Windows Security Log Events
Category: System
Subcategory: Other System Events

Source   Event ID  Description
Windows  4821      A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
Windows  4822      NTLM authentication failed because the account was a member of the Protected User group
Windows  4823      NTLM authentication failed because access control restrictions are required
Windows  4824      Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
Windows  4825      A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
Windows  4830      SID History was removed from an account
Windows  5024      The Windows Firewall Service has started successfully
Windows  5025      The Windows Firewall Service has been stopped
Windows  5027      The Windows Firewall Service was unable to retrieve the security policy from the local storage
Windows  5028      The Windows Firewall Service was unable to parse the new security policy.
Windows  5029      The Windows Firewall Service failed to initialize the driver
Windows  5030      The Windows Firewall Service failed to start
Windows  5032      Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
Windows  5033      The Windows Firewall Driver has started successfully
Windows  5034      The Windows Firewall Driver has been stopped
Windows  5035      The Windows Firewall Driver failed to start
Windows  5037      The Windows Firewall Driver detected critical runtime error. Terminating
Windows  5058      Key file operation
Windows  5059      Key migration operation
Windows  5071      Key access denied by Microsoft key distribution service
Windows  5146      The Windows Filtering Platform has blocked a packet
Windows  5147      A more restrictive Windows Filtering Platform filter has blocked a packet
Windows  5379      Credential Manager credentials were read
Windows  5380      Vault Find Credential
Windows  5381      Vault credentials were read
Windows  5382      Vault credentials were read
Windows  6400      BranchCache: Received an incorrectly formatted response while discovering availability of content.
Windows  6401      BranchCache: Received invalid data from a peer. Data discarded.
Windows  6402      BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Windows  6403      BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Windows  6404      BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Windows  6405      BranchCache: %2 instance(s) of event id %1 occurred.
Windows  6406      %1 registered to Windows Firewall to control filtering for the following:
Windows  6407      %1
Windows  6408      Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Windows  6409      BranchCache: A service connection point object could not be parsed
Windows  6417      The FIPS mode crypto selftests succeeded
Windows  6418      The FIPS mode crypto selftests failed
Windows  8191      Highest System-Defined Audit Message Value