Welcome to Event-o-Pedia
417 event(s) found in the alternate event classification Events by Business Needs
Found categories (630 - Events, 81 - Folders):
110X - Non Audit (EventLog)
This category includes non audit events written to Security Log. These events are generated by event system REGARDLESS of Audit Policy settings and indicate status of the event system.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)
Account Lockout
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Account Lockout
Account Logon
This category includes events indicating the following user actions: credentials validation, i.e. initial logon; access to network resources, e.g. network server logon, file ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon
Account Logon
This category includes events indicating the following user actions: credentials validation, i.e. initial logon; access to network resources, e.g. network server logon, file ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon
Account Management
This category includes events indicating the following user actions: a user/computer account or group is created, changed, or deleted; a user/computer account is renamed, disabled, or enabled...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management
Account Management
This category includes events indicating the following user actions: a user/computer account or group is created, changed, or deleted; a user/computer account is renamed, disabled, or enabled...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management
Application Generated
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Application Generated
Application Group Management
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management
Audit Policy Change
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change
Authentication Policy Change
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change
Authorization Policy Change
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authorization Policy Change
Central Access Policy Staging
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Central Access Policy Staging
Certification Services
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services
Computer Account Management
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Computer Account Management
Credential Validation
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation
Detailed Directory Service Replication
This category contains events that are insignificant for security auditing. We recommend disabling the following subcategories to reduce event noise: Directory Service Replication ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication
Detailed File Share
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Detailed File Share
Detailed Tracking
This category (also known as Process Tracking) includes events indicating the following system/user activity: program activation, process exit, handle duplication, indirect object acc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking
Detailed Tracking
This category (also known as Process Tracking) includes events indicating the following system/user activity: program activation, process exit, handle duplication, ind...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking
Directory Service Access
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Access
Directory Service Changes
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes
Directory Service Replication
This category contains events that are insignificant for security auditing. We recommend disabling the following subcategories to reduce event noise: Directory Service Replication ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Replication
Distribution Group Management
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management
DPAPI Activity
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->DPAPI Activity
DS Access
This category contains events of a user accessing an Active Directory object that has its own system access control list (SACL) specified. It allows tracking the following actions: Creat...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access
DS Access
This category contains events of a user accessing an Active Directory object that has its own system access control list (SACL) specified. It allows tracking the following changes: Creation, Del...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->DS Access
Event processing
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Event processing
EventID 1100 - The event logging service has shut down.
This event indicates that Windows Event Log service has been shut down. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Service shutdown->EventID 1100 - The event logging service has shut down.
EventID 1101 - Audit events have been dropped by the transport. %1.
This event indicates that incoming event data cannot be written to the event log for some reason. InsertionString1 contains a description of the failure reason. Note: Events sent to the Security log are...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Event processing->EventID 1101 - Audit events have been dropped by the transport. %1.
EventID 1102 - The audit log was cleared.
This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. Note: The audit log s...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Log clear->EventID 1102 - The audit log was cleared.
EventID 1104 - The security log is now full.
This event indicates that no more events can be written to the log until it is cleared, rotated, or the log size is increased. Note: If the log is set to Overwrite events as required (retentio...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Event processing->EventID 1104 - The security log is now full.
EventID 1105 - Event log automatic backup
This event indicates that the audit log has been automatically backed up. Note: The audit log should be saved in a file before deleting. The practice of always saving copies of audit logs is good for c...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Log automatic backup->EventID 1105 - Event log automatic backup
EventID 1108 - The event logging service encountered an error while processing an incoming event published from %3.
The cause of this event is undetermined. InsertionString3 contains the name of the event source from which the error originated. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Event processing->EventID 1108 - The event logging service encountered an error while processing an incoming event published from %3.
EventID 4608 - Windows is starting up.
The Local Security Authority logs this event when the auditing system has been successfully initialized during system startup. Note: This event is logged for informational purposes only. Find more...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security State Change->EventID 4608 - Windows is starting up.
EventID 4609 - Windows is shutting down.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003  EventID 513 - Windows is shutting down 
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security State Change->EventID 4609 - Windows is shutting down.
EventID 4610 - An authentication package has been loaded by the Local Security Authority.
This event record indicates that the Local Security Authority (LSA) has successfully loaded an authentication package used for authenticating logon requests. Find more information about this event on...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security System Extension->EventID 4610 - An authentication package has been loaded by the Local Security Authority.
EventID 4611 - A trusted logon process has been registered with the Local Security Authority.
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source. Note: Logon processes are trust...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security System Extension->EventID 4611 - A trusted logon process has been registered with the Local Security Authority.
EventID 4612 - Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 EventID 516 - Internal resources allocated for the queuing...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 4612 - Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
EventID 4614 - A notification package has been loaded by the Security Account Manager.
This event record indicates that the Security Accounts Manager (SAM) has successfully loaded a notification package. Note:  The person responsible for maintaining the Security Account needs to ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security System Extension->EventID 4614 - A notification package has been loaded by the Security Account Manager.
EventID 4615 - Invalid use of LPC port.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 4615 - Invalid use of LPC port.
EventID 4616 - system time was changed. [2008 R2 and higher]
Indicates that the computer's clock was successfully changed. Note: It might have been synchronized with a time server on the Internet or an intranet, or a user might have manually set the system ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security State Change->EventID 4616 - system time was changed. [2008 R2 and higher]
EventID 4616 - system time was changed. [2008]
Indicates that the computer's clock was successfully changed. Note: It might have been synchronized with a time server on the Internet or an intranet, or a user might have manually set the system ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security State Change->EventID 4616 - system time was changed. [2008]
EventID 4618 - A monitored security event pattern has occurred.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 4618 - A monitored security event pattern has occurred.
EventID 4621 - Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security State Change->EventID 4621 - Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
EventID 4622 - A security package has been loaded by the Local Security Authority.
This event record indicates that the Local Security Authority (LSA) has successfully loaded a security package used for authenticating logon requests and/or for providing security services for applica...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security System Extension->EventID 4622 - A security package has been loaded by the Local Security Authority.
EventID 4624 - An account was successfully logged on.
Indicates that a logon session was successfully created for the user logging on to the local computer either locally or remotely. Note: The message contains the Logon ID, a number that is generated w...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon->EventID 4624 - An account was successfully logged on.
EventID 4625 - An account failed to log on.
Indicates that a user failed to log on for any reason. Note: This event is logged on the workstation or server where the user failed to log on. The Logon type field makes it possible to determine if us...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Account Lockout->EventID 4625 - An account failed to log on.
EventID 4625 - An account failed to log on.
Indicates that a user failed to log on for any reason. Note: This event is logged on the workstation or server where the user failed to log on. The Logon type field makes it possible to determine if us...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon->EventID 4625 - An account failed to log on.
EventID 4626 - User / Device claims information.
This event is generated when the Audit User/Device claims subcategory is configured and the user's logon token contains user/device claims information. The Logon ID field can be used to correlate thi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->User / Device Claims->EventID 4626 - User / Device claims information.
EventID 4627 - Group membership information.
Audit Group Membership enables you to audit group membership when it is enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Group Membership->EventID 4627 - Group membership information.
EventID 4634 - An account was logged off.
Indicates that a user has successfully ended a logon session (a network connection to a file share, interactive logon, or other logon type), in other words logged off. Note: This event does not neces...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logoff->EventID 4634 - An account was logged off.
EventID 4646 - IKE DoS-prevention mode started.
IKE DoS-prevention mode started. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4646 - IKE DoS-prevention mode started.
EventID 4647 - User initiated logoff.
Indicates that a user who had logged on interactively (type 2) or by terminal services has started the logoff process. This event means that the system started erasing from memory the user's primary a...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logoff->EventID 4647 - User initiated logoff.
EventID 4648 - A logon was attempted using explicit credentials.
Indicates that a user who is already logged on successfully created another logon session with a different user's credentials. Find more information about this event on ultimatewindowssecurity.com. ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon->EventID 4648 - A logon was attempted using explicit credentials.
EventID 4649 - A replay attack was detected.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4649 - A replay attack was detected.
EventID 4650 - An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4650 - An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
EventID 4651 - An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4651 - An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
EventID 4652 - An IPsec Main Mode negotiation failed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4652 - An IPsec Main Mode negotiation failed.
EventID 4653 - An IPsec Main Mode negotiation failed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4653 - An IPsec Main Mode negotiation failed.
EventID 4654 - An IPsec quick mode negotiation failed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 4654 - An IPsec quick mode negotiation failed.
EventID 4655 - An IPsec Main Mode security association ended.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4655 - An IPsec Main Mode security association ended.
EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might o...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Kernel Object->EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4656 - A handle to an object was requested. [2008 R2 and higher]
EventID 4656 - A handle to an object was requested. [2008]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might o...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4656 - A handle to an object was requested. [2008]
EventID 4656 - A handle to an object was requested. [2008]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Kernel Object->EventID 4656 - A handle to an object was requested. [2008]
EventID 4656 - A handle to an object was requested. [2008]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4656 - A handle to an object was requested. [2008]
EventID 4656 - A handle to an object was requested. [2008]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 4656 - A handle to an object was requested. [2008]
EventID 4656 - A handle to an object was requested. [2008]
It is generated by the corresponding resource manager in multiple subcategories: File System, Kernel Object, Registry, SAM, Other Object Access Events. Note: Event 4656 might oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4656 - A handle to an object was requested. [2008]
EventID 4657 - A registry value was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 4657 - A registry value was modified.
EventID 4658 - The handle to an object was closed.
This event indicates that a previously opened object has been successfully closed. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4658 - The handle to an object was closed.
EventID 4658 - The handle to an object was closed.
This event indicates that a previously opened object has been successfully closed. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4658 - The handle to an object was closed.
EventID 4658 - The handle to an object was closed.
This event indicates that a previously opened object has been successfully closed. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 4658 - The handle to an object was closed.
EventID 4658 - The handle to an object was closed.
This event indicates that a previously opened object has been successfully closed. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Window...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4658 - The handle to an object was closed.
EventID 4659 - A handle to an object was requested with intent to delete.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4659 - A handle to an object was requested with intent to delete.
EventID 4660 - An object was deleted.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 EventID 564 - Object Deleted [Win 2000] Windows 2003 / XP ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4660 - An object was deleted.
EventID 4660 - An object was deleted.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 EventID 564 - Object Deleted [Win 2000] Windows 2003 / XP ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 4660 - An object was deleted.
EventID 4661 - A handle to an object was requested. [2012 and lower]
Indicates that an attempt was made to access a directory service object. Success or failure is indicated in the message.  Note: This event occurs only on Domain Controllers.  Find more in...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Access->EventID 4661 - A handle to an object was requested. [2012 and lower]
EventID 4661 - A handle to an object was requested. [2012 and lower]
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 EventID 565 - Object Open [Win 2000] Windows 2003 EventI...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4661 - A handle to an object was requested. [2012 and lower]
EventID 4661 - A handle to an object was requested. [2012 R2 and higher]
Indicates that an attempt was made to access a directory service object. Success or failure is indicated in the message.  Note: This event occurs only on Domain Controllers.  Find more in...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Access->EventID 4661 - A handle to an object was requested. [2012 R2 and higher]
EventID 4661 - A handle to an object was requested. [2012 R2 and higher]
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 EventID 565 - Object Open [Win 2000] Windows 2003 EventI...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4661 - A handle to an object was requested. [2012 R2 and higher]
EventID 4662 - An operation was performed on an object.
Indicates that an AD object was accessed by a user. Note: This event occurs only on Domain Controllers. Find more information about this event on ultimatewindowssecurity.com. Correspo...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Access->EventID 4662 - An operation was performed on an object.
EventID 4662 - An operation was performed on an object.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4662 - An operation was performed on an object.
EventID 4663 - An attempt was made to access an object.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4663 - An attempt was made to access an object.
EventID 4663 - An attempt was made to access an object.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Kernel Object->EventID 4663 - An attempt was made to access an object.
EventID 4663 - An attempt was made to access an object.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows XP EventID 567 - Object Access Attempt [Win XP] Windows 2003 ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 4663 - An attempt was made to access an object.
EventID 4664 - An attempt was made to create a hard link.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4664 - An attempt was made to create a hard link.
EventID 4665 - An attempt was made to create an application client context.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Application Generated->EventID 4665 - An attempt was made to create an application client context.
EventID 4666 - An application attempted an operation.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Application Generated->EventID 4666 - An application attempted an operation.
EventID 4667 - An application client context was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Application Generated->EventID 4667 - An application client context was deleted.
EventID 4668 - An application was initialized.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Application Generated->EventID 4668 - An application was initialized.
EventID 4670 - Permissions on an object were changed (File System).
This event is generated by the corresponding resource manager in the following categories: File System, Registry. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Subcategory (special)->EventID 4670 - Permissions on an object were changed (File System).
EventID 4670 - Permissions on an object were changed (Registry).
This event is generated by the corresponding resource manager in the following categories: File System, Registry. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Subcategory (special)->EventID 4670 - Permissions on an object were changed (Registry).
EventID 4670 - Permissions on an object were changed (Token).
This event is generated by the corresponding resource manager in the following categories: File System, Registry. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Subcategory (special)->EventID 4670 - Permissions on an object were changed (Token).
EventID 4671 - An application attempted to access a blocked ordinal through the TBS.
TBS - Trusted Platform Module. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4671 - An application attempted to access a blocked ordinal through the TBS.
EventID 4672 - Special privileges assigned to new logon.
This event indicates that one of the following privileges (user rights) is assigned to a user logged on: Act as part of the operating system, Back up files and directories, Create a to...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Special Logon->EventID 4672 - Special privileges assigned to new logon.
EventID 4673 - A privileged service was called.
Indicates that an attempt has been made by a user to use a privilege to perform a privileged system service. Note: These are high volume events, which typically do not contain sufficient information...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Privilege Use->Sensitive Privilege Use->EventID 4673 - A privileged service was called.
EventID 4674 - An operation was attempted on a privileged object - Failure.
