Doriansoft noticed that there's a relationship between our pre-Vista security event IDs and our Vista-era security event IDs.
For most security events:
VistaEventId = PreVistaEventId + 4096
Why is this?
We needed to differentiate the Vista events from the pre-Vista events, because we were significantly changing the event content and didn't want to break automation. However, we wanted to preserve the knowledge that security professionals already had in their heads about security events, so we wanted to make sure that there was a relationship between the old and new event IDs.
We decided to offset the old IDs by some constant to get the new IDs. I wanted to offset them by a round decimal number (say 6000, so that 528 would become 6528, and so on). However, event IDs are declared in hex in the source code and are all three hex digits long (528 = 0x210), and Raghu, my developer, wanted to conserve effort. He won that battle, so we added 0x1000 (4096) to the existing event IDs: 0x210 + 0x1000 = 0x1210, which is 4624.
Anyway, that's sometimes how things go. Now you know the rest of the story.
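As an added example (this is not code from the post), here is a small Python helper that applies the +0x1000 rule in both directions, shows the hex view that explains why the constant is 4096, and rewrites a list of legacy IDs the way you would when migrating an old alert rule. The post says the rule holds for most events, not all, so the `overrides` parameter is an assumption of this example: it lets the caller supply the exceptions rather than hard-coding any here. The sample ID list is constructed for illustration.

```python
"""Translate pre-Vista security event IDs to their Vista-era equivalents.

Rule from the post: VistaEventId = PreVistaEventId + 0x1000 (4096),
which holds for most (not all) security events.
"""

OFFSET = 0x1000  # 4096: the offset that turns 0x210 (528) into 0x1210 (4624)


def to_vista(pre_vista_id, overrides=None):
    """Return the Vista-era ID for a pre-Vista security event ID.

    `overrides` is a hypothetical caller-supplied table {old_id: new_id}
    for the minority of events that do not follow the +0x1000 rule.
    It is an assumption of this example, not data from the post.
    """
    if not 0 < pre_vista_id < OFFSET:
        # Pre-Vista security IDs are three hex digits (e.g. 528 = 0x210);
        # anything >= 0x1000 is already in the Vista range.
        raise ValueError(f"{pre_vista_id} is not a pre-Vista security event ID")
    if overrides and pre_vista_id in overrides:
        return overrides[pre_vista_id]
    return pre_vista_id + OFFSET


def to_pre_vista(vista_id, overrides=None):
    """Inverse mapping; returns None when the Vista ID has no pre-Vista
    counterpart under the rule (or under the supplied overrides)."""
    if overrides:
        for old, new in overrides.items():
            if new == vista_id:
                return old
    old = vista_id - OFFSET
    return old if 0 < old < OFFSET else None


def describe(pre_vista_id, overrides=None):
    """Render the mapping with the hex view that motivated the 0x1000 offset."""
    new = to_vista(pre_vista_id, overrides)
    return f"{pre_vista_id} (0x{pre_vista_id:03X}) -> {new} (0x{new:04X})"


def migrate_id_list(ids, overrides=None):
    """Rewrite a list of legacy IDs (e.g. from an old detection rule) to
    Vista IDs, de-duplicated and sorted."""
    return sorted({to_vista(i, overrides) for i in ids})


if __name__ == "__main__":
    # Constructed sample: legacy IDs as they might appear in an old alert rule.
    legacy_rule_ids = [528, 529, 538, 592]
    for event_id in legacy_rule_ids:
        print(describe(event_id))
    print(migrate_id_list(legacy_rule_ids))
```

The range check matters in practice: if a rule has already been partially migrated, feeding a 4xxx ID back through the formula would silently produce an ID in the 8xxx range, so the helper refuses anything that is not a three-hex-digit pre-Vista ID.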
Anonymous
May 11, 2007
I will blog on this soon, but Vista event viewer doesn't do a good job with downlevel events. Downlevel viewer won't open uplevel logs at all. I was told that some people get better results by re-exporting the evt as evtx first but I have not tried this personally so YMMV.
Anonymous
July 31, 2007
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post
Anonymous
June 10, 2009
I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in