ID |
Event Description |
1100
|
The event logging service has shut down
Audit Success, PCI-DSS
|
1101
|
Audit Events Have Been Dropped By The Transport
CJIS, PCI-DSS, ISO 27001:2013
|
1102
|
The audit log was cleared
CJIS, ISO 27001:2013, PCI-DSS
|
1104
|
The security event log is now full
CJIS, PCI-DSS, ISO 27001:2013
|
4608
|
Windows is starting up
Audit Success, PCI-DSS
|
4609
|
Windows is shutting down
|
4610
|
An authentication package has been loaded by the Local Security Authority
Audit Success
|
4611
|
A trusted logon process has been registered with the Local Security Authority
Audit Success
|
4612
|
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3, CMMC L2
|
4614
|
A notification package has been loaded by the Security Account Manager
Audit Success
|
4615
|
Invalid use of LPC port
Audit Success
|
4616
|
The system time was changed
Audit Success
|
4618
|
A monitored security event pattern has occurred.
Audit Success
|
4621
|
Administrator recovered system from CrashOnAuditFail.
Audit Success, NIST SP 800-53, NIST 800-171, CMMC L2
|
4622
|
A security package has been loaded by the Local Security Authority
Audit Success
|
4624
|
An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
|
4625
|
An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
|
4626
|
User / Device claims information
Audit Success
|
4634
|
An account was logged off
Audit Success
|
4646
|
n/a
Audit Success
|
4647
|
User initiated logoff
Audit Success
|
4648
|
A logon was attempted using explicit credentials
Audit Success
|
4649
|
A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
|
4650
|
An IPsec main mode security association was established
Audit Success
|
4651
|
An IPsec main mode security association was established
Audit Success
|
4652
|
An IPsec main mode negotiation failed
Audit Failure
|
4653
|
An IPsec main mode negotiation failed
Audit Failure
|
4654
|
An IPsec quick mode negotiation failed
Audit Failure
|
4655
|
An IPsec main mode security association ended
Audit Success
|
4656
|
A handle to an object was requested
Audit Failure, Audit Success, CJIS
|
4657
|
A registry value was modified
Audit Success
|
4658
|
The handle to an object was closed
Audit Success
|
4659
|
A handle to an object was requested with intent to delete
|
4660
|
An object was deleted
Audit Success
|
4661
|
A handle to an object was requested
Domain Controller, Audit Success, Audit Failure
|
4662
|
An operation was performed on an object
Domain Controller, Audit Success, Audit Failure
|
4663
|
An attempt was made to access an object
Audit Success, CJIS
|
4664
|
An attempt was made to create a hard link
Audit Success
|
4665
|
An attempt was made to create an application client context
|
4666
|
An application attempted an operation
|
4667
|
An application client context was deleted
|
4668
|
An application was initialized
|
4670
|
Permissions on an object were changed
Audit Success
|
4671
|
An application attempted to access a blocked ordinal through the TBS
|
4672
|
Special privileges assigned to new logon
Audit Success
|
4673
|
A privileged service was called
Audit Success
|
4674
|
An operation was attempted on a privileged object
Audit Failure, Audit Success
|
4675
|
SIDs were filtered
Domain Controller, Audit Success
|
4688
|
A new process has been created
NIST 800-171, NIST SP 800-53, Audit Success, ISO 27001:2013, CMMC L3
|
4689
|
A process has exited
Audit Success
|
4690
|
An attempt was made to duplicate a handle to an object
Audit Success
|
4691
|
Indirect access to an object was requested
Audit Success
|
4692
|
Backup of data protection master key was attempted
Audit Success, Audit Failure
|
4693
|
Recovery of data protection master key was attempted
Audit Success, Audit Failure
|
4694
|
Protection of auditable protected data was attempted
Audit Success, Audit Failure
|
4695
|
Unprotection of auditable protected data was attempted
Audit Success, Audit Failure
|
4696
|
A primary token was assigned to process
Audit Success
|
4697
|
