoData'K•Name
QMFilterID

àDàtà”à¸àØàá á<á`átáá¤á´á

äá

ââDâtâ”â

Äâ0LocalMMPrincipalName0RemoteMMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPort MMAuthMethodMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAID0LocalEMPrincipalName0RemoteEMPrincipalName EMAuthMethod0EMImpersonationStateQMFilterIDTEMPÈ
ëòØtìÁÉƒ-‰²w7ÿÿþD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
AÿÿCŠoData+K•NameMMAuthMethod
AÿÿAŠoData)K•NameMMCipherAlg
AÿÿGŠoData/K•NameMMIntegrityAlg
Aÿÿ9ŠoData!K•NameDHGroup
	Aÿÿ?ŠoData'K•Name
MMLifetime
Aÿÿ9ŠoData!K•NameQMLimit
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState

Aÿÿ?ŠoData'K•Name
MMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

AÿÿSŠoData;K•NameLocalEMPrincipalName
AÿÿIŠoData1K•NameLocalEMCertHash
AÿÿKŠoData3K•NameLocalEMIssuingCA
AÿÿEŠoData-K•Name
LocalEMRootCA
AÿÿUŠoData=K•NameRemoteEMPrincipalName
AÿÿKŠoData3K•NameRemoteEMCertHash
AÿÿMŠoData5K•NameRemoteEMIssuingCA
AÿÿGŠoData/K•NameRemoteEMRootCA
AÿÿSŠoData;K•NameEMImpersonationState
Aÿÿ?ŠoData'K•Name
QMFilterID

íLí|íœíÀíàíî(îDîhî|î˜î¬î¼î

ìî

ïïLïpï˜ï¸ïèïð8ð\ð

Œð0LocalMMPrincipalName0RemoteMMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPort MMAuthMethodMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAID0LocalEMPrincipalName$LocalEMCertHash(LocalEMIssuingCA LocalEMRootCA0RemoteEMPrincipalName(RemoteEMCertHash(RemoteEMIssuingCA$RemoteEMRootCA0EMImpersonationStateQMFilterIDTEMPÈ
Üø¯êß}ö•JôP7d$@ÿÿþD‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿIŠoData1K•NameLocalMMCertHash
AÿÿKŠoData3K•NameLocalMMIssuingCA
AÿÿEŠoData-K•Name
LocalMMRootCA
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿKŠoData3K•NameRemoteMMCertHash
AÿÿMŠoData5K•NameRemoteMMIssuingCA
AÿÿGŠoData/K•NameRemoteMMRootCA
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
	AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
AÿÿAŠoData)K•NameMMCipherAlg
AÿÿGŠoData/K•NameMMIntegrityAlg

Aÿÿ9ŠoData!K•NameDHGroup
Aÿÿ?ŠoData'K•Name
MMLifetime
Aÿÿ9ŠoData!K•NameQMLimit
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState
Aÿÿ?ŠoData'K•Name
MMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

AÿÿSŠoData;K•NameLocalEMPrincipalName
AÿÿUŠoData=K•NameRemoteEMPrincipalName
AÿÿCŠoData+K•NameEMAuthMethod
AÿÿSŠoData;K•NameEMImpersonationState
Aÿÿ?ŠoData'K•Name
QMFilterID

äúû8û`û€û°ûØûü$üDühüˆü°üÌüðüý ý4ýDý

tý

ý¤ýÔýþ$þ

Tþ0LocalMMPrincipalName$LocalMMCertHash(LocalMMIssuingCA LocalMMRootCA0RemoteMMPrincipalName(RemoteMMCertHash(RemoteMMIssuingCA$RemoteMMRootCA LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPortMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAID0LocalEMPrincipalName0RemoteEMPrincipalName EMAuthMethod0EMImpersonationStateQMFilterIDTEMPðÌöÍ÷èé£`÷ÏTaì=ÿÿL	D‚	EventDataAÿÿSŠoData;K•NameLocalMMPrincipalName
AÿÿIŠoData1K•NameLocalMMCertHash
AÿÿKŠoData3K•NameLocalMMIssuingCA
AÿÿEŠoData-K•Name
LocalMMRootCA
AÿÿUŠoData=K•NameRemoteMMPrincipalName
AÿÿKŠoData3K•NameRemoteMMCertHash
AÿÿMŠoData5K•NameRemoteMMIssuingCA
AÿÿGŠoData/K•NameRemoteMMRootCA
AÿÿIŠoData1K•NameLocalKeyModPort
AÿÿEŠoData-K•Name
RemoteAddress
	AÿÿKŠoData3K•NameRemoteKeyModPort
AÿÿAŠoData)K•NameMMCipherAlg
AÿÿGŠoData/K•NameMMIntegrityAlg
Aÿÿ9ŠoData!K•NameDHGroup

Aÿÿ?ŠoData'K•Name
MMLifetime
Aÿÿ9ŠoData!K•NameQMLimit
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameMMImpersonationState
Aÿÿ?ŠoData'K•Name
MMFilterID

Aÿÿ7ŠoDataK•NameMMSAID

AÿÿSŠoData;K•NameLocalEMPrincipalName
AÿÿIŠoData1K•NameLocalEMCertHash
AÿÿKŠoData3K•NameLocalEMIssuingCA
AÿÿEŠoData-K•Name
LocalEMRootCA
AÿÿUŠoData=K•NameRemoteEMPrincipalName
AÿÿKŠoData3K•NameRemoteEMCertHash
AÿÿMŠoData5K•NameRemoteEMIssuingCA
AÿÿGŠoData/K•NameRemoteEMRootCA
AÿÿSŠoData;K•NameEMImpersonationState
Aÿÿ?ŠoData'K•Name
QMFilterID

H
x
œ
Ä
ä
<dˆ¬Ìô4Hdxˆ

¸

Ôè
<
d
„
´
Ü
(

X0LocalMMPrincipalName$LocalMMCertHash(LocalMMIssuingCA LocalMMRootCA0RemoteMMPrincipalName(RemoteMMCertHash(RemoteMMIssuingCA$RemoteMMRootCA$LocalKeyModPort RemoteAddress(RemoteKeyModPortMMCipherAlg$MMIntegrityAlgDHGroupMMLifetimeQMLimitRole0MMImpersonationStateMMFilterIDMMSAID0LocalEMPrincipalName$LocalEMCertHash(LocalEMIssuingCA LocalEMRootCA0RemoteEMPrincipalName(RemoteEMCertHash(RemoteEMIssuingCA$RemoteEMRootCA0EMImpersonationStateQMFilterIDTEMP¬	@rÇFÖ¾Meª²›?êcîÿÿ–D‚	EventDataAÿÿSŠoData;K•NameLocalEMPrincipalName
AÿÿIŠoData1K•NameLocalEMCertHash
AÿÿKŠoData3K•NameLocalEMIssuingCA
AÿÿEŠoData-K•Name
LocalEMRootCA
AÿÿUŠoData=K•NameRemoteEMPrincipalName
AÿÿKŠoData3K•NameRemoteEMCertHash
AÿÿMŠoData5K•NameRemoteEMIssuingCA
AÿÿGŠoData/K•NameRemoteEMRootCA
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
	AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
AÿÿCŠoData+K•NameFailurePoint
AÿÿEŠoData-K•Name
FailureReason

Aÿÿ5ŠoDataK•NameState
Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameEMImpersonationState
Aÿÿ?ŠoData'K•Name
QMFilterID

¨Øü$DtœÄè,Lt”´ÄÔ

0LocalEMPrincipalName$LocalEMCertHash(LocalEMIssuingCA LocalEMRootCA0RemoteEMPrincipalName(RemoteEMCertHash(RemoteEMIssuingCA$RemoteEMRootCA LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPort FailurePoint FailureReasonStateRole0EMImpersonationStateQMFilterIDTEMPð

TfØ,BÕ$`gÞÐA–ó,ÿÿþD‚	EventDataAÿÿSŠoData;K•NameLocalEMPrincipalName
AÿÿUŠoData=K•NameRemoteEMPrincipalName
AÿÿCŠoData+K•NameLocalAddress
AÿÿIŠoData1K•NameLocalKeyModPort
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿKŠoData3K•NameRemoteKeyModPort
AÿÿCŠoData+K•NameFailurePoint
AÿÿEŠoData-K•Name
FailureReason
AÿÿCŠoData+K•NameEMAuthMethod
Aÿÿ5ŠoDataK•NameState
	Aÿÿ3ŠoDataK•NameRole
AÿÿSŠoData;K•NameEMImpersonationState
Aÿÿ?ŠoData'K•Name
QMFilterID

