How-to: List of Windows Event IDs

A list of the most common / useful Windows Event IDs.

Event Log Source EventID Description
Security Security 4608 Windows NT is starting up.
Security Security 4609 Windows is shutting down.
Security USER32 1074 The process nnn has initiated the restart of computer.


Security 4610 An authentication package has been loaded by the Local Security Authority.
Security Security 4611 A trusted logon process has registered with the Local Security Authority.
Security Security 4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.




Security 4614 A notification package has been loaded by the Security Account Manager.
Security Security 4615 A process is using an invalid local procedure call (LPC) port.
Security Security 4616 The system time was changed.
Security Security(Logon/Logoff) 4624 Successful Logon.
Security Security(Logon/Logoff) 4625 Logon Failure - Unknown user name or bad password. / logon time restriction / Account disabled/expired / not been granted the requested logon type / password has expired / Account locked out
Security Security(Logon/Logoff) 4634 User Logoff.
Security Security(Logon/Logoff) 4646 IKE DoS-prevention mode started.
Security Security(Logon/Logoff) 4647 User initiated logoff.
Security Security(Logon/Logoff) 4648 A logon was attempted using explicit credentials.
Security Security(Logon/Logoff) 4649 A replay attack was detected.
Security Security(Logon/Logoff) 4697 A service was installed in the system.
Security Object access 4698 A scheduled task was created.
Security Object access 4699 A scheduled task was deleted.
Security Object access 4700 A scheduled task was enabled.
Security Object access 4701 A scheduled task was disabled.
Security Object access 4702 A scheduled task was updated.
Security Account Management 4720 User Account Created.
Security Account Management 4722 User Account Enabled.
Security Account Management 4723 Change Password Attempt.
Security Account Management 4724 User Account password set.
Security Account Management 4725 User Account Disabled.
Security Account Management 4726 User Account Deleted.
Security Account Management 4732 Local User Account Created.
Security Account Management 4738 User Account Changed.
Security, Account Management 4739 Domain Policy Changed.
Security Account Management 4740 User Account Locked Out.
Security Account Management 4741 Computer Account Created.
Security Account Management 4742 Computer Account Changed.
Security Account Management 4743 Computer Account Deleted.
Security Account Management 4767 A user account was unlocked.
Security Security(Logon/Logoff) 4774 An account was mapped for logon.
Security Security(Logon/Logoff) 4775 The name: %2 could not be mapped for logon by: %1
Security Security(Logon/Logoff) 4776 Account Used for Logon by.
Security Security(Logon/Logoff) 4777 The logon to account: %2 by: %1 from workstation: %3 failed.
Security Security(Logon/Logoff) 4778 Session reconnected to winstation.
Security Security(Logon/Logoff) 4779 Session disconnected from winstation.
Security Security(Logon/Logoff) 4800 The workstation was locked.
Security Security(Logon/Logoff) 4801 The workstation was unlocked.
Security Security(Logon/Logoff) 4802 The screen saver was invoked.
Security Security(Logon/Logoff) 4803 The screen saver was dismissed.
System EventLog 6005 The event log was started.
System EventLog 6006 The Event log service was stopped.
System EventLog 6013 System uptime.
System EventLog 1102 The audit log was cleared.
System EventLog 1104 The security Log is now full.
System EventLog 1105 Event log automatic backup.
System EventLog 1108 The event logging service encountered an error.
System Service Control Manager 7035 The nnn service was successfully sent a start/Stop control.
System Service Control Manager 7036 The nnn service entered the Running/Stopped state.
System W32Time 29 The time provider NtpClient is configured to acquire time from one or more time sources; however none of the sources are currently accessible.
System W32Time 38 The time provider NtpClient cannot reach or is currently receiving invalid time data.
System W32Time 47 Time Provider NtpClient: No valid response received.

All logon/logoff events include a Logon Type code, to give the precise type of logon or logoff.

Use these Event IDs in Windows Event Viewer to filter for specific events. When working with Event IDs it can be important to specify the source in addition to the ID, the same number can have different meanings in different logs from different sources.

Prior to Windows Vista many security event IDs were different, for most events: New EventId = Old Pre-Vista EventId + 4096

“Early in life I had noticed that no event is ever correctly reported in a newspaper” ~ George Orwell

Related PowerShell Cmdlets

Logon Types - Windows Logon types.
Technet - Event Log Policy Settings (Size/Retention)

Copyright © 1999-2024
Some rights reserved