| ID | Event Description | Tags |
|---|---|---|
| 4750 | A security-disabled global group was changed | Domain Controller, Audit Success |
| 4751 | A member was added to a security-disabled global group | Domain Controller, Audit Success |
| 4752 | A member was removed from a security-disabled global group | Domain Controller, Audit Success |
| 4753 | A security-disabled global group was deleted | Domain Controller, Audit Success |
| 4757 | A member was removed from a security-enabled universal group | Domain Controller |
| 4758 | A security-enabled universal group was deleted | Domain Controller |
| 4759 | A security-disabled universal group was created | Domain Controller |
| 4760 | A security-disabled universal group was changed | Domain Controller |
| 4761 | A member was added to a security-disabled universal group | Domain Controller |
| 4762 | A member was removed from a security-disabled universal group | Domain Controller |
| 4763 | A security-disabled universal group was deleted | Domain Controller |
| 4767 | A user account was unlocked | ISO 27001:2013, Audit Success |
| 4776 | The computer attempted to validate the credentials for an account | Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1 |
| 4778 | A session was reconnected to a Window Station | Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4779 | A session was disconnected from a Window Station | Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4781 | The name of an account was changed | Audit Success |
| 4783 | A basic application group was created | Domain Controller, Audit Success |
| 4784 | A basic application group was changed | Domain Controller, Audit Success |
| 4785 | A member was added to a basic application group | Domain Controller, Audit Success |
| 4786 | A member was removed from a basic application group | Domain Controller, Audit Success |
| 4787 | A non-member was added to a basic application group | Domain Controller, Audit Success |
| 4788 | A non-member was removed from a basic application group | Domain Controller, Audit Success |
| 4789 | A basic application group was deleted | Domain Controller, Audit Success |
| 4790 | An LDAP query group was created | Domain Controller, Audit Success |
| 4791 | A basic application group was changed | Domain Controller, Audit Success |
| 4792 | An LDAP query group was deleted | Domain Controller, Audit Success |
| 4793 | The Password Policy Checking API was called | Domain Controller, Audit Success |
| 4797 | An attempt was made to query the existence of a blank password for an account | |
| 4798 | A user's local group membership was enumerated | Audit Success |
| 4799 | A security-enabled local group membership was enumerated | Audit Success |
| 4800 | The workstation was locked | Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4801 | The workstation was unlocked | ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4802 | The screen saver was invoked | ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4803 | The screen saver was dismissed | ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3 |
| 4816 | RPC detected an integrity violation while decrypting an incoming message. | Audit Success |
| 4817 | Auditing settings on object were changed | Audit Success |
| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy | Audit Success |
| 4819 | Central Access Policies on the machine have been changed | Audit Success |
| 4820 | A Kerberos ticket-granting ticket (TGT) was denied because the device does not meet the access control restrictions | Domain Controller |
| 4821 | A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions | Domain Controller |
| 4822 | NTLM authentication failed because the account was a member of the Protected User group | |
| 4823 | NTLM authentication failed because access control restrictions are required | |
| 4824 | Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group | Domain Controller |
| 4825 | A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group | |
| 4826 | Boot Configuration Data loaded | Audit Success |
| 4864 | A namespace collision was detected | |
| 4865 | A trusted forest information entry was added | |
| 4866 | A trusted forest information entry was removed | |
| 4867 | A trusted forest information entry was modified | |
| 4868 | The certificate manager denied a pending certificate request | |
| 4869 | Certificate Services received a resubmitted certificate request | |
| 4870 | Certificate Services revoked a certificate | |
| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL) | |
