Windows Events ID – Part 4

Here are some Windows Event IDs that are helpful in determining the cause of an event.

Subcategory: MPSSVC Rule-Level Policy Change

ID Message
4944 The following policy was active when the Windows Firewall started.
4945 A rule was listed when the Windows Firewall started.
4946 A change has been made to Windows Firewall exception list. A rule was added.
4947 A change has been made to Windows Firewall exception list. A rule was modified.
4948 A change has been made to Windows Firewall exception list. A rule was deleted.
4949 Windows Firewall settings were restored to the default values.
4950 A Windows Firewall setting has changed.
4951 A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952 Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953 A rule has been ignored by Windows Firewall because it could not parse the rule.
4954 Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956 Windows Firewall has changed the active profile.
4957 Windows Firewall did not apply the following rule:
4958 Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
5050 An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on Windows Vista. This has most likely occurred due to a program which is incompatible with Windows Vista. Please contact the program’s manufacturer to make sure you have a Windows Vista compatible program version.

Subcategory: Other Policy Change Events

ID Message
4909 The local policy settings for the TBS were changed.
4910 The group policy settings for the TBS were changed.
5063 A cryptographic provider operation was attempted.
5064 A cryptographic context operation was attempted.
5065 A cryptographic context modification was attempted.
5066 A cryptographic function operation was attempted.
5067 A cryptographic function modification was attempted.
5068 A cryptographic function provider operation was attempted.
5069 A cryptographic function property operation was attempted.
5070 A cryptographic function property modification was attempted.
5447 A Windows Filtering Platform filter has been changed.
6144 Security policy in the group policy objects has been applied successfully.
6145 One or more errors occurred while processing security policy in the group policy objects.

Note: The following event may be generated by any resource manager when its subcategory is enabled. For example, it may be generated by the Registry resource manager or by the File System resource manager.

Subcategory: Special Multi-use Subcategory

ID Message
4670 Permissions on an object were changed.

Category: Privilege Use

Subcategory: Sensitive Privilege Use / Non-Sensitive Privilege Use

ID Message
4672 Special privileges assigned to new logon.
4673 A privileged service was called.
4674 An operation was attempted on a privileged object.

Category: System

Subcategory: IPsec Driver

ID Message
4960 IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
4961 IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
4962 IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
4963 IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
4965 IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
5478 IPsec Services has started successfully.
5479 IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
5480 IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
5483 IPsec Services failed to initialize RPC server. IPsec Services could not be started.
5484 IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
5485 IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

Subcategory: Other System Events

ID Message
5024 The Windows Firewall Service has started successfully.
5025 The Windows Firewall Service has been stopped.
5027 The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028 The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029 The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030 The Windows Firewall Service failed to start.
5032 Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033 The Windows Firewall Driver has started successfully.
5034 The Windows Firewall Driver has been stopped.
5035 The Windows Firewall Driver failed to start.
5037 The Windows Firewall Driver detected critical runtime error. Terminating.
5058 Key file operation.
5059 Key migration operation.

Subcategory: Security State Change

ID Message
4608 Windows is starting up.
4616 The system time was changed.
4621 Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Subcategory: Security System Extension

ID Message
4610 An authentication package has been loaded by the Local Security Authority.
4611 A trusted logon process has been registered with the Local Security Authority.
4614 A notification package has been loaded by the Security Account Manager.
4622 A security package has been loaded by the Local Security Authority.
4697 A service was installed in the system.

Subcategory: System Integrity

ID Message
4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
4615 Invalid use of LPC port.
4618 A monitored security event pattern has occurred.
4816 RPC detected an integrity violation while decrypting an incoming message.
5038 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
5056 A cryptographic self test was performed.
5057 A cryptographic primitive operation failed.
5060 Verification operation failed.
5061 Cryptographic operation.
5062 A kernel-mode cryptographic self test was performed.
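The tables above are only useful once the matching audit subcategories are enabled and the Security log is actually queried. The following PowerShell script is an added example, not part of the original article: it groups the IDs from these tables into a small triage watchlist and pulls the last 24 hours of matching events from the local Security log. The grouping names are my own; it assumes the relevant audit subcategories are already enabled and that the script runs with rights to read the Security log.

```powershell
# Added example: query the local Security log for the event IDs listed in the
# tables above, grouped by what each group indicates during triage.
# Assumes: the corresponding audit subcategories are enabled and the caller can
# read the Security log (Administrators or Event Log Readers).

$watchlist = [ordered]@{
    'Firewall rule added/modified/deleted'   = 4946, 4947, 4948
    'Firewall settings changed or defaulted' = 4949, 4950, 4954
    'Firewall service or driver stopped'     = 5025, 5030, 5034, 5035
    'IPsec replay / clear-text / bad SPI'    = 4961, 4962, 4963, 4965
    'IPsec Services stopped or failed'       = 5479, 5483, 5484
    'Service installed'                      = 4697
    'Special privileges assigned to logon'   = 4672
    'Code integrity hash invalid'            = 5038
    'System time changed'                    = 4616
    'Audit queue exhausted (lost audits)'    = 4612
}

$since = (Get-Date).AddHours(-24)

foreach ($name in $watchlist.Keys) {
    $filter = @{ LogName = 'Security'; Id = $watchlist[$name]; StartTime = $since }

    # Get-WinEvent raises a non-terminating error when nothing matches,
    # so suppress it and test the result instead.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { continue }

    "`n=== $name : $(@($events).Count) event(s) ==="
    $events |
        Select-Object TimeCreated, Id,
            # First line of the message is the short description shown in the tables.
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

If a group never returns anything, check the audit policy first (for example `auditpol /get /category:*`); the firewall rule events only appear when the "MPSSVC Rule-Level Policy Change" subcategory is enabled. Expect 4672 to be noisy on any host where administrators log on routinely, so in practice it is filtered by account or used as context rather than as an alert on its own.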

Source : Microsoft Security Events
