List of most common and useful Windows Event IDs
Here is a list of the most common / useful Windows Event IDs.

| Event Log, Source | EventID (Pre-Vista) | EventID (Post-Vista) | Description |
|---|---|---|---|
| Security, Security | 512 | 4608 | Windows NT is starting up. |
| Security, Security | 513 | 4609 | Windows is shutting down. |
| Security, USER32 | --- | 1074 | The process nnn has initiated the restart of computer. |
| Security, Security | 514 | 4610 | An authentication package has been loaded by the Local Security Authority. |
| Security, Security | 515 | 4611 | A trusted logon process has registered with the Local Security Authority. |
| Security, Security | 516 | 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| Security, Security | 518 | 4614 | A notification package has been loaded by the Security Account Manager. |
| Security, Security | 519 | 4615 | A process is using an invalid local procedure call (LPC) port. |
| Security, Security | 520 | 4616 | The system time was changed. |
| Security, Security | 521 | --- | Unable to log events to security log. |
| Security, Security (Logon/Logoff) | 528 | 4624 | Successful Logon. |
| Security, Security (Logon/Logoff) | 540 | 4624 | Successful Network Logon. |
| Security, Security (Logon/Logoff) | 529 | 4625 | Logon Failure - Unknown user name or bad password. |
| Security, Security (Logon/Logoff) | 530 | 4625 | Logon Failure - Account logon time restriction violation. |
| Security, Security (Logon/Logoff) | 531 | 4625 | Logon Failure - Account currently disabled. |
| Security, Security (Logon/Logoff) | 532 | 4625 | Logon Failure - The specified user account has expired. |
| Security, Security (Logon/Logoff) | 533 | 4625 | Logon Failure - User not allowed to logon at this computer. |
| Security, Security (Logon/Logoff) | 534 | 4625 | Logon Failure - The user has not been granted the requested logon type at this machine. |
| Security, Security (Logon/Logoff) | 535 | 4625 | Logon Failure - The specified account's password has expired. |
| Security, Security (Logon/Logoff) | 536 | 4625 | Logon Failure - The NetLogon component is not active. |
| Security, Security (Logon/Logoff) | 537 | 4625 | Logon Failure - The logon attempt failed for other reasons. |
| Security, Security (Logon/Logoff) | 538 | 4634 | User Logoff. |
| Security, Security (Logon/Logoff) | 539 | 4625 | Logon Failure - Account locked out. |
| Security, Security (Logon/Logoff) | --- | 4646 | IKE DoS-prevention mode started. |
| Security, Security (Logon/Logoff) | 551 | 4647 | User initiated logoff. |
| Security, Security (Logon/Logoff) | 552 | 4648 | A logon was attempted using explicit credentials. |
| Security, Security (Logon/Logoff) | 553 | 4649 | A replay attack was detected. |
| Security, Security (Logon/Logoff) | 601 | 4697 | A service was installed in the system. |
| Security, Object access | --- | 4688 | A new process created. |
| Security, Object access | --- | 4697 | A new service installed. |
| Security, Object access | 602 | 4698 | A scheduled task was created. |
| Security, Object access | 602 | 4699 | A scheduled task was deleted. |
| Security, Object access | 602 | 4700 | A scheduled task was enabled. |
| Security, Object access | 602 | 4701 | A scheduled task was disabled. |
| Security, Object access | 602 | 4702 | A scheduled task was updated. |
| Security, Account Management | 624 | 4720 | User Account Created. |
| Security, Account Management | 626 | 4722 | User Account Enabled. |
| Security, Account Management | 627 | 4723 | Change Password Attempt. |
| Security, Account Management | 628 | 4724 | User Account password set. |
| Security, Account Management | 629 | 4725 | User Account Disabled. |
| Security, Account Management | 630 | 4726 | User Account Deleted. |
| Security, Account Management | 636 | 4732 | Local User Account Created. |
| Security, Account Management | 642 | 4738 | User Account Changed. |
| Security, Account Management | 643 | 4739 | GPO changed. |
| Security, Account Management | 644 | 4740 | User Account Locked Out. |
| Security, Account Management | 645 | 4741 | Computer Account Created. |
| Security, Account Management | 646 | 4742 | Computer Account Changed. |
| Security, Account Management | 647 | 4743 | Computer Account Deleted. |
| Security, Account Management | 671 | 4767 | A user account was unlocked. |
| Security, Security (Logon/Logoff) | --- | 4768 | Kerberos TGT was requested. |
| Security, Security (Logon/Logoff) | --- | 4771 | Kerberos pre-authentication failed. |
| Security, Security (Logon/Logoff) | --- | 4772 | Kerberos TGT request failed. |
| Security, Security (Logon/Logoff) | 678 | 4774 | An account was mapped for logon. |
| Security, Security (Logon/Logoff) | 679 | 4775 | The name: %2 could not be mapped for logon by: %1 |
| Security, Security (Logon/Logoff) | 680 | 4776 | Account Used for Logon by. |
| Security, Security (Logon/Logoff) | 681 | 4777 | The logon to account: %2 by: %1 from workstation: %3 failed. |
| Security, Security (Logon/Logoff) | 682 | 4778 | Session reconnected to winstation. |
| Security, Security (Logon/Logoff) | 683 | 4779 | Session disconnected from winstation. |
| Security, Security (Logon/Logoff) | --- | 4800 | The workstation was locked. |
| Security, Security (Logon/Logoff) | --- | 4801 | The workstation was unlocked. |
| Security, Security (Logon/Logoff) | --- | 4802 | The screen saver was invoked. |
| Security, Security (Logon/Logoff) | --- | 4803 | The screen saver was dismissed. |
| Security, Account Management | --- | 5136 | GPO changed. |
| Security, Account Management | --- | 5137 | GPO created. |
| Security, Account Management | --- | 5141 | GPO deleted. |
| System, EventLog | 6005 | 6005 | The event log was started. |
| System, EventLog | 6006 | 6006 | The Event log service was stopped. |
| System, EventLog | 6013 | 6013 | System uptime. |
| System, EventLog | 517 | 1102 | The audit log was cleared. |
| System, EventLog | --- | 1104 | The security Log is now full. |
| System, EventLog | --- | 1105 | Event log automatic backup. |
| System, EventLog | --- | 1108 | The event logging service encountered an error. |
| System, Service Control Manager | 7035 | 7035 | The nnn service was successfully sent a start/Stop control. |
| System, Service Control Manager | 7036 | 7036 | The nnn service entered the Running/Stopped state. |
| System, W32Time | 29 | 29 | The time provider NtpClient is configured to acquire time from one or more time sources; however none of the sources are currently accessible. |
| System, W32Time | 38 | 38 | The time provider NtpClient cannot reach or is currently receiving invalid time data. |
| System, W32Time | 47 | 47 | Time Provider NtpClient: No valid response received. |
| External media detection | --- | 43 | New device information. |
| External media detection | --- | 400 | New mass storage installation. |
| Software and service installation | --- | 903,903 | New application installation. |
| Software and service installation | --- | 905,906 | Updated application. |
| Software and service installation | --- | 907,908 | Removed application. |
| Software and service installation | --- | 1022,1033 | New MSI file installed. |
| Software and service installation | --- | 6 | New kernel filter driver. |

AD/Server groups Event IDs:

| Group changes | Scope | Created | Changed | Deleted | Member added | Member removed |
|---|---|---|---|---|---|---|
| Security | Local | 4731 | 4737 | 4734 | 4732 | 4733 |
| Security | Global | 4727 | 4735 | 4730 | 4728 | 4729 |
| Security | Universal | 4754 | 4755 | 4758 | 4756 | 4757 |
| Distribution | Local | 4744 | 4745 | 4748 | 4746 | 4747 |
| Distribution | Global | 4749 | 4750 | 4753 | 4751 | 4752 |
| Distribution | Universal | 4759 | 4760 | 4763 | 4761 | 4762 |

All logon/logoff events include a Logon Type code, which gives the precise type of logon or logoff:

- 2 Interactive
- 3 Network (remote file shares / printers / IIS)
- 4 Batch (scheduled task)
- 5 Service (service account)
- 7 Unlock
- 8 NetworkCleartext (IIS)
- 9 NewCredentials (RunAs /netonly)
- 10 RemoteInteractive (Terminal Services, RDP)
- 11 CachedInteractive (cached credentials)

When working with Event IDs, it can be important to specify the source in addition to the ID: the same number can have different meanings in different logs from different sources.
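
The following is an added example, not part of the original post: it parses events in the Windows event XML layout, matches them on log, source and ID together, and decodes the Logon Type code listed above. The sample events, the `ExampleApp` source and all helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SEC = "Microsoft-Windows-Security-Auditing"  # post-Vista Security log provider
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Lookup keyed on (log, source, ID), never on the ID alone.
KNOWN = {
    ("Security", SEC, 4624): "Successful Logon",
    ("Security", SEC, 4625): "Logon Failure",
}

def parse_event(xml_text):
    """Extract log, source, ID and the named EventData fields from one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"log": system.findtext("e:Channel", namespaces=NS),
            "source": system.find("e:Provider", NS).get("Name"),
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "data": data}

def describe(event):
    """Return (description, logon type name), or None when log/source/ID differ."""
    desc = KNOWN.get((event["log"], event["source"], event["id"]))
    if desc is None:
        return None
    raw = event["data"].get("LogonType", "")
    name = LOGON_TYPES.get(int(raw), f"Unknown ({raw})") if raw.isdigit() else "n/a"
    return desc, name

def _sample(log, source, event_id, **data):
    """Build one constructed event (hypothetical helper for this example)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{source}"/>'
            f'<EventID>{event_id}</EventID><Channel>{log}</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')

SAMPLES = [  # constructed sample events, not taken from a real system
    _sample("Security", SEC, 4625, TargetUserName="alice", LogonType=10),
    _sample("Security", SEC, 4624, TargetUserName="svc_backup", LogonType=5),
    _sample("Application", "ExampleApp", 4625, Message="job finished"),
]

def report(xml_events=SAMPLES):
    """Classify each event; the same ID from another source stays unmatched."""
    return [(e["log"], e["id"], describe(e)) for e in map(parse_event, xml_events)]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The third sample carries ID 4625 but comes from a different log and source, so it is not reported as a logon failure.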