Xˆ¸ØüDd„¤´Ä

ô0LocalEMPrincipalName0RemoteEMPrincipalName LocalAddress$LocalKeyModPort RemoteAddress(RemoteKeyModPort FailurePoint FailureReason EMAuthMethodStateRole0EMImpersonationStateQMFilterIDTEMP´œb;$ÒcTj4ŸÝëš¾ÿÿXD‚	EventDataAÿÿ7ŠoDataK•NamePolicy
°PolicyTEMPŒ gBÜ02ÿ`=.ÉeÉ0ÿÿ”D‚	EventDataAÿÿ7ŠoDataK•NamePolicy
Aÿÿ5ŠoDataK•NameError
´ È PolicyErrorTEMP´d!b;$ÒcTj4ŸÝëš¾ÿÿXD‚	EventDataAÿÿ7ŠoDataK•NamePolicy
x!PolicyTEMPT"gBÜ02ÿ`=.ÉeÉ0ÿÿ”D‚	EventDataAÿÿ7ŠoDataK•NamePolicy
Aÿÿ5ŠoDataK•NameError
|""PolicyErrorTEMP´,#b;$ÒcTj4ŸÝëš¾ÿÿXD‚	EventDataAÿÿ7ŠoDataK•NamePolicy
@#PolicyTEMP$gBÜ02ÿ`=.ÉeÉ0ÿÿ”D‚	EventDataAÿÿ7ŠoDataK•NamePolicy
Aÿÿ5ŠoDataK•NameError
D$X$PolicyErrorTEMP0%gBÜ02ÿ`=.ÉeÉ0ÿÿ”D‚	EventDataAÿÿ7ŠoDataK•NamePolicy
Aÿÿ5ŠoDataK•NameError
X%l%PolicyErrorTEMP´&b;$ÒcTj4ŸÝëš¾ÿÿXD‚	EventDataAÿÿ7ŠoDataK•NamePolicy
&PolicyTEMPø&gBÜ02ÿ`=.ÉeÉ0ÿÿ”D‚	EventDataAÿÿ7ŠoDataK•NamePolicy
Aÿÿ5ŠoDataK•NameError
 '4'PolicyErrorTEMP´Ð'b;$ÒcTj4ŸÝëš¾ÿÿXD‚	EventDataAÿÿ7ŠoDataK•NamePolicy
ä'PolicyTEMPÀ(gBÜ02ÿ`=.ÉeÉ0ÿÿ”D‚	EventDataAÿÿ7ŠoDataK•NamePolicy
Aÿÿ5ŠoDataK•NameError
è(ü(PolicyErrorTEMP8è)EJ\©
LR³Yƒ³NåÑmÿÿ¦D‚	EventDataAÿÿIŠoData1K•NameQuickModeFilter
Aÿÿ5ŠoDataK•NameError
*4*$QuickModeFilterErrorTEMP°Ð*Úû`¿9íôãZE3³[È“ÿÿVD‚	EventDataAÿÿ5ŠoDataK•NameError
ä*ErrorTEMP°€+Úû`¿9íôãZE3³[È“ÿÿVD‚	EventDataAÿÿ5ŠoDataK•NameError
”+ErrorTEMP4|,®ù…`œ=8iU|ß¬µ`ÿÿ¤D‚	EventDataAÿÿ;ŠoData#K•NameProfiles
AÿÿAŠoData)K•NameApplication
¤,¼,ProfilesApplicationTEMPÀl-ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
€-ErrorCodeTEMPÀ,.ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
@.ErrorCodeTEMPÀì.ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
/ErrorCodeTEMPÀ¬/ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
À/ErrorCodeTEMPÀl0ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
€0ErrorCodeTEMPÀ,1ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
@1ErrorCodeTEMPÀì1ØpgˆTÔå;OÙòØI”tÿÿ^D‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
2ErrorCodeTEMP´¤2¤N”&@¿F&ÃÁ*ÏNžÿÿXD‚	EventDataAÿÿ7ŠoDataK•Nameparam1
¸2param1TEMPÌ”45µû@Üæòm¤—Ñÿÿ’D‚	EventDataAÿÿEŠoData-K•Name
CallerUserSid
AÿÿGŠoData/K•NameCallerUserName
AÿÿKŠoData3K•NameCallerDomainName
AÿÿEŠoData-K•Name
CallerLogonId
Aÿÿ9ŠoData!K•NameOrdinal
ø45<5d5„5 CallerUserSid$CallerUserName(CallerDomainName CallerLogonIdOrdinalTEMP|”6
Û:hs|àˆ~%Yî]XÿÿÆD‚	EventDataAÿÿOŠoData7K•NameOldBlockedOrdinals
AÿÿOŠoData7K•NameNewBlockedOrdinals
¼6è6,OldBlockedOrdinals,NewBlockedOrdinalsTEMP$9w¸ÒdŒ—ñ'æÅ”'E¯ÿÿFD‚	EventDataAÿÿ[ŠoDataCK•NameOldIgnoreDefaultSettings
Aÿÿ[ŠoDataCK•NameNewIgnoreDefaultSettings
AÿÿWŠoData?K•NameOldIgnoreLocalSettings
AÿÿWŠoData?K•NameNewIgnoreLocalSettings
AÿÿOŠoData7K•NameOldBlockedOrdinals
AÿÿOŠoData7K•NameNewBlockedOrdinals
:@:x:¬:à:;8OldIgnoreDefaultSettings8NewIgnoreDefaultSettings4OldIgnoreLocalSettings4NewIgnoreLocalSettings,OldBlockedOrdinals,NewBlockedOrdinalsTEMP`ì='*º^&•¹ÕÖ0>ÜX5£ÿÿ€D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ObjectPath
AÿÿMŠoData5K•NameObjectVirtualPath
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
Œ>°>Ô>ü> ?<?d?|?$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdObjectPath(ObjectVirtualPathProcessIdProcessNameTEMPè@FW1°Ï	Š‡¹ÒØ,N–ÿÿD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿQŠoData9K•NameAuthenticationSetId
AÿÿUŠoData=K•NameAuthenticationSetName
$AHAtA$ProfileChanged,AuthenticationSetId0AuthenticationSetNameTEMPôBFW1°Ï	Š‡¹ÒØ,N–ÿÿD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿQŠoData9K•NameAuthenticationSetId
AÿÿUŠoData=K•NameAuthenticationSetName
0CTC€C$ProfileChanged,AuthenticationSetId0AuthenticationSetNameTEMPEFW1°Ï	Š‡¹ÒØ,N–ÿÿD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿQŠoData9K•NameAuthenticationSetId
AÿÿUŠoData=K•NameAuthenticationSetName
<E`EŒE$ProfileChanged,AuthenticationSetId0AuthenticationSetNameTEMP8 G##Ðy`ÖÀTÒ]W§ÿÿ0D‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ[ŠoDataCK•NameConnectionSecurityRuleId
Aÿÿ_ŠoDataGK•NameConnectionSecurityRuleName
\G€G¸G$ProfileChanged8ConnectionSecurityRuleId<ConnectionSecurityRuleNameTEMP8XI##Ðy`ÖÀTÒ]W§ÿÿ0D‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ[ŠoDataCK•NameConnectionSecurityRuleId
Aÿÿ_ŠoDataGK•NameConnectionSecurityRuleName
”I¸IðI$ProfileChanged8ConnectionSecurityRuleId<ConnectionSecurityRuleNameTEMP8K##Ðy`ÖÀTÒ]W§ÿÿ0D‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ[ŠoDataCK•NameConnectionSecurityRuleId
Aÿÿ_ŠoDataGK•NameConnectionSecurityRuleName
ÌKðK(L$ProfileChanged8ConnectionSecurityRuleId<ConnectionSecurityRuleNameTEMP°MAÉø¢X¸ô	'}-ÿÿD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿOŠoData7K•NameCryptographicSetId
AÿÿSŠoData;K•NameCryptographicSetName
ìMN<N$ProfileChanged,CryptographicSetId0CryptographicSetNameTEMP¸OAÉø¢X¸ô	'}-ÿÿD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿOŠoData7K•NameCryptographicSetId
AÿÿSŠoData;K•NameCryptographicSetName
ôOPDP$ProfileChanged,CryptographicSetId0CryptographicSetNameTEMPÀQAÉø¢X¸ô	'}-ÿÿD‚	EventDataAÿÿGŠoData/K•NameProfileChanged
AÿÿOŠoData7K•NameCryptographicSetId
AÿÿSŠoData;K•NameCryptographicSetName
üQ RLR$ProfileChanged,CryptographicSetId0CryptographicSetNameTEMPHèS&% ØôÆyÝáXoLÿÿ8D‚	EventDataAÿÿGŠoData/K•NameProfileChanged
Aÿÿ_ŠoDataGK•NameIpSecSecurityAssociationId
AÿÿcŠoDataKK•NameIpSecSecurityAssociationName
$THT„T$ProfileChanged<IpSecSecurityAssociationId@IpSecSecurityAssociationNameTEMPPpW±E@nï¶»¨õ%™ÇYÿÿxD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ;ŠoData#K•NameFileName
AÿÿIŠoData1K•NameVirtualFileName
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
X4XXX€X¤X¼XàXøX$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdFileName$VirtualFileNameProcessIdProcessNameTEMPP([=¢7-†Mñ-Û¿•XÿÿÞD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameModule
Aÿÿ?ŠoData'K•Name
ReturnCode
 [Ä[è[\4\H\$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdModuleReturnCodeTEMPL_í åVË|úÝK8{“XýÿÿÿtD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameProviderName
AÿÿEŠoData-K•Name
AlgorithmName
Aÿÿ7ŠoDataK•NameReason
Aÿÿ?ŠoData'K•Name
ReturnCode
¬_Ð_ô_`@```€`”`$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ProviderName AlgorithmNameReasonReturnCodeTEMP (dü"ý–ðxä{Úç
É×hÿÿÿBD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameProviderName
AÿÿEŠoData-K•Name
AlgorithmName
Aÿÿ9ŠoData!K•NameKeyName
Aÿÿ9ŠoData!K•NameKeyType
AÿÿAŠoData)K•NameKeyFilePath
Aÿÿ=ŠoData%K•Name	Operation
	Aÿÿ?ŠoData'K•Name
ReturnCode
e(eLete˜e¸eØeìeff4f$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ProviderName AlgorithmNameKeyNameKeyTypeKeyFilePathOperationReturnCodeTEMP(

€iØ‘>Á×“8ƒn<ùfT×ÿÿúD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameProviderName
AÿÿEŠoData-K•Name
AlgorithmName
Aÿÿ9ŠoData!K•NameKeyName
Aÿÿ9ŠoData!K•NameKeyType
Aÿÿ=ŠoData%K•Name	Operation
Aÿÿ?ŠoData'K•Name
ReturnCode
	Hjljj¸jÜjüjk0kDk\k$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ProviderName AlgorithmNameKeyNameKeyTypeOperationReturnCodeTEMP

 ngáeçD@Ár ’ýÅM
ÿÿôD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameProviderName
AÿÿEŠoData-K•Name
AlgorithmName
Aÿÿ9ŠoData!K•NameKeyName
Aÿÿ9ŠoData!K•NameKeyType
Aÿÿ7ŠoDataK•NameReason
Aÿÿ?ŠoData'K•Name
ReturnCode
	hoŒo°oØoüop<pPpdpxp$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ProviderName AlgorithmNameKeyNameKeyTypeReasonReturnCodeTEMP(

ÄsØ‘>Á×“8ƒn<ùfT×ÿÿúD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿCŠoData+K•NameProviderName
AÿÿEŠoData-K•Name
AlgorithmName
Aÿÿ9ŠoData!K•NameKeyName
Aÿÿ9ŠoData!K•NameKeyType
Aÿÿ=ŠoData%K•Name	Operation
Aÿÿ?ŠoData'K•Name
ReturnCode
	Œt°tÔtüt u@u`utuˆu u$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ProviderName AlgorithmNameKeyNameKeyTypeOperationReturnCodeTEMP,v*:äòùIµÛ%!SÊøÿÿžD‚	EventDataAÿÿ7ŠoDataK•NameModule
Aÿÿ?ŠoData'K•Name
ReturnCode
¸vÌvModuleReturnCodeTEMPLy%ÌªWø×2N?5	çÓÿÿtD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