This event indicates that the specified user attempted to exercise the user right specified in the Privileges field. Note: These are high volume events, which typically do not contain sufficien...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Privilege Use->Sensitive Privilege Use->EventID 4674 - An operation was attempted on a privileged object - Failure.
EventID 4674 - An operation was attempted on a privileged object - Success.
This event indicates that the specified user attempted to exercise the user right specified in the Privileges field. Note: These are high volume events, which typically do not contain sufficien...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Privilege Use->Sensitive Privilege Use->EventID 4674 - An operation was attempted on a privileged object - Success.
EventID 4675 - SIDs were filtered.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon->EventID 4675 - SIDs were filtered.
EventID 4688 - A new process has been created.
Indicates a successful execution of a program by a user. Note: The New Process ID field allows you to correlate this event to events from other categories. Associated messages have the same Process ID num...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Process Creation->EventID 4688 - A new process has been created.
EventID 4689 - A process has exited.
Indicates a successful closing/termination of a program by a user. Note: To find out when the ended process started, look for a preceding event 4688 with the same Process ID. Find more infor...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Process Termination->EventID 4689 - A process has exited.
EventID 4690 - An attempt was made to duplicate a handle to an object.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Handle Manipulation->EventID 4690 - An attempt was made to duplicate a handle to an object.
EventID 4691 - Indirect access to an object was requested.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4691 - Indirect access to an object was requested.
EventID 4692 - Backup of data protection master key was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->DPAPI Activity->EventID 4692 - Backup of data protection master key was attempted.
EventID 4693 - Recovery of data protection master key was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->DPAPI Activity->EventID 4693 - Recovery of data protection master key was attempted.
EventID 4694 - Protection of auditable protected data was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->DPAPI Activity->EventID 4694 - Protection of auditable protected data was attempted.
EventID 4695 - Unprotection of auditable protected data was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->DPAPI Activity->EventID 4695 - Unprotection of auditable protected data was attempted.
EventID 4696 - A primary token was assigned to process.
Indicates either a successful service start or a scheduled task executing a program under the authority of a different user. Find more information about this event on ultimatewindowssecurity.com. C...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Process Creation->EventID 4696 - A primary token was assigned to process.
EventID 4697 - A service was installed in the system.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security System Extension->EventID 4697 - A service was installed in the system.
EventID 4698 - A scheduled task was created.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 EventID 602 - Scheduled Task created [Win 2003]
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4698 - A scheduled task was created.
EventID 4699 - A scheduled task was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4699 - A scheduled task was deleted.
EventID 4700 - A scheduled task was enabled.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4700 - A scheduled task was enabled.
EventID 4701 - A scheduled task was disabled.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4701 - A scheduled task was disabled.
EventID 4702 - A scheduled task was updated.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 4702 - A scheduled task was updated.
EventID 4703 - A token right was adjusted.
This event generates when token privileges were enabled or disabled for a specific account's token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adju...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Token Right Adjusted Events->EventID 4703 - A token right was adjusted.
EventID 4704 - A user right was assigned.
This event record indicates that a specific right was successfully assigned to the identified user on the computer where the event was logged. Find more information about this event on ultimatewindowssec...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authorization Policy Change->EventID 4704 - A user right was assigned.
EventID 4705 - A user right was removed.
This event record indicates that a specific right assigned to the identified user was successfully removed on the computer where the event was logged. Refer to the link to learn about User Rights. Find m...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authorization Policy Change->EventID 4705 - A user right was removed.
EventID 4706 - A new trust was created to a domain.
This event record indicates that the identified user successfully created a trust relationship with the specified domain. Find more information about this event on ultimatewindowssecurity.com. Corre...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4706 - A new trust was created to a domain.
EventID 4707 - A trust to a domain was removed.
This event record indicates that the identified user successfully removed a trust relationship with the specified domain. Note: Removing certain trust relationships can have serious security im...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4707 - A trust to a domain was removed.
EventID 4709 - IPsec Services was started.
This service provides compatibility with Internet Protocol security (IPsec) policies used in earlier versions of Windows. Note: This is a normal condition. No further action is required. Find more i...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 4709 - IPsec Services was started.
EventID 4710 - IPsec Services was disabled.
This service provides compatibility with Internet Protocol security (IPsec) policies used in earlier versions of Windows. Note: New deployments of Windows Vista and Windows Server 2008 should not us...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 4710 - IPsec Services was disabled.
EventID 4711 - %1
PAStore Engine. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 4711 - %1
EventID 4712 - IPsec Services encountered a potentially serious failure.
Restarting the computer to resolve this problem. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 4712 - IPsec Services encountered a potentially serious failure.
EventID 4713 - Kerberos policy was changed.
Indicates that a change to the GPO named "Kerberos Policy" was successfully applied on the specified computer. Note: This event is logged only on Domain Controllers. Find more information ab...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4713 - Kerberos policy was changed.
EventID 4714 - Data Recovery Agent group policy for Encrypting File System (EFS) has changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 4714 - Data Recovery Agent group policy for Encrypting File System (EFS) has changed.
EventID 4714 - Encrypted data recovery policy was changed.
Indicates that a change to the EFS data recovery agent information was successfully applied on the specified computer. Find more information about this event on ultimatewindowssecurity.com. Correspo...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authorization Policy Change->EventID 4714 - Encrypted data recovery policy was changed.
EventID 4715 - The audit policy (SACL) on an object was changed.
The audit policy (SACL) on an object was changed. The following event is always audited when audit policy is disabled regardless of the "Audit Policy Change" subcategory setting in Windows Vista. Fi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4715 - The audit policy (SACL) on an object was changed.
EventID 4716 - Trusted domain information was modified.
Indicates that an existing trust's properties have been successfully modified. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: W...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4716 - Trusted domain information was modified.
EventID 4717 - System security access was granted to an account.
This event record indicates that a user account was granted logon rights (such as "Access this computer from the network" or "Logon as a service"). Note: Certain rights have security implications....
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4717 - System security access was granted to an account.
EventID 4718 - System security access was removed from an account.
This event record indicates that logon rights (such as "Access this computer from the network" or "Logon as a service") were removed from a user account. Access Right field contains a list of removed...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4718 - System security access was removed from an account.
EventID 4719 - System audit policy was changed.
A change was successfully made to the computer's audit policy. Refer to the link to learn about Audit Policy Categories and Subcategories. Find more information about this event on ultimatewi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4719 - System audit policy was changed.
EventID 4720 - A user account was created.
Indicates a successful creation of a new user account. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 EventI...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4720 - A user account was created.
EventID 4722 - A user account was enabled.
Indicates that a user account was successfully enabled. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 EventI...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4722 - A user account was enabled.
EventID 4723 - An attempt was made to change an account's password.
Indicates successful and failed attempts of a user to change his own or other user's password. Note: For password changes by non-owners see "Event ID 4724 - An attempt was made to reset an account'...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4723 - An attempt was made to change an account's password.
EventID 4724 - An attempt was made to reset an account's password.
Indicates a successful or failed attempt of one user to reset password for another user. Resetting password does not require knowing the current password. Note: For self-password changes see Event...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4724 - An attempt was made to reset an account's password.
EventID 4725 - A user account was disabled.
Indicates that a user account was successfully disabled. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 Event...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4725 - A user account was disabled.
EventID 4726 - A user account was deleted.
Indicates that a "Target Account" was successfully deleted by "Subject" user account. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS version...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4726 - A user account was deleted.
EventID 4727 - A security-enabled global group was created.
Indicates that a global security group was successfully created by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4727 - A security-enabled global group was created.
EventID 4728 - A member was added to a security-enabled global group.
Indicates that a member (user, computer or another group account) was successfully added to the security global group by "Subject" user. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4728 - A member was added to a security-enabled global group.
EventID 4729 - A member was removed from a security-enabled global group.
Indicates that member (user, computer or another group account) was successfully removed from security global group by "Subject" user. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4729 - A member was removed from a security-enabled global group.
EventID 4730 - A security-enabled global group was deleted.
Indicates that security global group was successfully deleted by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Wi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4730 - A security-enabled global group was deleted.
EventID 4731 - A security-enabled local group was created.
Indicates that security local group was successfully created by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Wi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4731 - A security-enabled local group was created.
EventID 4732 - A member was added to a security-enabled local group.
Indicates that a member (user, computer or another group account) was successfully added to the security local group by "Subject" user. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4732 - A member was added to a security-enabled local group.
EventID 4733 - A member was removed from a security-enabled local group.
Indicates that member (user, computer or another group account) was successfully removed from security local group by "Subject" user. Find more information about this event on ultimatewindowssecurit...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4733 - A member was removed from a security-enabled local group.
EventID 4734 - A security-enabled local group was deleted.
Indicates that security local group was successfully deleted by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Win...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4734 - A security-enabled local group was deleted.
EventID 4735 - A security-enabled local group was changed.
Indicates that security local group was successfully changed by "Subject" user. Note: This event also shows group membership changes (additions and removals of a group member) for which there are ot...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4735 - A security-enabled local group was changed.
EventID 4737 - A security-enabled global group was changed.
Indicates that security global group was successfully changed by "Subject" user. Note: This event also shows group membership changes (additions and removals of a group member) for which there are o...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4737 - A security-enabled global group was changed.
EventID 4738 - A user account was changed.
Indicates that a user account ("Target Account") was successfully changed by "Subject" user. Note: In some cases the actual change may be not reflected in this event but another event will be created...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4738 - A user account was changed.
EventID 4739 - Domain Policy was changed.
Indicates that a domain policy was successfully changed by "caller user". Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4739 - Domain Policy was changed.
EventID 4740 - A user account was locked out.
Indicates that a user account ("target account") was locked out due to the fact that the number of consecutive failed logon attempts exceeded the maximum allowed number set in the Domain Lockout Polic...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4740 - A user account was locked out.
EventID 4741 - A computer account was created.
Indicates a successful creation of a "New Computer Account" by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Win...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Computer Account Management->EventID 4741 - A computer account was created.
EventID 4742 - A computer account was changed.
Indicates that a computer account ("Computer Account That Was Changed") was successfully changed by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Correspondi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Computer Account Management->EventID 4742 - A computer account was changed.
EventID 4743 - A computer account was deleted.
Indicates that a "Target Computer" account was successfully deleted by "Subject" user account. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Computer Account Management->EventID 4743 - A computer account was deleted.
EventID 4744 - A security-disabled local group was created.
Indicates that distribution local group was successfully created by "Subject" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4744 - A security-disabled local group was created.
EventID 4745 - A security-disabled local group was changed.
Indicates that distribution local group was successfully changed by "Subject" user. Note: This event occurs only on Domain Controllers. This event also shows group membership changes (addi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4745 - A security-disabled local group was changed.
EventID 4746 - A member was added to a security-disabled local group.
Indicates that a member (user, computer or another group account) was successfully added to the distribution local group by "Subject" user. Find more information about this event on ultimatewindowsse...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4746 - A member was added to a security-disabled local group.
EventID 4747 - A member was removed from a security-disabled local group.
Indicates that member (user, computer or another group account) was successfully removed from distribution local group by "Subject" user. Find more information about this event on ultimatewindowssec...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4747 - A member was removed from a security-disabled local group.
EventID 4748 - A security-disabled local group was deleted.
Indicates that distribution local group was successfully deleted by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4748 - A security-disabled local group was deleted.
EventID 4749 - A security-disabled global group was created.
Indicates that a global distribution group was successfully created by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versio...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4749 - A security-disabled global group was created.
EventID 4750 - A security-disabled global group was changed.
Indicates that distribution global group was successfully changed by "Subject" user. Note: This event also shows group membership changes (additions and removals of a group member) for which there a...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4750 - A security-disabled global group was changed.
EventID 4751 - A member was added to a security-disabled global group.
Indicates that a member (user, computer or another group account) was successfully added to the distribution global group by "Subject" user. Note: This event occurs only on Domain Controllers. Find...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4751 - A member was added to a security-disabled global group.
EventID 4752 - A member was removed from a security-disabled global group.
Indicates that member (user, computer or another group account) was successfully removed from distribution global group by "Subject" user. Note: This event occurs only on Domain Controllers. Find ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4752 - A member was removed from a security-disabled global group.
EventID 4753 - A security-disabled global group was deleted.
Indicates that distribution global group was successfully deleted by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions:...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4753 - A security-disabled global group was deleted.
EventID 4754 - A security-enabled universal group was created.
Indicates that a universal security group was successfully created by "Subject" user. Note: This event occurs only on Domain Controllers. Find more information about this event on ultimatewindowss...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4754 - A security-enabled universal group was created.
EventID 4755 - A security-enabled universal group was changed.
Indicates that security universal group was successfully changed by "Subject" user. Note: This event also shows group membership changes (additions and removals of a group member) for which there ar...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4755 - A security-enabled universal group was changed.
EventID 4756 - A member was added to a security-enabled universal group.
Indicates that a member (user, computer or another group account) was successfully added to the security universal group by "Subject" user. Note: This event occurs only on Domain Controllers. Find ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4756 - A member was added to a security-enabled universal group.
EventID 4757 - A member was removed from a security-enabled universal group.
Indicates that a member (user, computer or another group account) was successfully removed from a security universal group by "Subject" user. Note: This event occurs only on Domain Controllers. Find m...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4757 - A member was removed from a security-enabled universal group.
EventID 4758 - A security-enabled universal group was deleted.
Indicates that a security universal group was successfully deleted by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4758 - A security-enabled universal group was deleted.
EventID 4759 - A security-disabled universal group was created.
Indicates that a universal distribution group was successfully created by "Subject" user. Note: This event occurs only on Domain Controllers. Find more information about this event on ultimatewind...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4759 - A security-disabled universal group was created.
EventID 4760 - A security-disabled universal group was changed.
Indicates that a distribution universal group was successfully changed by "Subject" user. Note: This event occurs only on Domain Controllers. This event also shows group membership changes (...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4760 - A security-disabled universal group was changed.
EventID 4761 - A member was added to a security-disabled universal group.