A service was installed in the system
Audit Success
|
4698
|
A scheduled task was created
Audit Success, PCI-DSS
|
4699
|
A scheduled task was deleted
Audit Success, PCI-DSS
|
4700
|
A scheduled task was enabled
Audit Success
|
4701
|
A scheduled task was disabled
Audit Success
|
4702
|
A scheduled task was updated
Audit Success, PCI-DSS
|
4704
|
A user right was assigned
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
|
4705
|
A user right was removed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
|
4706
|
A new trust was created to a domain
Domain Controller, Audit Success
|
4707
|
A trust to a domain was removed
Domain Controller, Audit Success
|
4709
|
The IPsec Policy Agent service was started
|
4710
|
The IPsec Policy Agent service was disabled
|
4711
|
PAStore Engine
|
4712
|
IPsec Policy Agent encountered a potentially serious failure
|
4713
|
Kerberos policy was changed
Domain Controller, Audit Success
|
4714
|
Data Recovery Agent group policy for Encrypting File System (EFS) has changed
|
4715
|
The audit policy (SACL) on an object was changed
Audit Success
|
4716
|
Trusted domain information was modified
Domain Controller, Audit Success
|
4717
|
System security access was granted to an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
|
4718
|
System security access was removed from an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
|
4719
|
System audit policy was changed
Audit Success
|
4720
|
A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
|
4722
|
A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
|
4723
|
An attempt was made to change an account's password
Audit Success, Audit Failure, CJIS
|
4724
|
An attempt was made to reset an account's password
Audit Failure, Audit Success, CJIS, ISO 27001:2013
|
4725
|
A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
|
4726
|
A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
|
4727
|
A security-enabled global group was created
Domain Controller
|
4728
|
A member was added to a security-enabled global group
Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
|
4729
|
A member was removed from a security-enabled global group
Domain Controller
|
4730
|
A security-enabled global group was deleted
Domain Controller
|
4731
|
A security-enabled local group was created
Audit Success
|
4732
|
A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
|
4733
|
A member was removed from a security-enabled local group
Audit Success
|
4734
|
A security-enabled local group was deleted
Audit Success
|
4735
|
A security-enabled local group was changed
Audit Success
|
4737
|
A security-enabled global group was changed
Domain Controller
|
4738
|
A user account was changed
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
|
4739
|
Domain Policy was changed
Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
|
4740
|
A user account was locked out
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
|
4741
|
A computer account was created
Domain Controller, Audit Success
|
4742
|
A computer account was changed
Domain Controller, Audit Success
|
4743
|
A computer account was deleted
Domain Controller, Audit Success
|
4744
|
A security-disabled local group was created
|
4745
|
A security-disabled local group was changed
|
4746
|
A member was added to a security-disabled local group
|
4747
|
A member was removed from a security-disabled local group
|
4748
|
A security-disabled local group was deleted
|
4749
|
A security-disabled global group was created
Domain Controller, Audit Success
|
4750
|
A security-disabled global group was changed
Domain Controller, Audit Success
|
4751
|
A member was added to a security-disabled global group
Domain Controller, Audit Success
|
4752
|
A member was removed from a security-disabled global group
Domain Controller, Audit Success
|
4753
|
A security-disabled global group was deleted
Domain Controller, Audit Success
|
4754
|
A security-enabled universal group was created
Domain Controller
|
4755
|