AÿÿCŠoData+K•NameProviderName
Aÿÿ?ŠoData'K•Name
ModuleName
Aÿÿ=ŠoData%K•Name	Operation
Aÿÿ?ŠoData'K•Name
ReturnCode
0zTzxz
 zÄzäz{{$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId ProviderNameModuleNameOperationReturnCodeTEMP0Ð}æÚ,%my˜Gð³lH±¦NÿÿhD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
Aÿÿ=ŠoData%K•Name	Operation
Aÿÿ?ŠoData'K•Name
ReturnCode
p~”~¸~
à~0H$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameOperationReturnCodeTEMPœ		@‚žâ¢s,-¶”õ`Ð«¸Ðÿÿ¨D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
Aÿÿ;ŠoData#K•NameOldValue
Aÿÿ;ŠoData#K•NameNewValue
Aÿÿ?ŠoData'K•Name
ReturnCode
ô‚ƒ<ƒ
dƒˆƒ˜ƒ´ƒÌƒäƒ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameOldValueNewValueReturnCodeTEMP”p‡ë
Ûþ‚*µ	b–@Õe}ÿÿ<D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
AÿÿAŠoData)K•NameInterfaceId
AÿÿCŠoData+K•NameFunctionName
Aÿÿ;ŠoData#K•NamePosition
Aÿÿ=ŠoData%K•Name	Operation
	Aÿÿ?ŠoData'K•Name
ReturnCode
Lˆpˆ”ˆ
¼ˆàˆðˆ‰(‰H‰`‰x‰$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameInterfaceId FunctionNamePositionOperationReturnCodeTEMP”ŸOÎ Ÿph¯ib»ásIrÔÿÿ:D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
AÿÿAŠoData)K•NameInterfaceId
AÿÿCŠoData+K•NameFunctionName
Aÿÿ;ŠoData#K•NameOldValue
Aÿÿ;ŠoData#K•NameNewValue
	Aÿÿ?ŠoData'K•Name
ReturnCode
àŽ(Ž
PŽtŽ„Ž Ž¼ŽÜŽôŽ$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameInterfaceId FunctionNameOldValueNewValueReturnCodeTEMPä’8Áãd
2@fr#;¢ÿÿ†D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
AÿÿAŠoData)K•NameInterfaceId
AÿÿCŠoData+K•NameFunctionName
AÿÿCŠoData+K•NameProviderName
Aÿÿ;ŠoData#K•NamePosition
	Aÿÿ=ŠoData%K•Name	Operation
Aÿÿ?ŠoData'K•Name
ReturnCode
Ô“ø“”
D”h”x”””°”Ð”ð”• •$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameInterfaceId FunctionName ProviderNamePositionOperationReturnCodeTEMPð˜/rØ|ÍUˆ}/Târ/¬<;ÿÿ€D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
AÿÿAŠoData)K•NameInterfaceId
AÿÿCŠoData+K•NameFunctionName
AÿÿCŠoData+K•NamePropertyName
Aÿÿ=ŠoData%K•Name	Operation
	Aÿÿ5ŠoDataK•NameValue
Aÿÿ?ŠoData'K•Name
ReturnCode
à™š(š
Pštš„š š¼šÜšüš›$›$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameInterfaceId FunctionName PropertyNameOperationValueReturnCodeTEMPøži(*òaÙUø$)I{†R»ÿÿ„D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ5ŠoDataK•NameScope
AÿÿAŠoData)K•NameContextName
AÿÿAŠoData)K•NameInterfaceId
AÿÿCŠoData+K•NameFunctionName
AÿÿCŠoData+K•NamePropertyName
Aÿÿ;ŠoData#K•NameOldValue
	Aÿÿ;ŠoData#K•NameNewValue
Aÿÿ?ŠoData'K•Name
ReturnCode
èŸ 0 
X | Œ ¨ Ä ä ¡¡4¡$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdScopeContextNameInterfaceId FunctionName PropertyNameOldValueNewValueReturnCodeTEMPpt£´çÅeúâá–Mç=íËˆÿÿðD‚	EventDataAÿÿMŠoData5K•NameCAConfigurationId
Aÿÿ;ŠoData#K•NameNewValue
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
ì£¤,¤P¤t¤œ¤(CAConfigurationIdNewValue$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP`Ü¦I=$L¦ MßØuð£Ÿ’ÿÿæD‚	EventDataAÿÿCŠoData+K•NamePropertyName
Aÿÿ;ŠoData#K•NameNewValue
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
T§t§Œ§°§Ô§ü§ PropertyNameNewValue$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPªªüœEŒÞNÏ¬&kÒžnÿÿ²D‚	EventDataAÿÿQŠoData9K•NameNewSecuritySettings
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
lª˜ª¼ªàª«,NewSecuritySettings$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPt¼¬%˜™( ÑüHƒ!AÇøÿÿZD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
0T|$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP¼ô¯®gÊ©Ý6M/wîwÿÿ D‚	EventDataAÿÿCŠoData+K•NameSerialNumber
Aÿÿ7ŠoDataK•NameCAName
Aÿÿ7ŠoDataK•NameStatus
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
€° °´°È°ì°±8± SerialNumberCANameStatus$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPd²NÔ“K‹~ë)	qxö`ÿÿÒD‚	EventDataAÿÿMŠoData5K•NameCAConfigurationId
Aÿÿ]ŠoDataEK•NameNewSigningCertificateHash
Œ²´²(CAConfigurationId8NewSigningCertificateHashTEMP¸µ²u
Vt’åBSQ‹±ÿÿ˜D‚	EventDataAÿÿMŠoData5K•NameCAConfigurationId
AÿÿEŠoData-K•Name
BaseCRLNumber
AÿÿMŠoData5K•NameBaseCRLThisUpdate
AÿÿAŠoData)K•NameBaseCRLHash
AÿÿGŠoData/K•NameDeltaCRLNumber
AÿÿMŠoData5K•NameDeltaCRLIndicator
AÿÿOŠoData7K•NameDeltaCRLThisUpdate
AÿÿCŠoData+K•NameDeltaCRLHash
X¶€¶ ¶È¶ä¶·0·\·(CAConfigurationId BaseCRLNumber(BaseCRLThisUpdateBaseCRLHash$DeltaCRLNumber(DeltaCRLIndicator,DeltaCRLThisUpdate DeltaCRLHashTEMP¬¸Ú®O	vú™KÕ³KÍªË7ÿÿTD‚	EventDataAÿÿ3ŠoDataK•NameType
¸TypeTEMP<¹Šbyb@”fÇÜ“É\j	ÿÿ¦D‚	EventDataAÿÿ3ŠoDataK•NameType
AÿÿKŠoData3K•NamePacketsDiscarded

,¹

<¹Type(PacketsDiscardedTEMP<¬¼%”ô3S·N£sXwÎŸúÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
AÿÿAŠoData)K•NameDestAddress
Aÿÿ=ŠoData%K•Name	EtherType
AÿÿAŠoData)K•NameEncapMethod
AÿÿAŠoData)K•NameSnapControl
Aÿÿ9ŠoData!K•NameSnapOui
Aÿÿ9ŠoData!K•NameVlanTag
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID

ˆ½ ½À½Ü½ô½¾,¾@¾

T¾p¾

ˆ¾Direction SourceAddressDestAddressEtherTypeEncapMethodSnapControlSnapOuiVlanTagFilterRTIDLayerNameLayerRTIDTEMP<èÁ%”ô3S·N£sXwÎŸúÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
AÿÿAŠoData)K•NameDestAddress
Aÿÿ=ŠoData%K•Name	EtherType
AÿÿAŠoData)K•NameEncapMethod
AÿÿAŠoData)K•NameSnapControl
Aÿÿ9ŠoData!K•NameSnapOui
Aÿÿ9ŠoData!K•NameVlanTag
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID

ÄÂÜÂüÂÃ0ÃLÃhÃ|Ã

Ã¬Ã

ÄÃDirection SourceAddressDestAddressEtherTypeEncapMethodSnapControlSnapOuiVlanTagFilterRTIDLayerNameLayerRTIDTEMPH(ÇBz¤öïè-úÀ†¼Å'ïü¹ÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameApplication
Aÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
AÿÿAŠoData)K•NameDestAddress
Aÿÿ;ŠoData#K•NameDestPort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID



ÈÈ8ÈPÈpÈŒÈ¨ÈÀÈ

ØÈôÈ

ÉProcessIdApplicationDirection SourceAddressSourcePortDestAddressDestPortProtocolFilterRTIDLayerNameLayerRTIDTEMPHpÌBz¤öïè-úÀ†¼Å'ïü¹ÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameApplication
Aÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
AÿÿAŠoData)K•NameDestAddress
Aÿÿ;ŠoData#K•NameDestPort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID



LÍdÍ€Í˜Í¸ÍÔÍðÍÎ

 Î<Î

TÎProcessIdApplicationDirection SourceAddressSourcePortDestAddressDestPortProtocolFilterRTIDLayerNameLayerRTIDTEMPðèÐ²86ðRaÂóÒ%"É@ÚnÿÿHD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameApplication
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ=ŠoData%K•Name	LayerRTID



ˆÑ Ñ¼ÑÜÑøÑ

Ò,Ò

DÒProcessIdApplication SourceAddressSourcePortProtocolFilterRTIDLayerNameLayerRTIDTEMPðØÔ²86ðRaÂóÒ%"É@ÚnÿÿHD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameApplication
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ=ŠoData%K•Name	LayerRTID



xÕÕ¬ÕÌÕèÕ

ÖÖ

4ÖProcessIdApplication SourceAddressSourcePortProtocolFilterRTIDLayerNameLayerRTIDTEMPH˜ÙÓz
v$!LV @àˆãöÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessID

AÿÿAŠoData)K•NameApplication
Aÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
AÿÿAŠoData)K•NameDestAddress
Aÿÿ;ŠoData#K•NameDestPort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID



tÚŒÚ¨ÚÀÚàÚüÚÛ0Û

HÛdÛ

|ÛProcessIDApplicationDirection SourceAddressSourcePortDestAddressDestPortProtocolFilterRTIDLayerNameLayerRTIDTEMPL

xßI
¬š_ÉMÿR3;CPÿÿ°D‚	EventDataAÿÿ=ŠoData%K•Name	ProcessID

AÿÿAŠoData)K•NameApplication
Aÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
AÿÿAŠoData)K•NameDestAddress
Aÿÿ;ŠoData#K•NameDestPort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID

AÿÿCŠoData+K•NameRemoteUserID
AÿÿIŠoData1K•NameRemoteMachineID


|à”à°àÈàèàá á8á

Pálá

„áœá¼áProcessIDApplicationDirection SourceAddressSourcePortDestAddressDestPortProtocolFilterRTIDLayerNameLayerRTID RemoteUserID$RemoteMachineIDTEMPH,åÓz
v$!LV @àˆãöÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessID

AÿÿAŠoData)K•NameApplication
Aÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
AÿÿAŠoData)K•NameDestAddress
Aÿÿ;ŠoData#K•NameDestPort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID



æ æ<æTætææ¬æÄæ

Üæøæ

çProcessIDApplicationDirection SourceAddressSourcePortDestAddressDestPortProtocolFilterRTIDLayerNameLayerRTIDTEMPL

ëI
¬š_ÉMÿR3;CPÿÿ°D‚	EventDataAÿÿ=ŠoData%K•Name	ProcessID

AÿÿAŠoData)K•NameApplication
Aÿÿ=ŠoData%K•Name	Direction
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
AÿÿAŠoData)K•NameDestAddress
Aÿÿ;ŠoData#K•NameDestPort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
	Aÿÿ=ŠoData%K•Name	LayerRTID

AÿÿCŠoData+K•NameRemoteUserID
AÿÿIŠoData1K•NameRemoteMachineID


ì(ìDì\ì|ì˜ì´ìÌì

äìí

í0íPíProcessIDApplicationDirection SourceAddressSourcePortDestAddressDestPortProtocolFilterRTIDLayerNameLayerRTID RemoteUserID$RemoteMachineIDTEMPððï²86ðRaÂóÒ%"É@ÚnÿÿHD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameApplication
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ=ŠoData%K•Name	LayerRTID