Indicates that a member (user, computer or another group account) was successfully added to a distribution universal group by "Subject" user. Note: This event occurs only on Domain Controllers. Find...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4761 - A member was added to a security-disabled universal group.
EventID 4762 - A member was removed from a security-disabled universal group.
Indicates that a member (user, computer or another group account) was successfully removed from a distribution universal group by "Subject" user. Note: This event occurs only on Domain Controllers. Fi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4762 - A member was removed from a security-disabled universal group.
EventID 4763 - A security-disabled universal group was deleted.
Indicates that a distribution universal group was successfully deleted by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versio...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Distribution Group Management->EventID 4763 - A security-disabled universal group was deleted.
EventID 4764 - A group's type was changed.
Indicates that the type and/or scope of "target" group was successfully changed by "caller" user. Note: This event occurs only on Domain Controllers. There are two types of groups in Active Directory: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4764 - A group's type was changed.
EventID 4765 - SID History was added to an account.
SID history is used for roaming user profile access, certification authority access, and software installation access, as well as resource access. Find more information about this event on ulti...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4765 - SID History was added to an account.
EventID 4766 - An attempt to add SID History to an account failed.
SID history is used for roaming user profile access, certification authority access, and software installation access, as well as resource access. Find more information about this event on ultimatewi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4766 - An attempt to add SID History to an account failed.
EventID 4767 - A user account was unlocked.
Indicates that "Target Account" was successfully unlocked by "Subject" user. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Window...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4767 - A user account was unlocked.
EventID 4768 - A Kerberos authentication ticket (TGT) was requested - Failure.
Indicates that the authentication ticket was denied to a user or computer account requesting it. In other words, this event indicates a failed user/computer initial domain logon. Note: Logged...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4768 - A Kerberos authentication ticket (TGT) was requested - Failure.
EventID 4768 - A Kerberos authentication ticket (TGT) was requested - Success.
Indicates that the authentication ticket was granted to a user or computer account requesting it. In other words, this event indicates successful user/computer initial domain logon. Note: Logged onl...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4768 - A Kerberos authentication ticket (TGT) was requested - Success.
EventID 4769 - A Kerberos service ticket was requested - Failure.
Indicates that the service ticket was granted or denied to a user or computer account requesting it. In other words, this event indicates a successful or failed attempt of a user/computer account to ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Service Ticket Operations->EventID 4769 - A Kerberos service ticket was requested - Failure.
EventID 4769 - A Kerberos service ticket was requested - Success.
Indicates that the service ticket was granted or denied to a user or computer account requesting it. In other words, this event indicates a successful or failed attempt of a user/computer account to ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Service Ticket Operations->EventID 4769 - A Kerberos service ticket was requested - Success.
EventID 4770 - A Kerberos service ticket was renewed.
Indicates automatic AS ticket or TGS ticket renewal. Note: There is no Failure Audit form of this audit event record. Find more information about this event on ultimatewindowssecurity....
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Service Ticket Operations->EventID 4770 - A Kerberos service ticket was renewed.
EventID 4771 - Kerberos pre-authentication failed.
Indicates that Kerberos pre-authentication failed. The reason is in the failure code, see here. In other words, it indicates a user/computer account failed initial logon. Refer to the link f...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4771 - Kerberos pre-authentication failed.
EventID 4772 - A Kerberos authentication ticket request failed.
No additional info provided for this event from Microsoft. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4772 - A Kerberos authentication ticket request failed.
EventID 4774 - An account was mapped for logon.
No additional info provided for this event from Microsoft. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation->EventID 4774 - An account was mapped for logon.
EventID 4775 - An account could not be mapped for logon.
No additional info provided for this event from Microsoft. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation->EventID 4775 - An account could not be mapped for logon.
EventID 4776 - The computer attempted to validate the credentials for an account.
This event is generated when a logon request fails. It is generated on the computer where access was attempted. Note: The authentication information fields provide detailed information about this spe...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation->EventID 4776 - The computer attempted to validate the credentials for an account.
EventID 4777 - The domain controller failed to validate the credentials for an account.
No additional info provided for this event from Microsoft. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation->EventID 4777 - The domain controller failed to validate the credentials for an account.
EventID 4778 - A session was reconnected to a Window Station.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 EventID 682 - Session reconnected to winstation 
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4778 - A session was reconnected to a Window Station.
EventID 4779 - A session was disconnected from a Window Station.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 EventID 683 - Session disconnected from winstation 
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4779 - A session was disconnected from a Window Station.
EventID 4780 - The ACL was set on accounts which are members of administrators groups.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4780 - The ACL was set on accounts which are members of administrators groups.
EventID 4781 - The name of an account was changed.
Indicates that "Target Account" name was successfully changed by "Subject" user. Note: This event is important to track because a rogue admin may change his account or computer name to cover his mal...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4781 - The name of an account was changed.
EventID 4782 - The password hash an account was accessed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Other Account Management Events->EventID 4782 - The password hash an account was accessed.
EventID 4783 - A basic application group was created.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4783 - A basic application group was created.
EventID 4784 - A basic application group was changed.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4784 - A basic application group was changed.
EventID 4785 - A member was added to a basic application group.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4785 - A member was added to a basic application group.
EventID 4786 - A member was removed from a basic application group.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4786 - A member was removed from a basic application group.
EventID 4787 - A non-member was added to a basic application group.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4787 - A non-member was added to a basic application group.
EventID 4788 - A non-member was removed from a basic application group.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4788 - A non-member was removed from a basic application group.
EventID 4789 - A basic application group was deleted.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4789 - A basic application group was deleted.
EventID 4790 - An LDAP query group was created.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4790 - An LDAP query group was created.
EventID 4791 - A basic application group was changed.
An application group is a group of users, computers, or other security principals. An application group is not a group of applications. Find more information about this event on ultimatewindows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4791 - A basic application group was changed.
EventID 4792 - An LDAP query group was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4792 - An LDAP query group was deleted.
EventID 4793 - The Password Policy Checking API was called.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Other Account Management Events->EventID 4793 - The Password Policy Checking API was called.
EventID 4794 - An attempt was made to set the Directory Services Restore Mode
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4794 - An attempt was made to set the Directory Services Restore Mode
EventID 4797 - An attempt was made to query the existence of a blank password for an account.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4797 - An attempt was made to query the existence of a blank password for an account.
EventID 4798 - A user's local group membership was enumerated.
Windows logs this event when a process enumerates the local groups to which the specified user belongs on that computer. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4798 - A user's local group membership was enumerated.
EventID 4799 - A security-enabled local group membership was enumerated.
Windows logs this event when a process enumerates the members of the specified local group on that computer. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4799 - A security-enabled local group membership was enumerated.
EventID 4800 - The workstation was locked.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4800 - The workstation was locked.
EventID 4801 - The workstation was unlocked.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4801 - The workstation was unlocked.
EventID 4802 - The screen saver was invoked.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4802 - The screen saver was invoked.
EventID 4803 - The screen saver was dismissed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4803 - The screen saver was dismissed.
EventID 4816 - RPC detected an integrity violation while decrypting an incoming message.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 4816 - RPC detected an integrity violation while decrypting an incoming message.
EventID 4817 - Auditing settings on object were changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4817 - Auditing settings on object were changed.
EventID 4818 - Central Access Policy does not grant the same access permissions as the current Central Access Policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Central Access Policy Staging->EventID 4818 - Central Access Policy does not grant the same access permissions as the current Central Access Policy.
EventID 4819 - Central Access Policies on the machine have been changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 4819 - Central Access Policies on the machine have been changed.
EventID 4820 - A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4820 - A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.
EventID 4821 - A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Service Ticket Operations->EventID 4821 - A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
EventID 4822 - NTLM authentication failed because the account was a member of the Protected User group.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation->EventID 4822 - NTLM authentication failed because the account was a member of the Protected User group.
EventID 4823 - NTLM authentication failed because access control restrictions are required.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Credential Validation->EventID 4823 - NTLM authentication failed because access control restrictions are required.
EventID 4824 - Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4824 - Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.
EventID 4825 - A user was denied the access to Remote Desktop.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 4825 - A user was denied the access to Remote Desktop.
EventID 4826 - Boot Configuration Data loaded.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 4826 - Boot Configuration Data loaded.
EventID 4830 - SID History was removed from an account.
Find more information about this event on ultimatewindowssecurity.com. Set-ADUser UserName -remove @{sidhistory="S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx"}
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4830 - SID History was removed from an account.
EventID 4864 - A namespace collision was detected.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4864 - A namespace collision was detected.
EventID 4865 - A trusted forest information entry was added.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4865 - A trusted forest information entry was added.
EventID 4866 - A trusted forest information entry was removed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4866 - A trusted forest information entry was removed.
EventID 4867 - A trusted forest information entry was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authentication Policy Change->EventID 4867 - A trusted forest information entry was modified.
EventID 4868 - The certificate manager denied a pending certificate request.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4868 - The certificate manager denied a pending certificate request.
EventID 4869 - Certificate Services received a resubmitted certificate request.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4869 - Certificate Services received a resubmitted certificate request.
EventID 4870 - Certificate Services revoked a certificate.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4870 - Certificate Services revoked a certificate.
EventID 4871 - Certificate Services received a request to publish the certificate revocation list (CRL).
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4871 - Certificate Services received a request to publish the certificate revocation list (CRL).
EventID 4872 - Certificate Services published the certificate revocation list (CRL).
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4872 - Certificate Services published the certificate revocation list (CRL).
EventID 4873 - A certificate request extension changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4873 - A certificate request extension changed.
EventID 4874 - One or more certificate request attributes changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4874 - One or more certificate request attributes changed.
EventID 4875 - Certificate Services received a request to shut down.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4875 - Certificate Services received a request to shut down.
EventID 4876 - Certificate Services backup started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4876 - Certificate Services backup started.
EventID 4877 - Certificate Services backup completed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4877 - Certificate Services backup completed.
EventID 4878 - Certificate Services restore started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4878 - Certificate Services restore started.
EventID 4879 - Certificate Services restore completed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4879 - Certificate Services restore completed.
EventID 4880 - Certificate Services started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4880 - Certificate Services started.
EventID 4881 - Certificate Services stopped.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4881 - Certificate Services stopped.
EventID 4882 - The security permissions for Certificate Services changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4882 - The security permissions for Certificate Services changed.
EventID 4883 - Certificate Services retrieved an archived key.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4883 - Certificate Services retrieved an archived key.
EventID 4884 - Certificate Services imported a certificate into its database.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4884 - Certificate Services imported a certificate into its database.
EventID 4885 - The audit filter for Certificate Services changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4885 - The audit filter for Certificate Services changed.
EventID 4886 - Certificate Services received a certificate request.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4886 - Certificate Services received a certificate request.
EventID 4887 - Certificate Services approved a certificate request and issued a certificate.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4887 - Certificate Services approved a certificate request and issued a certificate.
EventID 4888 - Certificate Services denied a certificate request.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4888 - Certificate Services denied a certificate request.
EventID 4889 - Certificate Services set the status of a certificate request to pending.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4889 - Certificate Services set the status of a certificate request to pending.
EventID 4890 - The certificate manager settings for Certificate Services changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4890 - The certificate manager settings for Certificate Services changed.
EventID 4891 - A configuration entry changed in Certificate Services.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4891 - A configuration entry changed in Certificate Services.
EventID 4892 - A property of Certificate Services changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4892 - A property of Certificate Services changed.
EventID 4893 - Certificate Services archived a key.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4893 - Certificate Services archived a key.
EventID 4894 - Certificate Services imported and archived a key.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4894 - Certificate Services imported and archived a key.
EventID 4895 - Certificate Services published the CA certificate to Active Directory Domain Services.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4895 - Certificate Services published the CA certificate to Active Directory Domain Services.
EventID 4896 - One or more rows have been deleted from the certificate database.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4896 - One or more rows have been deleted from the certificate database.
EventID 4897 - Role separation enabled.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4897 - Role separation enabled.
EventID 4898 - Certificate Services loaded a template.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4898 - Certificate Services loaded a template.
EventID 4899 - A Certificate Services template was updated.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4899 - A Certificate Services template was updated.
EventID 4900 - Certificate Services template security was updated.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 4900 - Certificate Services template security was updated.
EventID 4902 - The Per-user audit policy table was created.
This event is usually logged at system startup. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4902 - The Per-user audit policy table was created.
EventID 4904 - An attempt was made to register a security event source.
This event record indicates that a process identified by the Process ID field successfully registered itself as being able to write events to the Windows security log. Only audited when success audi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4904 - An attempt was made to register a security event source.
EventID 4905 - An attempt was made to unregister a security event source.
This event record indicates that a process identified by the Process ID field successfully unregistered itself as being able to write events to the Windows security log. Only audited when success au...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4905 - An attempt was made to unregister a security event source.
EventID 4906 - The CrashOnAuditFail value has changed.
This event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4906 - The CrashOnAuditFail value has changed.
EventID 4907 - Auditing settings on object were changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4907 - Auditing settings on object were changed.
EventID 4908 - Special Groups Logon table modified.
This event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. Find more information about this event on ultimatewindowssecurity.com...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4908 - Special Groups Logon table modified.
EventID 4909 - The local policy settings for the TBS were changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 4909 - The local policy settings for the TBS were changed.
EventID 4910 - The group policy settings for the TBS were changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 4910 - The group policy settings for the TBS were changed.
EventID 4911 - Resource attributes of the object were changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authorization Policy Change->EventID 4911 - Resource attributes of the object were changed.
EventID 4912 - Per User Audit Policy was changed.
This event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Audit Policy Change->EventID 4912 - Per User Audit Policy was changed.
EventID 4913 - Central Access Policy on the object was changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Authorization Policy Change->EventID 4913 - Central Access Policy on the object was changed.
EventID 4928 - An Active Directory replica source naming context was established.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4928 - An Active Directory replica source naming context was established.
EventID 4929 - An Active Directory replica source naming context was removed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4929 - An Active Directory replica source naming context was removed.
EventID 4930 - An Active Directory replica source naming context was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4930 - An Active Directory replica source naming context was modified.
