| ID |
Event Description |
|
1100
|
The event logging service has shut down
Audit Success, PCI-DSS
|
|
1102
|
The audit log was cleared
CJIS, ISO 27001:2013, PCI-DSS
|
|
4611
|
A trusted logon process has been registered with the Local Security Authority
Audit Success
|
|
4615
|
Invalid use of LPC port
Audit Success
|
|
4616
|
The system time was changed
Audit Success
|
|
4618
|
A monitored security event pattern has occurred.
Audit Success
|
|
4624
|
An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
|
|
4625
|
An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
|
|
4626
|
User / Device claims information
Audit Success
|
|
4627
|
Group membership information
Audit Success
|
|
4634
|
An account was logged off
Audit Success
|
|
4647
|
User initiated logoff
Audit Success
|
|
4648
|
A logon was attempted using explicit credentials
Audit Success
|
|
4649
|
A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
|
|
4650
|
An IPsec main mode security association was established
Audit Success
|
|
4651
|
An IPsec main mode security association was established
Audit Success
|
|
4652
|
An IPsec main mode negotiation failed
Audit Failure
|
|
4653
|
An IPsec main mode negotiation failed
Audit Failure
|
|
4654
|
An IPsec quick mode negotiation failed
Audit Failure
|
|
4655
|
An IPsec main mode security association ended
Audit Success
|
|
4656
|
A handle to an object was requested
Audit Failure, Audit Success, CJIS
|
|
4657
|
A registry value was modified
Audit Success
|
|
4658
|
The handle to an object was closed
Audit Success
|
|
4659
|
A handle to an object was requested with intent to delete
|
|
4660
|
An object was deleted
Audit Success
|
|
4661
|
A handle to an object was requested
Domain Controller, Audit Success, Audit Failure
|
|
4662
|
An operation was performed on an object
Domain Controller, Audit Success, Audit Failure
|
|
4663
|
An attempt was made to access an object
Audit Success, CJIS
|
|
4664
|
An attempt was made to create a hard link
Audit Success
|
|
4665
|
An attempt was made to create an application client context
|
|
4666
|
An application attempted an operation
|
|
4667
|
An application client context was deleted
|
|
4668
|
An application was initialized
|
|
4670
|
Permissions on an object were changed
Audit Success
|
|
4671
|
An application attempted to access a blocked ordinal through the TBS
|
|
4672
|
Special privileges assigned to new logon
Audit Success
|
|
4673
|
A privileged service was called
Audit Success
|
|
4674
|
An operation was attempted on a privileged object
Audit Failure, Audit Success
|
|
4675
|
SIDs were filtered
Domain Controller, Audit Success
|
|
4688
|
A new process has been created
NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
|
|
4689
|
A process has exited
Audit Success
|
|
4690
|
An attempt was made to duplicate a handle to an object
Audit Success
|
|
4691
|
Indirect access to an object was requested
Audit Success
|
|
4692
|
Backup of data protection master key was attempted
Audit Success, Audit Failure
|
|
4693
|
Recovery of data protection master key was attempted
Audit Success, Audit Failure
|
|
4694
|
Protection of auditable protected data was attempted
Audit Success, Audit Failure
|
|
4695
|
Unprotection of auditable protected data was attempted
Audit Success, Audit Failure
|
|
4696
|
A primary token was assigned to process
Audit Success
|
|
4697
|
A service was installed in the system
Audit Success
|
|
4698
|
A scheduled task was created
Audit Success, PCI-DSS
|
|
4699
|
A scheduled task was deleted
Audit Success, PCI-DSS
|
|
4700
|
A scheduled task was enabled
Audit Success
|
|
4701
|
A scheduled task was disabled
Audit Success
|
|
4702
|
A scheduled task was updated
Audit Success, PCI-DSS
|
|
4703
|
A token right was adjusted
Audit Success
|
|
4704
|
A user right was assigned
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
|
|
4705
|
A user right was removed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
|
|
4706
|
A new trust was created to a domain
Domain Controller, Audit Success
|
|
4707
|
A trust to a domain was removed
Domain Controller, Audit Success
|
|
4713
|
Kerberos policy was changed
Domain Controller, Audit Success
|
|
4715
|
