ID Event Description
1100 The event logging service has shut down
Audit Success, PCI-DSS
1102 The audit log was cleared
CJIS, ISO 27001:2013, PCI-DSS
4608 Windows is starting up
Audit Success, PCI-DSS
4609 Windows is shutting down
4610 An authentication package has been loaded by the Local Security Authority
Audit Success
4611 A trusted logon process has been registered with the Local Security Authority
Audit Success
4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4614 A notification package has been loaded by the Security Account Manager
Audit Success
4615 Invalid use of LPC port
Audit Success
4616 The system time was changed
Audit Success
4618 A monitored security event pattern has occurred.
Audit Success
4621 Administrator recovered system from CrashOnAuditFail.
Audit Success, NIST SP 800-53, NIST 800-171, CMMC L2
4622 A security package has been loaded by the Local Security Authority
Audit Success
4697 A service was installed in the system
Audit Success
4816 RPC detected an integrity violation while decrypting an incoming message.
Audit Success
4830 SID History was removed from an account
4960 IPsec dropped an inbound packet that failed an integrity check
4961 IPsec dropped an inbound packet that failed a replay check
4962 IPsec dropped an inbound packet that failed a replay check
4963 IPsec dropped an inbound clear text packet that should have been secured
4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
5024 The Windows Firewall service started successfully.
Audit Success
5025 The Windows Firewall service was stopped.
Audit Success
5027 The Windows Firewall service was unable to retrieve the security policy from the local storage.
Audit Failure
5028 Windows Firewall was unable to parse the new security policy.
Audit Failure
5029 The Windows Firewall service failed to initialize the driver.
Audit Failure
5030 The Windows Firewall service failed to start.
Audit Failure
5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Audit Failure
5033 The Windows Firewall Driver started successfully.
Audit Success
5034 The Windows Firewall Driver was stopped.
Audit Success
5035 The Windows Firewall Driver failed to start.
Audit Failure
5037 The Windows Firewall Driver detected a critical runtime error.
Audit Failure
5038 Code integrity determined that the image hash of a file is not valid.
Audit Failure
5050 An attempt to programmatically disable Windows Firewall was rejected.
5056 A cryptographic self test was performed.
Audit Success
5057 A cryptographic primitive operation failed.
Audit Failure
5058 Key file operation.
Audit Success, Audit Failure
5059 Key migration operation.
Audit Success, Audit Failure
5060 Verification operation failed.
Audit Failure
5061 Cryptographic operation.
Audit Success, Audit Failure
5062 A kernel-mode cryptographic self test was performed.
Audit Success
5071 Key access denied by Microsoft key distribution service.
5478 The IPsec Policy Agent service was started.
Audit Success
5479 The IPsec Policy Agent service was stopped.
5480 IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
5483 The IPsec Policy Agent service failed to initialize its RPC server.
5484 The IPsec Policy Agent service experienced a critical failure and has shut down.
5485 IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
6281 Code Integrity determined that the page hashes of an image file are not valid.
Audit Failure
6400 BranchCache: Received an incorrectly formatted response while discovering availability of content.
6401 BranchCache: Received invalid data from a peer. Data discarded.
6402 BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
6403 BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
6404 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
6405 BranchCache: %2 instance(s) of event id %1 occurred.
6406 %1 registered to Windows Firewall to control filtering for the following: %2.
6407 n/a
6408 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
6409 BranchCache: A service connection point object could not be parsed.
6410 Code integrity determined that a file does not meet the security requirements to load into a process.
Audit Failure
6417 The FIPS mode crypto selftests succeeded.
6418 The FIPS mode crypto selftests failed.
512 Windows NT is starting up
513 Windows is shutting down
514 An authentication package has been loaded by the Local Security Authority
515 A trusted logon process has registered with the Local Security Authority
516 Queuing of audit messages have been exhausted, leading to the loss of some audits
517 The audit log was cleared
518 A notification package has been loaded by the Security Account Manager
519 A process is using an invalid local procedure call (LPC) port
520 The system time was changed
521 Unable to log events to security log
523 The security log is full