ð¨ðÄðäðñ

ñ4ñ

LñProcessIdApplication SourceAddressSourcePortProtocolFilterRTIDLayerNameLayerRTIDTEMPðàó²86ðRaÂóÒ%"É@ÚnÿÿHD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId

AÿÿAŠoData)K•NameApplication
AÿÿEŠoData-K•Name
SourceAddress
Aÿÿ?ŠoData'K•Name
SourcePort
Aÿÿ;ŠoData#K•NameProtocol
Aÿÿ?ŠoData'K•Name
FilterRTID

Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ=ŠoData%K•Name	LayerRTID



€ô˜ô´ôÔôðô

õ$õ

<õProcessIdApplication SourceAddressSourcePortProtocolFilterRTIDLayerNameLayerRTIDTEMPü$ú&P^QGgümÊÕô/6tÛÿÿšD‚	EventDataAÿÿIŠoData1K•NameOpCorrelationID
AÿÿKŠoData3K•NameAppCorrelationID
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameDSName
Aÿÿ7ŠoDataK•NameDSType
Aÿÿ;ŠoData#K•NameObjectDN
Aÿÿ?ŠoData'K•Name
ObjectGUID
	AÿÿAŠoData)K•NameObjectClass
Aÿÿ[ŠoDataCK•NameAttributeLDAPDisplayName
AÿÿOŠoData7K•NameAttributeSyntaxOID
AÿÿGŠoData/K•NameAttributeValue

AÿÿEŠoData-K•Name
OperationType
PûtûœûÀûäûü0üDüXüpüŒü¨üàüý0ý$OpCorrelationID(AppCorrelationID$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdDSNameDSTypeObjectDNObjectGUIDObjectClass8AttributeLDAPDisplayName,AttributeSyntaxOID$AttributeValue OperationTypeTEMP°Ì`ê"N6PbM€KrÏ…OÿÿHD‚	EventDataAÿÿIŠoData1K•NameOpCorrelationID
AÿÿKŠoData3K•NameAppCorrelationID
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameDSName
Aÿÿ7ŠoDataK•NameDSType
Aÿÿ;ŠoData#K•NameObjectDN
Aÿÿ?ŠoData'K•Name
ObjectGUID
	AÿÿAŠoData)K•NameObjectClass
¨Ìô<dˆœ°Èä$OpCorrelationID(AppCorrelationID$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdDSNameDSTypeObjectDNObjectGUIDObjectClassTEMP4Ì~Áœ}otòrý•œ_ã2ÿÿ–D‚	EventDataAÿÿIŠoData1K•NameOpCorrelationID
AÿÿKŠoData3K•NameAppCorrelationID
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameDSName
Aÿÿ7ŠoDataK•NameDSType
AÿÿAŠoData)K•NameOldObjectDN
AÿÿAŠoData)K•NameNewObjectDN
	Aÿÿ?ŠoData'K•Name
ObjectGUID
AÿÿAŠoData)K•NameObjectClass
¼à,Pxœ°Äàü	$OpCorrelationID(AppCorrelationID$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdDSNameDSTypeOldObjectDNNewObjectDNObjectGUIDObjectClassTEMP4
~Áœ}otòrý•œ_ã2ÿÿ–D‚	EventDataAÿÿIŠoData1K•NameOpCorrelationID
AÿÿKŠoData3K•NameAppCorrelationID
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameDSName
Aÿÿ7ŠoDataK•NameDSType
AÿÿAŠoData)K•NameOldObjectDN
AÿÿAŠoData)K•NameNewObjectDN
	Aÿÿ?ŠoData'K•Name
ObjectGUID
AÿÿAŠoData)K•NameObjectClass
ð
<`„¬Ðäø0L$OpCorrelationID(AppCorrelationID$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdDSNameDSTypeOldObjectDNNewObjectDNObjectGUIDObjectClassTEMP¸¼ÿ§›ÎN—ú7·ïÍ‘”¦óÿÿ D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
Aÿÿ=ŠoData%K•Name	ShareName
Hl¸Üô$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdIpAddressIpPortShareNameTEMP ”ù¼r`{––›2ñRÿÿ@D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
Aÿÿ=ŠoData%K•Name	ShareName
AÿÿGŠoData/K•NameShareLocalPath
Aÿÿ?ŠoData'K•Name
AccessMask
	Aÿÿ?ŠoData'K•Name
AccessList
p”¸à 8Ldˆ¤$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdObjectTypeIpAddressIpPortShareName$ShareLocalPathAccessMaskAccessListTEMP(„#ÐYe
%dâ;@^1àèÿÿŽD‚	EventDataAÿÿIŠoData1K•NameOpCorrelationID
AÿÿKŠoData3K•NameAppCorrelationID
AÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ7ŠoDataK•NameDSName
Aÿÿ7ŠoDataK•NameDSType
Aÿÿ;ŠoData#K•NameObjectDN
Aÿÿ?ŠoData'K•Name
ObjectGUID
	AÿÿAŠoData)K•NameObjectClass
Aÿÿ?ŠoData'K•Name
TreeDelete
t˜Àä0Th|”°Ì$OpCorrelationID(AppCorrelationID$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdDSNameDSTypeObjectDNObjectGUIDObjectClassTreeDeleteTEMPh!`©®‚‰²çvùêaÿÿìD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	ShareName
AÿÿGŠoData/K•NameShareLocalPath
€!¤!È!ð!","$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdShareName$ShareLocalPathTEMPpà&j«€ÈÓTPÍ »™“ÿÿZD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ=ŠoData%K•Name	ShareName
AÿÿGŠoData/K•NameShareLocalPath
Aÿÿ=ŠoData%K•Name	OldRemark
Aÿÿ=ŠoData%K•Name	NewRemark
AÿÿAŠoData)K•NameOldMaxUsers
	AÿÿAŠoData)K•NameNewMaxUsers
AÿÿEŠoData-K•Name
OldShareFlags
AÿÿEŠoData-K•Name
NewShareFlags
Aÿÿ5ŠoDataK•NameOldSD

Aÿÿ5ŠoDataK•NameNewSD
(0(T(|( (¼(Ô(ø()()D)`)€) )°)$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdObjectTypeShareName$ShareLocalPathOldRemarkNewRemarkOldMaxUsersNewMaxUsers OldShareFlags NewShareFlagsOldSDNewSDTEMPhà+`©®‚‰²çvùêaÿÿìD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ=ŠoData%K•Name	ShareName
AÿÿGŠoData/K•NameShareLocalPath
X,|, ,È,ì,-$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdShareName$ShareLocalPathTEMP´

<16°¾0«3U}gþîÿÿàD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ObjectType
Aÿÿ=ŠoData%K•Name	IpAddress
Aÿÿ7ŠoDataK•NameIpPort
Aÿÿ=ŠoData%K•Name	ShareName
AÿÿGŠoData/K•NameShareLocalPath
AÿÿOŠoData7K•NameRelativeTargetName
	Aÿÿ?ŠoData'K•Name
AccessMask
Aÿÿ?ŠoData'K•Name
AccessList
AÿÿCŠoData+K•NameAccessReason
@2d2ˆ2°2Ô2ð23343X3„3 3¼3$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdObjectTypeIpAddressIpPortShareName$ShareLocalPath,RelativeTargetNameAccessMaskAccessList AccessReasonTEMPÄ		Ð6Ù{CÈ¤G7æ-®(5×Tåÿÿ¾D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ9ŠoData!K•NameSpnName
Aÿÿ=ŠoData%K•Name	ErrorCode
AÿÿAŠoData)K•NameServerNames
AÿÿIŠoData1K•NameConfiguredNames
AÿÿAŠoData)K•NameIpAddresses
„7¨7Ì7ô78,8D8`8„8$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdSpnNameErrorCodeServerNames$ConfiguredNamesIpAddressesTEMPt0:%˜™( ÑüHƒ!AÇøÿÿZD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
€:¤:È:ð:$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMPt¤<%˜™( ÑüHƒ!AÇøÿÿZD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
ô<=<=d=$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdTEMP0$@pa®óLèäÖú@ïñq¸ÿÿfD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ9ŠoData!K•NamePackage
Aÿÿ9ŠoData!K•NameUserUPN
AÿÿCŠoData+K•NameTargetServer
Aÿÿ;ŠoData#K•NameCredType
Ä@è@A4AXAlA€A A$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdPackageUserUPN TargetServerCredTypeTEMPÐ		°Dn²Û©!ßlå¸®qñéÿÿÄD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
AÿÿEŠoData-K•Name
TransactionId
Aÿÿ;ŠoData#K•NameNewState
AÿÿIŠoData1K•NameResourceManager
Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
dEˆE¬EÔEøEF0FTFlF$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonId TransactionIdNewState$ResourceManagerProcessIdProcessNameTEMP ŒJœ½©dÀ¸ÿ&’ÉÿÿÎD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId

Aÿÿ=ŠoData%K•Name	ProcessId
AÿÿAŠoData)K•NameProcessName
AÿÿIŠoData1K•NameRemoteIpAddress
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿEŠoData-K•Name
InterfaceUuid
AÿÿKŠoData3K•NameProtocolSequence
	AÿÿUŠoData=K•NameAuthenticationService
AÿÿQŠoData9K•NameAuthenticationLevel
|K KÄK
ìKL(LDLhL„L¤LÌLüL$SubjectUserSid$SubjectUserName(SubjectDomainName$SubjectLogonIdProcessIdProcessName$RemoteIpAddressRemotePort InterfaceUuid(ProtocolSequence0AuthenticationService,AuthenticationLevelTEMPXxPÞ;m‹ÑoÛ€æ“‰’ÏÿÿD‚	EventDataAÿÿ3ŠoDataK•NameSSID
Aÿÿ;ŠoData#K•NameIdentity
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ9ŠoData!K•NamePeerMac
Aÿÿ;ŠoData#K•NameLocalMac
Aÿÿ;ŠoData#K•NameIntfGuid
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ?ŠoData'K•Name
ReasonText
	Aÿÿ=ŠoData%K•Name	ErrorCode
TQdQ|Q QÈQìQRR0RLRhRSSIDIdentity$SubjectUserName(SubjectDomainName$SubjectLogonIdPeerMacLocalMacIntfGuidReasonCodeReasonTextErrorCodeTEMPì¼VÎRÑ•n"&®ÅÐzÿÿD‚	EventDataAÿÿ3ŠoDataK•NameSSID
Aÿÿ;ŠoData#K•NameIdentity
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ9ŠoData!K•NamePeerMac
Aÿÿ;ŠoData#K•NameLocalMac
Aÿÿ;ŠoData#K•NameIntfGuid
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ?ŠoData'K•Name
ReasonText
	Aÿÿ=ŠoData%K•Name	ErrorCode
AÿÿEŠoData-K•Name
EAPReasonCode
AÿÿOŠoData7K•NameEapRootCauseString
AÿÿCŠoData+K•NameEAPErrorCode