The audit policy (SACL) on an object was changed
Audit Success
|
|
4716
|
Trusted domain information was modified
Domain Controller, Audit Success
|
|
4717
|
System security access was granted to an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
|
|
4718
|
System security access was removed from an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4719
|
System audit policy was changed
Audit Success
|
|
4720
|
A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
|
|
4722
|
A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
|
|
4723
|
An attempt was made to change an account's password
Audit Success, Audit Failure, CJIS
|
|
4724
|
An attempt was made to reset an account's password
Audit Failure, Audit Success, CJIS, ISO 27001:2013
|
|
4725
|
A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
|
|
4726
|
A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
|
|
4727
|
A security-enabled global group was created
Domain Controller
|
|
4728
|
A member was added to a security-enabled global group
Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
|
|
4729
|
A member was removed from a security-enabled global group
Domain Controller
|
|
4730
|
A security-enabled global group was deleted
Domain Controller
|
|
4731
|
A security-enabled local group was created
Audit Success
|
|
4732
|
A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
|
|
4733
|
A member was removed from a security-enabled local group
Audit Success
|
|
4734
|
A security-enabled local group was deleted
Audit Success
|
|
4735
|
A security-enabled local group was changed
Audit Success
|
|
4737
|
A security-enabled global group was changed
Domain Controller
|
|
4738
|
A user account was changed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
|
|
4739
|
Domain Policy was changed
Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
|
|
4740
|
A user account was locked out
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
|
|
4741
|
A computer account was created
Domain Controller, Audit Success
|
|
4742
|
A computer account was changed
Domain Controller, Audit Success
|
|
4743
|
A computer account was deleted
Domain Controller, Audit Success
|
|
4744
|
A security-disabled local group was created
|
|
4745
|
A security-disabled local group was changed
|
|
4746
|
A member was added to a security-disabled local group
|
|
4747
|
A member was removed from a security-disabled local group
|
|
4748
|
A security-disabled local group was deleted
|
|
4749
|
A security-disabled global group was created
Domain Controller, Audit Success
|
|
4750
|
A security-disabled global group was changed
Domain Controller, Audit Success
|
|
4751
|
A member was added to a security-disabled global group
Domain Controller, Audit Success
|
|
4752
|
A member was removed from a security-disabled global group
Domain Controller, Audit Success
|
|
4753
|
A security-disabled global group was deleted
Domain Controller, Audit Success
|
|
4754
|
A security-enabled universal group was created
Domain Controller
|
|
4755
|
A security-enabled universal group was changed
Domain Controller
|
|
4756
|
A member was added to a security-enabled universal group
Domain Controller, ISO 27001:2013
|
|
4757
|
A member was removed from a security-enabled universal group
Domain Controller
|
|
4758
|
A security-enabled universal group was deleted
Domain Controller
|
|
4759
|
A security-disabled universal group was created
Domain Controller
|
|
4760
|
A security-disabled universal group was changed
Domain Controller
|
|
4761
|
A member was added to a security-disabled universal group
Domain Controller
|
|
4762
|
A member was removed from a security-disabled universal group
Domain Controller
|
|
4763
|
A security-disabled universal group was deleted
Domain Controller
|
|
4764
|
A group’s type was changed
Domain Controller, Audit Success
|
|
4765
|
SID History was added to an account
Domain Controller, Audit Success
|
|
4766
|
An attempt to add SID History to an account failed
Domain Controller, Audit Failure
|
|
4767
|
A user account was unlocked
ISO 27001:2013, Audit Success
|
|
4768
|
This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53
|
|
4769
|
A Kerberos service ticket was requested