EventID 4931 - An Active Directory replica destination naming context was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4931 - An Active Directory replica destination naming context was modified.
EventID 4932 - Synchronization of a replica of an Active Directory naming context has begun.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Replication->EventID 4932 - Synchronization of a replica of an Active Directory naming context has begun.
EventID 4933 - Synchronization of a replica of an Active Directory naming context has ended.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Replication->EventID 4933 - Synchronization of a replica of an Active Directory naming context has ended.
EventID 4934 - Attributes of an Active Directory object were replicated.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4934 - Attributes of an Active Directory object were replicated.
EventID 4935 - Replication failure begins.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4935 - Replication failure begins.
EventID 4936 - Replication failure ends.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4936 - Replication failure ends.
EventID 4937 - A lingering object was removed from a replica.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Detailed Directory Service Replication->EventID 4937 - A lingering object was removed from a replica.
EventID 4944 - The following policy was active when the Windows Firewall started.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 EventID 848 - The following policy was active when the Win...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4944 - The following policy was active when the Windows Firewall started.
EventID 4945 - A rule was listed when the Windows Firewall started.
This event is logged every time Windows Firewall starts. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4945 - A rule was listed when the Windows Firewall started.
EventID 4946 - A change has been made to Windows Firewall exception list. A rule was added.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 EventID 851 - A change has been made to the Windows Firewa...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4946 - A change has been made to Windows Firewall exception list. A rule was added.
EventID 4947 - A change has been made to Windows Firewall exception list. A rule was modified.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 EventID 851 - A change has been made to the Windows Firew...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4947 - A change has been made to Windows Firewall exception list. A rule was modified.
EventID 4948 - A change has been made to Windows Firewall exception list. A rule was deleted.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 EventID 851 - A change has been made to the Windows Firew...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4948 - A change has been made to Windows Firewall exception list. A rule was deleted.
EventID 4949 - Windows Firewall settings were restored to the default values.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4949 - Windows Firewall settings were restored to the default values.
EventID 4950 - A Windows Firewall setting has changed.
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000, 2003 EventID 854 - The Windows Firewall logging settings have ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4950 - A Windows Firewall setting has changed.
EventID 4951 - A rule has been ignored because its major version number was not recognized by Windows Firewall.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4951 - A rule has been ignored because its major version number was not recognized by Windows Firewall.
EventID 4952 - Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4952 - Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
EventID 4953 - A rule has been ignored by Windows Firewall because it could not parse the rule.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4953 - A rule has been ignored by Windows Firewall because it could not parse the rule.
EventID 4954 - Windows Firewall Group Policy settings has changed. The new settings have been applied.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4954 - Windows Firewall Group Policy settings has changed. The new settings have been applied.
EventID 4956 - Windows Firewall has changed the active profile.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4956 - Windows Firewall has changed the active profile.
EventID 4957 - Windows Firewall did not apply the following rule.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4957 - Windows Firewall did not apply the following rule.
EventID 4958 - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change->EventID 4958 - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
EventID 4960 - IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this compute...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 4960 - IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this compute...
EventID 4961 - IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 4961 - IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
EventID 4962 - IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 4962 - IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
EventID 4963 - IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This coul...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 4963 - IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This coul...
EventID 4964 - Special groups have been assigned to a new logon.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Special Logon->EventID 4964 - Special groups have been assigned to a new logon.
EventID 4965 - IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these e...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 4965 - IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these e...
EventID 4976 - During Main Mode negotiation, IPsec received an invalid negotiation packet.
During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Find more ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 4976 - During Main Mode negotiation, IPsec received an invalid negotiation packet.
EventID 4977 - During Quick Mode negotiation, IPsec received an invalid negotiation packet.
During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Find more...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 4977 - During Quick Mode negotiation, IPsec received an invalid negotiation packet.
EventID 4978 - During Extended Mode negotiation, IPsec received an invalid negotiation packet.
During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. Find mo...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4978 - During Extended Mode negotiation, IPsec received an invalid negotiation packet.
EventID 4979 - IPsec Main Mode and Extended Mode security associations were established.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4979 - IPsec Main Mode and Extended Mode security associations were established.
EventID 4980 - IPsec Main Mode and Extended Mode security associations were established.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4980 - IPsec Main Mode and Extended Mode security associations were established.
EventID 4981 - IPsec Main Mode and Extended Mode security associations were established.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4981 - IPsec Main Mode and Extended Mode security associations were established.
EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2008 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2008 R2 and lower]
EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2012 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4982 - IPsec Main Mode and Extended Mode security associations were established. [2012 and higher]
EventID 4983 - An IPsec Extended Mode negotiation failed.
An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. Note: This event provides event audit data in the following categories: Local Endpoint, ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4983 - An IPsec Extended Mode negotiation failed.
EventID 4984 - An IPsec Extended Mode negotiation failed.
An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. Note: This event provides event audit data in the following categories: Local Endpoint, ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode->EventID 4984 - An IPsec Extended Mode negotiation failed.
EventID 4985 - The state of a transaction has changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4985 - The state of a transaction has changed.
EventID 5024 - The Windows Firewall Service has started successfully.
Indicates the successful startup of Windows Firewall service. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5024 - The Windows Firewall Service has started successfully.
EventID 5025 - The Windows Firewall Service has been stopped.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5025 - The Windows Firewall Service has been stopped.
EventID 5027 - The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5027 - The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
EventID 5028 - The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5028 - The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
EventID 5029 - The Windows Firewall Service failed to initialize the driver.
The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5029 - The Windows Firewall Service failed to initialize the driver.
EventID 5030 - The Windows Firewall Service failed to start.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5030 - The Windows Firewall Service failed to start.
EventID 5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.
EventID 5032 - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. Thi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5032 - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
EventID 5033 - The Windows Firewall Driver has started successfully.
The Windows Firewall Driver has started successfully. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5033 - The Windows Firewall Driver has started successfully.
EventID 5034 - The Windows Firewall Driver has been stopped.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5034 - The Windows Firewall Driver has been stopped.
EventID 5035 - The Windows Firewall Driver failed to start.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5035 - The Windows Firewall Driver failed to start.
EventID 5037 - The Windows Firewall Driver detected critical runtime error. Terminating.
The Windows Firewall Driver detected critical runtime error. Terminating. Error Code: %1 Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5037 - The Windows Firewall Driver detected critical runtime error. Terminating.
EventID 5038 - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk dev...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5038 - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk dev...
EventID 5039 - A registry key was virtualized.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry->EventID 5039 - A registry key was virtualized.
EventID 5040 - A change has been made to IPsec settings. An Authentication Set was added.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5040 - A change has been made to IPsec settings. An Authentication Set was added.
EventID 5041 - A change has been made to IPsec settings. An Authentication Set was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5041 - A change has been made to IPsec settings. An Authentication Set was modified.
EventID 5042 - A change has been made to IPsec settings. An Authentication Set was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5042 - A change has been made to IPsec settings. An Authentication Set was deleted.
EventID 5043 - A change has been made to IPsec settings. A Connection Security Rule was added.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5043 - A change has been made to IPsec settings. A Connection Security Rule was added.
EventID 5044 - A change has been made to IPsec settings. A Connection Security Rule was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5044 - A change has been made to IPsec settings. A Connection Security Rule was modified.
EventID 5045 - A change has been made to IPsec settings. A Connection Security Rule was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5045 - A change has been made to IPsec settings. A Connection Security Rule was deleted.
EventID 5046 - A change has been made to IPsec settings. A Crypto Set was added.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5046 - A change has been made to IPsec settings. A Crypto Set was added.
EventID 5047 - A change has been made to IPsec settings. A Crypto Set was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5047 - A change has been made to IPsec settings. A Crypto Set was modified.
EventID 5048 - A change has been made to IPsec settings. A Crypto Set was deleted.
This is a normal condition. No further action is required. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5048 - A change has been made to IPsec settings. A Crypto Set was deleted.
EventID 5049 - An IPsec Security Association was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 5049 - An IPsec Security Association was deleted.
EventID 5050 - An attempt to programmatically disable Windows Firewall is not supported on this version of Windows.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5050 - An attempt to programmatically disable Windows Firewall is not supported on this version of Windows.
EventID 5051 - A file was virtualized.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 5051 - A file was virtualized.
EventID 5056 - A cryptographic self test was performed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5056 - A cryptographic self test was performed.
EventID 5057 - A cryptographic primitive operation failed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5057 - A cryptographic primitive operation failed.
EventID 5058 - Key file operation.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5058 - Key file operation.
EventID 5059 - Key migration operation.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5059 - Key migration operation.
EventID 5060 - Verification operation failed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5060 - Verification operation failed.
EventID 5061 - Cryptographic operation.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5061 - Cryptographic operation.
EventID 5062 - A kernel-mode cryptographic self test was performed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5062 - A kernel-mode cryptographic self test was performed.
EventID 5063 - A cryptographic provider operation was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5063 - A cryptographic provider operation was attempted.
EventID 5064 - A cryptographic context operation was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5064 - A cryptographic context operation was attempted.
EventID 5065 - A cryptographic context modification was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5065 - A cryptographic context modification was attempted.
EventID 5066 - A cryptographic function operation was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5066 - A cryptographic function operation was attempted.
EventID 5067 - A cryptographic function modification was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5067 - A cryptographic function modification was attempted.
EventID 5068 - A cryptographic function provider operation was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5068 - A cryptographic function provider operation was attempted.
EventID 5069 - A cryptographic function property operation was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5069 - A cryptographic function property operation was attempted.
EventID 5070 - A cryptographic function property modification was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5070 - A cryptographic function property modification was attempted.
EventID 5071 - Key access denied by Microsoft key distribution service.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 5071 - Key access denied by Microsoft key distribution service.
EventID 512 - Windows is starting up
The Local Security Authority logs this event when the auditing system is initialized. Note: This event corresponds to a Security 513 event. This event is logged for informational purposes only. Fin...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 512 - Windows is starting up
EventID 5120 - OCSP Responder Service Started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5120 - OCSP Responder Service Started.
EventID 5121 - OCSP Responder Service Stopped.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5121 - OCSP Responder Service Stopped.
EventID 5122 - Configuration entry changed in the OCSP Responder Service.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5122 - Configuration entry changed in the OCSP Responder Service.
EventID 5123 - A configuration entry changed in the OCSP Responder Service.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5123 - A configuration entry changed in the OCSP Responder Service.
EventID 5124 - A security setting was updated on OCSP Responder Service.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5124 - A security setting was updated on OCSP Responder Service.
EventID 5125 - A request was submitted to OCSP Responder Service.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5125 - A request was submitted to OCSP Responder Service.
EventID 5126 - Signing Certificate was automatically updated by the OCSP Responder Service.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5126 - Signing Certificate was automatically updated by the OCSP Responder Service.
EventID 5127 - The OCSP Revocation Provider successfully updated the revocation information.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Certification Services->EventID 5127 - The OCSP Revocation Provider successfully updated the revocation information.
EventID 513 - Windows is shutting down
The Event Log service, on behalf of the Local Security Authority, logs this event when it is notified that Windows is shutting down. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 513 - Windows is shutting down
EventID 5136 - A directory service object was modified.
Note: This event occurs only on Domain Controllers. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 Eve...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5136 - A directory service object was modified.
EventID 5137 - A directory service object was created.
Documents creation of AD objects, identifying the object created and the user who created it. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5137 - A directory service object was created.
EventID 5138 - A directory service object was undeleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5138 - A directory service object was undeleted.
EventID 5139 - A directory service object was moved.
Documents the move of an AD object from one OU to another, identifying the object moved, the user who moved it, and its old and new location. Find more information about this event on ultimatewi...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5139 - A directory service object was moved.
EventID 514 - An authentication package has been loaded by the Local Security Authority
This event record indicates that the Local Security Authority (LSA) has successfully loaded an authentication package used for authenticating logon requests. Note: Authentication packages are r...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 514 - An authentication package has been loaded by the Local Security Authority
EventID 5140 - A network share object was accessed. [2008 R2 or higher]
Gives the share that was used to access the file. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share->EventID 5140 - A network share object was accessed. [2008 R2 or higher]
EventID 5140 - A network share object was accessed. [2008]
Gives the share that was used to access the file. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share->EventID 5140 - A network share object was accessed. [2008]
EventID 5141 - A directory service object was deleted.
Documents deletion of AD objects, identifying the object deleted and the user who deleted it. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5141 - A directory service object was deleted.
EventID 5142 - A network share object was added.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share->EventID 5142 - A network share object was added.
EventID 5143 - A network share object was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share->EventID 5143 - A network share object was modified.
EventID 5144 - A network share object was deleted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share->EventID 5144 - A network share object was deleted.
EventID 5145 - A network share object was checked to see whether client can be granted desired access.
High volume on a file server or domain controller because of the SYSVOL network access required by Group Policy. Note: If the Audit Detailed File Share policy setting is configured, the following event is gen...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Detailed File Share->EventID 5145 - A network share object was checked to see whether client can be granted desired access.
EventID 5146 - The Windows Filtering Platform has blocked a packet.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Packet Drop->EventID 5146 - The Windows Filtering Platform has blocked a packet.
EventID 5147 - A more restrictive Windows Filtering Platform filter has blocked a packet.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Packet Drop->EventID 5147 - A more restrictive Windows Filtering Platform filter has blocked a packet.
EventID 5148 - The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 5148 - The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
EventID 5149 - The DoS attack has subsided and normal processing is being resumed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 5149 - The DoS attack has subsided and normal processing is being resumed.