ÔWäWüW XHXlX€X˜X°XÌXèXY YLYSSIDIdentity$SubjectUserName(SubjectDomainName$SubjectLogonIdPeerMacLocalMacIntfGuidReasonCodeReasonTextErrorCode EAPReasonCode,EapRootCauseString EAPErrorCodeTEMP8\ƒ‘›ÐÈ)Ä1/ÿ›ÒòÿÿjD‚	EventDataAÿÿEŠoData-K•Name
InterfaceName
Aÿÿ;ŠoData#K•NameIdentity
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿGŠoData/K•NameSubjectLogonId
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ?ŠoData'K•Name
ReasonText
Aÿÿ=ŠoData%K•Name	ErrorCode
¬\Ì\ä\]0]T]p]Œ] InterfaceNameIdentity$SubjectUserName(SubjectDomainName$SubjectLogonIdReasonCodeReasonTextErrorCodeTEMP`		d`VÈ!ÓØx@TÜÔ®çü=‰ÿÿŒD‚	EventDataAÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
Aÿÿ?ŠoData'K•Name
CalloutKey
AÿÿAŠoData)K•NameCalloutName
AÿÿAŠoData)K•NameCalloutType
Aÿÿ=ŠoData%K•Name	CalloutId
Aÿÿ;ŠoData#K•NameLayerKey
Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ9ŠoData!K•NameLayerId
a4aTapaŒa¨aÀaØaðaProviderKey ProviderNameCalloutKeyCalloutNameCalloutTypeCalloutIdLayerKeyLayerNameLayerIdTEMP„fE”Ÿ4µlú”âææC¦~EÿÿÔD‚	EventDataAÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
Aÿÿ=ŠoData%K•Name	FilterKey
Aÿÿ?ŠoData'K•Name
FilterName
Aÿÿ?ŠoData'K•Name
FilterType
Aÿÿ;ŠoData#K•NameFilterId

Aÿÿ;ŠoData#K•NameLayerKey
Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ9ŠoData!K•NameLayerId
Aÿÿ7ŠoDataK•NameWeight
	
Aÿÿ?ŠoData'K•Name
Conditions
Aÿÿ7ŠoDataK•NameAction
Aÿÿ?ŠoData'K•Name
CalloutKey
AÿÿAŠoData)K•NameCalloutName

$g@g`gxg”g

°gÈgàgøg

h h<hPhlhProviderKey ProviderNameFilterKeyFilterNameFilterTypeFilterIdLayerKeyLayerNameLayerIdWeightConditionsActionCalloutKeyCalloutNameTEMPÄ´i²Ëi?²<6®hûÅÆtü÷ÿÿöD‚	EventDataAÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
AÿÿCŠoData+K•NameProviderType
ðij,jProviderKey ProviderName ProviderTypeTEMP4lÊÙöòh®(!fÔd$ÿÿ²D‚	EventDataAÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
AÿÿOŠoData7K•NameProviderContextKey
AÿÿQŠoData9K•NameProviderContextName
AÿÿQŠoData9K•NameProviderContextType
˜l´lÔlm,mProviderKey ProviderName,ProviderContextKey,ProviderContextName,ProviderContextTypeTEMP ToÌ†öº·V€®8#203FÿÿÆD‚	EventDataAÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
AÿÿAŠoData)K•NameSubLayerKey
AÿÿCŠoData+K•NameSubLayerName
AÿÿCŠoData+K•NameSubLayerType
Aÿÿ7ŠoDataK•NameWeight
Ìoèop$pDpdpProviderKey ProviderNameSubLayerKey SubLayerName SubLayerTypeWeightTEMP

DtV·µgÏ5a>	Á<ùÿÿ˜D‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId
Aÿÿ9ŠoData!K•NameUserSid
Aÿÿ;ŠoData#K•NameUserName
AÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
Aÿÿ?ŠoData'K•Name
ChangeType
Aÿÿ?ŠoData'K•Name
CalloutKey
AÿÿAŠoData)K•NameCalloutName
AÿÿAŠoData)K•NameCalloutType
Aÿÿ=ŠoData%K•Name	CalloutId
	Aÿÿ;ŠoData#K•NameLayerKey
Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ9ŠoData!K•NameLayerId
Hu`utuŒu¨uÈuäuvv8vPvhv€vProcessIdUserSidUserNameProviderKey ProviderNameChangeTypeCalloutKeyCalloutNameCalloutTypeCalloutIdLayerKeyLayerNameLayerIdTEMP@¨{ÝÍ2%Œ«6I#r®ºúÿÿàD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId
Aÿÿ9ŠoData!K•NameUserSid
Aÿÿ;ŠoData#K•NameUserName
AÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
Aÿÿ?ŠoData'K•Name
ChangeType
Aÿÿ=ŠoData%K•Name	FilterKey
Aÿÿ?ŠoData'K•Name
FilterName
Aÿÿ?ŠoData'K•Name
FilterType
Aÿÿ;ŠoData#K•NameFilterId
	
Aÿÿ;ŠoData#K•NameLayerKey
Aÿÿ=ŠoData%K•Name	LayerName
Aÿÿ9ŠoData!K•NameLayerId
Aÿÿ7ŠoDataK•NameWeight


Aÿÿ?ŠoData'K•Name
Conditions
Aÿÿ7ŠoDataK•NameAction
Aÿÿ?ŠoData'K•Name
CalloutKey
AÿÿAŠoData)K•NameCalloutName
}(}<}T}p}}¬}Ä}à}

ü}~,~D~

X~l~ˆ~œ~¸~ProcessIdUserSidUserNameProviderKey ProviderNameChangeTypeFilterKeyFilterNameFilterTypeFilterIdLayerKeyLayerNameLayerIdWeightConditionsActionCalloutKeyCalloutNameTEMP€6çè}–Pƒ{GùÌC·ÂÆÿÿD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId
Aÿÿ9ŠoData!K•NameUserSid
Aÿÿ;ŠoData#K•NameUserName
Aÿÿ?ŠoData'K•Name
ChangeType
AÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
AÿÿCŠoData+K•NameProviderType
˜°ÄÜø‚4‚ProcessIdUserSidUserNameChangeTypeProviderKey ProviderName ProviderTypeTEMPÈ		H…ª ÒC¸l‘¤ª°åð
"ÿÿ¾D‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId
Aÿÿ9ŠoData!K•NameUserSid
Aÿÿ;ŠoData#K•NameUserName
AÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
Aÿÿ?ŠoData'K•Name
ChangeType
AÿÿOŠoData7K•NameProviderContextKey
AÿÿQŠoData9K•NameProviderContextName
AÿÿQŠoData9K•NameProviderContextType
ü…†(†@†\†|†˜†Ä†ð†ProcessIdUserSidUserNameProviderKey ProviderNameChangeType,ProviderContextKey,ProviderContextName,ProviderContextTypeTEMPÜ

$ŠeÊÅý:9†Ÿ
Žms„/¶òÿÿÒD‚	EventDataAÿÿ=ŠoData%K•Name	ProcessId
Aÿÿ9ŠoData!K•NameUserSid
Aÿÿ;ŠoData#K•NameUserName
AÿÿAŠoData)K•NameProviderKey
AÿÿCŠoData+K•NameProviderName
Aÿÿ?ŠoData'K•Name
ChangeType
AÿÿAŠoData)K•NameSubLayerKey
AÿÿCŠoData+K•NameSubLayerName
AÿÿCŠoData+K•NameSubLayerType
Aÿÿ7ŠoDataK•NameWeight
	ìŠ‹‹0‹L‹l‹ˆ‹¤‹Ä‹ä‹ProcessIdUserSidUserNameProviderKey ProviderNameChangeTypeSubLayerKey SubLayerName SubLayerTypeWeightTEMP\`“½Š(ÃÛ_™‰ÙŒ>îˆÿÿ4D‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿKŠoData3K•NameLocalAddressMask
Aÿÿ=ŠoData%K•Name	LocalPort
AÿÿQŠoData9K•NameLocalTunnelEndpoint
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿMŠoData5K•NameRemoteAddressMask
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿOŠoData7K•NamePeerPrivateAddress
AÿÿSŠoData;K•NameRemoteTunnelEndpoint
Aÿÿ?ŠoData'K•Name
IpProtocol
	AÿÿKŠoData3K•NameKeyingModuleName
Aÿÿ?ŠoData'K•Name
AhAuthType
AÿÿAŠoData)K•NameEspAuthType
Aÿÿ?ŠoData'K•Name
CipherType

AÿÿIŠoData1K•NameLifetimeSeconds
AÿÿMŠoData5K•NameLifetimeKilobytes
AÿÿIŠoData1K•NameLifetimePackets
Aÿÿ3ŠoDataK•NameMode
Aÿÿ3ŠoDataK•NameRole
AÿÿMŠoData5K•NameTransportFilterId

AÿÿCŠoData+K•NameMainModeSaId

AÿÿEŠoData-K•Name
QuickModeSaId

Aÿÿ?ŠoData'K•Name
InboundSpi

AÿÿAŠoData)K•NameOutboundSpi

@•`•ˆ• •Ì•ì•–0–\–Œ–¨–Ð–ì–—$—H—p—”—¤—

´—

Ü—

ü—

˜

8˜ LocalAddress(LocalAddressMaskLocalPort,LocalTunnelEndpoint RemoteAddress(RemoteAddressMaskRemotePort,PeerPrivateAddress0RemoteTunnelEndpointIpProtocol(KeyingModuleNameAhAuthTypeEspAuthTypeCipherType$LifetimeSeconds(LifetimeKilobytes$LifetimePacketsModeRole(TransportFilterId MainModeSaId QuickModeSaIdInboundSpiOutboundSpiTEMP\
T Ø`ZHŸüÈ`!LÇ“ÃÿÿÊD‚	EventDataAÿÿCŠoData+K•NameLocalAddress
AÿÿKŠoData3K•NameLocalAddressMask
Aÿÿ=ŠoData%K•Name	LocalPort
AÿÿQŠoData9K•NameLocalTunnelEndpoint
AÿÿEŠoData-K•Name
RemoteAddress
AÿÿMŠoData5K•NameRemoteAddressMask
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿOŠoData7K•NamePeerPrivateAddress
AÿÿSŠoData;K•NameRemoteTunnelEndpoint
Aÿÿ?ŠoData'K•Name
IpProtocol
	AÿÿKŠoData3K•NameKeyingModuleName
Aÿÿ?ŠoData'K•Name
AhAuthType
AÿÿAŠoData)K•NameEspAuthType
Aÿÿ?ŠoData'K•Name
CipherType

AÿÿIŠoData1K•NameLifetimeSeconds
AÿÿMŠoData5K•NameLifetimeKilobytes
AÿÿIŠoData1K•NameLifetimePackets
Aÿÿ3ŠoDataK•NameMode
Aÿÿ3ŠoDataK•NameRole
AÿÿMŠoData5K•NameTransportFilterId