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
|
|
4770
|
A Kerberos service ticket was renewed
Domain Controller, Audit Success
|
|
4771
|
Kerberos pre-authentication failed
Domain Controller, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4778
|
A session was reconnected to a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4779
|
A session was disconnected from a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4780
|
The ACL was set on accounts which are members of administrators groups
Domain Controller, Audit Success
|
|
4781
|
The name of an account was changed
Audit Success
|
|
4782
|
The password hash an account was accessed
Domain Controller, Audit Success
|
|
4783
|
A basic application group was created
Domain Controller, Audit Success
|
|
4784
|
A basic application group was changed
Domain Controller, Audit Success
|
|
4785
|
A member was added to a basic application group
Domain Controller, Audit Success
|
|
4786
|
A member was removed from a basic application group
Domain Controller, Audit Success
|
|
4787
|
A non-member was added to a basic application group
Domain Controller, Audit Success
|
|
4788
|
A non-member was removed from a basic application group
Domain Controller, Audit Success
|
|
4789
|
A basic application group was deleted
Domain Controller, Audit Success
|
|
4790
|
An LDAP query group was created
Domain Controller, Audit Success
|
|
4791
|
A basic application group was changed
Domain Controller, Audit Success
|
|
4792
|
An LDAP query group was deleted
Domain Controller, Audit Success
|
|
4793
|
The Password Policy Checking API was called
Domain Controller, Audit Success
|
|
4794
|
An attempt was made to set the Directory Services Restore Mode administrator password
Domain Controller, Audit Success, Audit Failure
|
|
4797
|
An attempt was made to query the existence of a blank password for an account
|
|
4798
|
A user's local group membership was enumerated
Audit Success
|
|
4799
|
A security-enabled local group membership was enumerated
Audit Success
|
|
4800
|
The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4801
|
The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4802
|
The screen saver was invoked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4803
|
The screen saver was dismissed
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
|
4817
|
Auditing settings on object were changed
Audit Success
|
|
4818
|
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Audit Success
|
|
4819
|
Central Access Policies on the machine have been changed
Audit Success
|
|
4820
|
A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions
Domain Controller
|
|
4821
|
A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
Domain Controller
|
|
4824
|
Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
Domain Controller
|
|
4825
|
A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
|
|
4826
|
Boot Configuration Data loaded
Audit Success
|
|
4830
|
SID History was removed from an account
|
|
4864
|
A namespace collision was detected
|
|
4865
|
A trusted forest information entry was added
|
|
4866
|
A trusted forest information entry was removed
|
|
4867
|
A trusted forest information entry was modified
|
|
4868
|
The certificate manager denied a pending certificate request
|
|
4869
|
Certificate Services received a resubmitted certificate request
|
|
4873
|
A certificate request extension changed
|
|
4874
|
One or more certificate request attributes changed
|
|
4883
|
Certificate Services retrieved an archived key
|
|
4884
|
Certificate Services imported a certificate into its database
|
|
4886
|
Certificate Services received a certificate request
|
|
4887
|
Certificate Services approved a certificate request and issued a certificate
|
|
4888
|
Certificate Services denied a certificate request
|
|
4889
|
Certificate Services set the status of a certificate request to pending
|
|
4893
|
Certificate Services archived a key
|
|
4894
|
Certificate Services imported and archived a key
|
|
4896
|
One or more rows have been deleted from the certificate database
|
|
4902
|
The Per-user audit policy table was created
Audit Success
|
|
4904
|
An attempt was made to register a security event source
