Windows Security Log Events



Category: System

Windows 4608 Windows is starting up
Windows 4609 Windows is shutting down
Windows 4610 An authentication package has been loaded by the Local Security Authority
Windows 4611 A trusted logon process has been registered with the Local Security Authority
Windows 4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Windows 4614 A notification package has been loaded by the Security Account Manager.
Windows 4615 Invalid use of LPC port
Windows 4616 The system time was changed.
Windows 4618 A monitored security event pattern has occurred
Windows 4621 Administrator recovered system from CrashOnAuditFail
Windows 4622 A security package has been loaded by the Local Security Authority.
Windows 4697 A service was installed in the system
Windows 4821 A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
Windows 4822 NTLM authentication failed because the account was a member of the Protected User group
Windows 4823 NTLM authentication failed because access control restrictions are required
Windows 4824 Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
Windows 4825 A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
Windows 4830 SID History was removed from an account
Windows 5024 The Windows Firewall Service has started successfully
Windows 5025 The Windows Firewall Service has been stopped
Windows 5027 The Windows Firewall Service was unable to retrieve the security policy from the local storage
Windows 5028 The Windows Firewall Service was unable to parse the new security policy.
Windows 5029 The Windows Firewall Service failed to initialize the driver
Windows 5030 The Windows Firewall Service failed to start
Windows 5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
Windows 5033 The Windows Firewall Driver has started successfully
Windows 5034 The Windows Firewall Driver has been stopped
Windows 5035 The Windows Firewall Driver failed to start
Windows 5037 The Windows Firewall Driver detected critical runtime error. Terminating
Windows 5038 Code integrity determined that the image hash of a file is not valid
Windows 5056 A cryptographic self test was performed
Windows 5058 Key file operation
Windows 5059 Key migration operation
Windows 5061 Cryptographic operation
Windows 5071 Key access denied by Microsoft key distribution service
Windows 5146 The Windows Filtering Platform has blocked a packet
Windows 5147 A more restrictive Windows Filtering Platform filter has blocked a packet
Windows 5379 Credential Manager credentials were read
Windows 5380 Vault Find Credential
Windows 5381 Vault credentials were read
Windows 5382 Vault credentials were read
Windows 5478 IPsec Services has started successfully
Windows 5479 IPsec Services has been shut down successfully
Windows 5480 IPsec Services failed to get the complete list of network interfaces on the computer
Windows 5483 IPsec Services failed to initialize RPC server. IPsec Services could not be started
Windows 5484 IPsec Services has experienced a critical failure and has been shut down
Windows 5485 IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
Windows 5890 An object was added to the COM+ Catalog
Windows 6281 Code Integrity determined that the page hashes of an image file are not valid...
Windows 6400 BranchCache: Received an incorrectly formatted response while discovering availability of content.
Windows 6401 BranchCache: Received invalid data from a peer. Data discarded.
Windows 6402 BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Windows 6403 BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Windows 6404 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Windows 6405 BranchCache: %2 instance(s) of event id %1 occurred.
Windows 6406 %1 registered to Windows Firewall to control filtering for the following:
Windows 6407 %1
Windows 6408 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Windows 6409 BranchCache: A service connection point object could not be parsed
Windows 6410 Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues
Windows 6417 The FIPS mode crypto selftests succeeded
Windows 6418 The FIPS mode crypto selftests failed
Windows 8191 Highest System-Defined Audit Message Value

 
