ID Event Description
1100 The event logging service has shut down
4608 Windows is starting up
4609 Windows is shutting down
4610 An authentication package has been loaded by the Local Security Authority
4611 A trusted logon process has been registered with the Local Security Authority
4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
4614 A notification package has been loaded by the Security Account Manager
4615 Invalid use of LPC port
4616 The system time was changed
4618 A monitored security event pattern has occurred.
4621 Administrator recovered system from CrashOnAuditFail.
4622 A security package has been loaded by the Local Security Authority.
4697 A service was installed in the system
4816 RPC detected an integrity violation while decrypting an incoming message. Peer Name: %1 Protocol Sequence: %2 Security Error: %3
4830 SID History was removed from an account
4960 IPsec dropped an inbound packet that failed an integrity check
4961 IPsec dropped an inbound packet that failed a replay check
4962 IPsec dropped an inbound packet that failed a replay check
4963 IPsec dropped an inbound clear text packet that should have been secured
4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
5024 The Windows Firewall service started successfully.
5025 The Windows Firewall service was stopped.
5027 The Windows Firewall service was unable to retrieve the security policy from the local storage.
5028 Windows Firewall was unable to parse the new security policy.
5029 The Windows Firewall service failed to initialize the driver.
5030 The Windows Firewall service failed to start.
5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033 The Windows Firewall Driver started successfully.
5034 The Windows Firewall Driver was stopped.
5035 The Windows Firewall Driver failed to start.
5037 The Windows Firewall Driver detected a critical runtime error.
5038 Code integrity determined that the image hash of a file is not valid.
5050 An attempt to programmatically disable Windows Firewall was rejected.
5056 A cryptographic self test was performed.
5057 A cryptographic primitive operation failed.
5058 Key file operation.
5059 Key migration operation.
5060 Verification operation failed.
5061 Cryptographic operation.
5062 A kernel-mode cryptographic self test was performed.
5071 Key access denied by Microsoft key distribution service.
5478 The IPsec Policy Agent service was started.
5479 The IPsec Policy Agent service was stopped.
5480 IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
5483 The IPsec Policy Agent service failed to initialize its RPC server.
5484 The IPsec Policy Agent service experienced a critical failure and has shut down.
5485 IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
6281 Code Integrity determined that the page hashes of an image file are not valid.
6400 BranchCache: Received an incorrectly formatted response while discovering availability of content.
6401 BranchCache: Received invalid data from a peer. Data discarded.
6402 BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
6403 BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
6404 BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
6405 BranchCache: %2 instance(s) of event id %1 occurred.
6406 %1 registered to Windows Firewall to control filtering for the following: %2.
6407 n/a
6408 Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
6409 BranchCache: A service connection point object could not be parsed.
6410 Code integrity determined that a file does not meet the security requirements to load into a process.
6417 The FIPS mode crypto selftests succeeded.
6418 The FIPS mode crypto selftests failed.
512 Windows NT is starting up
513 Windows is shutting down
514 An authentication package has been loaded by the Local Security Authority
515 A trusted logon process has registered with the Local Security Authority
516 Queuing of audit messages have been exhausted, leading to the loss of some audits
517 The audit log was cleared
518 A notification package has been loaded by the Security Account Manager
519 A process is using an invalid local procedure call (LPC) port
520 The system time was changed
521 Unable to log events to security log
523 The security log is full