Audit Success
|
|
4905
|
An attempt was made to unregister a security event source
Audit Success
|
|
4907
|
Auditing settings on object were changed
|
|
4911
|
Resource attributes of the object were changed
Audit Success
|
|
4912
|
Per User Audit Policy was changed
Audit Success
|
|
4913
|
Central Access Policy on the object was changed
Audit Success
|
|
4932
|
Synchronization of a replica of an Active Directory naming context has begun
Audit Success, Audit Failure, Domain Controller
|
|
4933
|
Synchronization of a replica of an Active Directory naming context has ended
Audit Success, Audit Failure, Domain Controller
|
|
4934
|
Attributes of an Active Directory object were replicated
Domain Controller, Audit Success, Audit Failure
|
|
4945
|
A rule was listed when the Windows Firewall started
Audit Success
|
|
4946
|
A change was made to the Windows Firewall exception list. A rule was added
Audit Success
|
|
4947
|
A change was made to the Windows Firewall exception list. A rule was modified
Audit Success
|
|
4948
|
A change was made to the Windows Firewall exception list. A rule was deleted
Audit Success
|
|
4951
|
Windows Firewall ignored a rule because its major version number is not recognized
Audit Failure
|
|
4952
|
Windows Firewall ignored parts of a rule because its minor version number is not recognized
Audit Failure
|
|
4953
|
Windows Firewall ignored a rule because it could not be parsed
Audit Failure
|
|
4957
|
Windows Firewall did not apply the following rule
Audit Failure
|
|
4958
|
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Audit Failure
|
|
4964
|
Special groups have been assigned to a new logon
Audit Success
|
|
4979
|
IPsec main mode and extended mode security associations were established
|
|
4980
|
IPsec main mode and extended mode security associations were established
|
|
4981
|
IPsec main mode and extended mode security associations were established
|
|
4982
|
IPsec main mode and extended mode security associations were established
|
|
4983
|
An IPsec extended mode negotiation failed
|
|
4984
|
An IPsec extended mode negotiation failed
|
|
4985
|
The state of a transaction has changed
Audit Success
|
|
5039
|
A registry key was virtualized.
|
|
5040
|
A change was made to IPsec settings. An authentication set was added.
|
|
5041
|
A change was made to IPsec settings. An authentication set was modified.
|
|
5042
|
A change was made to IPsec settings. An authentication set was deleted.
|
|
5043
|
A change was made to IPsec settings. A connection security rule was added.
|
|
5044
|
A change was made to IPsec settings. A connection security rule was modified.
|
|
5045
|
A change was made to IPsec settings. A connection security rule was deleted.
|
|
5046
|
A change was made to IPsec settings. A crypto set was added.
|
|
5047
|
A change was made to IPsec settings. A crypto set was modified.
|
|
5048
|
A change was made to IPsec settings. A crypto set was deleted.
|
|
5049
|
An IPsec security association was deleted.
Audit Success
|
|
5050
|
An attempt to programmatically disable Windows Firewall was rejected.
|
|
5051
|
A file was virtualized.
|
|
5056
|
A cryptographic self test was performed.
Audit Success
|
|
5057
|
A cryptographic primitive operation failed.
Audit Failure
|
|
5058
|
Key file operation.
Audit Success, Audit Failure
|
|
5059
|
Key migration operation.
Audit Success, Audit Failure
|
|
5060
|
Verification operation failed.
Audit Failure
|
|
5061
|
Cryptographic operation.
Audit Success, Audit Failure
|
|
5063
|
A cryptographic provider operation was attempted.
Audit Success, Audit Failure
|
|
5064
|
A cryptographic context operation was attempted.
Audit Success, Audit Failure
|
|
5065
|
A cryptographic context modification was attempted.
Audit Success, Audit Failure
|
|
5066
|
A cryptographic function operation was attempted.
Audit Success, Audit Failure
|
|
5067
|
A cryptographic function modification was attempted.
Audit Success, Audit Failure
|
|
5068
|
A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
|
|
5069
|
A cryptographic function property operation was attempted.
Audit Success, Audit Failure
|
|
5070
|
A cryptographic function property modification was attempted.
