Windows Security Log References
Most handy Windows Security Log Event ID’s.
User Account Changes
| Event ID |
Action |
| 4720 |
Created |
| 4722 |
Enabled |
| 4723 |
User changed own password |
| 4724 |
Privileged User changed this user’s password |
| 4725 |
Disabled |
| 4726 |
Deleted |
| 4738 |
Changed |
| 4740 |
Locked out |
| 4767 |
Unlocked |
| 4781 |
Name change |
Group Changes
| Group Changes |
Created |
Changed |
Deleted |
Member Added |
Member Removed |
| Security Local |
4731 |
4737 |
4734 |
4732 |
4733 |
| Security Global |
4727 |
4735 |
4730 |
4728 |
4729 |
| Security Universal |
4754 |
4755 |
4758 |
4756 |
4757 |
| Distribution Local |
4744 |
4745 |
4748 |
4746 |
4747 |
| Distribution Global |
4749 |
4750 |
4753 |
4751 |
4752 |
| Distribution Universal |
4759 |
4760 |
4763 |
4761 |
4762 |
Domain Controller Authentication Events
| Event ID |
Action |
| 4768 |
A Kerberos authentication ticket (TGT) was requested |
| 4771 |
Kerberos pre-authentication failed |
| 4772 |
A Kerberos authentication ticket requested failed |
For both 4771 and 4772 see the following Kerberos Failure Codes
Kerberos Failure Codes
| Event ID |
Action |
| 0x6 |
Bad user name |
| 0x7 |
New computer account? |
| 0x9 |
Administrator should reset password |
| OxC |
Workstation restriction |
| 0x12 |
Account disabled, expired, locked out,logon hours restriction |
| 0x17 |
The user’s password has expired |
| 0x18 |
Bad password |
| 0x20 |
Frequently logged by computer accounts |
| 0x25 |
Workstation’s clock too far out of sync with the DC’s |
Logon Session Events
| Event ID |
Action |
| 4624 |
Successful logon |
| 4647 |
User initiated logoff |
| 4625 |
Logon failure (See Logon Failure Codes) |
| 4778 |
Remote desktop session reconnected |
| 4779 |
Remote desktop session disconnected |
| 4800 |
Workstation locked |
| 4801 |
Workstation unlocked |
| 4802 |
Screen saver invoked |
| 4803 |
Screen saver dismissed |
Logon Types
| Event ID |
Action |
| 2 |
Interactive |
| 3 |
Network (i.e. mapped drive) |
| 4 |
Batch (i.e. schedule task) |
| 5 |
Service (service startup) |
| 7 |
Unlock (i.e. unattended workstation with password protected screen saver) |
| 8 |
Network Cleartext (Most often indicates a logon to IIS with “basic authentication”) |
| 10 |
Remote Desktop |
| 11 |
Logon with cached credentials |
Logon Failure Codes
| Event ID |
Action |
| OxC0000064 |
User name does not exist |
| 0xC000006A |
User name is correct but the password is wrong |
| 0xC0000234 |
User is currently locked out |
| 0xC0000072 |
Account is currently disabled |
| 0xC000006F |
User tried to logon outside his day of week or time of day restrictions |
| 0xC0000070 |
Workstation restriction |
| 0xC00000193 |
Account expiration |
| 0xC0000071 |
Expired password |
| OxC0000133 |
Clocks between DC and other computer too far out of sync |
| OxC0000224 |
User is required to change password at next logon |
| OxC0000225 |
Evidently a bug in Windows and not a risk |
| 0x000015b |
The user has not been granted the requested logon type (aka logon right) at this machine |
URL List