Windows Security Event IDs Guide

The document lists various Windows event IDs related to security events like login failures, account changes, hardware failures, and log clearing. It provides event IDs for different Windows versions for these common security-related events.

Uploaded by

panthergamer539

1. Windows stopped logging security events

Event ID 521: A Windows machine stopped logging security events (unable to log events to the security log)

2. Windows system audit policy changes

Event ID 4719: System audit policy was changed
Applies to Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022.
Corresponding event in Windows 2003 and before: Event ID 612, Audit Policy Change

3. Windows machine rebooted

Event ID 4609: Windows is shutting down
Applies to Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022.
Corresponding event in Windows 2003 and before: Event ID 513, Windows is shutting down

Event ID 4608: Windows is starting up
Applies to Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022.
Corresponding event in Windows 2003 and before: Event ID 512, Windows is starting up (not 513, which is the shutdown event)

Also watch for Event ID 6008 in the System log ("The previous system shutdown was unexpected"). It is written at the next boot when the previous shutdown was not clean, such as a crash or power loss, so it will not be preceded by a 4609.

4. Logs cleared

Event ID 1102: The audit log was cleared
Applies to Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022.
Corresponding event in Windows 2003 and before: Event ID 517, The audit log was cleared

5. Hardware failure

Event ID 474: Hardware failure
Also Event ID 1003

6. Event logs discarded

Event ID 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
Corresponding event in Windows 2003 and before: Event ID 516

7. Account lockout (5 matches in 2 hours)

Event ID 4740: A user account was locked out
Corresponding event in Windows 2003 and before: Event ID 644
Event ID 6279: Network Policy Server locked the user account due to repeated failed authentication attempts

8. High number of login failures (more than 30 in 2 minutes)

The IDs below are the Windows 2003-and-before failure reasons. On Windows 2008 R2 and later a failed logon is reported as a single Event ID 4625 whose Status and Sub Status fields carry the reason (see item 14), and a Kerberos pre-authentication failure (675) is reported as Event ID 4771.

529: Logon Failure - Unknown user name or bad password
530: Logon Failure - Account logon time restriction violation
531: Logon Failure - Account currently disabled
532: Logon Failure - The specified user account has expired
533: Logon Failure - User not allowed to logon at this computer
534: Logon Failure - The user has not been granted the requested logon type at this machine
535: Logon Failure - The specified account's password has expired
536: Logon Failure - The NetLogon component is not active
537: Logon Failure - The logon attempt failed for other reasons
539: Logon Failure - Account locked out
675: Pre-authentication failed

9. Account deleted

Event ID 4726: A user account was deleted (Windows 2003 and before: 630, User Account Deleted)
Event ID 4743: A computer account was deleted (Windows 2003 and before: 647, A computer account was deleted)

10. Account created and deleted within 24 hours

Event ID 4720: A user account was created (Windows 2003 and before: 624, User Account Created)
Event ID 4741: A computer account was created (Windows 2003 and before: 645, Computer Account Created)
Correlate a 4720 with a later 4726 (or a 4741 with a later 4743) for the same account name within 24 hours.

A user account represents you to Active Directory. There is an account name and an account ID number associated with your user account. Your user account is checked every time you type your user name and password, to verify that you are who you say you are, and every time you attempt to access a resource on the Berkeley Lab network, to verify that you are allowed to do what you are attempting to do.

A computer account represents your desktop or laptop computer to Active Directory. There is an account name and an account ID number associated with your computer account. Your computer account is checked every time you type your user name and password, to verify that you are connecting to the Berkeley Lab network from an authorized computer.

11. Account disabled

Event ID 4725: A user account was disabled (Windows 2003 and before: 629, User Account Disabled)

12. Account changed

Event ID 4738: A user account was changed (Windows 2003 and before: 642, User Account Changed)
Event ID 4742: A computer account was changed (Windows 2003 and before: 646, Computer Account Changed)

13. Login attempt for the same account from multiple machines

14. Failed login attempt

Event ID 4625: An account failed to log on
Corresponding events in Windows 2003 and before: 529, 530, 531, 532, 533, 534, 535, 536, 537, 539

15. Successful login attempt after multiple failed logins

16. Same credentials login attempts on multiple machines (2 matches in 5 minutes)

17. Different credentials login attempts on the same machine (4 matches in 2 minutes)
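The thresholds in items 7, 8, 10 and 15 to 17 are correlation rules rather than single event IDs. The following is an added example, not code from the original document, that implements them as sliding-window rules over a constructed sample of event records. The record fields (EventID, TimeCreated, TargetUserName, Computer) are an assumption modelled on the Security log's common fields, the sample events are constructed, and the "success" side of item 15 assumes Event ID 4624 (an account was successfully logged on), which the list above does not mention. Items 16 and 17 are evaluated over failed logons (4625) here; the same functions work over 4624 if you want to correlate successful logons instead.

```python
"""Sliding-window correlation over Windows Security events.

Added example (not from the original document). The records are constructed
samples; their field names (EventID, TimeCreated, TargetUserName, Computer)
are an assumption modelled on the Security log's common fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 8, 0, 0)


def ev(event_id, seconds, user, host):
    """Build one constructed event record `seconds` after T0."""
    return {"EventID": event_id, "TimeCreated": T0 + timedelta(seconds=seconds),
            "TargetUserName": user, "Computer": host}


# Constructed sample feed (not captured logs), deliberately not in time order.
SAMPLE = (
    # 31 failed logons (4625) on WS01 inside 90 s, spread over six accounts
    [ev(4625, i * 3, f"user{i % 6}", "WS01") for i in range(31)]
    # user3 then succeeds on WS01 (4624 is assumed; it is not in the list above)
    + [ev(4624, 100, "user3", "WS01")]
    # svc_backup fails on three different hosts within five minutes
    + [ev(4625, 320, "svc_backup", "WS04"), ev(4625, 200, "svc_backup", "WS02"),
       ev(4625, 260, "svc_backup", "WS03")]
    # jdoe locked out (4740) five times inside two hours
    + [ev(4740, 600 + i * 900, "jdoe", "DC01") for i in range(5)]
    # tmp-admin created (4720) and deleted (4726) three hours later: should alert
    + [ev(4720, 700, "tmp-admin", "DC01"), ev(4726, 700 + 3 * 3600, "tmp-admin", "DC01")]
    # contractor deleted two days after creation: should not alert
    + [ev(4720, 800, "contractor", "DC01"), ev(4726, 800 + 48 * 3600, "contractor", "DC01")]
)


def by_time(events):
    return sorted(events, key=lambda e: e["TimeCreated"])


def window_hits(events, event_id, key, window, threshold, distinct=None):
    """Return the keys (account or host) that accumulate `threshold` events of
    `event_id` inside any sliding `window`. With `distinct`, count distinct
    values of that field (e.g. distinct hosts per account) instead of raw events."""
    hits, buckets = set(), defaultdict(list)
    for e in by_time(events):
        if e["EventID"] != event_id:
            continue
        k = key(e)
        q = buckets[k]
        q.append((e["TimeCreated"], e[distinct] if distinct else None))
        while e["TimeCreated"] - q[0][0] > window:   # expire entries outside the window
            q.pop(0)
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= threshold:
            hits.add(k)
    return hits


def success_after_failures(events, min_failures, window):
    """Accounts whose successful logon (4624) follows at least `min_failures`
    failed logons (4625) for the same account within `window`."""
    hits, fails = set(), defaultdict(list)
    for e in by_time(events):
        user = e["TargetUserName"]
        if e["EventID"] == 4625:
            fails[user].append(e["TimeCreated"])
        elif e["EventID"] == 4624:
            recent = [t for t in fails[user] if e["TimeCreated"] - t <= window]
            if len(recent) >= min_failures:
                hits.add(user)
    return hits


def created_then_deleted(events, window, create_id=4720, delete_id=4726):
    """Accounts created and then deleted within `window` (use 4741/4743 for computers)."""
    created, hits = {}, set()
    for e in by_time(events):
        user = e["TargetUserName"]
        if e["EventID"] == create_id:
            created[user] = e["TimeCreated"]
        elif e["EventID"] == delete_id and user in created:
            if e["TimeCreated"] - created[user] <= window:
                hits.add(user)
    return hits


def run_rules(events):
    """Apply the thresholds from items 7, 8, 10, 15, 16 and 17."""
    def by_user(e):
        return e["TargetUserName"]

    def by_host(e):
        return e["Computer"]

    return {
        "lockout_5_in_2h": window_hits(events, 4740, by_user, timedelta(hours=2), 5),
        "failures_over_30_in_2m": window_hits(events, 4625, by_host, timedelta(minutes=2), 31),
        "same_account_2_hosts_in_5m": window_hits(events, 4625, by_user, timedelta(minutes=5), 2,
                                                  distinct="Computer"),
        "4_accounts_one_host_in_2m": window_hits(events, 4625, by_host, timedelta(minutes=2), 4,
                                                 distinct="TargetUserName"),
        "success_after_failures": success_after_failures(events, 3, timedelta(minutes=2)),
        "created_and_deleted_in_24h": created_then_deleted(events, timedelta(hours=24)),
    }


if __name__ == "__main__":
    for rule, keys in run_rules(SAMPLE).items():
        print(f"{rule}: {sorted(keys) or '-'}")
```

The per-key queue keeps only timestamps inside the window, so memory stays bounded by the window size rather than the log size, and the rules are evaluated on each arriving event rather than on fixed clock buckets (a burst that straddles two buckets is still caught). Feeding real events means mapping the Security log's XML fields onto the four keys used here.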

18. USB storage inserted into a device

This is a registry artifact rather than an event ID. The key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
lists the USB mass-storage device instances that the USBSTOR driver has enumerated on the machine. (The leading "Computer\" shown in Registry Editor is the root of the local registry, not part of the path.)