Audit Success, Audit Failure
|
|
5071
|
Key access denied by Microsoft key distribution service.
|
|
5122
|
A Configuration entry changed in the OCSP Responder Service.
|
|
5126
|
Signing Certificate was automatically updated by the OCSP Responder Service.
|
|
5127
|
The OCSP Revocation Provider successfully updated the revocation information.
|
|
5136
|
A directory service object was modified
Domain Controller, Audit Success
|
|
5137
|
A directory service object was created
Domain Controller, Audit Success
|
|
5138
|
A directory service object was undeleted.
Domain Controller, Audit Success
|
|
5139
|
A directory service object was moved.
Domain Controller, Audit Success
|
|
5140
|
A network share object was accessed
Audit Success, Audit Failure
|
|
5141
|
A directory service object was deleted.
Domain Controller, Audit Success
|
|
5142
|
A network share object was added
Audit Success
|
|
5143
|
A network share object was modified
Audit Success
|
|
5144
|
A network share object was deleted
Audit Success
|
|
5145
|
A network share object was checked to see whether client can be granted desired access.
Audit Success, Audit Failure
|
|
5146
|
The Windows Filtering Platform has blocked a packet.
|
|
5147
|
A more restrictive Windows Filtering Platform filter has blocked a packet.
|
|
5150
|
The Windows Filtering Platform has blocked a packet.
|
|
5151
|
A more restrictive Windows Filtering Platform filter has blocked a packet.
|
|
5152
|
The Windows Filtering Platform has blocked a packet.
Audit Failure
|
|
5153
|
A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Success
|
|
5154
|
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Audit Success
|
|
5155
|
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Audit Failure
|
|
5156
|
The Windows Filtering Platform has allowed a connection.
Audit Success
|
|
5157
|
The Windows Filtering Platform has blocked a connection.
Audit Failure
|
|
5158
|
The Windows Filtering Platform has permitted a bind to a local port.
Audit Success
|
|
5168
|
Spn check for SMB/SMB2 fails.
Audit Failure
|
|
5169
|
A directory service object was modified.
Domain Controller, Audit Success, Audit Failure
|
|
5376
|
Credential Manager credentials were backed up.
Audit Success
|
|
5377
|
Credential Manager credentials were restored from a backup.
Audit Success
|
|
5378
|
The requested credentials delegation was disallowed by policy.
Audit Failure
|
|
5440
|
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5441
|
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5442
|
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5443
|
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5444
|
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
|
|
5446
|
A Windows Filtering Platform callout has been changed.
|
|
5447
|
A Windows Filtering Platform filter has been changed.
Audit Success
|
|
5448
|
A Windows Filtering Platform provider has been changed.
|
|
5449
|
A Windows Filtering Platform provider context has been changed.
|
|
5450
|
A Windows Filtering Platform sub-layer has been changed.
|
|
5451
|
An IPsec quick mode security association was established.
|
|
5452
|
An IPsec quick mode security association ended.
|
|
5632
|
A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
|
|
5633
|
A request was made to authenticate to a wired network.
Audit Success, Audit Failure
|
|
5888
|
An object in the COM+ Catalog was modified.
Audit Success
|
|
5889
|
An object was deleted from the COM+ Catalog.
Audit Success
|
|
5890
|
An object was added to the COM+ Catalog.
Audit Success
|
|
6272
|
Network Policy Server granted access to a user.
Audit Success, Audit Failure
|
|
6273
|
Network Policy Server denied access to a user.
Audit Success, Audit Failure
|
|
6274
|
Network Policy Server discarded the request for a user.
Audit Success, Audit Failure
|
|
6275
|
Network Policy Server discarded the accounting request for a user.
Audit Success, Audit Failure
|
|
6276
|
Network Policy Server quarantined a user.
Audit Success, Audit Failure
|
|
6277
|
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Audit Success, Audit Failure
|
|
6278
|
Network Policy Server granted full access to a user because the host met the defined health policy.
Audit Success, Audit Failure
|
|
6279
|
Network Policy Server locked the user account due to repeated failed authentication attempts.
Audit Success, Audit Failure
|
|
6280
|
Network Policy Server unlocked the user account.