A security-enabled universal group was changed
Domain Controller
|
4757
|
A member was removed from a security-enabled universal group
Domain Controller
|
4758
|
A security-enabled universal group was deleted
Domain Controller
|
4759
|
A security-disabled universal group was created
Domain Controller
|
4760
|
A security-disabled universal group was changed
Domain Controller
|
4761
|
A member was added to a security-disabled universal group
Domain Controller
|
4762
|
A member was removed from a security-disabled universal group
Domain Controller
|
4763
|
A security-disabled universal group was deleted
Domain Controller
|
4764
|
A group’s type was changed
Domain Controller, Audit Success
|
4765
|
SID History was added to an account
Domain Controller, Audit Success
|
4766
|
An attempt to add SID History to an account failed
Domain Controller, Audit Failure
|
4767
|
A user account was unlocked
ISO 27001:2013, Audit Success
|
4768
|
This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, NIST 800-171, NIST SP 800-53
|
4769
|
A Kerberos service ticket was requested
Domain Controller, Audit Success, Audit Failure, CJIS, ISO 27001:2013, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
|
4770
|
A Kerberos service ticket was renewed
Domain Controller, Audit Success
|
4771
|
Kerberos pre-authentication failed
Domain Controller, Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L3
|
4772
|
A Kerberos authentication ticket request failed
Domain Controller, Audit Failure, Not Implemented
|
4773
|
A Kerberos service ticket request failed
Domain Controller, Audit Failure, Not Implemented
|
4774
|
An account was mapped for logon
Domain Controller, Audit Success, Audit Failure
|
4775
|
An account could not be mapped for logon
Domain Controller, Audit Failure
|
4776
|
The computer attempted to validate the credentials for an account
Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
|
4777
|
The domain controller failed to validate the credentials for an account
Audit Failure
|
4778
|
A session was reconnected to a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
4779
|
A session was disconnected from a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
4780
|
The ACL was set on accounts which are members of administrators groups
Domain Controller, Audit Success
|
4781
|
The name of an account was changed
Audit Success
|
4782
|
The password hash an account was accessed
Domain Controller, Audit Success
|
4783
|
A basic application group was created
Domain Controller, Audit Success
|
4784
|
A basic application group was changed
Domain Controller, Audit Success
|
4785
|
A member was added to a basic application group
Domain Controller, Audit Success
|
4786
|
A member was removed from a basic application group
Domain Controller, Audit Success
|
4787
|
A non-member was added to a basic application group
Domain Controller, Audit Success
|
4788
|
A non-member was removed from a basic application group
Domain Controller, Audit Success
|
4789
|
A basic application group was deleted
Domain Controller, Audit Success
|
4790
|
An LDAP query group was created
Domain Controller, Audit Success
|
4791
|
A basic application group was changed
Domain Controller, Audit Success
|
4792
|
An LDAP query group was deleted
Domain Controller, Audit Success
|
4793
|
The Password Policy Checking API was called
Domain Controller, Audit Success
|
4794
|
An attempt was made to set the Directory Services Restore Mode administrator password
Domain Controller, Audit Success, Audit Failure
|
4797
|
An attempt was made to query the existence of a blank password for an account
|
4800
|
The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
|
4801
|
The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
4802
|
The screen saver was invoked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
4803
|
The screen saver was dismissed
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
|
4816
|
RPC detected an integrity violation while decrypting an incoming message.
