ID Event Description
1102 The audit log was cleared
CJIS, ISO 27001:2013, PCI-DSS
4611 A trusted logon process has been registered with the Local Security Authority
Audit Success
4616 The system time was changed
Audit Success
4624 An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
4625 An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
4626 User / Device claims information
Audit Success
4627 Group membership information
Audit Success
4648 A logon was attempted using explicit credentials
Audit Success
4656 A handle to an object was requested
Audit Failure, Audit Success, CJIS
4657 A registry value was modified
Audit Success
4658 The handle to an object was closed
Audit Success
4659 A handle to an object was requested with intent to delete
4660 An object was deleted
Audit Success
4661 A handle to an object was requested
Domain Controller, Audit Success, Audit Failure
4662 An operation was performed on an object
Domain Controller, Audit Success, Audit Failure
4663 An attempt was made to access an object
Audit Success, CJIS
4664 An attempt was made to create a hard link
Audit Success
4670 Permissions on an object were changed
Audit Success
4672 Special privileges assigned to new logon
Audit Success
4673 A privileged service was called
Audit Success
4674 An operation was attempted on a privileged object
Audit Failure, Audit Success
4688 A new process has been created
NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
4689 A process has exited
Audit Success
4690 An attempt was made to duplicate a handle to an object
Audit Success
4696 A primary token was assigned to process
Audit Success
4697 A service was installed in the system
Audit Success
4698 A scheduled task was created
Audit Success, PCI-DSS
4699 A scheduled task was deleted
Audit Success, PCI-DSS
4700 A scheduled task was enabled
Audit Success
4701 A scheduled task was disabled
Audit Success
4702 A scheduled task was updated
Audit Success, PCI-DSS
4703 A token right was adjusted
Audit Success
4717 System security access was granted to an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4718 System security access was removed from an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4719 System audit policy was changed
Audit Success
4720 A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722 A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4723 An attempt was made to change an account's password
Audit Success, Audit Failure, CJIS
4724 An attempt was made to reset an account's password
Audit Failure, Audit Success, CJIS, ISO 27001:2013
4725 A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726 A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4727 A security-enabled global group was created
Domain Controller
4728 A member was added to a security-enabled global group
Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4729 A member was removed from a security-enabled global group
Domain Controller
4730 A security-enabled global group was deleted
Domain Controller
4731 A security-enabled local group was created
Audit Success
4732 A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4733 A member was removed from a security-enabled local group
Audit Success
4734 A security-enabled local group was deleted
Audit Success
4735 A security-enabled local group was changed
Audit Success
4737 A security-enabled global group was changed
Domain Controller
4738 A user account was changed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4740 A user account was locked out
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4741 A computer account was created
Domain Controller, Audit Success
4742 A computer account was changed
Domain Controller, Audit Success
4743 A computer account was deleted
Domain Controller, Audit Success
4744 A security-disabled local group was created
4745 A security-disabled local group was changed
4746 A member was added to a security-disabled local group
4747 A member was removed from a security-disabled local group
4748 A security-disabled local group was deleted
4749 A security-disabled global group was created
Domain Controller, Audit Success
4750 A security-disabled global group was changed
Domain Controller, Audit Success
4751 A member was added to a security-disabled global group
Domain Controller, Audit Success
4752 A member was removed from a security-disabled global group
Domain Controller, Audit Success
4753 A security-disabled global group was deleted
Domain Controller, Audit Success
4754 A security-enabled universal group was created
Domain Controller
4755 A security-enabled universal group was changed
Domain Controller
4756 A member was added to a security-enabled universal group
Domain Controller, ISO 27001:2013
4757 A member was removed from a security-enabled universal group
Domain Controller
4758 A security-enabled universal group was deleted
Domain Controller
4759 A security-disabled universal group was created
Domain Controller
4760 A security-disabled universal group was changed
Domain Controller
4761 A member was added to a security-disabled universal group
Domain Controller
4762 A member was removed from a security-disabled universal group
Domain Controller
4763 A security-disabled universal group was deleted
Domain Controller
4764 A group’s type was changed
Domain Controller, Audit Success
4767 A user account was unlocked
ISO 27001:2013, Audit Success
4781 The name of an account was changed
Audit Success
4782 The password hash of an account was accessed
Domain Controller, Audit Success
4793 The Password Policy Checking API was called
Domain Controller, Audit Success
4794 An attempt was made to set the Directory Services Restore Mode administrator password
Domain Controller, Audit Success, Audit Failure
4797 An attempt was made to query the existence of a blank password for an account
4798 A user's local group membership was enumerated
Audit Success
4799 A security-enabled local group membership was enumerated
Audit Success
4819 Central Access Policies on the machine have been changed
Audit Success
4826 Boot Configuration Data loaded
Audit Success
4904 An attempt was made to register a security event source
Audit Success
4905 An attempt was made to unregister a security event source
Audit Success
4985 The state of a transaction has changed
Audit Success
5136 A directory service object was modified
Domain Controller, Audit Success
5137 A directory service object was created
Domain Controller, Audit Success
5140 A network share object was accessed
Audit Success, Audit Failure
5142 A network share object was added
Audit Success
5143 A network share object was modified
Audit Success
5144 A network share object was deleted
Audit Success
6416 A new external device was recognized by the system
Audit Success