A list of the most common / useful Windows Event IDs.

Event Log | Source | EventID | Description |
---|---|---|---|
Security | Security | 4608 | Windows NT is starting up. |
Security | Security | 4609 | Windows is shutting down. |
Security, | USER32 | 1074 | The process nnn has initiated the restart of computer. |
Security | Security | 4610 | An authentication package has been loaded by the Local Security Authority. |
Security | Security | 4611 | A trusted logon process has registered with the Local Security Authority. |
Security | Security | 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
Security | Security | 4614 | A notification package has been loaded by the Security Account Manager. |
Security | Security | 4615 | A process is using an invalid local procedure call (LPC) port. |
Security | Security | 4616 | The system time was changed. |
Security | Security(Logon/Logoff) | 4624 | Successful Logon. |
Security | Security(Logon/Logoff) | 4625 | Logon Failure - Unknown user name or bad password. / logon time restriction / Account disabled/expired / not been granted the requested logon type / password has expired / Account locked out |
Security | Security(Logon/Logoff) | 4634 | User Logoff. |
Security | Security(Logon/Logoff) | 4646 | IKE DoS-prevention mode started. |
Security | Security(Logon/Logoff) | 4647 | User initiated logoff. |
Security | Security(Logon/Logoff) | 4648 | A logon was attempted using explicit credentials. |
Security | Security(Logon/Logoff) | 4649 | A replay attack was detected. |
Security | Security(Logon/Logoff) | 4697 | A service was installed in the system. |
Security | Object access | 4698 | A scheduled task was created. |
Security | Object access | 4699 | A scheduled task was deleted. |
Security | Object access | 4700 | A scheduled task was enabled. |
Security | Object access | 4701 | A scheduled task was disabled. |
Security | Object access | 4702 | A scheduled task was updated. |
Security | Account Management | 4720 | User Account Created. |
Security | Account Management | 4722 | User Account Enabled. |
Security | Account Management | 4723 | Change Password Attempt. |
Security | Account Management | 4724 | User Account password set. |
Security | Account Management | 4725 | User Account Disabled. |
Security | Account Management | 4726 | User Account Deleted. |
Security | Account Management | 4732 | Local User Account Created. |
Security | Account Management | 4738 | User Account Changed. |
Security, | Account Management | 4739 | Domain Policy Changed. |
Security | Account Management | 4740 | User Account Locked Out. |
Security | Account Management | 4741 | Computer Account Created. |
Security | Account Management | 4742 | Computer Account Changed. |
Security | Account Management | 4743 | Computer Account Deleted. |
Security | Account Management | 4767 | A user account was unlocked. |
Security | Security(Logon/Logoff) | 4774 | An account was mapped for logon. |
Security | Security(Logon/Logoff) | 4775 | The name: %2 could not be mapped for logon by: %1 |
Security | Security(Logon/Logoff) | 4776 | Account Used for Logon by. |
Security | Security(Logon/Logoff) | 4777 | The logon to account: %2 by: %1 from workstation: %3 failed. |
Security | Security(Logon/Logoff) | 4778 | Session reconnected to winstation. |
Security | Security(Logon/Logoff) | 4779 | Session disconnected from winstation. |
Security | Security(Logon/Logoff) | 4800 | The workstation was locked. |
Security | Security(Logon/Logoff) | 4801 | The workstation was unlocked. |
Security | Security(Logon/Logoff) | 4802 | The screen saver was invoked. |
Security | Security(Logon/Logoff) | 4803 | The screen saver was dismissed. |
System | EventLog | 6005 | The event log was started. |
System | EventLog | 6006 | The Event log service was stopped. |
System | EventLog | 6013 | System uptime. |
System | EventLog | 1102 | The audit log was cleared. |
System | EventLog | 1104 | The security log is now full. |
System | EventLog | 1105 | Event log automatic backup. |
System | EventLog | 1108 | The event logging service encountered an error. |
System | Service Control Manager | 7035 | The nnn service was successfully sent a start/stop control. |
System | Service Control Manager | 7036 | The nnn service entered the Running/Stopped state. |
System | W32Time | 29 | The time provider NtpClient is configured to acquire time from one or more time sources; however none of the sources are currently accessible. |
System | W32Time | 38 | The time provider NtpClient cannot reach or is currently receiving invalid time data. |
System | W32Time | 47 | Time Provider NtpClient: No valid response received. |

All logon/logoff events include a Logon Type code, which gives the precise type of logon or logoff.

Use these Event IDs in Windows Event Viewer to filter for specific events. When working with Event IDs it can be important to specify the source in addition to the ID, because the same number can have different meanings in different logs from different sources.

Prior to Windows Vista, many security event IDs were different. For most events: New EventId = Old Pre-Vista EventId + 4096

“Early in life I had noticed that no event is ever correctly reported in a newspaper” ~ George Orwell
Logon Types - Windows Logon types.
Technet - Event Log Policy Settings (Size/Retention)