Audit Success
|
4817
|
Auditing settings on object were changed
Audit Success
|
4818
|
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Audit Success
|
4819
|
Central Access Policies on the machine have been changed
Audit Success
|
4820
|
A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions
Domain Controller
|
4825
|
A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
|
4826
|
Boot Configuration Data loaded
Audit Success
|
4864
|
A namespace collision was detected
|
4865
|
A trusted forest information entry was added
|
4866
|
A trusted forest information entry was removed
|
4867
|
A trusted forest information entry was modified
|
4868
|
The certificate manager denied a pending certificate request
|
4869
|
Certificate Services received a resubmitted certificate request
|
4870
|
Certificate Services revoked a certificate
|
4871
|
Certificate Services received a request to publish the certificate revocation list (CRL)
|
4872
|
Certificate Services published the certificate revocation list (CRL)
|
4873
|
A certificate request extension changed
|
4874
|
One or more certificate request attributes changed
|
4875
|
Certificate Services received a request to shut down
|
4876
|
Certificate Services backup started
|
4877
|
Certificate Services backup completed
|
4878
|
Certificate Services restore started
|
4879
|
Certificate Services restore completed
|
4880
|
Certificate Services started
|
4881
|
Certificate Services stopped
|
4882
|
The security permissions for Certificate Services changed
|
4883
|
Certificate Services retrieved an archived key
|
4884
|
Certificate Services imported a certificate into its database
|
4885
|
The audit filter for Certificate Services changed
|
4886
|
Certificate Services received a certificate request
|
4887
|
Certificate Services approved a certificate request and issued a certificate
|
4888
|
Certificate Services denied a certificate request
|
4889
|
Certificate Services set the status of a certificate request to pending
|
4890
|
The certificate manager settings for Certificate Services changed
|
4891
|
A configuration entry changed in Certificate Services
|
4892
|
A property of Certificate Services changed
|
4893
|
Certificate Services archived a key
|
4894
|
Certificate Services imported and archived a key
|
4895
|
Certificate Services published the CA certificate to Active Directory Domain Services
|
4896
|
One or more rows have been deleted from the certificate database
|
4897
|
Role separation enabled
|
4898
|
Certificate Services loaded a template
|
4899
|
A Certificate Services template was updated
|
4900
|
Certificate Services template security was updated
|
4902
|
The Per-user audit policy table was created
Audit Success
|
4904
|
An attempt was made to register a security event source
Audit Success
|
4905
|
An attempt was made to unregister a security event source
Audit Success
|
4906
|
The CrashOnAuditFail value has changed
Audit Success
|
4907
|
Auditing settings on object were changed
|
4908
|
Special Groups Logon table modified
Audit Success
|
4909
|
The local policy settings for the TBS were changed
Not Implemented
|
4910
|
The group policy settings for the TBS were changed
Not Implemented
|
4911
|
Resource attributes of the object were changed
Audit Success
|
4912
|
Per User Audit Policy was changed
Audit Success
|
4913
|
Central Access Policy on the object was changed
Audit Success
|
4928
|
An Active Directory replica source naming context was established
Domain Controller, Audit Success, Audit Failure
|
4929
|
An Active Directory replica source naming context was removed
Domain Controller, Audit Success, Audit Failure
|
4930
|
An Active Directory replica source naming context was modified
Domain Controller, Audit Success, Audit Failure
|
4931
|
An Active Directory replica destination naming context was modified
Domain Controller, Audit Success, Audit Failure
|
4932
|
Synchronization of a replica of an Active Directory naming context has begun
Audit Success, Audit Failure, Domain Controller
|
4933
|
Synchronization of a replica of an Active Directory naming context has ended
Audit Success, Audit Failure, Domain Controller
|
4934
|
Attributes of an Active Directory object were replicated
Domain Controller, Audit Success, Audit Failure
|
4935
|
Replication failure begins
Domain Controller, Audit Success, Audit Failure
|
4936
|
Replication failure ends
Domain Controller, Audit Success, Audit Failure
|
4937
|
A lingering object was removed from a replica
Audit Success
|
4944
|
The following policy was active when the Windows Firewall started
Audit Success
|
4945
|
A rule was listed when the Windows Firewall started
Audit Success
|
4946
|
A change was made to the Windows Firewall exception list. A rule was added
Audit Success
|
4947
|
A change was made to the Windows Firewall exception list. A rule was modified
Audit Success
|
4948
|
A change was made to the Windows Firewall exception list. A rule was deleted
Audit Success
|
4949
|
Windows Firewall settings were restored to the default values.
