ID Event Description
1100 The event logging service has shut down
Audit Success, PCI-DSS
1102 The audit log was cleared
CJIS, ISO 27001:2013, PCI-DSS
4624 An account was successfully logged on
CJIS, Audit Success, ISO 27001:2013, HIPAA, NIST SP 800-53, CMMC L1, NIST 800-171
4625 An account failed to log on
Audit Failure, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST SP 800-53, NIST 800-171, CMMC L1
4626 User / Device claims information
Audit Success
4627 Group membership information
Audit Success
4634 An account was logged off
Audit Success
4647 User initiated logoff
Audit Success
4648 A logon was attempted using explicit credentials
Audit Success
4649 A replay attack was detected
Domain Controller, Audit Success, Audit Failure, PCI-DSS, HIPAA, CJIS, ISO 27001:2013
4672 Special privileges assigned to new logon
Audit Success
4692 Backup of data protection master key was attempted
Audit Success, Audit Failure
4693 Recovery of data protection master key was attempted
Audit Success, Audit Failure
4694 Protection of auditable protected data was attempted
Audit Success, Audit Failure
4695 Unprotection of auditable protected data was attempted
Audit Success, Audit Failure
4698 A scheduled task was created
Audit Success, PCI-DSS
4699 A scheduled task was deleted
Audit Success, PCI-DSS
4700 A scheduled task was enabled
Audit Success
4701 A scheduled task was disabled
Audit Success
4702 A scheduled task was updated
Audit Success, PCI-DSS
4704 A user right was assigned
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1, CMMC L3
4713 Kerberos policy was changed
Domain Controller, Audit Success
4717 System security access was granted to an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L3
4718 System security access was removed from an account
ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4719 System audit policy was changed
Audit Success
4720 A user account was created
ISO 27001:2013, NIST SP 800-53, Audit Success, PCI-DSS, NIST 800-171, CMMC L1
4722 A user account was enabled
ISO 27001:2013, NIST SP 800-53, NIST 800-171, Audit Success, PCI-DSS, CMMC L1
4725 A user account was disabled
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4726 A user account was deleted
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, PCI-DSS, CMMC L1
4728 A member was added to a security-enabled global group
Domain Controller, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L1
4732 A member was added to a security-enabled local group
ISO 27001:2013, NIST 800-171, NIST SP 800-53, Audit Success, CMMC L1
4739 Domain Policy was changed
Domain Controller, NIST 800-171, NIST SP 800-53, ISO 27001:2013, Audit Success, CMMC L3
4741 A computer account was created
Domain Controller, Audit Success
4742 A computer account was changed
Domain Controller, Audit Success
4743 A computer account was deleted
Domain Controller, Audit Success
4756 A member was added to a security-enabled universal group
Domain Controller, ISO 27001:2013
4776 The computer attempted to validate the credentials for an account
Audit Failure, Audit Success, CJIS, ISO 27001:2013, PCI-DSS, HIPAA, NIST 800-171, NIST SP 800-53, CMMC L1
4778 A session was reconnected to a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4779 A session was disconnected from a Window Station
Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4782 The password hash an account was accessed
Domain Controller, Audit Success
4793 The Password Policy Checking API was called
Domain Controller, Audit Success
4800 The workstation was locked
Audit Success, ISO 27001:2013, NIST 800-171, NIST SP 800-53, CMMC L3
4801 The workstation was unlocked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4802 The screen saver was invoked
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4803 The screen saver was dismissed