EventID 515 - A trusted logon process has registered with the Local Security Authority
This event record indicates that a logon process has registered with the Local Security Authority (LSA). Also, logon requests will now be accepted from this source. Note: Logon processes are t...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 515 - A trusted logon process has registered with the Local Security Authority
EventID 5150 - The Windows Filtering Platform has blocked a packet. [2008 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5150 - The Windows Filtering Platform has blocked a packet. [2008 R2 and lower]
EventID 5150 - The Windows Filtering Platform has blocked a packet. [2012 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5150 - The Windows Filtering Platform has blocked a packet. [2012 and higher]
EventID 5151 - A more restrictive Windows Filtering Platform filter has blocked a packet. [2008 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5151 - A more restrictive Windows Filtering Platform filter has blocked a packet. [2008 R2 and lower]
EventID 5151 - A more restrictive Windows Filtering Platform filter has blocked a packet. [2012 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5151 - A more restrictive Windows Filtering Platform filter has blocked a packet. [2012 and higher]
EventID 5152 - The Windows Filtering Platform blocked a packet.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Packet Drop->EventID 5152 - The Windows Filtering Platform blocked a packet.
EventID 5153 - A more restrictive Windows Filtering Platform filter has blocked a packet.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Packet Drop->EventID 5153 - A more restrictive Windows Filtering Platform filter has blocked a packet.
EventID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
EventID 5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
EventID 5156 - The Windows Filtering Platform has allowed a connection.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5156 - The Windows Filtering Platform has allowed a connection.
EventID 5157 - The Windows Filtering Platform has blocked a connection.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5157 - The Windows Filtering Platform has blocked a connection.
EventID 5158 - The Windows Filtering Platform has permitted a bind to a local port.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5158 - The Windows Filtering Platform has permitted a bind to a local port.
EventID 5159 - The Windows Filtering Platform has blocked a bind to a local port.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection->EventID 5159 - The Windows Filtering Platform has blocked a bind to a local port.
EventID 516 - Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
This event record indicates that audit event records have been discarded, due to overwriting of earlier records or due to cessation of auditing, depending on the audit policy you have established; o...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 516 - Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
EventID 5168 - SPN check for SMB/SMB2 fails.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share->EventID 5168 - SPN check for SMB/SMB2 fails.
EventID 5169 - A directory service object was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5169 - A directory service object was modified.
EventID 517 - The audit log was cleared
This event record indicates that the audit log has been cleared. This event is always recorded, regardless of the audit policy. It is recorded even if auditing is turned off. Note: The audit log s...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 517 - The audit log was cleared
EventID 5170 - A directory service object was modified during a background cleanup task.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->DS Access->Directory Service Changes->EventID 5170 - A directory service object was modified during a background cleanup task.
EventID 518 - A notification package has been loaded by the Security Account Manager
This event record indicates that the Security Accounts Manager (SAM) has successfully loaded a notification package. Note: The person responsible for maintaining the Security Account need...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 518 - A notification package has been loaded by the Security Account Manager
EventID 520 - The system time was changed [Win 2003 / XP]
Indicates that the computer's clock was successfully changed. Note: It might have been synchronized with a time server on the Internet or an intranet, or a user might have manually set the system ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System->EventID 520 - The system time was changed [Win 2003 / XP]
EventID 528 - Successful Logon [Win 2000]
Indicates that a logon session was successfully created for the user logging in locally. Note: The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Log...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 528 - Successful Logon [Win 2000]
EventID 528 - Successful Logon [Win 2003]
Indicates that a logon session was successfully created for the user logging in locally. Note: The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Log...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 528 - Successful Logon [Win 2003]
EventID 528 - Successful Logon [Win XP]
Indicates that a logon session was successfully created for the user logging in locally. Note: The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Log...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 528 - Successful Logon [Win XP]
EventID 529 - Logon Failure - Unknown user name or bad password [Win 2000 / XP]
Indicates that a user failed to log on due to an unknown user name or bad password. Note: The person with administrative rights for the computer should establish a threshold limit for attempted logons....
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 529 - Logon Failure - Unknown user name or bad password [Win 2000 / XP]
EventID 529 - Logon Failure - Unknown user name or bad password [Win 2003]
Indicates that a user failed to log on due to an unknown user name or bad password. Note: The person with administrative rights for the computer should establish a threshold limit for attempted logons....
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 529 - Logon Failure - Unknown user name or bad password [Win 2003]
EventID 530 - Logon Failure - Account logon time restriction violation [Win 2000 / XP]
Indicates that a user's attempt to log on failed because it occurred outside the hours that the user is allowed to log on. This restriction is configured on the user's domain account. Note: This event is...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 530 - Logon Failure - Account logon time restriction violation [Win 2000 / XP]
EventID 530 - Logon Failure - Account logon time restriction violation [Win 2003]
Indicates that a user's attempt to log on failed because it occurred outside the hours that the user is allowed to log on. This restriction is configured on the user's domain account. Note: This event is...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 530 - Logon Failure - Account logon time restriction violation [Win 2003]
EventID 531 - Logon Failure - Account currently disabled [Win 2000 / XP]
Indicates that a user's attempt to log on failed because the user account used to log on was disabled at the time of logon. This restriction is configured on the user account on the local computer or on t...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 531 - Logon Failure - Account currently disabled [Win 2000 / XP]
EventID 531 - Logon Failure - Account currently disabled [Win 2003]
Indicates that a user's attempt to log on failed because the user account used to log on was disabled at the time of logon. This restriction is configured on the user account on the local computer or on t...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 531 - Logon Failure - Account currently disabled [Win 2003]
EventID 532 - Logon Failure - The specified user account has expired [Win 2000 / XP]
Indicates that a user's attempt to log on failed because the user account used to log on has expired. This restriction is configured on the user's domain account. Note: This event should not be confused wit...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 532 - Logon Failure - The specified user account has expired [Win 2000 / XP]
EventID 532 - Logon Failure - The specified user account has expired [Win 2003]
Indicates that user attempt to log on failed because the user account used to log on has expired. This restriction is configured on the user's domain account. Note: This event should not be confused wit...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 532 - Logon Failure - The specified user account has expired [Win 2003]
EventID 533 - Logon Failure - User not allowed to logon at this computer [Win 2000 / XP]
Indicates that user attempt to log on failed because the user account is not permitted to log on from this computer. This restriction is configured on the user's domain. Note: This event is logged on...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 533 - Logon Failure - User not allowed to logon at this computer [Win 2000 / XP]
EventID 533 - Logon Failure - User not allowed to logon at this computer [Win 2003]
Indicates that user attempt to log on failed because the user account is not permitted to log on from this computer. This restriction is configured on the user's domain. Note: This event is logged on...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 533 - Logon Failure - User not allowed to logon at this computer [Win 2003]
EventID 534 - Logon Failure - The user has not been granted the requested logon type at this machine [Win 2000 / XP]
Indicates that user attempt to log on failed because the local security policy of the computer does not allow the user to log on in the requested fashion (such as interactively). Note: The cod...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 534 - Logon Failure - The user has not been granted the requested logon type at this machine [Win 2000 / XP]
EventID 534 - Logon Failure - The user has not been granted the requested logon type at this machine [Win 2003]
Indicates that user attempt to log on failed because the local security policy of the computer does not allow the user to log on in the requested fashion (such as interactively). Note: Th...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 534 - Logon Failure - The user has not been granted the requested logon type at this machine [Win 2003]
EventID 535 - Logon Failure - The specified account's password has expired [Win 2000 / XP]
Indicates that user attempt to log on failed because the user account password that was used to log on has expired. This restriction is configured on the user account on the local computer or on the d...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 535 - Logon Failure - The specified account's password has expired [Win 2000 / XP]
EventID 535 - Logon Failure - The specified account's password has expired [Win 2003]
Indicates that user attempt to log on failed because the user account password that was used to log on has expired. This restriction is configured on the user account on the local computer or on the d...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 535 - Logon Failure - The specified account's password has expired [Win 2003]
EventID 536 - The NetLogon component is not active
This event record indicates that a logon attempt was made and rejected because the Net Logon service was not running. The Net Logon service supports pass-through authentication of account logons an...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 536 - The NetLogon component is not active
EventID 537 - An unexpected error occurred during logon
This event record indicates that a logon attempt was made and rejected for some reason other than those covered by explicit audit records in this category.
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 537 - An unexpected error occurred during logon
EventID 5376 - Credential Manager credentials were backed up.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 5376 - Credential Manager credentials were backed up.
EventID 5377 - Credential Manager credentials were restored from a backup.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 5377 - Credential Manager credentials were restored from a backup.
EventID 5378 - The requested credentials delegation was disallowed by policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 5378 - The requested credentials delegation was disallowed by policy.
EventID 538 - User Logoff
Indicates that a user has successfully ended a logon session (a network connection to a file share, interactive logon, or other logon type), in other words logged off. Note: If you configure an audit...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 538 - User Logoff
EventID 539 - Logon Failure - Account locked out [Win 2000 / XP]
Indicates that user attempt to log on failed because a user tried to log on to the system using an account that is locked out. Note: A large number of these events logged in Event Viewer usually indi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 539 - Logon Failure - Account locked out [Win 2000 / XP]
EventID 539 - Logon Failure - Account locked out [Win 2003]
Indicates that user attempt to log on failed because a user tried to log on to the system using an account that is locked out. Note: A large number of these events logged in Event Viewer usually indi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 539 - Logon Failure - Account locked out [Win 2003]
EventID 540 - Successful Network Logon [Win 2000]
Indicates that a logon session was successfully created for the user logging in remotely to access a network resource (e.g. a file share). Note: The message contains the Logon ID, a number that is ge...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 540 - Successful Network Logon [Win 2000]
EventID 540 - Successful Network Logon [Win 2003]
Indicates that a logon session was successfully created for the user logging in remotely to access a network resource (e.g. a file share). Note: The message contains the Logon ID, a number that is ge...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 540 - Successful Network Logon [Win 2003]
EventID 540 - Successful Network Logon [Win XP]
Indicates that a logon session was successfully created for the user logging in remotely to access a network resource (e.g. a file share). Note: The message contains the Logon ID, a number that is ge...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 540 - Successful Network Logon [Win XP]
EventID 5440 - The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5440 - The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
EventID 5441 - The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
This event is logged for each filter of each WFP provider at startup. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5441 - The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
EventID 5442 - The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
This event is logged for each filter of each WFP provider at startup. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5442 - The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
EventID 5443 - The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
This event is logged for each filter of each WFP provider at startup. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5443 - The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
EventID 5444 - The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
This event is logged for each filter of each WFP provider at startup. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5444 - The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
EventID 5446 - A Windows Filtering Platform callout has been changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5446 - A Windows Filtering Platform callout has been changed.
EventID 5447 - A Windows Filtering Platform filter has been changed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 5447 - A Windows Filtering Platform filter has been changed.
EventID 5448 - A Windows Filtering Platform provider has been changed.
This event is logged when a WFP provider is added or there is a change to an existing provider. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5448 - A Windows Filtering Platform provider has been changed.
EventID 5449 - A Windows Filtering Platform provider context has been changed.
This event is logged when a WFP provider context is added or there is a change to an existing provider. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5449 - A Windows Filtering Platform provider context has been changed.
EventID 5450 - A Windows Filtering Platform sub-layer has been changed.
This event is logged when a WFP provider context is added or there is a change to an existing provider. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5450 - A Windows Filtering Platform sub-layer has been changed.
EventID 5451 - An IPsec Quick Mode security association was established.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 5451 - An IPsec Quick Mode security association was established.
EventID 5452 - An IPsec Quick Mode security association ended. [2008 R2]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 5452 - An IPsec Quick Mode security association ended. [2008 R2]
EventID 5452 - An IPsec Quick Mode security association ended. [2008]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 5452 - An IPsec Quick Mode security association ended. [2008]
EventID 5452 - An IPsec Quick Mode security association ended. [2012 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode->EventID 5452 - An IPsec Quick Mode security association ended. [2012 and higher]
EventID 5453 - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode->EventID 5453 - An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
EventID 5456 - PAStore Engine applied Active Directory storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5456 - PAStore Engine applied Active Directory storage IPsec policy on the computer.
EventID 5457 - PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5457 - PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
EventID 5458 - PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5458 - PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
EventID 5459 - PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5459 - PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
EventID 5460 - PAStore Engine applied local registry storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5460 - PAStore Engine applied local registry storage IPsec policy on the computer.
EventID 5461 - PAStore Engine failed to apply local registry storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5461 - PAStore Engine failed to apply local registry storage IPsec policy on the computer.
EventID 5462 - PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5462 - PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
EventID 5463 - PAStore Engine polled for changes to the active IPsec policy and detected no changes.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5463 - PAStore Engine polled for changes to the active IPsec policy and detected no changes.
EventID 5464 - PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5464 - PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
EventID 5465 - PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5465 - PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
EventID 5466 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec po...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5466 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec po...
EventID 5467 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Activ...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5467 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Activ...
EventID 5468 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cach...
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5468 - PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cach...
EventID 5471 - PAStore Engine loaded local storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5471 - PAStore Engine loaded local storage IPsec policy on the computer.
EventID 5472 - PAStore Engine failed to load local storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5472 - PAStore Engine failed to load local storage IPsec policy on the computer.
EventID 5473 - PAStore Engine loaded directory storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5473 - PAStore Engine loaded directory storage IPsec policy on the computer.
EventID 5474 - PAStore Engine failed to load directory storage IPsec policy on the computer.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5474 - PAStore Engine failed to load directory storage IPsec policy on the computer.
EventID 5477 - PAStore Engine failed to add quick mode filter.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change->EventID 5477 - PAStore Engine failed to add quick mode filter.
EventID 5478 - IPsec Services has started successfully.
Indicates that IPSec Policy Agent service was successfully started. It must be running to support IPSec policies created by earlier versions of Windows. Note: On new deployments of Windows 2008 and ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 5478 - IPsec Services has started successfully.
EventID 5479 - IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
Indicates that IPSec Policy Agent service was successfully shut down. Note: The IPsec Policy Agent service must be running to receive and process Internet Protocol security (IPsec) policies that wer...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 5479 - IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
EventID 548 - Domain SID is inconsistent
Logon failure. Domain security identifier (SID) is inconsistent. This event is generated when a user account from a trusted domain attempts to authenticate, but the domain SID does not match the SID ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 548 - Domain SID is inconsistent
EventID 5480 - IPsec Services failed to get the complete list of network interfaces on the computer
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 5480 - IPsec Services failed to get the complete list of network interfaces on the computer
EventID 5483 - IPsec Services failed to initialize RPC server. IPsec Services could not be started.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 5483 - IPsec Services failed to initialize RPC server. IPsec Services could not be started.
