ID Event Description
4624 An account was successfully logged on
4625 An account failed to log on
4626 User / Device claims information
4627 Group membership information
4634 An account was logged off
4646 n/a
4647 User initiated logoff
4648 A logon was attempted using explicit credentials
4649 A replay attack was detected
4650 An IPsec main mode security association was established
4651 An IPsec main mode security association was established
4652 An IPsec main mode negotiation failed
4653 An IPsec main mode negotiation failed
4654 An IPsec quick mode negotiation failed
4655 An IPsec main mode security association ended
4672 Special privileges assigned to new logon
4675 SIDs were filtered
4775 An account could not be mapped for logon
4777 The domain controller failed to validate the credentials for an account
4778 A session was reconnected to a Window Station
4779 A session was disconnected from a Window Station
4800 The workstation was locked
4801 The workstation was unlocked
4802 The screen saver was invoked
4803 The screen saver was dismissed
4825 A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
4964 Special groups have been assigned to a new logon
4976 During main mode negotiation, IPsec received an invalid negotiation packet
4977 During quick mode negotiation, IPsec received an invalid negotiation packet
4978 During extended mode negotiation, IPsec received an invalid negotiation packet
4979 IPsec main mode and extended mode security associations were established
4980 IPsec main mode and extended mode security associations were established
4981 IPsec main mode and extended mode security associations were established
4982 IPsec main mode and extended mode security associations were established
4983 An IPsec extended mode negotiation failed
4984 An IPsec extended mode negotiation failed
5049 An IPsec security association was deleted.
5378 The requested credentials delegation was disallowed by policy.
5451 An IPsec quick mode security association was established.
5452 An IPsec quick mode security association ended.
5453 An IPsec negotiation with a remote computer failed.
5632 A request was made to authenticate to a wireless network.
5633 A request was made to authenticate to a wired network.
6272 Network Policy Server granted access to a user.
6273 Network Policy Server denied access to a user.
6274 Network Policy Server discarded the request for a user.
6275 Network Policy Server discarded the accounting request for a user.
6276 Network Policy Server quarantined a user.
6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
6278 Network Policy Server granted full access to a user because the host met the defined health policy.
6279 Network Policy Server locked the user account due to repeated failed authentication attempts.
6280 Network Policy Server unlocked the user account.
528 Successful Logon
529 Logon Failure : Unknown username or bad password
530 Logon Failure : Account logon time restriction violation
531 Logon Failure : Account currently disabled
532 Logon Failure : The specified user account has expired
533 Logon Failure : User not allowed to logon at this computer
534 Logon Failure : The user has note been granted the requested logon type at this machine
535 Logon Failure : The specified account's password has expired
536 Logon Failure : The NetLogon component is not active
537 The logon attempt failed for other reasons
538 The user has logged off
539 Logon Failure : Account locked out
540 Successful Network Logon
548 Logon Failure : Domain SID inconsistent
549 Logon Failure : All SIDs were filtered out
551 User initiated logoff
552 Logon attempt using explicit credentials
672 Authentication Ticket Request
673 Service Ticket Request
674 Service Ticket Renewed
675 Pre-authentication failed
676 Authentication Ticket Request Failed
677 Service Ticket Request Failed
678 Account Mapped for Logon
679 The name could not be mapped for logon
680 Logon attempt
681 The logon to account from workstation
682 Session reconnected to winstation
683 Session disconnected from winstation