ISO 27001:2013, Audit Success, NIST 800-171, NIST SP 800-53, CMMC L3
4819 Central Access Policies on the machine have been changed
Audit Success
4826 Boot Configuration Data loaded
Audit Success
4902 The Per-user audit policy table was created
Audit Success
4904 An attempt was made to register a security event source
Audit Success
4912 Per User Audit Policy was changed
Audit Success
4930 An Active Directory replica source naming context was modified
Domain Controller, Audit Success, Audit Failure
4931 An Active Directory replica destination naming context was modified
Domain Controller, Audit Success, Audit Failure
4932 Synchronization of a replica of an Active Directory naming context has begun
Audit Success, Audit Failure, Domain Controller
4933 Synchronization of a replica of an Active Directory naming context has ended
Audit Success, Audit Failure, Domain Controller
4944 The following policy was active when the Windows Firewall started
Audit Success
4945 A rule was listed when the Windows Firewall started
Audit Success
4946 A change was made to the Windows Firewall exception list. A rule was added
Audit Success
4947 A change was made to the Windows Firewall exception list. A rule was modified
Audit Success
4948 A change was made to the Windows Firewall exception list. A rule was deleted
Audit Success
4949 Windows Firewall settings were restored to the default values.
Audit Success
4950 A Windows Firewall setting was changed
Audit Success
4951 Windows Firewall ignored a rule because its major version number is not recognized
Audit Failure
4952 Windows Firewall ignored parts of a rule because its minor version number is not recognized
Audit Failure
4953 Windows Firewall ignored a rule because it could not be parsed
Audit Failure
4954 Group Policy settings for Windows Firewall were changed, and the new settings were applied.
Audit Success
4956 Windows Firewall changed the active profile
Audit Success
4957 Windows Firewall did not apply the following rule
Audit Failure
4958 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Audit Failure
4960 IPsec dropped an inbound packet that failed an integrity check
4961 IPsec dropped an inbound packet that failed a replay check
4962 IPsec dropped an inbound packet that failed a replay check
4963 IPsec dropped an inbound clear text packet that should have been secured
4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)
5024 The Windows Firewall service started successfully.
Audit Success
5027 The Windows Firewall service was unable to retrieve the security policy from the local storage.
Audit Failure
5028 Windows Firewall was unable to parse the new security policy.
Audit Failure
5029 The Windows Firewall service failed to initialize the driver.
Audit Failure
5030 The Windows Firewall service failed to start.
Audit Failure
5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Audit Failure
5033 The Windows Firewall Driver started successfully.
Audit Success
5034 The Windows Firewall Driver was stopped.
Audit Success
5035 The Windows Firewall Driver failed to start.
Audit Failure
5037 The Windows Firewall Driver detected a critical runtime error.
Audit Failure
5050 An attempt to programmatically disable Windows Firewall was rejected.
5063 A cryptographic provider operation was attempted.
Audit Success, Audit Failure
5064 A cryptographic context operation was attempted.
Audit Success, Audit Failure
5065 A cryptographic context modification was attempted.
Audit Success, Audit Failure
5066 A cryptographic function operation was attempted.
Audit Success, Audit Failure
5067 A cryptographic function modification was attempted.
Audit Success, Audit Failure
5068 A cryptographic function provider operation was attempted.
Audit Success, Audit Failure
5069 A cryptographic function property operation was attempted.
Audit Success, Audit Failure
5070 A cryptographic function property modification was attempted.
Audit Success, Audit Failure
5140 A network share object was accessed
Audit Success, Audit Failure
5142 A network share object was added
Audit Success
5143 A network share object was modified
Audit Success
5144 A network share object was deleted
Audit Success
5447 A Windows Filtering Platform filter has been changed.
Audit Success
5478 The IPsec Policy Agent service was started.
Audit Success
5480 IPsec Policy Agent failed to get the complete list of network interfaces on the computer.
5483 The IPsec Policy Agent service failed to initialize its RPC server.
5484 The IPsec Policy Agent service experienced a critical failure and has shut down.
5485 IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.
5632 A request was made to authenticate to a wireless network.
Audit Success, Audit Failure
5633 A request was made to authenticate to a wired network.
Audit Success, Audit Failure
6144 Security policy in the group policy objects has been applied successfully.
Audit Success
6145 One or more errors occurred while processing security policy in the group policy objects.
Audit Failure