System32
Events
Scripts
Codes
GeoIP
Tools
Audit Category
Detailed Tracking
(23)
Audit Subcategory
Plug and Play Events
(7)
PnP Activity
(7)
DPAPI Activity
(4)
Process Creation
(2)
Process Termination
(1)
RPC Events
(1)
Operating Systems
Windows 10
(14)
Windows 2016
(14)
Windows 2019
(14)
Windows 2003
(8)
Windows 2008
(8)
Windows Vista
(8)
Windows XP
(8)
Windows 2008 R2
(7)
Windows 2012
(7)
Windows 2012 R2
(7)
Windows 7
(7)
Windows 8
(7)
Windows 8.1
(7)
Windows Server 2000
(6)
Tags
Audit Success
(10)
Audit Failure
(4)
ID
Event Description
4688
A new process has been created
4689
A process has exited
4692
Backup of data protection master key was attempted
4693
Recovery of data protection master key was attempted
4694
Protection of auditable protected data was attempted
4695
Unprotection of auditable protected data was attempted
4696
A primary token was assigned to process
5712
A Remote Procedure Call (RPC) was attempted.
6416
A new external device was recognized by the system.
6419
A request was made to disable a device.
6420
A device was disabled.
6421
A request was made to enable a device.
6422
A device was enabled.
6423
The installation of this device is forbidden by system policy.
6424
The installation of this device was allowed, after having previously been forbidden by policy.
592
A new process has been created
593
A process has exited
594
A handle to an object has been duplicated
595
Indirect access to an object has been obtained
596
Backup of data protection master key
600
A process was assigned a primary token
601
Attempt to install service
602
Scheduled Task created