| 4872 | Certificate Services published the certificate revocation list (CRL) | |
| 4873 | A certificate request extension changed | |
| 4874 | One or more certificate request attributes changed | |
| 4875 | Certificate Services received a request to shut down | |
| 4876 | Certificate Services backup started | |
| 4877 | Certificate Services backup completed | |
| 4878 | Certificate Services restore started | |
| 4879 | Certificate Services restore completed | |
| 4880 | Certificate Services started | |
| 4881 | Certificate Services stopped | |
| 4882 | The security permissions for Certificate Services changed | |
| 4883 | Certificate Services retrieved an archived key | |
| 4884 | Certificate Services imported a certificate into its database | |
| 4885 | The audit filter for Certificate Services changed | |
| 4886 | Certificate Services received a certificate request | |
| 4887 | Certificate Services approved a certificate request and issued a certificate | |
| 4888 | Certificate Services denied a certificate request | |
| 4889 | Certificate Services set the status of a certificate request to pending | |
| 4890 | The certificate manager settings for Certificate Services changed | |
| 4891 | A configuration entry changed in Certificate Services | |
| 4892 | A property of Certificate Services changed | |
| 4893 | Certificate Services archived a key | |
| 4894 | Certificate Services imported and archived a key | |
| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services | |
| 4896 | One or more rows have been deleted from the certificate database | |
| 4897 | Role separation enabled | |
| 4898 | Certificate Services loaded a template | |
| 4899 | A Certificate Services template was updated | |
| 4900 | Certificate Services template security was updated | |
| 4902 | The Per-user audit policy table was created | Audit Success |
| 4904 | An attempt was made to register a security event source | Audit Success |
| 4905 | An attempt was made to unregister a security event source | Audit Success |
| 4906 | The CrashOnAuditFail value has changed | Audit Success |
| 4907 | Auditing settings on object were changed | |
| 4908 | Special Groups Logon table modified | Audit Success |
| 4909 | The local policy settings for the TBS were changed | Not Implemented |
| 4910 | The group policy settings for the TBS were changed | Not Implemented |
| 4911 | Resource attributes of the object were changed | Audit Success |
| 4912 | Per User Audit Policy was changed | Audit Success |
| 4913 | Central Access Policy on the object was changed | Audit Success |
| 4928 | An Active Directory replica source naming context was established | Domain Controller, Audit Success, Audit Failure |
| 4929 | An Active Directory replica source naming context was removed | Domain Controller, Audit Success, Audit Failure |
| 4930 | An Active Directory replica source naming context was modified | Domain Controller, Audit Success, Audit Failure |
| 4931 | An Active Directory replica destination naming context was modified | Domain Controller, Audit Success, Audit Failure |
| 4932 | Synchronization of a replica of an Active Directory naming context has begun | Audit Success, Audit Failure, Domain Controller |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended | Audit Success, Audit Failure, Domain Controller |
| 4934 | Attributes of an Active Directory object were replicated | Domain Controller, Audit Success, Audit Failure |
| 4935 | Replication failure begins | Domain Controller, Audit Success, Audit Failure |
| 4936 | Replication failure ends | Domain Controller, Audit Success, Audit Failure |
| 4937 | A lingering object was removed from a replica | Audit Success |
| 4944 | The following policy was active when the Windows Firewall started | Audit Success |
| 4945 | A rule was listed when the Windows Firewall started | Audit Success |
| 4946 | A change was made to the Windows Firewall exception list. A rule was added | Audit Success |
| 4947 | A change was made to the Windows Firewall exception list. A rule was modified | Audit Success |
| 4948 | A change was made to the Windows Firewall exception list. A rule was deleted | Audit Success |
| 4949 | Windows Firewall settings were restored to the default values. | Audit Success |
| 4950 | A Windows Firewall setting was changed | Audit Success |
| 4951 | Windows Firewall ignored a rule because its major version number is not recognized | Audit Failure |
| 4952 | Windows Firewall ignored parts of a rule because its minor version number is not recognized | Audit Failure |
