Windows Events ID – Part 3

Here are some of the Windows Event IDs that will be helpful in determining the cause of an event.

Subcategory: File Share

ID Message
5140 A network share object was accessed.

Subcategory: File System

ID Message
4664 An attempt was made to create a hard link.
4985 The state of a transaction has changed.
5051 A file was virtualized.

Subcategory: Filtering Platform Connection

ID Message
5031 The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 The Windows Filtering Platform has allowed a connection.
5157 The Windows Filtering Platform has blocked a connection.
5158 The Windows Filtering Platform has permitted a bind to a local port.
5159 The Windows Filtering Platform has blocked a bind to a local port.

Subcategory: Filtering Platform Packet Drop

ID Message
5152 The Windows Filtering Platform blocked a packet.
5153 A more restrictive Windows Filtering Platform filter has blocked a packet.

Subcategory: Handle Manipulation

ID Message
4656 A handle to an object was requested.
4658 The handle to an object was closed.
4690 An attempt was made to duplicate a handle to an object.

Subcategory: Other Object Access Events

ID Message
4671 An application attempted to access a blocked ordinal through the TBS.
4691 Indirect access to an object was requested.
4698 A scheduled task was created.
4699 A scheduled task was deleted.
4700 A scheduled task was enabled.
4701 A scheduled task was disabled.
4702 A scheduled task was updated.
5888 An object in the COM+ Catalog was modified.
5889 An object was deleted from the COM+ Catalog.
5890 An object was added to the COM+ Catalog.

Subcategory: Registry

ID Message
4657 A registry value was modified.
5039 A registry key was virtualized.

Note: The following events may be generated by any resource manager when its subcategory is enabled. For example, they may be generated by the Registry resource manager or by the File System resource manager. The “Object Access: Kernel Object” and “Object Access: SAM” subcategories are examples of subcategories that use these events exclusively.

Subcategory: Special Multi-use Subcategory

ID Message
4659 A handle to an object was requested with intent to delete.
4660 An object was deleted.
4661 A handle to an object was requested.
4663 An attempt was made to access an object.

Category: Policy Change

Subcategory: Audit Policy Change

ID Message
4715 The audit policy (SACL) on an object was changed.
4719 System audit policy was changed.
4902 The Per-user audit policy table was created.
4904 An attempt was made to register a security event source.
4905 An attempt was made to unregister a security event source.
4906 The CrashOnAuditFail value has changed.
4907 Auditing settings on object were changed.
4908 Special Groups Logon table modified.
4912 Per User Audit Policy was changed.

Subcategory: Authentication Policy Change

ID Message
4706 A new trust was created to a domain.
4707 A trust to a domain was removed.
4713 Kerberos policy was changed.
4716 Trusted domain information was modified.
4717 System security access was granted to an account.
4718 System security access was removed from an account.
4864 A namespace collision was detected.
4865 A trusted forest information entry was added.
4866 A trusted forest information entry was removed.
4867 A trusted forest information entry was modified.

Subcategory: Authorization Policy Change

ID Message
4704 A user right was assigned.
4705 A user right was removed.
4714 Encrypted data recovery policy was changed.

Subcategory: Filtering Platform Policy Change

ID Message
4709 IPsec Services was started.
4710 IPsec Services was disabled.
4711 May contain any one of the following: 

  • PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
  • PAStore Engine applied Active Directory storage IPsec policy on the computer.
  • PAStore Engine applied local registry storage IPsec policy on the computer.
  • PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
  • PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
  • PAStore Engine failed to apply local registry storage IPsec policy on the computer.
  • PAStore Engine failed to apply some rules of the active IPsec policy on the computer.
  • PAStore Engine failed to load directory storage IPsec policy on the computer.
  • PAStore Engine loaded directory storage IPsec policy on the computer.
  • PAStore Engine failed to load local storage IPsec policy on the computer.
  • PAStore Engine loaded local storage IPsec policy on the computer.
  • PAStore Engine polled for changes to the active IPsec policy and detected no changes.
4712 IPsec Services encountered a potentially serious failure.
5040 A change has been made to IPsec settings. An Authentication Set was added.
5041 A change has been made to IPsec settings. An Authentication Set was modified.
5042 A change has been made to IPsec settings. An Authentication Set was deleted.
5043 A change has been made to IPsec settings. A Connection Security Rule was added.
5044 A change has been made to IPsec settings. A Connection Security Rule was modified.
5045 A change has been made to IPsec settings. A Connection Security Rule was deleted.
5046 A change has been made to IPsec settings. A Crypto Set was added.
5047 A change has been made to IPsec settings. A Crypto Set was modified.
5048 A change has been made to IPsec settings. A Crypto Set was deleted.
5440 The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441 The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442 The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443 The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444 The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
5446 A Windows Filtering Platform callout has been changed.
5448 A Windows Filtering Platform provider has been changed.
5449 A Windows Filtering Platform provider context has been changed.
5450 A Windows Filtering Platform sub-layer has been changed.
5456 PAStore Engine applied Active Directory storage IPsec policy on the computer.
5457 PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
5458 PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
5459 PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
5460 PAStore Engine applied local registry storage IPsec policy on the computer.
5461 PAStore Engine failed to apply local registry storage IPsec policy on the computer.
5462 PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
5463 PAStore Engine polled for changes to the active IPsec policy and detected no changes.
5464 PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
5465 PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
5466 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
5467 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
5468 PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
5471 PAStore Engine loaded local storage IPsec policy on the computer.
5472 PAStore Engine failed to load local storage IPsec policy on the computer.
5473 PAStore Engine loaded directory storage IPsec policy on the computer.
5474 PAStore Engine failed to load directory storage IPsec policy on the computer.
5477 PAStore Engine failed to add quick mode filter.

Source: Microsoft Security Events
