Windows Security Log Events



(LOGbinder for SharePoint)
(LOGbinder for SQL Server)
(LOGbinder for Exchange)
(MS Sysinternals Sysmon)
Windows Audit Categories:

Subcategories:

Windows Versions:
Category: Object Access
Windows 4656 A handle to an object was requested
Windows 4657 A registry value was modified
Windows 4658 The handle to an object was closed
Windows 4659 A handle to an object was requested with intent to delete
Windows 4660 An object was deleted
Windows 4661 A handle to an object was requested
Windows 4663 An attempt was made to access an object
Windows 4664 An attempt was made to create a hard link
Windows 4665 An attempt was made to create an application client context.
Windows 4666 An application attempted an operation
Windows 4667 An application client context was deleted
Windows 4668 An application was initialized
Windows 4670 Permissions on an object were changed
Windows 4671 An application attempted to access a blocked ordinal through the TBS
Windows 4690 An attempt was made to duplicate a handle to an object
Windows 4691 Indirect access to an object was requested
Windows 4698 A scheduled task was created
Windows 4699 A scheduled task was deleted
Windows 4700 A scheduled task was enabled
Windows 4701 A scheduled task was disabled
Windows 4702 A scheduled task was updated
Windows 4818 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Windows 4868 The certificate manager denied a pending certificate request
Windows 4869 Certificate Services received a resubmitted certificate request
Windows 4870 Certificate Services revoked a certificate
Windows 4871 Certificate Services received a request to publish the certificate revocation list (CRL)
Windows 4872 Certificate Services published the certificate revocation list (CRL)
Windows 4873 A certificate request extension changed
Windows 4874 One or more certificate request attributes changed.
Windows 4875 Certificate Services received a request to shut down
Windows 4876 Certificate Services backup started
Windows 4877 Certificate Services backup completed
Windows 4878 Certificate Services restore started
Windows 4879 Certificate Services restore completed
Windows 4880 Certificate Services started
Windows 4881 Certificate Services stopped
Windows 4882 The security permissions for Certificate Services changed
Windows 4883 Certificate Services retrieved an archived key
Windows 4884 Certificate Services imported a certificate into its database
Windows 4885 The audit filter for Certificate Services changed
Windows 4886 Certificate Services received a certificate request
Windows 4887 Certificate Services approved a certificate request and issued a certificate
Windows 4888 Certificate Services denied a certificate request
Windows 4889 Certificate Services set the status of a certificate request to pending
Windows 4890 The certificate manager settings for Certificate Services changed.
Windows 4891 A configuration entry changed in Certificate Services
Windows 4892 A property of Certificate Services changed
Windows 4893 Certificate Services archived a key
Windows 4894 Certificate Services imported and archived a key
Windows 4895 Certificate Services published the CA certificate to Active Directory Domain Services
Windows 4896 One or more rows have been deleted from the certificate database
Windows 4897 Role separation enabled
Windows 4898 Certificate Services loaded a template
Windows 4899 A Certificate Services template was updated
Windows 4900 Certificate Services template security was updated
Windows 4985 The state of a transaction has changed
Windows 5031 The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Windows 5120 OCSP Responder Service Started
Windows 5140 A network share object was accessed
Windows 5142 A network share object was added.
Windows 5143 A network share object was modified
Windows 5144 A network share object was deleted.
Windows 5145 A network share object was checked to see whether client can be granted desired access
Windows 5148 The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
Windows 5149 The DoS attack has subsided and normal processing is being resumed.
Windows 5150 The Windows Filtering Platform has blocked a packet.
Windows 5151 A more restrictive Windows Filtering Platform filter has blocked a packet.
Windows 5152 The Windows Filtering Platform blocked a packet
Windows 5153 A more restrictive Windows Filtering Platform filter has blocked a packet
Windows 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
Windows 5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
Windows 5156 The Windows Filtering Platform has allowed a connection
Windows 5157 The Windows Filtering Platform has blocked a connection
Windows 5158 The Windows Filtering Platform has permitted a bind to a local port
Windows 5159 The Windows Filtering Platform has blocked a bind to a local port
Windows 5168 Spn check for SMB/SMB2 fails.
Windows 5888 An object in the COM+ Catalog was modified
Windows 5889 An object was deleted from the COM+ Catalog

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
    Additional Resources
      Encyclopedia
      Event IDs
      All Event IDs
      Audit Policy

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!