Audit Success
|
4950
|
A Windows Firewall setting was changed
Audit Success
|
4951
|
Windows Firewall ignored a rule because its major version number is not recognized
Audit Failure
|
4952
|
Windows Firewall ignored parts of a rule because its minor version number is not recognized
Audit Failure
|
4953
|
Windows Firewall ignored a rule because it could not be parsed
Audit Failure
|
4954
|
Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Audit Success
|
4956
|
Windows Firewall changed the active profile
Audit Success
|
4957
|
Windows Firewall did not apply the following rule
Audit Failure
|
4958
|
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Audit Failure
|
4960
|
IPsec dropped an inbound packet that failed an integrity check
|
4961
|
IPsec dropped an inbound packet that failed a replay check
|
4962
|
IPsec dropped an inbound packet that failed a replay check
|
4963
|
IPsec dropped an inbound clear text packet that should have been secured
|
4964
|
Special groups have been assigned to a new logon
Audit Success
|
4965
|
IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
|
4976
|
During main mode negotiation, IPsec received an invalid negotiation packet
Audit Success
|
4977
|
During quick mode negotiation, IPsec received an invalid negotiation packet
|
4978
|
During extended mode negotiation, IPsec received an invalid negotiation packet
|
4979
|
IPsec main mode and extended mode security associations were established
|
4980
|
IPsec main mode and extended mode security associations were established
|
4981
|
IPsec main mode and extended mode security associations were established
|
4982
|
IPsec main mode and extended mode security associations were established
|
4983
|
An IPsec extended mode negotiation failed
|
4984
|
An IPsec extended mode negotiation failed
|
4985
|
The state of a transaction has changed
Audit Success
|
5024
|
The Windows Firewall service started successfully.
Audit Success
|
5025
|
The Windows Firewall service was stopped.
Audit Success
|
5027
|
The Windows Firewall service was unable to retrieve the security policy from the local storage.
Audit Failure
|
5028
|
Windows Firewall was unable to parse the new security policy.
Audit Failure
|
5029
|
The Windows Firewall service failed to initialize the driver.
Audit Failure
|
5030
|
The Windows Firewall service failed to start.
Audit Failure
|
5031
|
Windows Firewall blocked an application from accepting incoming connections on the network.
Audit Failure
|
5032
|
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Audit Failure
|
5033
|
The Windows Firewall Driver started successfully.
Audit Success
|
5034
|
The Windows Firewall Driver was stopped.
Audit Success
|
5035
|
The Windows Firewall Driver failed to start.
Audit Failure
|
5037
|
The Windows Firewall Driver detected a critical runtime error.
Audit Failure
|
5038
|
Code integrity determined that the image hash of a file is not valid.
Audit Failure
|
5039
|
A registry key was virtualized.
|
5040
|
A change was made to IPsec settings. An authentication set was added.
|
5041
|
A change was made to IPsec settings. An authentication set was modified.
|
5042
|
A change was made to IPsec settings. An authentication set was deleted.
|
5043
|
A change was made to IPsec settings. A connection security rule was added.
|
5044
|
A change was made to IPsec settings. A connection security rule was modified.
|
5045
|
A change was made to IPsec settings. A connection security rule was deleted.
|
5046
|
A change was made to IPsec settings. A crypto set was added.
|
5047
|
A change was made to IPsec settings. A crypto set was modified.
|
5048
|
A change was made to IPsec settings. A crypto set was deleted.
|
5049
|
An IPsec security association was deleted.
Audit Success
|
5050
|
An attempt to programmatically disable Windows Firewall was rejected.
|
5051
|
A file was virtualized.
|
5056
|
A cryptographic self test was performed.
Audit Success
|
5057
|
A cryptographic primitive operation failed.
Audit Failure
|
5058
|
Key file operation.
Audit Success, Audit Failure
|
5059
|
Key migration operation.
Audit Success, Audit Failure
|
5060
|
Verification operation failed.
Audit Failure
|
5061
|
Cryptographic operation.
Audit Success, Audit Failure
|
5062
|
A kernel-mode cryptographic self test was performed.
Audit Success
|
5063
|
A cryptographic provider operation was attempted.
Audit Success, Audit Failure
|
5064
|
A cryptographic context operation was attempted.