AÿÿCŠoData+K•NameMainModeSaId

AÿÿEŠoData-K•Name
QuickModeSaId

Aÿÿ?ŠoData'K•Name
InboundSpi

AÿÿAŠoData)K•NameOutboundSpi

Aÿÿ;ŠoData#K•NameTunnelId

AÿÿMŠoData5K•NameTrafficSelectorId

\¢|¢¤¢¼¢è¢£0£L£x£¨£Ä£ì£¤$¤@¤d¤Œ¤°¤À¤

Ð¤

ø¤

¥

8¥

T¥

p¥

ˆ¥ LocalAddress(LocalAddressMaskLocalPort,LocalTunnelEndpoint RemoteAddress(RemoteAddressMaskRemotePort,PeerPrivateAddress0RemoteTunnelEndpointIpProtocol(KeyingModuleNameAhAuthTypeEspAuthTypeCipherType$LifetimeSeconds(LifetimeKilobytes$LifetimePacketsModeRole(TransportFilterId MainModeSaId QuickModeSaIdInboundSpiOutboundSpiTunnelId(TrafficSelectorIdTEMP`d¨îÔìªH$²d¨ÿÿ~D‚	EventDataAÿÿCŠoData+K•NameLocalAddress
Aÿÿ=ŠoData%K•Name	LocalPort
AÿÿQŠoData9K•NameLocalTunnelEndpoint
AÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿSŠoData;K•NameRemoteTunnelEndpoint
Aÿÿ?ŠoData'K•Name
IpProtocol
AÿÿEŠoData-K•Name
QuickModeSaId

©$©<©h©ˆ©¤©Ô©

ð© LocalAddressLocalPort,LocalTunnelEndpoint RemoteAddressRemotePort0RemoteTunnelEndpointIpProtocol QuickModeSaIdTEMP\

X6P¶äzvFÏMµPÿÿD‚	EventDataAÿÿCŠoData+K•NameLocalAddress
Aÿÿ=ŠoData%K•Name	LocalPort
AÿÿQŠoData9K•NameLocalTunnelEndpoint
AÿÿEŠoData-K•Name
RemoteAddress
Aÿÿ?ŠoData'K•Name
RemotePort
AÿÿSŠoData;K•NameRemoteTunnelEndpoint
Aÿÿ?ŠoData'K•Name
IpProtocol
AÿÿEŠoData-K•Name
QuickModeSaId

Aÿÿ;ŠoData#K•NameTunnelId

AÿÿMŠoData5K•NameTrafficSelectorId
	
 ®@®X®„®¤®À®ð®

¯

,¯

D¯ LocalAddressLocalPort,LocalTunnelEndpoint RemoteAddressRemotePort0RemoteTunnelEndpointIpProtocol QuickModeSaIdTunnelId(TrafficSelectorIdTEMPP¼¯Òêyg¦Ø»$ž<[7øJ.ÿÿD‚	EventDataTEMPˆx²1·˜lÄ`mÐš€ºY•¯µÿÿ†D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿUŠoData=K•NameSubjectUserDomainName
AÿÿGŠoData/K•NameSubjectLogonId

AÿÿSŠoData;K•NameObjectCollectionName
AÿÿaŠoDataIK•NameObjectIdentifyingProperties
Aÿÿ[ŠoDataCK•NameModifiedObjectProperties
³(³L³
|³ ³Ð³´$SubjectUserSid$SubjectUserName0SubjectUserDomainName$SubjectLogonId0ObjectCollectionName<ObjectIdentifyingProperties8ModifiedObjectPropertiesTEMPhð¶§8C›qyV&1HK#|/ÿÿvD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿUŠoData=K•NameSubjectUserDomainName
AÿÿGŠoData/K•NameSubjectLogonId

AÿÿSŠoData;K•NameObjectCollectionName
AÿÿaŠoDataIK•NameObjectIdentifyingProperties
AÿÿKŠoData3K•NameObjectProperties
|· ·Ä·
ô·¸H¸„¸$SubjectUserSid$SubjectUserName0SubjectUserDomainName$SubjectLogonId0ObjectCollectionName<ObjectIdentifyingProperties(ObjectPropertiesTEMPhX»§8C›qyV&1HK#|/ÿÿvD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿUŠoData=K•NameSubjectUserDomainName
AÿÿGŠoData/K•NameSubjectLogonId

AÿÿSŠoData;K•NameObjectCollectionName
AÿÿaŠoDataIK•NameObjectIdentifyingProperties
AÿÿKŠoData3K•NameObjectProperties
ä»¼,¼
\¼€¼°¼ì¼$SubjectUserSid$SubjectUserName0SubjectUserDomainName$SubjectLogonId0ObjectCollectionName<ObjectIdentifyingProperties(ObjectPropertiesTEMP(è½Ýñ¬ÓÏr˜¿w¨gOì¤•ÿÿžD‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
Aÿÿ9ŠoData!K•NameGPOList
¾(¾ErrorCodeGPOListTEMP(¿Ýñ¬ÓÏr˜¿w¨gOì¤•ÿÿžD‚	EventDataAÿÿ=ŠoData%K•Name	ErrorCode
Aÿÿ9ŠoData!K•NameGPOList
8¿P¿ErrorCodeGPOListTEMPø4È¶fK ï¼M4øgd_ÿÿšD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
AÿÿIŠoData1K•NameQuarantineState
AÿÿaŠoDataIK•NameQuarantineSessionIdentifier
<Ê`Ê„Ê¬ÊìÊË@ËˆË°ËÔËüË ÌDÌdÌ€Ì”Ì°ÌÔÌøÌ ÍTÍ„Í°ÍÄÍüÍ Î$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifier$QuarantineState<QuarantineSessionIdentifierTEMPxx×¤OSMè|naN´“ÙÿÿæD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
AÿÿIŠoData1K•NameQuarantineState
AÿÿaŠoDataIK•NameQuarantineSessionIdentifier
AÿÿEŠoData-K•Name
LoggingResult
”Ù¸ÙÜÙÚDÚlÚ˜ÚàÚÛ,ÛTÛxÛœÛ¼ÛØÛìÛÜ,ÜPÜxÜ¬ÜÜÜÝÝTÝxÝ´Ý$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifier$QuarantineState<QuarantineSessionIdentifier LoggingResultTEMP”pæb{·üâsn4K‹®·ÝÿÿfD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ7ŠoDataK•NameReason
xèœèÀèèè(éPé|éÄéìéê8ê\ê€ê ê¼êÐêìêë4ë\ëëÀëìëì8ìTì$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifierReasonCodeReasonTEMPPõ£>ÇüJ]CÅ0ïÕ!
[{ÿÿ²D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ7ŠoDataK•NameReason
AÿÿEŠoData-K•Name
LoggingResult
l÷÷´÷Ü÷øDøpø¸øàøù,ùPùtù”ù°ùÄùàùú(úPú„ú´úàúôú,ûHû\û$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifierReasonCodeReason LoggingResultTEMP”b{·üâsn4K‹®·ÝÿÿfD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ7ŠoDataK•NameReason
 DhÐø$l”¸à(Hdx”¸Ü	8	h	”	¨	à	ü	$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifierReasonCodeReasonTEMP”¬b{·üâsn4K‹®·ÝÿÿfD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
Aÿÿ?ŠoData'K•Name
ReasonCode
Aÿÿ7ŠoDataK•NameReason
´Øü$dŒ¸(Lt˜¼Üø(Lp˜Ìü(<t$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifierReasonCodeReasonTEMPÌ€"ƒÛóG2ä}4Ãè™HÉÊ¢mÿÿ¨	D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
AÿÿIŠoData1K•NameQuarantineState
AÿÿYŠoDataAK•NameExtendedQuarantineState
AÿÿQŠoData9K•NameQuarantineSessionID
AÿÿMŠoData5K•NameQuarantineHelpURL
AÿÿcŠoDataKK•NameQuarantineSystemHealthResult
Ä$è$%4%t%œ%È%&8&\&„&¨&Ì&ì&''8'\'€'¨'Ü'(8(L(„(¨(Ü()0)$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifier$QuarantineState4ExtendedQuarantineState,QuarantineSessionID(QuarantineHelpURL@QuarantineSystemHealthResultTEMPd¤3ˆQ†#¿›»u¡òåî~ƒÜÿÿ
D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
AÿÿIŠoData1K•NameQuarantineState
AÿÿYŠoDataAK•NameExtendedQuarantineState
AÿÿQŠoData9K•NameQuarantineSessionID
AÿÿMŠoData5K•NameQuarantineHelpURL
AÿÿcŠoDataKK•NameQuarantineSystemHealthResult
AÿÿQŠoData9K•NameQuarantineGraceTime
ü5 6D6l6¬6Ô67H7p7”7¼7à78$8@8T8p8”8¸8à89D9p9„9¼9à9:@:h:¨:$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifier$QuarantineState4ExtendedQuarantineState,QuarantineSessionID(QuarantineHelpURL@QuarantineSystemHealthResult,QuarantineGraceTimeTEMPÌ°DƒÛóG2ä}4Ãè™HÉÊ¢mÿÿ¨	D‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
AÿÿMŠoData5K•NameSubjectMachineSID
AÿÿOŠoData7K•NameSubjectMachineName
AÿÿkŠoDataSK•Name FullyQualifiedSubjectMachineName
AÿÿKŠoData3K•NameMachineInventory
AÿÿIŠoData1K•NameCalledStationID
AÿÿKŠoData3K•NameCallingStationID
	AÿÿGŠoData/K•NameNASIPv4Address
AÿÿGŠoData/K•NameNASIPv6Address
AÿÿEŠoData-K•Name
NASIdentifier
AÿÿAŠoData)K•NameNASPortType

