List of most common and useful Windows Event IDs

Here is a list of the most common / useful Windows Event IDs.

Event Log, Source            EventID   EventID   Description
                           Pre-Vista   Post-Vista
Security, Security               512   4608  Windows NT is starting up.
Security, Security               513   4609  Windows is shutting down.
Security, USER32                 ---   1074  The process nnn has initiated the restart of computer.
Security, Security               514   4610  An authentication package has been loaded by the Local Security Authority.
Security, Security               515   4611  A trusted logon process has registered with the Local Security Authority.
Security, Security               516   4612  Internal resources allocated for the queuing of audit messages
                                             have been exhausted, leading to the loss of some audits.
Security, Security               518   4614  A notification package has been loaded by the Security Account Manager.
Security, Security               519   4615  A process is using an invalid local procedure call (LPC) port.
Security, Security               520   4616  The system time was changed.
Security, Security               521    ---  Unable to log events to security log.
Security, Security(Logon/Logoff) 528   4624  Successful Logon.
Security, Security(Logon/Logoff) 540   4624  Successful Network Logon.
Security, Security(Logon/Logoff) 529   4625  Logon Failure - Unknown user name or bad password.
Security, Security(Logon/Logoff) 530   4625  Logon Failure - Account logon time restriction violation.
Security, Security(Logon/Logoff) 531   4625  Logon Failure - Account currently disabled.
Security, Security(Logon/Logoff) 532   4625  Logon Failure - The specified user account has expired.
Security, Security(Logon/Logoff) 533   4625  Logon Failure - User not allowed to logon at this computer.
Security, Security(Logon/Logoff) 534   4625  Logon Failure - The user has not been granted the requested logon type
                                             at this machine.
Security, Security(Logon/Logoff) 535   4625  Logon Failure - The specified account's password has expired.
Security, Security(Logon/Logoff) 536   4625  Logon Failure - The NetLogon component is not active.
Security, Security(Logon/Logoff) 537   4625  Logon failure - The logon attempt failed for other reasons.
Security, Security(Logon/Logoff) 538   4634  User Logoff.
Security, Security(Logon/Logoff) 539   4625  Logon Failure - Account locked out.
Security, Security(Logon/Logoff) ---   4646  IKE DoS-prevention mode started.
Security, Security(Logon/Logoff) 551   4647  User initiated logoff.
Security, Security(Logon/Logoff) 552   4648  A logon was attempted using explicit credentials.
Security, Security(Logon/Logoff) 553   4649  A replay attack was detected.
Security, Security(Logon/Logoff) 601   4697  A service was installed in the system.
Security, Object access          ---   4688  A new process created.
Security, Object access          ---   4697  A new service installed.
Security, Object access          602   4698  A scheduled task was created.
Security, Object access          602   4699  A scheduled task was deleted.
Security, Object access          602   4700  A scheduled task was enabled.
Security, Object access          602   4701  A scheduled task was disabled.
Security, Object access          602   4702  A scheduled task was updated.
Security, Account Management     624   4720  User Account Created.
Security, Account Management     626   4722  User Account Enabled.
Security, Account Management     627   4723  Change Password Attempt.
Security, Account Management     628   4724  User Account password set.
Security, Account Management     629   4725  User Account Disabled.
Security, Account Management     630   4726  User Account Deleted.
Security, Account Management     636   4732  Local User Account Created.
Security, Account Management     642   4738  User Account Changed.
Security, Account Management     643   4739  GPO changed.
Security, Account Management     644   4740  User Account Locked Out.
Security, Account Management     645   4741  Computer Account Created.
Security, Account Management     646   4742  Computer Account Changed.
Security, Account Management     647   4743  Computer Account Deleted.
Security, Account Management     671   4767  A user account was unlocked.
Security, Security(Logon/Logoff) ---   4768  Kerberos TGT was requested.
Security, Security(Logon/Logoff) ---   4771  Kerberos pre-authentication failed.
Security, Security(Logon/Logoff) ---   4772  Kerberos TGT request failed.
Security, Security(Logon/Logoff) 678   4774  An account was mapped for logon.
Security, Security(Logon/Logoff) 679   4775  The name: %2 could not be mapped for logon by: %1
Security, Security(Logon/Logoff) 680   4776  Account Used for Logon by.
Security, Security(Logon/Logoff) 681   4777  The logon to account: %2 by: %1 from workstation: %3 failed.
Security, Security(Logon/Logoff) 682   4778  Session reconnected to winstation.
Security, Security(Logon/Logoff) 683   4779  Session disconnected from winstation.
Security, Security(Logon/Logoff) ---   4800  The workstation was locked.
Security, Security(Logon/Logoff) ---   4801  The workstation was unlocked.
Security, Security(Logon/Logoff) ---   4802  The screen saver was invoked.
Security, Security(Logon/Logoff) ---   4803  The screen saver was dismissed.
Security, Account Management     ---   5136  GPO changed.
Security, Account Management     ---   5137  GPO created.
Security, Account Management     ---   5141  GPO deleted.
System, EventLog                 6005  6005  The event log was started.
System, EventLog                 6006  6006  The Event log service was stopped.
System, EventLog                 6013  6013  System uptime.
System, EventLog                 517   1102  The audit log was cleared.
System, EventLog                 ---   1104  The security Log is now full.
System, EventLog                 ---   1105  Event log automatic backup.
System, EventLog                 ---   1108  The event logging service encountered an error.
System, Service Control Manager  7035  7035  The nnn service was successfully sent a start/Stop control.
System, Service Control Manager  7036  7036  The nnn service entered the Running/Stopped state.
System, W32Time                   29     29  The time provider NtpClient is configured to acquire time from
                                             one or more time sources; however none of the sources are currently accessible.
System, W32Time                   38     38  The time provider NtpClient cannot reach or is currently receiving invalid time data.
System, W32Time                   47     47  Time Provider NtpClient: No valid response received.
External media detection          ---   43         New device information.
External media detection          ---   400        New mass storage installation.
Software and service installation ---   903,903    New application installation.
Software and service installation ---   905,906    Updated application.
Software and service installation ---   907,908    Removed application.
Software and service installation ---   1022,1033  New MSI file installed.
Software and service installation ---   6          New kernel filter driver.

AD/Server groups Event IDs:


All logon/logoff events include a Logon Type code that identifies the precise type of logon or logoff:

3  Network (remote file shares / printers / IIS)
4  Batch (scheduled task)
5  Service (service account)
8  NetworkCleartext (IIS)
9  NewCredentials (RunAs /netonly)
10 RemoteInteractive (Terminal Services, RDP)
11 CachedInteractive (cached credentials)

When working with Event IDs, it can be important to specify the source in addition to the ID, because the same number can have different meanings in different logs and from different sources.
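The following added example (not part of the original post) shows why a lookup should be keyed on log, source and ID together, and decodes the Logon Type of logon events. The sample events are constructed; the provider name `Microsoft-Windows-Security-Auditing` and the `LogonType` / `TargetUserName` fields follow the standard Windows event XML layout rather than anything stated on this page, and `ExampleApp` is a hypothetical source.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard Windows Logon Type codes for the types this page lists.
LOGON_TYPES = {3: "Network", 4: "Batch", 5: "Service", 8: "NetworkCleartext",
               9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Keyed by (log, source, event ID), never by the ID alone.
AUDIT = "Microsoft-Windows-Security-Auditing"
KNOWN = {
    ("Security", AUDIT, 4624): "Successful Logon",
    ("Security", AUDIT, 4625): "Logon Failure",
    ("System", "Service Control Manager", 7036): "Service entered the Running/Stopped state",
}

def make_event(channel, provider, event_id, **data):
    """Build a constructed event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Channel>{channel}</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')

def classify(xml_text):
    """Return a description for one event, matching on log + source + ID."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    key = (system.findtext("e:Channel", namespaces=NS),
           system.find("e:Provider", NS).get("Name"),
           int(system.findtext("e:EventID", namespaces=NS)))
    meaning = KNOWN.get(key)
    if meaning is None:
        return f"unknown event {key}"  # same ID from another log/source is not a match
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    if "LogonType" in data:
        code = int(data["LogonType"])
        meaning += f" [type {code}: {LOGON_TYPES.get(code, 'not listed on this page')}]"
        meaning += f" user={data.get('TargetUserName', '?')}"
    return meaning

# Constructed sample events; the last one reuses ID 4625 under a different log and source.
SAMPLES = [
    make_event("Security", AUDIT, 4625, TargetUserName="alice", LogonType=10),
    make_event("Security", AUDIT, 4624, TargetUserName="svc_backup", LogonType=5),
    make_event("Application", "ExampleApp", 4625),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```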

If you have any questions, feel free to contact me. Also follow me on Facebook @windowstechno to get updates about new blog posts.