Audit Success, Audit Failure
|
|
6405
|
BranchCache: %2 instance(s) of event id %1 occurred.
|
|
6416
|
A new external device was recognized by the system.
Audit Success
|
|
6417
|
The FIPS mode crypto selftests succeeded.
|
|
6418
|
The FIPS mode crypto selftests failed.
|
|
6419
|
A request was made to disable a device.
Audit Success
|
|
6420
|
A device was disabled.
Audit Success
|
|
6421
|
A request was made to enable a device.
Audit Success
|
|
6422
|
A device was enabled.
Audit Success
|
|
6423
|
The installation of this device is forbidden by system policy.
Audit Success
|
|
6424
|
The installation of this device was allowed, after having previously been forbidden by policy.
Audit Success
|
|
515
|
A trusted logon process has registered with the Local Security Authority
|
|
517
|
The audit log was cleared
|
|
519
|
A process is using an invalid local procedure call (LPC) port
|
|
520
|
The system time was changed
|
|
528
|
Successful Logon
|
|
529
|
Logon Failure : Unknown username or bad password
|
|
530
|
Logon Failure : Account logon time restriction violation
|
|
531
|
Logon Failure : Account currently disabled
|
|
532
|
Logon Failure : The specified user account has expired
|
|
533
|
Logon Failure : User not allowed to logon at this computer
|
|
534
|
Logon Failure : The user has note been granted the requested logon type at this machine
|
|
535
|
Logon Failure : The specified account's password has expired
|
|
536
|
Logon Failure : The NetLogon component is not active
|
|
537
|
The logon attempt failed for other reasons
|
|
538
|
The user has logged off
|
|
539
|
Logon Failure : Account locked out
|
|
540
|
Successful Network Logon
|
|
551
|
User initiated logoff
|
|
552
|
Logon attempt using explicit credentials
|
|
560
|
Object Open
|
|
561
|
Handle Allocated
|
|
562
|
Handle Closed
|
|
563
|
Object Open for Delete
|
|
564
|
Object Deleted
|
|
565
|
Object Open
|
|
566
|
Object Operation
|
|
567
|
Object Access Attempt
|
|
568
|
Hard link creation attempt
|
|
569
|
Application client context creation attempt
|
|
570
|
Application operation attempt
|
|
571
|
Application client context deletion
|
|
572
|
Application Initialized
|
|
574
|
Security on object changed
|
|
576
|
Special privileges assigned to new logon
|
|
577
|
Privileged Service Called
|
|
578
|
Privileged object operation
|
|
592
|
A new process has been created
|
|
593
|
A process has exited
|
|
594
|
A handle to an object has been duplicated
|
|
595
|
Indirect access to an object has been obtained
|
|
596
|
Backup of data protection master key
|
|
600
|
A process was assigned a primary token
|
|
601
|
Attempt to install service
|
|
602
|
Scheduled Task created
|
|
608
|
User Right Assigned
|
|
609
|
User Right Removed
|
|
610
|
New Trusted Domain
|
|
611
|
Trusted Domain Removed
|
|
612
|
Audit Policy Change
|
|
617
|
Kerberos Policy Changed
|
|
618
|
Encrypted Data Recovery Policy Changed
|
|
619
|
Audit Security Object changed
|
|
620
|
Trusted Domain Information Modified
|
|
621
|
System Security Access Granted
|
|
622
|
System Security Access Removed
|
|
623
|
System Audit Policy Change
|
|
624
|
User Account Created
|
|
626
|
User Account Enabled
|
|
627
|
Change Password Attempt
|
|
628
|
User Account password set
|
|
629
|
User Account Disabled
|
|
630
|
User Account Deleted
|
|
631
|
Security Enabled Global Group Created
|
|
632
|
Security Enabled Global Group Member Added
|
|
633
|
Security Enabled Global Group Member Removed
|
|
634
|
Security Enabled Global Group Deleted
|
|
635
|