EventID 5484 - IPsec Services has experienced a critical failure and has been shut down
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 5484 - IPsec Services has experienced a critical failure and has been shut down
EventID 5485 - IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver->EventID 5485 - IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
EventID 549 - All SIDs were filtered out
Logon failure. All SIDs were filtered out. During authentication across forests, SIDs corresponding to untrusted namespaces are filtered out. This event is generated when all SIDs are filtered. Th...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 549 - All SIDs were filtered out
EventID 551 - User initiated logoff [Win 2003 / XP]
Indicates that a user that had logged on interactively or by terminal services has started the logoff process. Note: This event means that the system started erasing from memory user's primary access...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 551 - User initiated logoff [Win 2003 / XP]
EventID 552 - Logon attempt using explicit credentials [Win 2003]
Indicates that a user who is already logged on successfully created another logon session with different user's credentials. Note: This event is not logged on Windows 2000 systems. Typically, this oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 552 - Logon attempt using explicit credentials [Win 2003]
EventID 552 - Logon attempt using explicit credentials [Win XP]
Indicates that a user who is already logged on successfully created another logon session with different user's credentials. Note: This event is not logged on Windows 2000 systems. Typically, this oc...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 552 - Logon attempt using explicit credentials [Win XP]
EventID 560 - Object Open [Win 2000]
Indicates that an attempt was made to access a Windows object (file, folder, registry key, printer or service). Success or failure is indicated in the message. If access was successful, the listed acc...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 560 - Object Open [Win 2000]
EventID 560 - Object Open [Win 2003]
Indicates that an attempt was made to access a Windows object (file, folder, registry key, printer or service). Success or failure is indicated in the message. If access was successful, the listed acc...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 560 - Object Open [Win 2003]
EventID 560 - Object Open [Win XP]
Indicates that an attempt was made to access a Windows object (file, folder, registry key, printer or service). Success or failure is indicated in the message. If access was successful, the listed acc...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 560 - Object Open [Win XP]
EventID 561 - Handle Allocated [Win 2000]
Indicates that a handle to an object has been opened. Note: This event is only generated for handles that caused an audit to be generated when opened. Find more information about this event on ultim...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 561 - Handle Allocated [Win 2000]
EventID 562 - Handle Closed [Win 2000]
Indicates that a previously successfully opened Windows object was closed by the program. Note: The Handle ID is a unique number that is assigned by the operating system when a request is made to ac...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 562 - Handle Closed [Win 2000]
EventID 562 - Handle Closed [Win 2003 / XP]
Indicates that a previously successfully opened Windows object was closed by the program. Note: The Handle ID is a unique number that is assigned by the operating system when a request is ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 562 - Handle Closed [Win 2003 / XP]
EventID 563 - Object Open for Delete [Win 2000 / XP]
Indicates that an object has been successfully opened with the intent to delete the object. Note: The only way to determine what happened to the object is to look at the “Object Name”...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 563 - Object Open for Delete [Win 2000 / XP]
EventID 563 - Object Open for Delete [Win 2003]
Indicates that an object has been successfully opened with the intent to delete the object. Note: The only way to determine what happened to the object is to look at the “Object Nam...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 563 - Object Open for Delete [Win 2003]
EventID 5632 - A request was made to authenticate to a wireless network. [2008 R2 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 5632 - A request was made to authenticate to a wireless network. [2008 R2 and higher]
EventID 5632 - A request was made to authenticate to a wireless network. [2008]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 5632 - A request was made to authenticate to a wireless network. [2008]
EventID 5633 - A request was made to authenticate to a wired network.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events->EventID 5633 - A request was made to authenticate to a wired network.
EventID 564 - Object Deleted [Win 2000]
Indicates that the object specified by the Handle ID was successfully deleted. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 564 - Object Deleted [Win 2000]
EventID 564 - Object Deleted [Win 2003 / XP]
Indicates that the object specified by the Handle ID was successfully deleted. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Wi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 564 - Object Deleted [Win 2003 / XP]
EventID 565 - Object Open [Win 2000]
Indicates that an attempt was made to access a directory service object. Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If ac...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->DS Access->EventID 565 - Object Open [Win 2000]
EventID 565 - Object Open [Win 2003]
Indicates that an attempt was made to access a directory service object. Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If ac...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->DS Access->EventID 565 - Object Open [Win 2003]
EventID 566 - Object Operation [Win 2003]
Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 This event is not logged on Windows 2000. Windows 2008 EventID ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->DS Access->EventID 566 - Object Operation [Win 2003]
EventID 567 - Object Access Attempt [Win 2003]
Indicates that the accesses granted by the EventID 560 were actually exercised after opening the object. Success or failure is indicated in the message. If access was successful, the listed accesses ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 567 - Object Access Attempt [Win 2003]
EventID 567 - Object Access Attempt [Win XP]
Indicates that the accesses granted by the EventID 560 were actually exercised after opening the object. Success or failure is indicated in the message. If access was successful, the listed...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 567 - Object Access Attempt [Win XP]
EventID 5712 - A Remote Procedure Call (RPC) was attempted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->RPC Events->EventID 5712 - A Remote Procedure Call (RPC) was attempted.
EventID 576 - Special privileges assigned to new logon
Indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon. Note: Some privileges are used so frequently that auditing...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 576 - Special privileges assigned to new logon
EventID 576 - Special privileges assigned to new logon
Indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon. Note: Some privileges are used so frequently that auditin...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Privilege Use->EventID 576 - Special privileges assigned to new logon
EventID 577 - Privileged Service Called
Indicates that an attempt has been made by a user to use a privilege to perform a privileged system service. Microsoft's Notes: These are high volume events, which typically do not contain sufficien...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Privilege Use->EventID 577 - Privileged Service Called
EventID 578 - Privileged object operation
Perform a privileged system service. Microsoft's Comments: These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Privilege Use->EventID 578 - Privileged object operation
EventID 5888 - An object in the COM+ Catalog was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5888 - An object in the COM+ Catalog was modified.
EventID 5888 - An object in the COM+ Catalog was modified.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 5888 - An object in the COM+ Catalog was modified.
EventID 5889 - An object was deleted from the COM+ Catalog.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5889 - An object was deleted from the COM+ Catalog.
EventID 5889 - An object was deleted from the COM+ Catalog.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 5889 - An object was deleted from the COM+ Catalog.
EventID 5890 - An object was added to the COM+ Catalog.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 5890 - An object was added to the COM+ Catalog.
EventID 5890 - An object was added to the COM+ Catalog.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events->EventID 5890 - An object was added to the COM+ Catalog.
EventID 592 - A new process has been created
Indicates a successful execution of a program by a user. Note: The New Process ID field allows you to correlate this event to events from the "Object Access" category, e.g. in order to find out what...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 592 - A new process has been created
EventID 593 - A process has exited [Win 2000]
Indicates a successful closing/termination of a program by a user. Note: To find out when the ended process started, look for a preceding event 593 with the same Process ID. The Wi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 593 - A process has exited [Win 2000]
EventID 593 - A process has exited [Win 2003 / XP]
Indicates a successful closing/termination of a program by a user. Note: To find out when the ended process started, look for a preceding event 593 with the same Process ID. The Wi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 593 - A process has exited [Win 2003 / XP]
EventID 594 - A handle to an object has been duplicated
Indicates that a handle has been duplicated for the same or less access than previously granted. Note: This audit event is only generated if the handle being duplicated caused an audit event record ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 594 - A handle to an object has been duplicated
EventID 596 - Backup of data protection master key
The operating system performed a normal backup of the Data Protection application programming interface (DPAPI) master key. Note: If this computer is a member of a Windows NT 4.0 domain, this message...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 596 - Backup of data protection master key
EventID 600 - A process was assigned a primary token [Win 2003 / XP]
A program requested and generated a security token. This usually indicates that the program is running in a specific security context. After the program generates the security token, it accesses resou...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 600 - A process was assigned a primary token [Win 2003 / XP]
EventID 601 - Attempt to install service [Win 2003]
Indicates a user attempt to install a service. Note: This event is not logged on Windows 2000 / XP systems. This event should not occur often in a business environment with a clearly defined ac...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 601 - Attempt to install service [Win 2003]
EventID 602 - Scheduled Task created [Win 2003]
Indicates either a new scheduled task creation or an existing task modification. Note: This event does not get logged when a task is deleted. This event is not logged on Windows 2000 systems. Exa...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 602 - Scheduled Task created [Win 2003]
EventID 608 - User Right Assigned
This event record indicates that a specific right was successfully assigned to the identified user on the computer where the event was logged. Find more information about this event on ultimatewindowssec...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 608 - User Right Assigned
EventID 609 - User Right Removed
This event record indicates that a specific right assigned to the identified user was successfully removed on the computer where the event was logged. Find more information about this event on ultimate...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 609 - User Right Removed
EventID 610 - New Trusted Domain [Win 2000]
This event record indicates that the identified user successfully created a trust relationship with the specified domain. Note: Creating certain trust relationships can have serious security impl...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 610 - New Trusted Domain [Win 2000]
EventID 610 - New Trusted Domain [Win 2003]
This event record indicates that the identified user successfully created a trust relationship with the specified domain. Note: Creating certain trust relationships can have serious sec...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 610 - New Trusted Domain [Win 2003]
EventID 611 - Trusted Domain Removed [Win 2000]
This event record indicates that the identified user successfully removed a trust relationship with the specified domain. Note: Removing certain trust relationships can have serious security impli...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 611 - Trusted Domain Removed [Win 2000]
EventID 611 - Trusted Domain Removed [Win 2003]
This event record indicates that the identified user successfully removed a trust relationship with the specified domain. Note: Removing certain trust relationships can have serious security impli...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 611 - Trusted Domain Removed [Win 2003]
EventID 612 - Audit Policy Change
A change was successfully made to the computer's audit policy. This can be a result of Group Policy obtained from Active Directory or from Local Computer Policy that is configured on the computer. The...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 612 - Audit Policy Change
EventID 6144 - Security policy in the group policy objects has been applied successfully.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 6144 - Security policy in the group policy objects has been applied successfully.
EventID 6145 - One or more errors occured while processing security policy in the group policy objects.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events->EventID 6145 - One or more errors occured while processing security policy in the group policy objects.
EventID 615 - IPSEC PolicyAgent Service [Win 2000]
Indicates a change to the IPsec policy. Note: Should be investigated when they occur outside of a system startup. Find more information about this event on ultimatewindowssecurity.com. Correspondi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 615 - IPSEC PolicyAgent Service [Win 2000]
EventID 615 - IPSec Services [Win 2003 / XP]
IPSec policy agent changed. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 EventID 615 - IPSEC Policy Agent [Wi...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 615 - IPSec Services [Win 2003 / XP]
EventID 616 - IPSec policy agent encountered a potentially serious failure [Win 2000]
Indicates that there has been a problem applying an IPSec policy. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 616 - IPSec policy agent encountered a potentially serious failure [Win 2000]
EventID 616 - IPSec Services encountered a potentially serious failure [Win 2003 / XP]
Indicates that there has been a problem applying an IPSec policy. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 616 - IPSec Services encountered a potentially serious failure [Win 2003 / XP]
EventID 617 - Kerberos Policy Changed [Win 2000 / 2003]
Indicates that a change to the GPO named "Kerberos Policy" was successfully applied on the specified computer. Note: This event is logged only on Domain Controllers. On Windows 2000 this event get...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 617 - Kerberos Policy Changed [Win 2000 / 2003]
EventID 618 - Encrypted Data Recovery Policy Changed
Indicates that a change to the EFS data recovery agent information was successfully applied on the specified computer. Find more information about this event on ultimatewindowssecurity.com. Corres...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 618 - Encrypted Data Recovery Policy Changed
EventID 620 - Trusted Domain Information Modified [Win 2000]
Indicates that an existing trust's properties have been successfully modified. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Win...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 620 - Trusted Domain Information Modified [Win 2000]
EventID 620 - Trusted Domain Information Modified [Win 2003]
Indicates that an existing trust's properties have been successfully modified. For example, the transitivity was enabled. Find more information about this event on ultimatewindowssecurity.com. Corre...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 620 - Trusted Domain Information Modified [Win 2003]
EventID 621 - System Security Access Granted [Win 2003 / XP]
This event record indicates that a user account was granted logon rights (such as "Access this computer from the network" or "Logon as a service"). Find more information about this event on ultimat...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 621 - System Security Access Granted [Win 2003 / XP]
EventID 622 - System Security Access Removed [Win 2003 / XP]
This event record indicates that logon rights (such as "Access this computer from the network" or "Logon as a service") were removed from a user account. Find more information about this event on ult...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 622 - System Security Access Removed [Win 2003 / XP]
EventID 624 - User Account Created [Win 2000 / XP]
Indicates a successful creation of a new user account. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2003 ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 624 - User Account Created [Win 2000 / XP]
EventID 624 - User Account Created [Win 2003]
Indicates a successful creation of a new user account. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 / XP ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 624 - User Account Created [Win 2003]
EventID 626 - User Account Enabled [Win 2003 / XP]
Indicates that a user account was successfully enabled. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 Note: This ev...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 626 - User Account Enabled [Win 2003 / XP]
EventID 627 - Change Password Attempt
Indicates successful and failed attempts of a user to change their own or another user's password. Because the user can change the password without logging on, the Caller User Name might be shown as "anon...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 627 - Change Password Attempt
EventID 6272 - Network Policy Server granted access to a user. [2012 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6272 - Network Policy Server granted access to a user. [2012 R2 and lower]
EventID 6272 - Network Policy Server granted access to a user. [2016 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6272 - Network Policy Server granted access to a user. [2016 and higher]
EventID 6273 - Network Policy Server denied access to a user. [2012 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6273 - Network Policy Server denied access to a user. [2012 R2 and lower]
EventID 6273 - Network Policy Server denied access to a user. [2016 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6273 - Network Policy Server denied access to a user. [2016 and higher]
EventID 6274 - Network Policy Server discarded the request for a user. [2012 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6274 - Network Policy Server discarded the request for a user. [2012 R2 and lower]
EventID 6274 - Network Policy Server discarded the request for a user. [2016 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6274 - Network Policy Server discarded the request for a user. [2016 and higher]
EventID 6275 - Network Policy Server discarded the accounting request for a user. [2012 R2 and lower]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6275 - Network Policy Server discarded the accounting request for a user. [2012 R2 and lower]
EventID 6275 - Network Policy Server discarded the accounting request for a user. [2016 and higher]
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6275 - Network Policy Server discarded the accounting request for a user. [2016 and higher]
EventID 6276 - Network Policy Server quarantined a user.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6276 - Network Policy Server quarantined a user.