| 4953 | Windows Firewall ignored a rule because it could not be parsed | Audit Failure |
| 4954 | Group Policy settings for Windows Firewall were changed, and the new settings were applied. | Audit Success |
| 4956 | Windows Firewall changed the active profile | Audit Success |
| 4957 | Windows Firewall did not apply the following rule | Audit Failure |
| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer | Audit Failure |
| 4960 | IPsec dropped an inbound packet that failed an integrity check | |
| 4961 | IPsec dropped an inbound packet that failed a replay check | |
| 4962 | IPsec dropped an inbound packet that failed a replay check | |
| 4963 | IPsec dropped an inbound clear text packet that should have been secured | |
| 4964 | Special groups have been assigned to a new logon | Audit Success |
| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) | |
| 4976 | During main mode negotiation, IPsec received an invalid negotiation packet | Audit Success |
| 4977 | During quick mode negotiation, IPsec received an invalid negotiation packet | |
| 4978 | During extended mode negotiation, IPsec received an invalid negotiation packet | |
| 4979 | IPsec main mode and extended mode security associations were established | |
| 4980 | IPsec main mode and extended mode security associations were established | |
| 4981 | IPsec main mode and extended mode security associations were established | |
| 4982 | IPsec main mode and extended mode security associations were established | |
| 4983 | An IPsec extended mode negotiation failed | |
| 4984 | An IPsec extended mode negotiation failed | |
| 4985 | The state of a transaction has changed | Audit Success |
| 5024 | The Windows Firewall service started successfully. | Audit Success |
| 5025 | The Windows Firewall service was stopped. | Audit Success |
| 5027 | The Windows Firewall service was unable to retrieve the security policy from the local storage. | Audit Failure |
| 5028 | Windows Firewall was unable to parse the new security policy. | Audit Failure |
| 5029 | The Windows Firewall service failed to initialize the driver. | Audit Failure |
| 5030 | The Windows Firewall service failed to start. | Audit Failure |
| 5031 | Windows Firewall blocked an application from accepting incoming connections on the network. | Audit Failure |
| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. | Audit Failure |
| 5033 | The Windows Firewall Driver started successfully. | Audit Success |
| 5034 | The Windows Firewall Driver was stopped. | Audit Success |
| 5035 | The Windows Firewall Driver failed to start. | Audit Failure |
| 5037 | The Windows Firewall Driver detected a critical runtime error. | Audit Failure |
| 5038 | Code integrity determined that the image hash of a file is not valid. | Audit Failure |
| 5039 | A registry key was virtualized. | |
| 5040 | A change was made to IPsec settings. An authentication set was added. | |
| 5041 | A change was made to IPsec settings. An authentication set was modified. | |
| 5042 | A change was made to IPsec settings. An authentication set was deleted. | |
| 5043 | A change was made to IPsec settings. A connection security rule was added. | |
| 5044 | A change was made to IPsec settings. A connection security rule was modified. | |
| 5045 | A change was made to IPsec settings. A connection security rule was deleted. | |
| 5046 | A change was made to IPsec settings. A crypto set was added. | |
| 5047 | A change was made to IPsec settings. A crypto set was modified. | |
| 5048 | A change was made to IPsec settings. A crypto set was deleted. | |
| 5049 | An IPsec security association was deleted. | Audit Success |
| 5050 | An attempt to programmatically disable Windows Firewall was rejected. | |
| 5051 | A file was virtualized. | |
| 5056 | A cryptographic self test was performed. | Audit Success |
| 5057 | A cryptographic primitive operation failed. | Audit Failure |
| 5058 | Key file operation. | Audit Success, Audit Failure |
| 5059 | Key migration operation. | Audit Success, Audit Failure |
| 5060 | Verification operation failed. | Audit Failure |
| 5061 | Cryptographic operation. | Audit Success, Audit Failure |
| 5062 | A kernel-mode cryptographic self test was performed. | Audit Success |
| 5063 | A cryptographic provider operation was attempted. | Audit Success, Audit Failure |
| 5064 | A cryptographic context operation was attempted. | Audit Success, Audit Failure |
| 5065 | A cryptographic context modification was attempted. | Audit Success, Audit Failure |