Aÿÿ9ŠoData!K•NameNASPort
Aÿÿ?ŠoData'K•Name
ClientName
AÿÿIŠoData1K•NameClientIPAddress
AÿÿIŠoData1K•NameProxyPolicyName
AÿÿMŠoData5K•NameNetworkPolicyName
AÿÿWŠoData?K•NameAuthenticationProvider
AÿÿSŠoData;K•NameAuthenticationServer
AÿÿOŠoData7K•NameAuthenticationType
Aÿÿ9ŠoData!K•NameEAPType
Aÿÿ[ŠoDataCK•NameAccountSessionIdentifier
AÿÿIŠoData1K•NameQuarantineState
AÿÿYŠoDataAK•NameExtendedQuarantineState
AÿÿQŠoData9K•NameQuarantineSessionID
AÿÿMŠoData5K•NameQuarantineHelpURL
AÿÿcŠoDataKK•NameQuarantineSystemHealthResult
ôFG<GdG¤GÌGøG@HhHŒH´HØHüHI8ILIhIŒI°IØIJ<JhJ|J´JØJK8K`K$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserName(SubjectMachineSID,SubjectMachineNameHFullyQualifiedSubjectMachineName(MachineInventory$CalledStationID(CallingStationID$NASIPv4Address$NASIPv6Address NASIdentifierNASPortTypeNASPortClientName$ClientIPAddress$ProxyPolicyName(NetworkPolicyName4AuthenticationProvider0AuthenticationServer,AuthenticationTypeEAPType8AccountSessionIdentifier$QuarantineState4ExtendedQuarantineState,QuarantineSessionID(QuarantineHelpURL@QuarantineSystemHealthResultTEMP¬LMâZ!“<†CÁÛs¨?¨ÏUÿÿxD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
œMÀMäMN$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserNameTEMP¬øOâZ!“<†CÁÛs¨?¨ÏUÿÿxD‚	EventDataAÿÿGŠoData/K•NameSubjectUserSid
AÿÿIŠoData1K•NameSubjectUserName
AÿÿMŠoData5K•NameSubjectDomainName
AÿÿeŠoDataMK•NameFullyQualifiedSubjectUserName
HPlPP¸P$SubjectUserSid$SubjectUserName(SubjectDomainName@FullyQualifiedSubjectUserNameTEMP´„Q¤N”&@¿F&ÃÁ*ÏNžÿÿXD‚	EventDataAÿÿ7ŠoDataK•Nameparam1
˜Qparam1TEMPØLR[|ã8G®
ž'2ª E°ÿÿjD‚	EventDataAÿÿIŠoData1K•NameClientIPAddress
`R$ClientIPAddressTEMPØ$S[|ã8G®
ž'2ª E°ÿÿjD‚	EventDataAÿÿIŠoData1K•NameClientIPAddress
8S$ClientIPAddressTEMPØüS[|ã8G®
ž'2ª E°ÿÿjD‚	EventDataAÿÿIŠoData1K•NameClientIPAddress
T$ClientIPAddressTEMPØÔTŸÖ«I¡ s"®ÍVrÿÿjD‚	EventDataAÿÿIŠoData1K•NameHostedCacheName
èT$HostedCacheNameTEMPHðUuŽýs|ïw¹/QK©Xÿÿ®D‚	EventDataAÿÿIŠoData1K•NameHostedCacheName
Aÿÿ=ŠoData%K•Name	ErrorCode
V<V$HostedCacheNameErrorCodeTEMP WJ$<°C}8:zým*–ÿÿ–D‚	EventDataAÿÿ9ŠoData!K•NameEventId
Aÿÿ5ŠoDataK•NameCount
HW\WEventIdCountTEMP<HX#aSðG®„TuhsìöHÿÿ¨D‚	EventDataAÿÿAŠoData)K•NameProductName
Aÿÿ?ŠoData'K•Name
Categories
pXŒXProductNameCategoriesTEMP¸8Yw€˜JüÉFlƒfò¯bamÿÿZD‚	EventDataAÿÿ9ŠoData!K•NameMessage
LYMessageTEMP<<Z#aSðG®„TuhsìöHÿÿ¨D‚	EventDataAÿÿAŠoData)K•NameProductName
Aÿÿ?ŠoData'K•Name
Categories
dZ€ZProductNameCategoriesOPCO00´Zwin:InfoLEVL@PäZ(win:InformationalTASKt600pa00pHa00p a00pÔa00pb11pHb11ptb11p b11pÜb11pc11pPc11pŒc11pÈc11pôc22pd22p`d22p d22pÜd22pe22pHe22p¤e22püe22p8f	2	2ppf
2
2pÄf22pg33phg33p¨g33pðg44p,h44p€h44pÜh44p,i55ppi55p´i55pj55p`j55p°j55püj66p8k66pˆk66pàk66p4l66pl66pèl77p,m77pdm77pœm77pÌm88pn88phn88p¨n88pänÿÿpDoHSE_ADT_SYSTEM_SECURITYSTATECHANGEXSE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION4SE_ADT_SYSTEM_INTEGRITYDSE_ADT_SYSTEM_IPSECDRIVEREVENTS0SE_ADT_SYSTEM_OTHERS,SE_ADT_LOGON_LOGON,SE_ADT_LOGON_LOGOFF<SE_ADT_LOGON_ACCOUNTLOCKOUT<SE_ADT_LOGON_IPSECMAINMODE8SE_ADT_LOGON_SPECIALLOGON<SE_ADT_LOGON_IPSECQUICKMODE<SE_ADT_LOGON_IPSECUSERMODE,SE_ADT_LOGON_OTHERS(SE_ADT_LOGON_NPSDSE_ADT_OBJECTACCESS_FILESYSTEM@SE_ADT_OBJECTACCESS_REGISTRY<SE_ADT_OBJECTACCESS_KERNEL4SE_ADT_OBJECTACCESS_SAM8SE_ADT_OBJECTACCESS_OTHER\SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITYXSE_ADT_OBJECTACCESS_APPLICATIONGENERATED<SE_ADT_OBJECTACCESS_HANDLE8SE_ADT_OBJECTACCESS_SHARETSE_ADT_OBJECTACCESS_FIREWALLPACKETDROPSTSE_ADT_OBJECTACCESS_FIREWALLCONNECTIONPSE_ADT_OBJECTACCESS_DETAILEDFILESHARE@SE_ADT_PRIVILEGEUSE_SENSITIVEHSE_ADT_PRIVILEGEUSE_NONSENSITIVE<SE_ADT_PRIVILEGEUSE_OTHERSTSE_ADT_DETAILEDTRACKING_PROCESSCREATION\SE_ADT_DETAILEDTRACKING_PROCESSTERMINATIONPSE_ADT_DETAILEDTRACKING_DPAPIACTIVITYDSE_ADT_DETAILEDTRACKING_RPCCALLDSE_ADT_POLICYCHANGE_AUDITPOLICYXSE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICYTSE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICYPSE_ADT_POLICYCHANGE_MPSSCVRULEPOLICYLSE_ADT_POLICYCHANGE_WFPIPSECPOLICY<SE_ADT_POLICYCHANGE_OTHERSPSE_ADT_ACCOUNTMANAGEMENT_USERACCOUNTXSE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNTTSE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP\SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUPXSE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUPDSE_ADT_ACCOUNTMANAGEMENT_OTHERS8SE_ADT_DSACCESS_DSACCESS8SE_ADT_DSACCESS_DSCHANGES0SE_ADT_DS_REPLICATIONDSE_ADT_DS_DETAILED_REPLICATIONXSE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION@SE_ADT_ACCOUNTLOGON_KERBEROS<SE_ADT_ACCOUNTLOGON_OTHERS`SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION<SE_ADT_UNKNOWN_SUBCATEGORYKEYWEVNTðIŠ
€¨ZØZ˜
€¨ZØZ˜
€Ì¨ZØZ˜
€Ì¨ZØZ˜
€Ì¨ZØZ˜
€¤¨ZØZ˜
€œ¨ZØZ˜
€°¨ZØZ˜
€,¨ZØZ˜

€
l¨ZØZ˜

€
˜¨ZØZ˜
€ˆ¨ZØZ˜
€p¨ZØZ˜
€ä$¨ZØZ˜
€¼/¨ZØZ˜&
€&2¨ZØZ˜'
€'\3¨ZØZ˜(
€(À5¨ZØZ˜)
€)=¨ZØZ˜*
€*4D¨ZØZ˜+
€+äL¨ZØZ˜,
€,ÐX¨ZØZ˜-
€-€d¨ZØZ˜.
€.°ôl¨ZØZ˜.
€.dv¨ZØZ˜/
€/Ð€¨ZØZ˜0
€0°ø‚¨ZØZ˜0
€0¬Š¨ZØZ˜1
€1à’¨ZØZ˜2
€2š¨ZØZ˜3
€3Hž¨ZØZ˜4
€4ð¤¨ZØZ˜5
€5°¸©¨ZØZ˜5
€5ä±¨ZØZ˜6
€6Œº¨ZØZ˜7
€7ÈÁ¨ZØZ˜8
€8èÇ¨ZØZ˜9
€9¸Ë¨ZØZ˜:
€:ÀÎ¨ZØZ˜;
€;Ô¨ZØZ˜<
€<¤Ö¨ZØZ˜>
€>´Ù¨ZØZ˜?
€?Ì2¨ZØZ˜@
€@¨ß¨ZØZ˜A
€Aœâ¨ZØZ˜B
€B\ç¨ZØZ˜C
€C„í¨ZØZ˜P
€P°œñ¨ZØZ˜P
€Pö¨ZØZ˜Q
€Qû¨ZØZ˜R
€RÌþ¨ZØZ˜S
€S\¨ZØZ˜T
€T¨ZØZ˜U
€Uˆ¨ZØZ˜V
€Vp¨ZØZ˜W
€Wˆ¨ZØZ˜X
€X ¨ZØZ˜Y
€Y("¨ZØZ˜Z
€Z('¨ZØZ˜[
€[€*¨ZØZ˜\
€\Ø-¨ZØZ˜]
€]01¨ZØZ˜^
€^ˆ4¨ZØZ˜`
€`ð7¨ZØZ˜a
€aT;¨ZØZ˜b
€b¸>¨ZØZ˜c
€cD¨ZØZ˜e
€ehG¨ZØZ˜f
€fèH¨ZØZ˜g
€gJ¨ZØZ˜h
€h¸J¨ZØZ˜i
€ilK¨ZØZ˜j
€j|N¨ZØZ˜k
€kxQ¨ZØZ˜l
€l¬T¨ZØZ˜m
€mZ¨ZØZ˜n
€nh]¨ZØZ˜o
€oÌ`¨ZØZ˜p
€pTe¨ZØZ˜r
€rèr¨ZØZ˜s
€sàv¨ZØZ˜t
€tX{¨ZØZ˜u
€uP¨ZØZ˜v
€vHƒ¨ZØZ˜w
€wÀ‡¨ZØZ˜x
€x4¨ZØZ˜y
€y’¨ZØZ˜z
€zì—¨ZØZ˜{
€{dœ¨ZØZ˜|
€|Ø¡¨ZØZ˜}
€}4§¨ZØZ˜~
€~¬¨ZØZ˜
€±¨ZØZ˜
€|¶¨ZØZ˜‚
€‚ð»¨ZØZ˜ƒ
€ƒäÉ¨ZØZ˜„
€„¨Õ¨ZØZ˜…
€… Ù¨ZØZ˜†
€†Lè¨ZØZ˜‡
€‡˜÷¨ZØZ˜ˆ
€ˆü¨ZØZ˜‰
€‰„¨ZØZ˜Š
€Šø¨ZØZ˜‹
€‹T¨ZØZ˜Œ
€Œ°¨ZØZ˜
€(¨ZØZ˜Ž
€Žœ¨ZØZ˜
€!¨ZØZ˜
€l&¨ZØZ˜‘
€‘È+¨ZØZ˜’
€’@0¨ZØZ˜“
€“´5¨ZØZ˜”
€”(;¨ZØZ˜•
€•„@¨ZØZ˜–
€–àE¨ZØZ˜—
€—XJ¨ZØZ˜˜
€˜ÌO¨ZØZ˜™
€™@U¨ZØZ˜š
€šœZ¨ZØZ˜›
€›ø_¨ZØZ˜œ
€œpd¨ZØZ˜
€pi¨ZØZ˜ž
€žDo¨ZØZ˜Ÿ
€Ÿ¼s¨ZØZ˜ 
€ ´w¨ZØZ˜¡
€¡à~¨ZØZ˜¢
€¢”„¨ZØZ˜£
€£Øˆ¨ZØZ˜¤
€¤dŽ¨ZØZ˜¥
€¥’¨ZØZ˜¦
€¦´•¨ZØZ˜§
€§p—¨ZØZ˜¨
€¨´˜¨ZØZ˜©
€©àš¨ZØZ˜ª
€ª¨ZØZ˜«
€«4 ¨ZØZ˜¬
€¬€¥¨ZØZ˜
€ø©¨ZØZ˜®
€®¯¨ZØZ˜¯
€¯²¨ZØZ˜°
€°¸¨ZØZ˜±
€±x½¨ZØZ˜²
€²ÔÂ¨ZØZ˜³
€³0È¨ZØZ˜´
€´ŒÍ¨ZØZ˜µ
€µèÒ¨ZØZ˜¶
€¶`×¨ZØZ˜·
€·ÔÜ¨ZØZ˜¸
€¸Hâ¨ZØZ˜¹
€¹Àæ¨ZØZ˜º
€º˜ê¨ZØZ˜À
€Àèí¨ZØZ˜Á
€Á¼ð¨ZØZ˜Â
€Âó¨ZØZ˜Ã
€Ãdö¨ZØZ˜Ð
€Ð°8ù¨ZØZ˜Ð
€Ð¸ú¨ZØZ˜Ñ
€Ñ„ü¨ZØZ˜Ù
€ÙP£¨ZØZ˜
€ ¨ZØZ˜
€D¨ZØZ˜
€Ä¨ZØZ˜
€D¨ZØZ˜
€Ä¨ZØZ˜
€¨¨ZØZ˜
€Œ¨ZØZ˜
€4"¨ZØZ˜
€d&¨ZØZ˜	
€	)¨ZØZ˜

