Event IDs

A list of the most common / useful Windows Event IDs.

Event Log, Source            EventID    EventID     Description
                             Pre-Vista  Post-Vista
Security, Security               512   4608  Windows NT is starting up.
Security, Security               513   4609  Windows is shutting down.
Security, USER32                 ---   1074  The process nnn has initiated the restart of computer.
Security, Security               514   4610  An authentication package has been loaded by the Local Security Authority.
Security, Security               515   4611  A trusted logon process has registered with the Local Security Authority.
Security, Security               516   4612  Internal resources allocated for the queuing of audit messages
                                             have been exhausted, leading to the loss of some audits.
Security, Security               518   4614  A notification package has been loaded by the Security Account Manager.
Security, Security               519   4615  A process is using an invalid local procedure call (LPC) port.
Security, Security               520   4616  The system time was changed.
Security, Security               521    ---  Unable to log events to security log.
Security, Security(Logon/Logoff) 528   4624  Successful Logon.
Security, Security(Logon/Logoff) 540   4624  Successful Network Logon.
Security, Security(Logon/Logoff) 529   4625  Logon Failure - Unknown user name or bad password.
Security, Security(Logon/Logoff) 530   4625  Logon Failure - Account logon time restriction violation.
Security, Security(Logon/Logoff) 531   4625  Logon Failure - Account currently disabled.
Security, Security(Logon/Logoff) 532   4625  Logon Failure - The specified user account has expired.
Security, Security(Logon/Logoff) 533   4625  Logon Failure - User not allowed to logon at this computer.
Security, Security(Logon/Logoff) 534   4625  Logon Failure - The user has not been granted the requested logon type
                                             at this machine.
Security, Security(Logon/Logoff) 535   4625  Logon Failure - The specified account's password has expired.
Security, Security(Logon/Logoff) 536   4625  Logon Failure - The NetLogon component is not active.
Security, Security(Logon/Logoff) 537   4625  Logon Failure - The logon attempt failed for other reasons.
Security, Security(Logon/Logoff) 538   4634  User Logoff.
Security, Security(Logon/Logoff) 539   4625  Logon Failure - Account locked out.
Security, Security(Logon/Logoff) ---   4646  IKE DoS-prevention mode started.
Security, Security(Logon/Logoff) 551   4647  User initiated logoff.
Security, Security(Logon/Logoff) 552   4648  A logon was attempted using explicit credentials.
Security, Security(Logon/Logoff) 553   4649  A replay attack was detected.
Security, Security(Logon/Logoff) 601   4697  A service was installed in the system.
Security, Object access          602   4698  A scheduled task was created.
Security, Object access          602   4699  A scheduled task was deleted.
Security, Object access          602   4700  A scheduled task was enabled.
Security, Object access          602   4701  A scheduled task was disabled.
Security, Object access          602   4702  A scheduled task was updated.
Security, Account Management     624   4720  User Account Created.
Security, Account Management     626   4722  User Account Enabled.
Security, Account Management     627   4723  Change Password Attempt.
Security, Account Management     628   4724  User Account password set.
Security, Account Management     629   4725  User Account Disabled.
Security, Account Management     630   4726  User Account Deleted.
Security, Account Management     636   4732  Local User Account Created.
Security, Account Management     642   4738  User Account Changed.
Security, Account Management     643   4739  Domain Policy Changed.
Security, Account Management     644   4740  User Account Locked Out.
Security, Account Management     645   4741  Computer Account Created.
Security, Account Management     646   4742  Computer Account Changed.
Security, Account Management     647   4743  Computer Account Deleted.
Security, Account Management     671   4767  A user account was unlocked.
Security, Security(Logon/Logoff) 678   4774  An account was mapped for logon.
Security, Security(Logon/Logoff) 679   4775  The name: %2 could not be mapped for logon by: %1
Security, Security(Logon/Logoff) 680   4776  Account Used for Logon by.
Security, Security(Logon/Logoff) 681   4777  The logon to account: %2 by: %1 from workstation: %3 failed.
Security, Security(Logon/Logoff) 682   4778  Session reconnected to winstation.
Security, Security(Logon/Logoff) 683   4779  Session disconnected from winstation.
Security, Security(Logon/Logoff) ---   4800  The workstation was locked.
Security, Security(Logon/Logoff) ---   4801  The workstation was unlocked.
Security, Security(Logon/Logoff) ---   4802  The screen saver was invoked.
Security, Security(Logon/Logoff) ---   4803  The screen saver was dismissed.
System, EventLog                 6005  6005  The event log was started.
System, EventLog                 6006  6006  The event log service was stopped.
System, EventLog                 6013  6013  System uptime.
System, EventLog                 517   1102  The audit log was cleared.
System, EventLog                 ---   1104  The security log is now full.
System, EventLog                 ---   1105  Event log automatic backup.
System, EventLog                 ---   1108  The event logging service encountered an error.
System, Service Control Manager  7035  7035  The nnn service was successfully sent a start/stop control.
System, Service Control Manager  7036  7036  The nnn service entered the Running/Stopped state.
System, W32Time                   29     29  The time provider NtpClient is configured to acquire time from
                                             one or more time sources; however none of the sources are currently accessible.
System, W32Time                   38     38  The time provider NtpClient cannot reach or is currently receiving invalid time data.
System, W32Time                   47     47  Time Provider NtpClient: No valid response received.

All logon/logoff events include a Logon Type code, which gives the precise type of logon or logoff:

 2 Interactive
 3 Network (remote file shares / printers / IIS)
 4 Batch (scheduled task)
 5 Service (service account)
 7 Unlock
 8 NetworkCleartext (IIS)
 9 NewCredentials (RunAs /netonly)
10 RemoteInteractive (Terminal Services, RDP)
11 CachedInteractive (cached credentials)

When working with Event IDs it can be important to specify the source in addition to the ID, because the same number can have different meanings in different logs from different sources.
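
The two points above, decoding the Logon Type code and matching on log and source as well as ID, shown as an added example that is not part of the original page. It parses constructed events in the Windows event XML layout; the provider name Microsoft-Windows-Security-Auditing for post-Vista Security events, the ExampleApp provider and the account names are assumptions of the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Keyed on (log, source, ID): the ID on its own is ambiguous.
# Assumption: post-Vista Security events carry this provider name.
LOGON_EVENTS = {
    ("Security", "Microsoft-Windows-Security-Auditing", 4624): "Successful Logon",
    ("Security", "Microsoft-Windows-Security-Auditing", 4625): "Logon Failure",
}

def _event(provider, event_id, channel, **data):
    """Build one constructed event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Channel>{channel}</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample export (not real log data). The third event reuses
# ID 4625 from a hypothetical application source in another log.
SAMPLE = "<Events>" + "".join([
    _event("Microsoft-Windows-Security-Auditing", 4625, "Security",
           TargetUserName="alice", LogonType=10),
    _event("Microsoft-Windows-Security-Auditing", 4624, "Security",
           TargetUserName="svc_backup", LogonType=5),
    _event("ExampleApp", 4625, "Application", Message="unrelated"),
]) + "</Events>"

def classify(xml_text):
    """Return (description, user, logon type name) for each logon event."""
    results = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        key = (system.findtext(NS + "Channel"),
               system.find(NS + "Provider").get("Name"),
               int(system.findtext(NS + "EventID")))
        if key not in LOGON_EVENTS:
            continue  # same number from another log/source is not a logon
        data = {d.get("Name"): d.text for d in ev.iter(NS + "Data")}
        code = int(data.get("LogonType", -1))
        results.append((LOGON_EVENTS[key], data.get("TargetUserName"),
                        LOGON_TYPES.get(code, f"Unknown ({code})")))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```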

With the launch of Vista many security event IDs changed. For most security events: VistaEventId = PreVistaEventId + 4096
The relationship between old and new IDs is not entirely 1:1 (you will notice some duplicate numbers in the table above).

It is possible to view event logs from a remote computer, but if the remote machine is Vista or later and the local machine is XP or 2003, you will see the following error: "The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer."

“Early in life I had noticed that no event is ever correctly reported in a newspaper” ~ George Orwell

Related:

Q977519 - Description of security events in Windows 7 and in Windows Server 2008 R2
Technet - Event Log Policy Settings (Size/Retention)


© Copyright SS64.com 1999-2013
Some rights reserved