Security Enabled Local Group Created
|
|
636
|
Security Enabled Local Group Member Added
|
|
637
|
Security Enabled Local Group Member Removed
|
|
638
|
Security Enabled Local Group Deleted
|
|
639
|
Security Enabled Local Group Changed
|
|
640
|
General Account Database Change
|
|
641
|
Security Enabled Global Group Changed
|
|
642
|
User Account Changed
|
|
643
|
Domain Policy Changed
|
|
644
|
User Account Locked Out
|
|
645
|
Computer Account Created
|
|
646
|
Computer Account Changed
|
|
647
|
Computer Account Deleted
|
|
648
|
Security Disabled Local Group Created
|
|
649
|
Security Disabled Local Group Changed
|
|
650
|
Security Disabled Local Group Member Added
|
|
651
|
Security Disabled Local Group Member Removed
|
|
652
|
Security Disabled Local Group Deleted
|
|
653
|
Security Disabled Global Group Created
|
|
654
|
Security Disabled Global Group Changed
|
|
655
|
Security Disabled Global Group Member Added
|
|
656
|
Security Disabled Global Group Member Removed
|
|
657
|
Security Disabled Global Group Deleted
|
|
658
|
Security Enabled Universal Group Created
|
|
659
|
Security Enabled Universal Group Changed
|
|
660
|
Security Enabled Universal Group Member Added
|
|
661
|
Security Enabled Universal Group Member Removed
|
|
662
|
Security Enabled Universal Group Deleted
|
|
663
|
Security Disabled Universal Group Created
|
|
664
|
Security Disabled Universal Group Changed
|
|
665
|
Security Disabled Universal Group Member Added
|
|
666
|
Security Disabled Universal Group Member Removed
|
|
667
|
Security Disabled Universal Group Deleted
|
|
668
|
Group Type Changed
|
|
669
|
Add SID History
|
|
670
|
Add SID History
|
|
671
|
User Account Unlocked
|
|
672
|
Authentication Ticket Request
|
|
673
|
Service Ticket Request
|
|
674
|
Service Ticket Renewed
|
|
675
|
Pre-authentication failed
|
|
682
|
Session reconnected to winstation
|
|
683
|
Session disconnected from winstation
|
|
684
|
Set ACLs of members in administrators groups
|
|
685
|
Account Name Changed
|
|
686
|
Password of the following user accessed
|
|
687
|
Basic Application Group Created
|
|
688
|
Basic Application Group Changed
|
|
689
|
Basic Application Group Member Added
|
|
690
|
Basic Application Group Member Removed
|
|
691
|
Basic Application Group Non-Member Added
|
|
692
|
Basic Application Group Non-Member Removed
|
|
693
|
Basic Application Group Deleted
|
|
694
|
LDAP Query Group Created
|
|
695
|
LDAP Query Group Changed
|
|
696
|
LDAP Query Group Deleted
|
|
697
|
Password Policy Checking API is called
|
|
698
|
An attempt to set the Directory Services Restore Mode administrator password has been made
|
|
699
|
RODC SpecifiC Local Group Member Added
|
|
800
|
One or more rows have been deleted from the certificate database
|
|
806
|
Per User Audit Policy table created
|
|
807
|
Per user auditing policy set for user
|
|
808
|
A security event source has attempted to register
|
|
809
|
A security event source has attempted to unregister
|
|
849
|
A rule was listed when the Windows Firewall started
|
|
850
|
A change has been made to Windows Firewall exception list
|
|
851
|
A change has been made to Windows Firewall exception list. A rule was modified
|
|
852
|
A change has been made to Windows Firewall exception list. A rule was deleted
|
|
855
|
A rule has been ignored because its major version number was not recognized by Windows Firewall
|
|
856
|
A rule has been partially ignored because its minor version number was not recognized by Windows Firewall
|
|
857
|
A rule has been rejected by Windows Firewall
|