ID Event Description
1100 The event logging service has shut down
Audit Success, PCI-DSS
1102 The audit log was cleared
CJIS, ISO 27001:2013, PCI-DSS
4625 An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
4626 User / Device claims information
Audit Success
4627 Group membership information
Audit Success
4648 A logon was attempted using explicit credentials
Audit Success
4649 A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4663 An attempt was made to access an object
Audit Success, CJIS
4675 SIDs were filtered
Domain Controller, Audit Success
4688 A new process has been created
NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4689 A process has exited
Audit Success
4692 Backup of data protection master key was attempted
Audit Success, Audit Failure
4693 Recovery of data protection master key was attempted
Audit Success, Audit Failure
4694 Protection of auditable protected data was attempted
Audit Success, Audit Failure
4695 Unprotection of auditable protected data was attempted
Audit Success, Audit Failure
4698 A scheduled task was created
Audit Success, PCI-DSS
4699 A scheduled task was deleted
Audit Success, PCI-DSS
4700 A scheduled task was enabled
Audit Success
4701 A scheduled task was disabled
Audit Success
4702 A scheduled task was updated
Audit Success, PCI-DSS
4713 Kerberos policy was changed
Domain Controller, Audit Success
4719 System audit policy was changed
Audit Success
4720 A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722 A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4725 A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726 A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4728 A member was added to a security-enabled global group
Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4732 A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4739 Domain Policy was changed
Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
4741 A computer account was created
Domain Controller, Audit Success
4742 A computer account was changed
Domain Controller, Audit Success
4743 A computer account was deleted
Domain Controller, Audit Success
4756 A member was added to a security-enabled universal group
Domain Controller, ISO 27001:2013
4778 A session was reconnected to a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4779 A session was disconnected from a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4780 The ACL was set on accounts which are members of administrators groups
Domain Controller, Audit Success
4782 The password hash an account was accessed
Domain Controller, Audit Success
4793 The Password Policy Checking API was called
Domain Controller, Audit Success
4800 The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4801 The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4819 Central Access Policies on the machine have been changed
Audit Success
4826 Boot Configuration Data loaded
Audit Success
4902 The Per-user audit policy table was created
Audit Success
4904 An attempt was made to register a security event source
Audit Success
4912 Per User Audit Policy was changed
Audit Success
4944 The following policy was active when the Windows Firewall started
Audit Success
4945 A rule was listed when the Windows Firewall started
Audit Success
4946 A change was made to the Windows Firewall exception list. A rule was added
Audit Success
4947 A change was made to the Windows Firewall exception list. A rule was modified
Audit Success
4948 A change was made to the Windows Firewall exception list. A rule was deleted
Audit Success
4949 Windows Firewall settings were restored to the default values.
Audit Success
4950 A Windows Firewall setting was changed
Audit Success
4951 Windows Firewall ignored a rule because its major version number is not recognized
Audit Failure
4952 Windows Firewall ignored parts of a rule because its minor version number is not recognized
Audit Failure
4953 Windows Firewall ignored a rule because it could not be parsed
Audit Failure
4956 Windows Firewall changed the active profile
Audit Success
4957 Windows Firewall did not apply the following rule
Audit Failure
4958 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Audit Failure
5024 The Windows Firewall service started successfully.
Audit Success
5027 The Windows Firewall service was unable to retrieve the security policy from the local storage.
Audit Failure
5028 Windows Firewall was unable to parse the new security policy.
Audit Failure
5029 The Windows Firewall service failed to initialize the driver.
Audit Failure
5030 The Windows Firewall service failed to start.
Audit Failure
5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Audit Failure
5033 The Windows Firewall Driver started successfully.
Audit Success
5034 The Windows Firewall Driver was stopped.
Audit Success
5035 The Windows Firewall Driver failed to start.
Audit Failure
5037 The Windows Firewall Driver detected a critical runtime error.
Audit Failure
5050 An attempt to programmatically disable Windows Firewall was rejected.
5060 Verification operation failed.
Audit Failure
5063 A cryptographic provider operation was attempted.
Audit Success, Audit Failure
5064 A cryptographic context operation was attempted.
Audit Success, Audit Failure
5065 A cryptographic context modification was attempted.
Audit Success, Audit Failure
5066 A cryptographic function operation was attempted.
Audit Success, Audit Failure
5067 A cryptographic function modification was attempted.
Audit Success, Audit Failure
5068 A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
5069 A cryptographic function property operation was attempted.
Audit Success, Audit Failure
5070 A cryptographic function property modification was attempted.
Audit Success, Audit Failure
5142 A network share object was added
Audit Success
5478 The IPsec Policy Agent service was started.
Audit Success
5480 IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
5483 The IPsec Policy Agent service failed to initialize its RPC server.
5484 The IPsec Policy Agent service experienced a critical failure and has shut down.
5485 IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
6145 One or more errors occurred while processing security policy in the group policy objects.
Audit Failure