Windows Security Log Events
All Sources
Windows Audit
SharePoint Audit
(
LOGbinder for SharePoint
)
SQL Server Audit
(
LOGbinder for SQL Server
)
Exchange Audit
(
LOGbinder for Exchange
)
Sysmon
(
MS Sysinternals Sysmon
)
Windows Audit Categories:
All categories
Account Logon
Account Management
Directory Service
Logon/Logoff
Non Audit (Event Log)
Object Access
Policy Change
Privilege Use
Process Tracking
System
Uncategorized
Subcategories:
All subcategories
Audit Policy Change
Authentication Policy Change
Authorization Policy Change
Filtering Platform Policy Change
MPSSVC Rule-Level Policy Change
Other Policy Change Events
Windows Versions:
All events
Win2000, XP and Win2003 only
Win2008, Win2012R2, Win2016 and Win10+, Win2019
Category:
Policy Change
Windows
4670
Permissions on an object were changed
Windows
4703
A token right was adjusted
Windows
4704
A user right was assigned
Windows
4705
A user right was removed
Windows
4706
A new trust was created to a domain
Windows
4707
A trust to a domain was removed
Windows
4709
IPsec Services was started
Windows
4710
IPsec Services was disabled
Windows
4711
PAStore Engine (1%)
Windows
4712
IPsec Services encountered a potentially serious failure
Windows
4713
Kerberos policy was changed
Windows
4714
Encrypted data recovery policy was changed
Windows
4715
The audit policy (SACL) on an object was changed
Windows
4716
Trusted domain information was modified
Windows
4717
System security access was granted to an account
Windows
4718
System security access was removed from an account
Windows
4719
System audit policy was changed
Windows
4817
Auditing settings on object were changed.
Windows
4819
Central Access Policies on the machine have been changed
Windows
4826
Boot Configuration Data loaded
Windows
4865
A trusted forest information entry was added
Windows
4866
A trusted forest information entry was removed
Windows
4867
A trusted forest information entry was modified
Windows
4902
The Per-user audit policy table was created
Windows
4904
An attempt was made to register a security event source
Windows
4905
An attempt was made to unregister a security event source
Windows
4906
The CrashOnAuditFail value has changed
Windows
4907
Auditing settings on object were changed
Windows
4908
Special Groups Logon table modified
Windows
4911
Resource attributes of the object were changed
Windows
4912
Per User Audit Policy was changed
Windows
4913
Central Access Policy on the object was changed
Windows
4944
The following policy was active when the Windows Firewall started
Windows
4945
A rule was listed when the Windows Firewall started
Windows
4946
A change has been made to Windows Firewall exception list. A rule was added
Windows
4947
A change has been made to Windows Firewall exception list. A rule was modified
Windows
4948
A change has been made to Windows Firewall exception list. A rule was deleted
Windows
4949
Windows Firewall settings were restored to the default values
Windows
4950
A Windows Firewall setting has changed
Windows
4951
A rule has been ignored because its major version number was not recognized by Windows Firewall
Windows
4952
Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall
Windows
4954
Windows Firewall Group Policy settings has changed. The new settings have been applied
Windows
4956
Windows Firewall has changed the active profile
Windows
4957
Windows Firewall did not apply the following rule
Windows
4958
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Windows
5063
A cryptographic provider operation was attempted
Windows
5064
A cryptographic context operation was attempted
Windows
5065
A cryptographic context modification was attempted
Windows
5066
A cryptographic function operation was attempted
Windows
5067
A cryptographic function modification was attempted
Windows
5068
A cryptographic function provider operation was attempted
Windows
5069
A cryptographic function property operation was attempted
Windows
5070
A cryptographic function property operation was attempted
Windows
5440
The following callout was present when the Windows Filtering Platform Base Filtering Engine started
Windows
5441
The following filter was present when the Windows Filtering Platform Base Filtering Engine started
Windows
5442
The following provider was present when the Windows Filtering Platform Base Filtering Engine started
Windows
5443
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started
Windows
5444
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started
Windows
5446
A Windows Filtering Platform callout has been changed
Windows
5447
A Windows Filtering Platform filter has been changed
Windows
5448
A Windows Filtering Platform provider has been changed
Windows
5449
A Windows Filtering Platform provider context has been changed
Windows
5450
A Windows Filtering Platform sub-layer has been changed
Windows
5456
PAStore Engine applied Active Directory storage IPsec policy on the computer
Windows
5457
PAStore Engine failed to apply Active Directory storage IPsec policy on the computer
Windows
5458
PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer
Windows
5459
PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer
Windows
5460
PAStore Engine applied local registry storage IPsec policy on the computer
Windows
5461
PAStore Engine failed to apply local registry storage IPsec policy on the computer
Windows
5462
PAStore Engine failed to apply some rules of the active IPsec policy on the computer
Windows
5463
PAStore Engine polled for changes to the active IPsec policy and detected no changes
Windows
5464
PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services
Windows
5465
PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully
Windows
5466
PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead
Windows
5467
PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy
Windows
5468
PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes
Windows
5471
PAStore Engine loaded local storage IPsec policy on the computer
Windows
5472
PAStore Engine failed to load local storage IPsec policy on the computer
Windows
5473
PAStore Engine loaded directory storage IPsec policy on the computer
Windows
5474
PAStore Engine failed to load directory storage IPsec policy on the computer
Windows
5477
PAStore Engine failed to add quick mode filter
Windows
6144
Security policy in the group policy objects has been applied successfully
Windows
6145
One or more errors occured while processing security policy in the group policy objects
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:
Upcoming Webinars
Windows Event Forwarding: 4 Silent Killers that Stop the Flow of Events without You Knowing
Additional Resources
Encyclopedia
•
Event IDs
•
All Event IDs
•
Audit Policy
Go To Event ID:
Security Log
Quick Reference
Chart
Download now!
Tweet
User name:
Password:
/
Forgot?
Register
March 2026
Patch Tuesday
"Patch Tuesday - Two Zero-Days for the Month " - sponsored by LOGbinder
Home
Cookies help us deliver the best experience on our website. By using our website, you agree to the use of cookies.