Audit Success, Audit Failure
|
5065
|
A cryptographic context modification was attempted.
Audit Success, Audit Failure
|
5066
|
A cryptographic function operation was attempted.
Audit Success, Audit Failure
|
5067
|
A cryptographic function modification was attempted.
Audit Success, Audit Failure
|
5068
|
A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
|
5069
|
A cryptographic function property operation was attempted.
Audit Success, Audit Failure
|
5070
|
A cryptographic function property modification was attempted.
Audit Success, Audit Failure
|
5071
|
Key access denied by Microsoft key distribution service.
|
5120
|
OCSP Responder Service Started.
|
5121
|
OCSP Responder Service Stopped.
|
5122
|
A Configuration entry changed in the OCSP Responder Service.
|
5123
|
A configuration entry changed in the OCSP Responder Service.
|
5124
|
A security setting was updated on OCSP Responder Service.
|
5125
|
A request was submitted to OCSP Responder Service.
|
5126
|
Signing Certificate was automatically updated by the OCSP Responder Service.
|
5127
|
The OCSP Revocation Provider successfully updated the revocation information.
|
5136
|
A directory service object was modified
Domain Controller, Audit Success
|
5137
|
A directory service object was created
Domain Controller, Audit Success
|
5138
|
A directory service object was undeleted.
Domain Controller, Audit Success
|
5139
|
A directory service object was moved.
Domain Controller, Audit Success
|
5140
|
A network share object was accessed
Audit Success, Audit Failure
|
5141
|
A directory service object was deleted.
Domain Controller, Audit Success
|
5142
|
A network share object was added
Audit Success
|
5143
|
A network share object was modified
Audit Success
|
5144
|
A network share object was deleted
Audit Success
|
5145
|
A network share object was checked to see whether client can be granted desired access.
Audit Success, Audit Failure
|
5146
|
The Windows Filtering Platform has blocked a packet.
|
5147
|
A more restrictive Windows Filtering Platform filter has blocked a packet.
|
5148
|
The Windows Filtering Platform has detected a DoS attack.
Audit Failure
|
5149
|
The DoS attack has subsided and normal processing is being resumed.
Audit Failure
|
5150
|
The Windows Filtering Platform has blocked a packet.
|
5151
|
A more restrictive Windows Filtering Platform filter has blocked a packet.
|
5152
|
The Windows Filtering Platform has blocked a packet.
Audit Failure
|
5153
|
A more restrictive Windows Filtering Platform filter has blocked a packet.
Audit Success
|
5154
|
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Audit Success
|
5155
|
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Audit Failure
|
5156
|
The Windows Filtering Platform has allowed a connection.
Audit Success
|
5157
|
The Windows Filtering Platform has blocked a connection.
Audit Failure
|
5158
|
The Windows Filtering Platform has permitted a bind to a local port.
Audit Success
|
5168
|
Spn check for SMB/SMB2 fails.
Audit Failure
|
5376
|
Credential Manager credentials were backed up.
Audit Success
|
5377
|
Credential Manager credentials were restored from a backup.
Audit Success
|
5378
|
The requested credentials delegation was disallowed by policy.
Audit Failure
|
5440
|
The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
|
5441
|
The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
|
5442
|
The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
|
5443
|
The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
|
5444
|
The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
|
5446
|
A Windows Filtering Platform callout has been changed.
|
5447
|
A Windows Filtering Platform filter has been changed.
Audit Success
|
5448
|
A Windows Filtering Platform provider has been changed.
|
5449
|
A Windows Filtering Platform provider context has been changed.
|
5450
|
A Windows Filtering Platform sub-layer has been changed.
|
5451
|
An IPsec quick mode security association was established.
|
5452
|
An IPsec quick mode security association ended.
|
5453
|
An IPsec negotiation with a remote computer failed.
