| ID | Event Description | Tags |
|---|---|---|
| 1100 | The event logging service has shut down | Audit Success, PCI-DSS |
| 1101 | Audit Events Have Been Dropped By The Transport | CJIS, PCI-DSS, ISO 27001:2013 |
| 1102 | The audit log was cleared | CJIS, ISO 27001:2013, PCI-DSS |
| 1104 | The security event log is now full | CJIS, PCI-DSS, ISO 27001:2013 |
| 4608 | Windows is starting up | Audit Success, PCI-DSS |
| 4609 | Windows is shutting down | |
| 4610 | An authentication package has been loaded by the Local Security Authority | Audit Success |
| 4611 | A trusted logon process has been registered with the Local Security Authority | Audit Success |
| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits | Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3, CMMC L2 |
| 4614 | A notification package has been loaded by the Security Account Manager | Audit Success |
| 4615 | Invalid use of LPC port | Audit Success |
| 4616 | The system time was changed | Audit Success |
| 4618 | A monitored security event pattern has occurred. | Audit Success |
| 4621 | Administrator recovered system from CrashOnAuditFail. | Audit Success, NIST SP 800-53, NIST 800-171, CMMC L2 |
| 4622 | A security package has been loaded by the Local Security Authority | Audit Success |
| 4697 | A service was installed in the system | Audit Success |
| 4816 | RPC detected an integrity violation while decrypting an incoming message. | Audit Success |
| 4830 | SID History was removed from an account | |
| 4960 | IPsec dropped an inbound packet that failed an integrity check | |
| 4961 | IPsec dropped an inbound packet that failed a replay check | |
| 4962 | IPsec dropped an inbound packet that failed a replay check | |
| 4963 | IPsec dropped an inbound clear text packet that should have been secured | |
| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI) | |
| 5024 | The Windows Firewall service started successfully. | Audit Success |
| 5025 | The Windows Firewall service was stopped. | Audit Success |
| 5027 | The Windows Firewall service was unable to retrieve the security policy from the local storage. | Audit Failure |
| 5028 | Windows Firewall was unable to parse the new security policy. | Audit Failure |
| 5029 | The Windows Firewall service failed to initialize the driver. | Audit Failure |
| 5030 | The Windows Firewall service failed to start. | Audit Failure |
| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. | Audit Failure |
| 5033 | The Windows Firewall Driver started successfully. | Audit Success |
| 5034 | The Windows Firewall Driver was stopped. | Audit Success |
| 5035 | The Windows Firewall Driver failed to start. | Audit Failure |
| 5037 | The Windows Firewall Driver detected a critical runtime error. | Audit Failure |
| 5038 | Code integrity determined that the image hash of a file is not valid. | Audit Failure |
| 5050 | An attempt to programmatically disable Windows Firewall was rejected. | |
| 5056 | A cryptographic self test was performed. | Audit Success |
| 5057 | A cryptographic primitive operation failed. | Audit Failure |
| 5058 | Key file operation. | Audit Success, Audit Failure |
| 5059 | Key migration operation. | Audit Success, Audit Failure |
| 5060 | Verification operation failed. | Audit Failure |
| 5061 | Cryptographic operation. | Audit Success, Audit Failure |
| 5062 | A kernel-mode cryptographic self test was performed. | Audit Success |
| 5071 | Key access denied by Microsoft key distribution service. | |
| 5478 | The IPsec Policy Agent service was started. | Audit Success |
| 5479 | The IPsec Policy Agent service was stopped. | |
| 5480 | IPsec Policy Agent failed to get the complete list of network interfaces on the computer. | |
| 5483 | The IPsec Policy Agent service failed to initialize its RPC server. | |
| 5484 | The IPsec Policy Agent service experienced a critical failure and has shut down. | |
| 5485 | IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces. | |
| 6281 | Code Integrity determined that the page hashes of an image file are not valid. | Audit Failure |
| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content. | |
| 6401 | BranchCache: Received invalid data from a peer. Data discarded. | |
| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted. | |
| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. | |
| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. | |
| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. | |
| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2. | |
| 6407 | n/a | |
| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. | |
| 6409 | BranchCache: A service connection point object could not be parsed. | |
| 6410 | Code integrity determined that a file does not meet the security requirements to load into a process. | Audit Failure |
| 6417 | The FIPS mode crypto selftests succeeded. | |
| 6418 | The FIPS mode crypto selftests failed. | |
| 512 | Windows NT is starting up | |
| 513 | Windows is shutting down | |
| 514 | An authentication package has been loaded by the Local Security Authority | |
| 515 | A trusted logon process has registered with the Local Security Authority | |
| 516 | Queuing of audit messages have been exhausted, leading to the loss of some audits | |
| 517 | The audit log was cleared | |
| 518 | A notification package has been loaded by the Security Account Manager | |
| 519 | A process is using an invalid local procedure call (LPC) port | |
| 520 | The system time was changed | |
| 521 | Unable to log events to security log | |
| 523 | The security log is full | |