Windows Events ID – Part 2

Here are some of the Windows Event IDs that are helpful in determining the cause of an event, grouped by audit category and subcategory.

Category: Detailed Tracking

Subcategory: DPAPI Activity

ID Message
4692 Backup of data protection master key was attempted.
4693 Recovery of data protection master key was attempted.
4694 Protection of auditable protected data was attempted.
4695 Unprotection of auditable protected data was attempted.

Subcategory: Process Creation

ID Message
4688 A new process has been created.
4696 A primary token was assigned to process.

Subcategory: Process Termination

ID Message
4689 A process has exited.

Subcategory: RPC Events

ID Message
5712 A Remote Procedure Call (RPC) was attempted.

Category: DS Access

Subcategory: Detailed Directory Service Replication

ID Message
4928 An Active Directory replica source naming context was established.
4929 An Active Directory replica source naming context was removed.
4930 An Active Directory replica source naming context was modified.
4931 An Active Directory replica destination naming context was modified.
4934 Attributes of an Active Directory object were replicated.
4935 Replication failure begins.
4936 Replication failure ends.
4937 A lingering object was removed from a replica.

Subcategory: Directory Service Access

ID Message
4662 An operation was performed on an object.

Subcategory: Directory Service Changes

ID Message
5136 A directory service object was modified.
5137 A directory service object was created.
5138 A directory service object was undeleted.
5139 A directory service object was moved.

Note: The following event in the Directory Service Changes subcategory is available only in Windows Vista Service Pack 1 and in Windows Server 2008.

ID Message
5141 A directory service object was deleted.

Subcategory: Directory Service Replication

ID Message
4932 Synchronization of a replica of an Active Directory naming context has begun.
4933 Synchronization of a replica of an Active Directory naming context has ended.

Category: Logon/Logoff

Subcategory: IPsec Extended Mode

ID Message
4978 During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
4979 IPsec Main Mode and Extended Mode security associations were established.
4980 IPsec Main Mode and Extended Mode security associations were established.
4981 IPsec Main Mode and Extended Mode security associations were established.
4982 IPsec Main Mode and Extended Mode security associations were established.
4983 An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
4984 An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

Subcategory: IPsec Main Mode

ID Message
4646 IKE DoS-prevention mode started.
4650 An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
4651 An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
4652 An IPsec Main Mode negotiation failed.
4653 An IPsec Main Mode negotiation failed.
4655 An IPsec Main Mode security association ended.
4976 During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
5049 An IPsec Security Association was deleted.
5453 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

Subcategory: IPsec Quick Mode

ID Message
4654 An IPsec Quick Mode negotiation failed.
4977 During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
5451 An IPsec Quick Mode security association was established.
5452 An IPsec Quick Mode security association ended.

Subcategory: Logoff

ID Message
4634 An account was logged off.
4647 User initiated logoff.

Subcategory: Logon

ID Message
4624 An account was successfully logged on.
4625 An account failed to log on.
4648 A logon was attempted using explicit credentials.
4675 SIDs were filtered.

Note: All the events in the Network Policy Server subcategory are available only in Windows Vista Service Pack 1 and in Windows Server 2008.

Subcategory: Network Policy Server

ID Message
6272 Network Policy Server granted access to a user.
6273 Network Policy Server denied access to a user.
6274 Network Policy Server discarded the request for a user.
6275 Network Policy Server discarded the accounting request for a user.
6276 Network Policy Server quarantined a user.
6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
6278 Network Policy Server granted full access to a user because the host met the defined health policy.
6279 Network Policy Server locked the user account due to repeated failed authentication attempts.
6280 Network Policy Server unlocked the user account.

Subcategory: Other Logon/Logoff Events

ID Message
4649 A replay attack was detected.
4778 A session was reconnected to a Window Station.
4779 A session was disconnected from a Window Station.
4800 The workstation was locked.
4801 The workstation was unlocked.
4802 The screen saver was invoked.
4803 The screen saver was dismissed.
5378 The requested credentials delegation was disallowed by policy.
5632 A request was made to authenticate to a wireless network.
5633 A request was made to authenticate to a wired network.

Subcategory: Special Logon

ID Message
4964 Special groups have been assigned to a new logon.

Category: Object Access

Subcategory: Application Generated

ID Message
4665 An attempt was made to create an application client context.
4666 An application attempted an operation:
4667 An application client context was deleted.
4668 An application was initialized.

Subcategory: Certification Services

ID Message
4868 The certificate manager denied a pending certificate request.
4869 Certificate Services received a resubmitted certificate request.
4870 Certificate Services revoked a certificate.
4871 Certificate Services received a request to publish the certificate revocation list (CRL).
4872 Certificate Services published the certificate revocation list (CRL).
4873 A certificate request extension changed.
4874 One or more certificate request attributes changed.
4875 Certificate Services received a request to shut down.
4876 Certificate Services backup started.
4877 Certificate Services backup completed.
4878 Certificate Services restore started.
4879 Certificate Services restore completed.
4880 Certificate Services started.
4881 Certificate Services stopped.
4882 The security permissions for Certificate Services changed.
4883 Certificate Services retrieved an archived key.
4884 Certificate Services imported a certificate into its database.
4885 The audit filter for Certificate Services changed.
4886 Certificate Services received a certificate request.
4887 Certificate Services approved a certificate request and issued a certificate.
4888 Certificate Services denied a certificate request.
4889 Certificate Services set the status of a certificate request to pending.
4890 The certificate manager settings for Certificate Services changed.
4891 A configuration entry changed in Certificate Services.
4892 A property of Certificate Services changed.
4893 Certificate Services archived a key.
4894 Certificate Services imported and archived a key.
4895 Certificate Services published the CA certificate to Active Directory Domain Services.
4896 One or more rows have been deleted from the certificate database.
4897 Role separation enabled:
4898 Certificate Services loaded a template.
4899 A Certificate Services template was updated.
4900 Certificate Services template security was updated.
5120 OCSP Responder Service Started.
5121 OCSP Responder Service Stopped.
5122 A Configuration entry changed in the OCSP Responder Service.
5123 A configuration entry changed in the OCSP Responder Service.
5124 A security setting was updated on OCSP Responder Service.
5125 A request was submitted to OCSP Responder Service.
5126 Signing Certificate was automatically updated by the OCSP Responder Service.
5127 The OCSP Revocation Provider successfully updated the revocation information.

Source: Microsoft Security Events

1 Response

  1. Angel says:

    Can you please give elaborated details… it will be helpful.