€
.¨ZØZ˜
€<¨ZØZ˜
€h1¨ZØZ˜

€
P4¨ZØZ˜
€¨ZØZ˜
€¨ZØZ˜
€Ä6¨ZØZ˜
€p9¨ZØZ˜
€>¨ZØZ˜
€A¨ZØZ˜
€tD¨ZØZ˜
€ÐG¨ZØZ˜
€¼J¨ZØZ˜
€`L¨ZØZ˜
€„O¨ZØZ˜
€¨R¨ZØZ˜
€ÌU¨ZØZ˜
€˜Y¨ZØZ˜
€(]¨ZØZ˜
€˜a¨ZØZ˜
€8c¨ZØZ˜
€f¨ZØZ˜ 
€ Ìg¨ZØZ˜!
€!„k¨ZØZ˜"
€"tl¨ZØZ˜#
€#,q¨ZØZ˜$
€$ôu¨ZØZ˜&
€&ü{¨ZØZ˜(
€(0}¨ZØZ˜)
€)”¨ZØZ˜*
€*ø…¨ZØZ˜+
€+è†¨ZØZ˜,
€,ÜŒ¨ZØZ˜-
€-˜5¨ZØZ˜.
€.7¨ZØZ˜0
€0”¨ZØZ˜@
€@œ’¨ZØZ˜A
€A´•¨ZØZ˜B
€BÌ˜¨ZØZ˜C
€Cä›¨ZØZ˜D
€Düž¨ZØZ˜E
€E¢¨ZØZ˜F
€F€¥¨ZØZ˜G
€GÐ¨¨ZØZ˜H
€H4ª¨ZØZ˜I
€I8¬¨ZØZ˜P
€PÀ®¨ZØZ˜Q
€Q8³¨ZØZ˜R
€RÔ´¨ZØZ˜S
€S|¶¨ZØZ˜T
€T$¸¨ZØZ˜U
€U¨ZØZ˜V
€VÌ¹¨ZØZ˜W
€W˜»¨ZØZ˜X
€X$½¨ZØZ˜Y
€Y°¾¨ZØZ˜Z
€Z¨ZØZ˜\
€\ÐÀ¨ZØZ˜]
€] Á¨ZØZ˜^
€^0Ã¨ZØZ˜`
€`ØÆ¨ZØZ˜a
€aÈ¨ZØZ˜b
€b(É¨ZØZ˜c
€cPÊ¨ZØZ˜d
€d Ì¨ZØZ˜e
€exË¨ZØZ˜p
€pˆÒ¨ZØZ˜q
€qLÔ¨ZØZ˜r
€rÖ¨ZØZ˜s
€sÔ×¨ZØZ˜t
€tàâ¨ZØZ˜u
€u¨ð¨ZØZ˜v
€vpþ¨ZØZ˜w
€wt¨ZØZ˜x
€x ¨ZØZ˜y
€y¸A¨ZØZ˜ 
€ ¨ZØZ˜¡
€¡¨ZØZ˜£
€£˜-¨ZØZ˜¤
€¤X.¨ZØZ˜¥
€¥/¨ZØZ˜¦
€¦Ø/¨ZØZ˜§
€§¤+¨ZØZ˜¨
€¨Ø,¨ZØZ˜©
€©¨ZØZ˜ª
€ª¨ZØZ˜«
€«˜0¨ZØZ˜
€X1¨ZØZ˜®
€®2¨ZØZ˜¯
€¯8;¨ZØZ˜°
€°˜?¨ZØZ˜±
€±¤A¨ZØZ˜²
€²°C¨ZØZ˜³
€³¼E¨ZØZ˜´
€´ôG¨ZØZ˜µ
€µ,J¨ZØZ˜¶
€¶dL¨ZØZ˜·
€·lN¨ZØZ˜¸
€¸tP¨ZØZ˜¹
€¹|R¨ZØZ˜º
€ºÅ¨ZØZ˜»
€»ÄT¨ZØZ˜À
€ÀY¨ZØZ˜Á
€Ád\¨ZØZ˜Â
€Â°`¨ZØZ˜Ã
€ÃPf¨ZØZ˜Ä
€Äxk¨ZØZ˜Å
€Å”p¨ZØZ˜Æ
€Æ¼u¨ZØZ˜Ç
€Çèv¨ZØZ˜È
€È4{¨ZØZ˜É
€Éd¨ZØZ˜Ê
€Ê„¨ZØZ˜Ë
€Ë”‰¨ZØZ˜Ì
€Ì(¨ZØZ˜Í
€Í<•¨ZØZ˜Î
€Î@›¨ZØZ˜
€¨ZØZ˜
€¨ZØZ˜
€P¡¨ZØZ˜
€À¤¨ZØZ˜
€ ¨¨ZØZ˜
€°,«¨ZØZ˜
€ ¨ZØZ˜
€\±¨ZØZ˜
€ì²¨ZØZ˜
€Tõ¨ZØZ˜
€Pý¨ZØZ˜
€¨ZØZ˜
€4	¨ZØZ˜
€°h¨ZØZ˜
€ ¨ZØZ˜
€À¨ZØZ˜
€è¨ZØZ˜
€P"¨ZØZ˜
€À)¨ZØZ˜
€(-¨ZØZ˜
€|·¨ZØZ˜
€(¸¨ZØZ˜
€d¹¨ZØZ˜
€ ¾¨ZØZ˜ 
€ ÜÃ¨ZØZ˜!
€!$É¨ZØZ˜"
€"lÎ¨ZØZ˜#
€#\Ò¨ZØZ˜$
€$°LÖ¨ZØZ˜$
€$”Û¨ZØZ˜%
€%°àá¨ZØZ˜%
€%(ç¨ZØZ˜&
€&tí¨ZØZ˜'
€'dñ¨ZØZ˜0
€0Ü3¨ZØZ˜
€ 8¨ZØZ˜
€;¨ZØZ˜
€ˆ=¨ZØZ˜@
€@¤]¨ZØZ˜A
€Ab¨ZØZ˜B
€Bˆh¨ZØZ˜C
€CLj¨ZØZ˜D
€DXm¨ZØZ˜F
€Fxp¨ZØZ˜G
€G”v¨ZØZ˜H
€HÔ~¨ZØZ˜I
€IT‚¨ZØZ˜J
€J‡¨ZØZ˜K
€K°ø‹¨ZØZ˜K
€KT˜¨ZØZ˜L
€L°°¥¨ZØZ˜L
€Lª¨ZØZ˜M
€Ml¯¨ZØZ˜P
€P¨ZØZ˜Q
€QÄ¨ZØZ˜R
€RØ ¨ZØZ˜S
€SŒ!¨ZØZ˜T
€T "¨ZØZ˜U
€UT#¨ZØZ˜V
€Vh$¨ZØZ˜W
€W¨ZØZ˜X
€X¨ZØZ˜Y
€Y¨ZØZ˜Z
€Z¨ZØZ˜[
€[¨ZØZ˜\
€\¨ZØZ˜_
€_|%¨ZØZ˜`
€`0&¨ZØZ˜a
€aD'¨ZØZ˜b
€bø'¨ZØZ˜e
€e)¨ZØZ˜f
€f¨ZØZ˜g
€g¨ZØZ˜h
€h¨ZØZ˜k
€kD*¨ZØZ˜l
€lô*¨ZØZ˜m
€m¨ZØZ˜
€°(M¨ZØZ˜
€€R¨ZØZ˜
€lY¨ZØZ˜P
€PˆF¨ZØZ˜
€¼¯¨ZØZ˜
€D´¨ZØZ˜
€¬¸¨ZØZ˜
€½¨ZØZ˜
€<¾¨ZØZ˜€
€€°d¿¨ZØZ˜€
€€\Î¨ZØZ˜
€°ÔÝ¨ZØZ˜
€hì¨ZØZ˜‚
€‚|û¨ZØZ˜ƒ
€ƒ
¨ZØZ˜„
€„¤¨ZØZ˜…
€…p)¨ZØZ˜†
€†Ô:¨ZØZ˜‡
€‡ K¨ZØZ˜ˆ
€ˆLN¨ZØZ˜‰
€‰øP¨ZØZ˜
€¬Q¨ZØZ˜
€„R¨ZØZ˜
€\S¨ZØZ˜
€4T¨ZØZ˜
€U¨ZØZ˜
€TV¨ZØZ˜
€lW¨ZØZ˜
€¨X¨ZØZ˜
€`Y¨ZØZ˜ÿ
€ÿ¨ZØZ˜ÍþÍþè_Cd™¨LcÝV„"Æ]dnÀZäË?_Ó’„Ä	á6f™ˆ*¸ÀÐØWEVT_TEMPLATEMUIMUIen-US
Anon7 - 2022
AnonSec Team