EventID 6277 - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6277 - Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
EventID 6278 - Network Policy Server granted full access to a user because the host met the defined health policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6278 - Network Policy Server granted full access to a user because the host met the defined health policy.
EventID 6279 - Network Policy Server locked the user account due to repeated failed authentication attempts.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6279 - Network Policy Server locked the user account due to repeated failed authentication attempts.
EventID 628 - User Account password set
Indicates a successful attempt of one user to reset the password for another user. Note: Do not confuse password resets with password changes. For password changes users always have to provide current pa...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 628 - User Account password set
EventID 6280 - Network Policy Server unlocked the user account.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server->EventID 6280 - Network Policy Server unlocked the user account.
EventID 6281 - Code Integrity determined that the page hashes of an image file are not valid.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 6281 - Code Integrity determined that the page hashes of an image file are not valid.
EventID 629 - User Account Disabled [Win 2003 / XP]
Indicates that a user account was successfully disabled. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows 2000 Note: This ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 629 - User Account Disabled [Win 2003 / XP]
EventID 630 - User Account Deleted
Indicates that a "target" user account was successfully deleted by the "caller" user account. Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS ver...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 630 - User Account Deleted
EventID 631 - Security Enabled Global Group Created [Win 2000]
Indicates that a global security group was successfully created by the "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 631 - Security Enabled Global Group Created [Win 2000]
EventID 631 - Security Enabled Global Group Created [Win 2003]
Indicates that a global security group was successfully created by the "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 631 - Security Enabled Global Group Created [Win 2003]
EventID 632 - Security Enabled Global Group Member Added
Indicates that a member (user, computer or another group account) was successfully added to the security global group by the "caller" user. The Member Name field specifies the user who was added. ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 632 - Security Enabled Global Group Member Added
EventID 633 - Security Enabled Global Group Member Removed
Indicates that a member (user, computer or another group account) was successfully removed from the security global group by the "caller" user. Note: This event also occurs when a user account is deleted and...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 633 - Security Enabled Global Group Member Removed
EventID 634 - Security Enabled Global Group Deleted [Win 2000 / 2003]
Indicates that a security global group was successfully deleted by the "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecurity....
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 634 - Security Enabled Global Group Deleted [Win 2000 / 2003]
EventID 635 - Security Enabled Local Group Created [Win 2000 / XP]
Indicates that a security local group was successfully created by the "caller" user. Note: There is no Failure Audit form of this audit event record. Find more information about this event on ulti...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 635 - Security Enabled Local Group Created [Win 2000 / XP]
EventID 635 - Security Enabled Local Group Created [Win 2003]
Indicates that a security local group was successfully created by the "caller" user. Note: There is no Failure Audit form of this audit event record. Find more information about this event on ulti...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 635 - Security Enabled Local Group Created [Win 2003]
EventID 636 - Security Enabled Local Group Member Added
Indicates that a member (user, computer or another group account) was successfully added to the security local group by the "caller" user. Find more information about this event on ultimatewindowssecurit...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 636 - Security Enabled Local Group Member Added
EventID 637 - Security Enabled Local Group Member Removed
Indicates that a member (user, computer or another group account) was successfully removed from the security local group by the "caller" user. Find more information about this event on ultimatewindowssecurity...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 637 - Security Enabled Local Group Member Removed
EventID 638 - Security Enabled Local Group Deleted
Indicates that a security local group was successfully deleted by the "caller" user. Note: There is no Failure Audit form of this audit event record. Find more information about this event on ultimatewind...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 638 - Security Enabled Local Group Deleted
EventID 639 - Security Enabled Local Group Changed [Win 2000 / XP]
Indicates that a security local group was successfully changed by the "caller" user. Note: This event also shows group membership changes (additions and removals of a group member) for which there are oth...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 639 - Security Enabled Local Group Changed [Win 2000 / XP]
EventID 639 - Security Enabled Local Group Changed [Win 2003]
Indicates that a security local group was successfully changed by the "caller" user. Note: This event also shows group membership changes (additions and removals of a group member) for which there ar...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 639 - Security Enabled Local Group Changed [Win 2003]
EventID 6400 - BranchCache: Received an incorrectly formatted response while discovering availability of content.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6400 - BranchCache: Received an incorrectly formatted response while discovering availability of content.
EventID 6401 - BranchCache: Received invalid data from a peer. Data discarded.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6401 - BranchCache: Received invalid data from a peer. Data discarded.
EventID 6402 - BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6402 - BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
EventID 6403 - BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6403 - BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.
EventID 6404 - BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6404 - BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
EventID 6405 - BranchCache: A number of instances of event occurred.
BranchCache: %2 instance(s) of event id %1 occurred Event ID:    %1 Number of instances: %2 Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6405 - BranchCache: A number of instances of event occurred.
EventID 6406 - A module registered to Windows Firewall to control filtering.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6406 - A module registered to Windows Firewall to control filtering.
EventID 6407 - BranchCache:
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6407 - BranchCache: <Dynamic Description>
EventID 6408 - Registered product failed and Windows Firewall is now controlling the filtering.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6408 - Registered product failed and Windows Firewall is now controlling the filtering.
EventID 6409 - BranchCache: A service connection point object could not be parsed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events->EventID 6409 - BranchCache: A service connection point object could not be parsed.
EventID 641 - Security Enabled Global Group Changed [Win 2000]
Indicates that security global group was successfully changed by "caller" user. There is no Failure Audit form of this audit event record. Group changes can have security implications. Find more info...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 641 - Security Enabled Global Group Changed [Win 2000]
EventID 641 - Security Enabled Global Group Changed [Win 2003]
Indicates that security global group was successfully changed by "caller" user. There is no Failure Audit form of this audit event record. Group changes can have security implications. Find more info...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 641 - Security Enabled Global Group Changed [Win 2003]
EventID 6410 - Code integrity determined that a file does not meet the security requirements to load into a process.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 6410 - Code integrity determined that a file does not meet the security requirements to load into a process.
EventID 6416 - A new external device was recognized by the system.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6416 - A new external device was recognized by the system.
EventID 6417 - The FIPS mode crypto selftests succeeded.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 6417 - The FIPS mode crypto selftests succeeded.
EventID 6418 - The FIPS mode crypto selftests failed.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity->EventID 6418 - The FIPS mode crypto selftests failed.
EventID 6419 - A request was made to disable a device.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6419 - A request was made to disable a device.
EventID 642 - User Account Changed [Win 2000 / XP]
Indicates that a user account ("target account") was successfully changed by another user ("caller user"). If a property changed, the new value is specified. Properties that display hyphens did not ch...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 642 - User Account Changed [Win 2000 / XP]
EventID 642 - User Account Changed [Win 2003]
Indicates that a user account ("target account") was successfully changed by another user ("caller user"). If a property changed, the new value is specified. Properties that display hyphens did not ch...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 642 - User Account Changed [Win 2003]
EventID 6420 - A device was disabled.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6420 - A device was disabled.
EventID 6421 - A request was made to enable a device.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6421 - A request was made to enable a device.
EventID 6422 - A device was enabled.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6422 - A device was enabled.
EventID 6423 - The installation of this device is forbidden by system policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6423 - The installation of this device is forbidden by system policy.
EventID 6424 - The installation of this device was allowed, after having previously been forbidden by policy.
Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events->EventID 6424 - The installation of this device was allowed, after having previously been forbidden by policy.
EventID 643 - Domain Policy Changed [Win 2000 / XP]
Indicates that a domain policy was successfully changed by "caller user". There is no Failure Audit form of this audit event record. Find more information about this event on ultimatewindowssecurity....
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 643 - Domain Policy Changed [Win 2000 / XP]
EventID 643 - Domain Policy Changed [Win 2003]
Indicates that a domain policy was successfully changed by "caller user". Find more information about this event on ultimatewindowssecurity.com. Corresponding events on other OS versions: Windows...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 643 - Domain Policy Changed [Win 2003]
EventID 644 - User Account Locked Out
Indicates that a user account ("target account") was locked out due to the fact that the number of consecutive failed logon attempts exceeded the maximum allowed number set in the Domain Lockout Polic...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 644 - User Account Locked Out
EventID 645 - Computer Account Created [Win 2000]
Indicates a successful creation of a new computer account by "caller user". Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecurity.co...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 645 - Computer Account Created [Win 2000]
EventID 645 - Computer Account Created [Win 2003]
Indicates a successful creation of a new computer account by "caller user". Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecurity.c...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 645 - Computer Account Created [Win 2003]
EventID 646 - Computer Account Changed [Win 2000]
Indicates that a computer account ("target account") was successfully changed by another user ("caller user"). Note: This event occurs only on domain controllers. Find more information about this e...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 646 - Computer Account Changed [Win 2000]
EventID 646 - Computer Account Changed [Win 2003]
Indicates that a computer account ("target account") was successfully changed by another user ("caller user"). Note: This event occurs only on domain controllers. Find more information about t...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 646 - Computer Account Changed [Win 2003]
EventID 647 - Computer Account Deleted [Win 2000 / 2003]
Indicates that a "target" computer account was successfully deleted by "caller" user account. Note: This event occurs only on domain controllers. Find more information about this event on ultimatew...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 647 - Computer Account Deleted [Win 2000 / 2003]
EventID 648 - Security Disabled Local Group Created [Win 2000]
Indicates that distribution local group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 648 - Security Disabled Local Group Created [Win 2000]
EventID 648 - Security Disabled Local Group Created [Win 2003]
Indicates that distribution local group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 648 - Security Disabled Local Group Created [Win 2003]
EventID 649 - Security Disabled Local Group Changed [Win 2000]
Indicates that distribution local group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 649 - Security Disabled Local Group Changed [Win 2000]
EventID 649 - Security Disabled Local Group Changed [Win 2003]
Indicates that distribution local group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 649 - Security Disabled Local Group Changed [Win 2003]
EventID 650 - Security Disabled Local Group Member Added [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully added to the distribution local group by "caller" user. Note: This event occurs only on domain controllers. Find mo...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 650 - Security Disabled Local Group Member Added [Win 2000 / 2003]
EventID 651 - Security Disabled Local Group Member Removed [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully removed from the distribution local group by "caller" user. Note: This event occurs only on domain controllers. Find mor...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 651 - Security Disabled Local Group Member Removed [Win 2000 / 2003]
EventID 652 - Security Disabled Local Group Deleted [Win 2000 / 2003]
Indicates that distribution local group was successfully deleted by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 652 - Security Disabled Local Group Deleted [Win 2000 / 2003]
EventID 653 - Security Disabled Global Group Created [Win 2000]
Indicates that a global distribution group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowsse...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 653 - Security Disabled Global Group Created [Win 2000]
EventID 653 - Security Disabled Global Group Created [Win 2003]
Indicates that a global distribution group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowsse...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 653 - Security Disabled Global Group Created [Win 2003]
EventID 654 - Security Disabled Global Group Changed [Win 2000]
Indicates that distribution global group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 654 - Security Disabled Global Group Changed [Win 2000]
EventID 654 - Security Disabled Global Group Changed [Win 2003]
Indicates that distribution global group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 654 - Security Disabled Global Group Changed [Win 2003]
EventID 655 - Security Disabled Global Group Member Added [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully added to the distribution global group by "caller" user. Note: This event occurs only on domain controllers. Find m...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 655 - Security Disabled Global Group Member Added [Win 2000 / 2003]
EventID 656 - Security Disabled Global Group Member Removed [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully removed from the distribution global group by "caller" user. Note: This event occurs only on domain controllers. Find mo...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 656 - Security Disabled Global Group Member Removed [Win 2000 / 2003]
EventID 657 - Security Disabled Global Group Deleted [Win 2000 / 2003]
Indicates that distribution global group was successfully deleted by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecur...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 657 - Security Disabled Global Group Deleted [Win 2000 / 2003]
EventID 658 - Security Enabled Universal Group Created [Win 2000]
Indicates that a universal security group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssec...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 658 - Security Enabled Universal Group Created [Win 2000]
EventID 658 - Security Enabled Universal Group Created [Win 2003]
Indicates that a universal security group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssec...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 658 - Security Enabled Universal Group Created [Win 2003]
EventID 659 - Security Enabled Universal Group Changed [Win 2000]
Indicates that security universal group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 659 - Security Enabled Universal Group Changed [Win 2000]
EventID 659 - Security Enabled Universal Group Changed [Win 2003]
Indicates that security universal group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 659 - Security Enabled Universal Group Changed [Win 2003]
EventID 660 - Security Enabled Universal Group Member Added [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully added to the security universal group by "caller" user. Note: This event occurs only on domain controllers. Find mo...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 660 - Security Enabled Universal Group Member Added [Win 2000 / 2003]
EventID 661 - Security Enabled Universal Group Member Removed [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully removed from the security universal group by "caller" user. Note: This event occurs only on domain controllers. Find mor...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 661 - Security Enabled Universal Group Member Removed [Win 2000 / 2003]
EventID 662 - Security Enabled Universal Group Deleted [Win 2000 / 2003]
Indicates that security universal group was successfully deleted by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowssecuri...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 662 - Security Enabled Universal Group Deleted [Win 2000 / 2003]
EventID 663 - Security Disabled Universal Group Created [Win 2000]
Indicates that a universal distribution group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindow...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 663 - Security Disabled Universal Group Created [Win 2000]
EventID 663 - Security Disabled Universal Group Created [Win 2003]
Indicates that a universal distribution group was successfully created by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindow...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 663 - Security Disabled Universal Group Created [Win 2003]
EventID 664 - Security Disabled Universal Group Changed [Win 2000]
Indicates that distribution universal group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowsse...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 664 - Security Disabled Universal Group Changed [Win 2000]