| 5066 | A cryptographic function operation was attempted. | Audit Success, Audit Failure |
| 5067 | A cryptographic function modification was attempted. | Audit Success, Audit Failure |
| 5068 | A cryptographic function provider operation was attempted. | Audit Success, Audit Failure |
| 5069 | A cryptographic function property operation was attempted. | Audit Success, Audit Failure |
| 5070 | A cryptographic function property modification was attempted. | Audit Success, Audit Failure |
| 5071 | Key access denied by Microsoft key distribution service. | |
| 5120 | OCSP Responder Service Started. | |
| 5121 | OCSP Responder Service Stopped. | |
| 5122 | A configuration entry changed in the OCSP Responder Service. | |
| 5123 | A configuration entry changed in the OCSP Responder Service. | |
| 5124 | A security setting was updated on OCSP Responder Service. | |
| 5125 | A request was submitted to OCSP Responder Service. | |
| 5126 | Signing Certificate was automatically updated by the OCSP Responder Service. | |
| 5127 | The OCSP Revocation Provider successfully updated the revocation information. | |
| 5136 | A directory service object was modified | Domain Controller, Audit Success |
| 5137 | A directory service object was created | Domain Controller, Audit Success |
| 5138 | A directory service object was undeleted. | Domain Controller, Audit Success |
| 5140 | A network share object was accessed | Audit Success, Audit Failure |
| 5142 | A network share object was added | Audit Success |
| 5143 | A network share object was modified | Audit Success |
| 5144 | A network share object was deleted | Audit Success |
| 5145 | A network share object was checked to see whether client can be granted desired access. | Audit Success, Audit Failure |
| 5146 | The Windows Filtering Platform has blocked a packet. | |
| 5147 | A more restrictive Windows Filtering Platform filter has blocked a packet. | |
| 5148 | The Windows Filtering Platform has detected a DoS attack. | Audit Failure |
| 5149 | The DoS attack has subsided and normal processing is being resumed. | Audit Failure |
| 5150 | The Windows Filtering Platform has blocked a packet. | |
| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. | |
| 5152 | The Windows Filtering Platform has blocked a packet. | Audit Failure |
| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. | Audit Success |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. | Audit Success |
| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. | Audit Failure |
| 5156 | The Windows Filtering Platform has allowed a connection. | Audit Success |
| 5157 | The Windows Filtering Platform has blocked a connection. | Audit Failure |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port. | Audit Success |
| 5168 | SPN check for SMB/SMB2 fails. | Audit Failure |
| 5376 | Credential Manager credentials were backed up. | Audit Success |
| 5377 | Credential Manager credentials were restored from a backup. | Audit Success |
| 5378 | The requested credentials delegation was disallowed by policy. | Audit Failure |
| 5440 | The following callout was present when the Windows Filtering Platform Base Filtering Engine started. | |
| 5441 | The following filter was present when the Windows Filtering Platform Base Filtering Engine started. | |
| 5442 | The following provider was present when the Windows Filtering Platform Base Filtering Engine started. | |
| 5443 | The following provider context was present when the Windows Filtering Platform Base Filtering Engine started. | |
| 5444 | The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started. | |
| 5447 | A Windows Filtering Platform filter has been changed. | Audit Success |
| 5448 | A Windows Filtering Platform provider has been changed. | |
| 5449 | A Windows Filtering Platform provider context has been changed. | |
| 5450 | A Windows Filtering Platform sub-layer has been changed. | |
| 5451 | An IPsec quick mode security association was established. | |
| 5452 | An IPsec quick mode security association ended. | |
| 5453 | An IPsec negotiation with a remote computer failed. | Audit Success |
| 5456 | IPsec Policy Agent applied Active Directory storage IPsec policy on the computer. | |
| 5457 | IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer. | |
| 5458 | IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer. | |
| 5459 | IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. | |
| 5460 | IPsec Policy Agent applied local registry storage IPsec policy on the computer. | |