Audit Success
|
5456
|
IPsec Policy Agent applied Active Directory storage IPsec policy on the computer.
|
5457
|
IPsec Policy Agent failed to apply Active Directory storage IPsec policy on the computer.
|
5458
|
IPsec Policy Agent applied locally cached copy of Active Directory storage IPsec policy on the computer.
|
5459
|
IPsec Policy Agent failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
|
5460
|
IPsec Policy Agent applied local registry storage IPsec policy on the computer.
|
5461
|
IPsec Policy Agent failed to apply local registry storage IPsec policy on the computer
|
5462
|
IPsec Policy Agent failed to apply some rules of the active IPsec policy on the computer.
|
5463
|
IPsec Policy Agent polled for changes to the active IPsec policy and detected no changes.
|
5464
|
IPsec Policy Agent polled for changes to the active IPsec policy, detected changes, and applied them.
|
5465
|
IPsec Policy Agent received a control for forced reloading of IPsec policy and processed the control successfully.
|
5466
|
IPsec Policy Agent polled for changes to the Active Directory IPsec policy.
|
5467
|
IPsec Policy Agent polled for changes to the Active Directory IPsec policy.
|
5468
|
IPsec Policy Agent polled for changes to the Active Directory IPsec policy.
|
5471
|
IPsec Policy Agent loaded local storage IPsec policy on the computer.
|
5472
|
IPsec Policy Agent failed to load local storage IPsec policy on the computer.
|
5473
|
IPsec Policy Agent loaded directory storage IPsec policy on the computer.
|
5474
|
IPsec Policy Agent failed to load directory storage IPsec policy on the computer.
|
5477
|
IPsec Policy Agent failed to add quick mode filter.
|
5478
|
The IPsec Policy Agent service was started.
Audit Success
|
5479
|
The IPsec Policy Agent service was stopped.
|
5480
|
IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
|
5483
|
The IPsec Policy Agent service failed to initialize its RPC server.
|
5484
|
The IPsec Policy Agent service experienced a critical failure and has shut down.
|
5485
|
IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
|
5632
|
A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
|
5633
|
A request was made to authenticate to a wired network.
Audit Success, Audit Failure
|
5712
|
A Remote Procedure Call (RPC) was attempted.
Audit Success
|
5888
|
An object in the COM+ Catalog was modified.
Audit Success
|
5889
|
An object was deleted from the COM+ Catalog.
Audit Success
|
5890
|
An object was added to the COM+ Catalog.
Audit Success
|
6144
|
Security policy in the group policy objects has been applied successfully.
Audit Success
|
6145
|
One or more errors occurred while processing security policy in the group policy objects.
Audit Failure
|
6272
|
Network Policy Server granted access to a user.
Audit Success, Audit Failure
|
6273
|
Network Policy Server denied access to a user.
Audit Success, Audit Failure
|
6274
|
Network Policy Server discarded the request for a user.
Audit Success, Audit Failure
|
6275
|
Network Policy Server discarded the accounting request for a user.
Audit Success, Audit Failure
|
6276
|
Network Policy Server quarantined a user.
Audit Success, Audit Failure
|
6277
|
Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Audit Success, Audit Failure
|
6278
|
Network Policy Server granted full access to a user because the host met the defined health policy.
Audit Success, Audit Failure
|
6279
|
Network Policy Server locked the user account due to repeated failed authentication attempts.
Audit Success, Audit Failure
|
6280
|
Network Policy Server unlocked the user account.
Audit Success, Audit Failure
|
6281
|
Code Integrity determined that the page hashes of an image file are not valid.
Audit Failure
|
6400
|
BranchCache: Received an incorrectly formatted response while discovering availability of content.
|
6401
|
BranchCache: Received invalid data from a peer. Data discarded.
|
6402
|
BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
|
6403
|
BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
|
6404
|
BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
|
6405
|
BranchCache: %2 instance(s) of event id %1 occurred.
|
6406
|
%1 registered to Windows Firewall to control filtering for the following: %2.
|
6407
|
n/a
|
6408
|
Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
|