From 1d4bc9423caf1062527812ba0bac455cd0459d80 Mon Sep 17 00:00:00 2001 From: illfated Date: Tue, 24 Sep 2019 20:09:52 +0200 Subject: [PATCH] Auditing: add MD code block to table keywords Description: This PR aims to block keywords and values from being translated to another language, keeping the values and keywords intact, in response to the windows-itpro-docs issue ticket #4995. Proposed changes: - Surround Logon Type values and Logon Title keywords with MD code block markers (back ticks) to keep them from being translated by MT. - Add XML indentation to the XML for the layout to be shown properly. Thanks to @takondo for pointing out the uselessness in translating these parts of the table when the document is machine translated. Ref. issue ticket #4995 (The ticket can be closed when this commit is successfully migrated and shown to be effective against machine translation.) --- .../threat-protection/auditing/event-4624.md | 120 +++++++++--------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 2ca7e8267c..1eaf9e6b79 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -33,55 +33,55 @@ This event generates when a logon session is created (on destination machine). I
***Event XML:*** -``` -- -- - - 4624 - 2 - 0 - 12544 - 0 - 0x8020000000000000 - - 211 - - - Security - WIN-GG82ULGC9GO - - -- - S-1-5-18 - WIN-GG82ULGC9GO$ - WORKGROUP - 0x3e7 - S-1-5-21-1377283216-344919071-3415362939-500 - Administrator - WIN-GG82ULGC9GO - 0x8dcdc - 2 - User32 - Negotiate - WIN-GG82ULGC9GO - {00000000-0000-0000-0000-000000000000} - - - - - 0 - 0x44c - C:\\Windows\\System32\\svchost.exe - 127.0.0.1 - 0 - %%1833 - - - - - - - %%1843 - 0x0 - %%1842 - - - +```xml + + + + + 4624 + 2 + 0 + 12544 + 0 + 0x8020000000000000 + + 211 + + + Security + WIN-GG82ULGC9GO + + + + S-1-5-18 + WIN-GG82ULGC9GO$ + WORKGROUP + 0x3e7 + S-1-5-21-1377283216-344919071-3415362939-500 + Administrator + WIN-GG82ULGC9GO + 0x8dcdc + 2 + User32 + Negotiate + WIN-GG82ULGC9GO + {00000000-0000-0000-0000-000000000000} + - + - + 0 + 0x44c + C:\\Windows\\System32\\svchost.exe + 127.0.0.1 + 0 + %%1833 + - + - + - + %%1843 + 0x0 + %%1842 + + ``` ***Required Server Roles:*** None. @@ -144,17 +144,17 @@ This event generates when a logon session is created (on destination machine). I ## Logon types and descriptions -| Logon Type | Logon Title | Description | -|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 2 | Interactive | A user logged on to this computer. | -| 3 | Network | A user or computer logged on to this computer from the network. | -| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | -| 5 | Service | A service was started by the Service Control Manager. | -| 7 | Unlock | This workstation was unlocked. | -| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | -| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | -| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | -| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | +| Logon Type | Logon Title | Description | +|:----------:|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `2` | `Interactive` | A user logged on to this computer. | +| `3` | `Network` | A user or computer logged on to this computer from the network. | +| `4` | `Batch` | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. | +| `5` | `Service` | A service was started by the Service Control Manager. | +| `7` | `Unlock` | This workstation was unlocked. | +| `8` | `NetworkCleartext` | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). | +| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | +| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | +| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.