| 5461 | IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer | |
| 5462 | IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer. | |
| 5463 | IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes. | |
| 5464 | IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them. | |
| 5465 | IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully. | |
| 5466 | IPsec Policy Agent polled for changes to the Active Directory IPsec policy. | |
| 5467 | IPsec Policy Agent polled for changes to the Active Directory IPsec policy. | |
| 5468 | IPsec Policy Agent polled for changes to the Active Directory IPsec policy. | |
| 5471 | IPsec Policy Agent loaded local storage IPsec policy on the computer. | |
| 5472 | IPsec Policy Agent failed to load local storage IPsec policy on the computer. | |
| 5473 | IPsec Policy Agent loaded directory storage IPsec policy on the computer. | |
| 5474 | IPsec Policy Agent failed to load directory storage IPsec policy on the computer. | |
| 5477 | IPsec Policy Agent failed to add quick mode filter. | |
| 5478 | The IPsec Policy Agent service was started. | Audit Success |
| 5479 | The IPsec Policy Agent service was stopped. | |
| 5480 | IPsec Policy Agent failed to get the complete list of network interfaces on the computer. | |
| 5483 | The IPsec Policy Agent service failed to initialize its RPC server. | |
| 5484 | The IPsec Policy Agent service experienced a critical failure and has shut down. | |
| 5485 | IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. | |
| 5632 | A request was made to authenticate to a wireless network. | Audit Success, Audit Failure |
| 5633 | A request was made to authenticate to a wired network. | Audit Success, Audit Failure |
| 5712 | A Remote Procedure Call (RPC) was attempted. | Audit Success |
| 5888 | An object in the COM+ Catalog was modified. | Audit Success |
| 5889 | An object was deleted from the COM+ Catalog. | Audit Success |
| 5890 | An object was added to the COM+ Catalog. | Audit Success |
| 6144 | Security policy in the group policy objects has been applied successfully. | Audit Success |
| 6145 | One or more errors occurred while processing security policy in the group policy objects. | Audit Failure |
| 6272 | Network Policy Server granted access to a user. | Audit Success, Audit Failure |
| 6273 | Network Policy Server denied access to a user. | Audit Success, Audit Failure |
| 6274 | Network Policy Server discarded the request for a user. | Audit Success, Audit Failure |
| 6275 | Network Policy Server discarded the accounting request for a user. | Audit Success, Audit Failure |
| 6276 | Network Policy Server quarantined a user. | Audit Success, Audit Failure |
| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. | Audit Success, Audit Failure |
| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. | Audit Success, Audit Failure |
| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. | Audit Success, Audit Failure |
| 6280 | Network Policy Server unlocked the user account. | Audit Success, Audit Failure |
| 6281 | Code Integrity determined that the page hashes of an image file are not valid. | Audit Failure |
| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content. | |
| 6401 | BranchCache: Received invalid data from a peer. Data discarded. | |
| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted. | |
| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. | |
| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. | |
| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. | |
| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2. | |
| 6407 | n/a | |
| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. | |
| 6409 | BranchCache: A service connection point object could not be parsed. | |
| 6410 | Code integrity determined that a file does not meet the security requirements to load into a process. | Audit Failure |
| 6416 | A new external device was recognized by the system. | Audit Success |
| 6417 | The FIPS mode crypto selftests succeeded. | |
| 6418 | The FIPS mode crypto selftests failed. | |
| 6419 | A request was made to disable a device. | Audit Success |
| 6420 | A device was disabled. | Audit Success |
| 6421 | A request was made to enable a device. | Audit Success |
| 6422 | A device was enabled. | Audit Success |
| 6423 | The installation of this device is forbidden by system policy. | Audit Success |
| 6424 | The installation of this device was allowed, after having previously been forbidden by policy. | Audit Success |