Windows Security Log Events



Category: System
Subcategory: Other System Events

Windows 4821 A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
Windows 4822 NTLM authentication failed because the account was a member of the Protected User group
Windows 4823 NTLM authentication failed because access control restrictions are required
Windows 4824 Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
Windows 4825 A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
Windows 4830 SID History was removed from an account
Windows 5024 The Windows Firewall Service has started successfully
Windows 5025 The Windows Firewall Service has been stopped
Windows 5027 The Windows Firewall Service was unable to retrieve the security policy from the local storage
Windows 5028 The Windows Firewall Service was unable to parse the new security policy.
Windows 5029 The Windows Firewall Service failed to initialize the driver
Windows 5030 The Windows Firewall Service failed to start
Windows 5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
Windows 5033 The Windows Firewall Driver has started successfully
Windows 5034 The Windows Firewall Driver has been stopped
Windows 5035 The Windows Firewall Driver failed to start
Windows 5037 The Windows Firewall Driver detected critical runtime error. Terminating
Windows 5058 Key file operation
Windows 5059 Key migration operation
Windows 5071 Key access denied by Microsoft key distribution service
Windows 5146 The Windows Filtering Platform has blocked a packet
Windows 5147 A more restrictive Windows Filtering Platform filter has blocked a packet
Windows 5379 Credential Manager credentials were read
Windows 5380 Vault Find Credential
Windows 5381 Vault credentials were read
Windows 5382 Vault credentials were read
Windows 6400 BranchCache: Received an incorrectly formatted response while discovering availability of content.
Windows 6401 BranchCache: Received invalid data from a peer. Data discarded.
Windows 6402 BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Windows 6403 BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Windows 6404 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Windows 6405 BranchCache: %2 instance(s) of event id %1 occurred.
Windows 6406 %1 registered to Windows Firewall to control filtering for the following:
Windows 6407 %1
Windows 6408 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Windows 6409 BranchCache: A service connection point object could not be parsed
Windows 6417 The FIPS mode crypto selftests succeeded
Windows 6418 The FIPS mode crypto selftests failed
Windows 8191 Highest System-Defined Audit Message Value

 