EventID 664 - Security Disabled Universal Group Changed [Win 2003]
Indicates that distribution universal group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowsse...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 664 - Security Disabled Universal Group Changed [Win 2003]
EventID 665 - Security Disabled Universal Group Member Added [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully added to a distribution universal group by "caller" user. Note: This event occurs only on domain controllers. Find m...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 665 - Security Disabled Universal Group Member Added [Win 2000 / 2003]
EventID 666 - Security Disabled Universal Group Member Removed [Win 2000 / 2003]
Indicates that a member (user, computer or another group account) was successfully removed from the distribution universal group by "caller" user. Note: This event occurs only on domain controllers. Find...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 666 - Security Disabled Universal Group Member Removed [Win 2000 / 2003]
EventID 667 - Security Disabled Universal Group Deleted [Win 2000 / 2003]
Indicates that distribution universal group was successfully deleted by "caller" user. Note: This event occurs only on domain controllers. Find more information about this event on ultimatewindowsse...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 667 - Security Disabled Universal Group Deleted [Win 2000 / 2003]
EventID 668 - Group Type Changed [Win 2000 / 2003]
Indicates that the type and/or scope of the "target" group was successfully changed by "caller" user. Note: This event occurs only on domain controllers. There are two types of groups in Active Directory: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 668 - Group Type Changed [Win 2000 / 2003]
EventID 671 - User Account Unlocked [Win 2003 / XP]
Indicates that "target" user account was successfully unlocked by "caller" user. Note: This event is not logged on Windows 2000. Find more information about this event on ultimatewindowssecurity.com...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 671 - User Account Unlocked [Win 2003 / XP]
EventID 672 - Authentication Ticket Granted [Win 2000]
Indicates that the authentication ticket was granted to a user or computer account requesting it. In other words, this event indicates a successful user/computer initial domain logon. Note: Log...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 672 - Authentication Ticket Granted [Win 2000]
EventID 672 - Authentication Ticket Request [Win 2003]
Indicates that the authentication ticket was either granted or denied to a user or computer account requesting it. In other words, this event indicates either a successful or failed user/computer init...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 672 - Authentication Ticket Request [Win 2003]
EventID 673 - Service Ticket Granted [Win 2000]
Indicates that the service ticket was granted to a user or computer account requesting it. In other words, this event indicates a successful attempt of a user/computer account to access a networ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 673 - Service Ticket Granted [Win 2000]
EventID 673 - Service Ticket Request [Win 2003]
Indicates that the service ticket was either granted or denied to a user or computer account requesting it. In other words, this event indicates either a successful or failed attempt of a user/comput...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 673 - Service Ticket Request [Win 2003]
EventID 674 - Service Ticket Renewed [Win 2003]
Indicates automatic AS (Authentication Server) ticket or TGS (Ticket Granting Server) ticket renewal. Note: There is no Failure Audit form of this audit event record. Some fields prov...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 674 - Service Ticket Renewed [Win 2003]
EventID 674 - Ticket Granted Renewed [Win 2000]
Indicates automatic AS (Authentication Server) ticket or TGS (Ticket Granting Server) ticket renewal. Note: There is no Failure Audit form of this audit event record. Some fields...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 674 - Ticket Granted Renewed [Win 2000]
EventID 675 - Pre-authentication failed
Indicates that the ticket-granting ticket (TGT) was not obtained. Event IDs 675 and 677 indicate failed attempts to log on to the domain. If a client computer's time differs from the authen...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 675 - Pre-authentication failed
EventID 676 - Authentication Ticket Request Failed [Win 2000]
This event is not generated by Windows Server 2003 with SP1. This event is logged when the user/computer initial logon fails for reasons other than those reported by EventID 675 - Pre-authentication fa...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 676 - Authentication Ticket Request Failed [Win 2000]
EventID 677 - Service Ticket Request Failed [Win 2000]
Indicates that the service ticket was denied to a user or computer account requesting it. In other words, this event indicates a failed attempt of a user/computer account to access a network resource...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 677 - Service Ticket Request Failed [Win 2000]
EventID 678 - Account Mapped for Logon
An account was successfully mapped to a domain account.
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 678 - Account Mapped for Logon
EventID 679 - Account could not be mapped for logon
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 679 - Account could not be mapped for logon
EventID 680 - Account Used for Logon by: %1 [Win 2000]
A set of credentials was passed to the authentication system on this computer either by a local process or by a remote process or user. Success or failure is displayed in the message. If this event i...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 680 - Account Used for Logon by: %1 [Win 2000]
EventID 680 - Logon attempt by: %1 [Win 2003 / XP]
A set of credentials was passed to the authentication system on this computer either by a local process or by a remote process or user. Success or failure is displayed in the message. If this event i...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 680 - Logon attempt by: %1 [Win 2003 / XP]
EventID 681 - The logon to account: %2 by: %1 from workstation: %3 failed [Win 2000]
A failed logon attempt to a Windows 2000-based domain controller (DC) is made from a down-level client or through a trust with a down-level domain. Note: Refer to the following link in order t...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 681 - The logon to account: %2 by: %1 from workstation: %3 failed [Win 2000]
EventID 682 - Session reconnected to winstation
A user reconnected to a disconnected terminal server session, or an administrator opened or reestablished the connection to the remote computer. This message is logged for informational purposes only....
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 682 - Session reconnected to winstation
EventID 683 - Session disconnected from winstation
A user disconnected from another computer without logging off. The connection was either a terminal server session or a remote administration session. This message is logged for informational purposes...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 683 - Session disconnected from winstation
EventID 684 - Set ACLs of members in administrators groups [Win 2003]
According to Microsoft: "Set the security descriptor of members of administrative groups." Every 60 minutes on a domain controller a background thread searches all members of administrative groups (su...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 684 - Set ACLs of members in administrators groups [Win 2003]
EventID 685 - Account Name Changed [Win 2003 / XP]
Indicates that "target" account name was successfully changed by "caller" user. Note: This event is important to track because a rogue admin may change his account or computer name to cover his mali...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 685 - Account Name Changed [Win 2003 / XP]
EventID 806 - Per User Audit Policy was refreshed [Win 2003 / XP]
Indicates that a certain number of elements was changed in the specified Per User Audit Policy. Find more information about this event on ultimatewindowssecurity.com.
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 806 - Per User Audit Policy was refreshed [Win 2003 / XP]
EventID 808 - A security event source has attempted to register [Win 2003 / XP]
This event record indicates that a process identified by the Process ID field successfully registered itself as being able to write events to the Windows security log. Find more information about ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 808 - A security event source has attempted to register [Win 2003 / XP]
EventID 809 - A security event source has attempted to unregister [Win 2003 / XP]
This event record indicates that a process identified by the Process ID field successfully unregistered itself as being able to write events to the Windows security log. Find more information abou...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 809 - A security event source has attempted to unregister [Win 2003 / XP]
EventID 848 - The following policy was active when the Windows Firewall started [Win 2003 / XP]
This event logs the Windows Firewall policy settings in effect at the time of startup, which is usually when the Windows system boots up. Note: You can get details on Windows Firewall configuratio...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 848 - The following policy was active when the Windows Firewall started [Win 2003 / XP]
EventID 849 - An application was listed as an exception when the Windows Firewall started [Win 2003 / XP]
This event is generated during the Windows Firewall start-up and documents exception rule settings for each Windows Firewall application. One event is generated for each exception rule. Find more inf...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 849 - An application was listed as an exception when the Windows Firewall started [Win 2003 / XP]
EventID 850 - A port was listed as an exception when the Windows Firewall started [Win 2003 / XP]
This event is generated during Windows Firewall start-up and documents exception rule settings for each Windows Firewall port/protocol. One event is generated for each exception rule. Find more i...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 850 - A port was listed as an exception when the Windows Firewall started [Win 2003 / XP]
EventID 851 - A change has been made to the Windows Firewall application exception list [Win 2003 / XP]
This event indicates that a change was successfully made to the list of exception rules (specifically, exception rules that allow traffic through for the specified applications) of the Windows Firewal...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 851 - A change has been made to the Windows Firewall application exception list [Win 2003 / XP]
EventID 852 - A change has been made to the Windows Firewall port exception list [Win 2003 / XP]
This event indicates that a change was successfully made to the list of exception rules (specifically, exception rules that allow traffic through specified ports via specified protocols) of the Window...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 852 - A change has been made to the Windows Firewall port exception list [Win 2003 / XP]
EventID 853 - The Windows Firewall operational mode has changed [Win 2003 / XP]
This event indicates that a change was successfully made to the operation mode of the Windows Firewall. In other words, it was either turned on or turned off. The change was made either through the lo...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 853 - The Windows Firewall operational mode has changed [Win 2003 / XP]
EventID 854 - The Windows Firewall logging settings have changed [Win 2003 / XP]
This event indicates that a change was successfully made to the logging settings of the Windows Firewall. The change was made either through the local policy or via a group policy propagation. Find m...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 854 - The Windows Firewall logging settings have changed [Win 2003 / XP]
EventID 855 - A Windows Firewall ICMP setting has changed [Win 2003 / XP]
This event indicates that a change was successfully made to the ICMP setting of the Windows Firewall. The change was made either through the local policy or via a group policy propagation. Find more ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 855 - A Windows Firewall ICMP setting has changed [Win 2003 / XP]
EventID 861 - The Windows Firewall has detected an application listening for incoming traffic [Win 2003 / XP]
This event indicates that an application requested to open UDP or TCP ports in listening mode and shows whether the request was allowed or not. The text of the error message contains the file path and...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 861 - The Windows Firewall has detected an application listening for incoming traffic [Win 2003 / XP]
File Share
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File Share
File System
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System
Filtering Platform Connection
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Connection
Filtering Platform Packet Drop
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Filtering Platform Packet Drop
Filtering Platform Policy Change
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Filtering Platform Policy Change
Group Membership
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Group Membership
Handle Manipulation
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Handle Manipulation
IPsec Driver
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->IPsec Driver
IPsec Extended Mode
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Extended Mode
IPsec Main Mode
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Main Mode
IPsec Quick Mode
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->IPsec Quick Mode
Kerberos Authentication Service
This subcategory comprises the Kerberos-related authentication events. These events are generated on domain controllers only.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service
Kerberos Service Ticket Operations
This subcategory comprises the events related to Kerberos service ticket grant/denial. These events are generated on domain controllers only.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Service Ticket Operations
Kernel Object
    12802  |  0x70003202  |  Kernel Object
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Kernel Object
Log automatic backup
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Log automatic backup
Log clear
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Log clear
Logoff
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logoff
Logon
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Logon
Logon/Logoff
Events from this category track each instance of a user logging on to or logging off from a computer. Account logon events are generated on domain controllers for domain account activity and on...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff
Logon/Logoff
Events from this category track each instance of a user logging on to or logging off from a computer. Account logon events are generated on domain controllers for domain account activity and on local...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff
MPSSVC Rule-Level Policy Change
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->MPSSVC Rule-Level Policy Change
Network Policy Server
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Network Policy Server
Object Access
Events from this category reflect successful and failed attempts to access all objects outside Active Directory. This includes reading, changing, deleting the following types of objects: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access
Object Access
Events from this category reflect successful and failed attempts to access all objects outside Active Directory. This includes reading, changing, deleting the following types of objects: ...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access
Other Account Management Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Other Account Management Events
Other Logon/Logoff Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Other Logon/Logoff Events
Other Object Access Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Other Object Access Events
Other Policy Change Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Other Policy Change Events
Other System Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Other System Events
Plug and Play Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Plug and Play Events
Policy Change
Events from this category track every instance of a change to: user rights assignment policies, audit policies (local and domain-level), or trust relationship policies, or Windows...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change
Policy Change
Events from this category track every instance of a change to: user rights assignment policies, audit policies (local and domain-level), or trust relationship policies.
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change
Privilege Use
Events in this category track each instance of a user exercising a user right. Privilege refers to the user rights you find in the Local Security Policy under Security Settings\Local Policies\U...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Privilege Use
Privilege Use
Events in this category track each instance of a user exercising a user right. Privilege refers to the user rights you find in the Local Security Policy under Security Settings\Local Policies\U...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Privilege Use
Process Creation
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Process Creation
Process Termination
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Process Termination
Registry
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Registry
RPC Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->RPC Events
SAM
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM
Security Group Management
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management
Security Log
This event category comprises events originating in the Security Log on Windows family systems of the 2008 (Vista generation) versions.
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log
Security Log
This event category comprises events originating in the Security Log on Windows family systems of the 2000-2003 versions.
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log
Security State Change
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security State Change
Security System Extension
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->Security System Extension
Sensitive Privilege Use
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Privilege Use->Sensitive Privilege Use
Service shutdown
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->110X - Non Audit (EventLog)->Service shutdown
Special Logon
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Special Logon
Subcategory (special)
This is a virtual subcategory. EventID 4670, placed here according to some Microsoft documentation, is actually written under the Object Access category. The Subcategory (Task Category) for 4670 corre...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Policy Change->Subcategory (special)
System
This category allows auditing of when a user restarts or shuts down the computer, or when an event has occurred that affects either the system security or the security log. Also events from this category refl...
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System
System
This category allows auditing of when a user restarts or shuts down the computer, or when an event has occurred that affects either the system security or the security log. Also events from this category refl...
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->System
System Integrity
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->System->System Integrity
Token Right Adjusted Events
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Token Right Adjusted Events
User / Device Claims
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->User / Device Claims
User Account Management
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management