Windows Security Log Events
All Sources
Windows Audit
SharePoint Audit
(
LOGbinder for SharePoint
)
SQL Server Audit
(
LOGbinder for SQL Server
)
Exchange Audit
(
LOGbinder for Exchange
)
Sysmon
(
MS Sysinternals Sysmon
)
Windows Audit Categories:
All categories
Account Logon
Account Management
Directory Service
Logon/Logoff
Non Audit (Event Log)
Object Access
Policy Change
Privilege Use
Process Tracking
System
Uncategorized
Subcategories:
All subcategories
IPsec Driver
Other System Events
Security State Change
Security System Extension
System Integrity
Windows Versions:
All events
Win2000, XP and Win2003 only
Win2008, Win2012R2, Win2016 and Win10+, Win2019
Category:
System
Windows
4608
Windows is starting up
Windows
4609
Windows is shutting down
Windows
4610
An authentication package has been loaded by the Local Security Authority
Windows
4611
A trusted logon process has been registered with the Local Security Authority
Windows
4612
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Windows
4614
A notification package has been loaded by the Security Account Manager.
Windows
4615
Invalid use of LPC port
Windows
4616
The system time was changed.
Windows
4618
A monitored security event pattern has occurred
Windows
4621
Administrator recovered system from CrashOnAuditFail
Windows
4622
A security package has been loaded by the Local Security Authority.
Windows
4697
A service was installed in the system
Windows
4821
A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
Windows
4822
NTLM authentication failed because the account was a member of the Protected User group
Windows
4823
NTLM authentication failed because access control restrictions are required
Windows
4824
Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
Windows
4825
A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
Windows
4830
SID History was removed from an account
Windows
5024
The Windows Firewall Service has started successfully
Windows
5025
The Windows Firewall Service has been stopped
Windows
5027
The Windows Firewall Service was unable to retrieve the security policy from the local storage
Windows
5028
The Windows Firewall Service was unable to parse the new security policy.
Windows
5029
The Windows Firewall Service failed to initialize the driver
Windows
5030
The Windows Firewall Service failed to start
Windows
5032
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
Windows
5033
The Windows Firewall Driver has started successfully
Windows
5034
The Windows Firewall Driver has been stopped
Windows
5035
The Windows Firewall Driver failed to start
Windows
5037
The Windows Firewall Driver detected critical runtime error. Terminating
Windows
5038
Code integrity determined that the image hash of a file is not valid
Windows
5056
A cryptographic self test was performed
Windows
5058
Key file operation
Windows
5059
Key migration operation
Windows
5061
Cryptographic operation
Windows
5071
Key access denied by Microsoft key distribution service
Windows
5146
The Windows Filtering Platform has blocked a packet
Windows
5147
A more restrictive Windows Filtering Platform filter has blocked a packet
Windows
5379
Credential Manager credentials were read
Windows
5380
Vault Find Credential
Windows
5381
Vault credentials were read
Windows
5382
Vault credentials were read
Windows
5478
IPsec Services has started successfully
Windows
5479
IPsec Services has been shut down successfully
Windows
5480
IPsec Services failed to get the complete list of network interfaces on the computer
Windows
5483
IPsec Services failed to initialize RPC server. IPsec Services could not be started
Windows
5484
IPsec Services has experienced a critical failure and has been shut down
Windows
5485
IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
Windows
5890
An object was added to the COM+ Catalog
Windows
6281
Code Integrity determined that the page hashes of an image file are not valid...
Windows
6400
BranchCache: Received an incorrectly formatted response while discovering availability of content.
Windows
6401
BranchCache: Received invalid data from a peer. Data discarded.
Windows
6402
BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Windows
6403
BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Windows
6404
BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Windows
6405
BranchCache: %2 instance(s) of event id %1 occurred.
Windows
6406
%1 registered to Windows Firewall to control filtering for the following:
Windows
6407
%1
Windows
6408
Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Windows
6409
BranchCache: A service connection point object could not be parsed
Windows
6410
Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues
Windows
6417
The FIPS mode crypto selftests succeeded
Windows
6418
The FIPS mode crypto selftests failed
Windows
8191
Highest System-Defined Audit Message Value
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:
Upcoming Webinars
Pentesting Large Language Model Apps using the OWASP Top 10 for LLM Apps
Additional Resources
Encyclopedia
•
Event IDs
•
All Event IDs
•
Audit Policy
Go To Event ID:
Security Log
Quick Reference
Chart
Download now!
Tweet
User name:
Password:
/
Forgot?
Register
February 2025
Patch Tuesday
"Patch Tuesday - Four Zero Days; Average Month Overall " - sponsored by LOGbinder.com
Home
Cookies help us deliver the best experience on our website. By using our website, you agree to the use of cookies.