Windows Security Log References
Most handy Windows Security Log Event ID’s.
User Account Changes
| Event ID | Action |
|---|---|
| 4720 | Created |
| 4722 | Enabled |
| 4723 | User changed own password |
| 4724 | Privileged User changed this user’s password |
| 4725 | Disabled |
| 4726 | Deleted |
| 4738 | Changed |
| 4740 | Locked out |
| 4767 | Unlocked |
| 4781 | Name change |
Group Changes
| Group Changes | Created | Changed | Deleted | Member Added | Member Removed |
|---|---|---|---|---|---|
| Security Local | 4731 | 4737 | 4734 | 4732 | 4733 |
| Security Global | 4727 | 4735 | 4730 | 4728 | 4729 |
| Security Universal | 4754 | 4755 | 4758 | 4756 | 4757 |
| Distribution Local | 4744 | 4745 | 4748 | 4746 | 4747 |
| Distribution Global | 4749 | 4750 | 4753 | 4751 | 4752 |
| Distribution Universal | 4759 | 4760 | 4763 | 4761 | 4762 |
Domain Controller Authentication Events
| Event ID | Action |
|---|---|
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4771 | Kerberos pre-authentication failed |
| 4772 | A Kerberos authentication ticket requested failed |
For both 4771 and 4772 see the following Kerberos Failure Codes
Kerberos Failure Codes
| Event ID | Action |
|---|---|
| 0x6 | Bad user name |
| 0x7 | New computer account? |
| 0x9 | Administrator should reset password |
| OxC | Workstation restriction |
| 0x12 | Account disabled, expired, locked out,logon hours restriction |
| 0x17 | The user’s password has expired |
| 0x18 | Bad password |
| 0x20 | Frequently logged by computer accounts |
| 0x25 | Workstation’s clock too far out of sync with the DC’s |
Logon Session Events
| Event ID | Action |
|---|---|
| 4624 | Successful logon |
| 4647 | User initiated logoff |
| 4625 | Logon failure (See Logon Failure Codes) |
| 4778 | Remote desktop session reconnected |
| 4779 | Remote desktop session disconnected |
| 4800 | Workstation locked |
| 4801 | Workstation unlocked |
| 4802 | Screen saver invoked |
| 4803 | Screen saver dismissed |
Logon Types
| Event ID | Action |
|---|---|
| 2 | Interactive |
| 3 | Network (i.e. mapped drive) |
| 4 | Batch (i.e. schedule task) |
| 5 | Service (service startup) |
| 7 | Unlock (i.e. unattended workstation with password protected screen saver) |
| 8 | Network Cleartext (Most often indicates a logon to IIS with “basic authentication”) |
| 10 | Remote Desktop |
| 11 | Logon with cached credentials |
Logon Failure Codes
| Event ID | Action |
|---|---|
| OxC0000064 | User name does not exist |
| 0xC000006A | User name is correct but the password is wrong |
| 0xC0000234 | User is currently locked out |
| 0xC0000072 | Account is currently disabled |
| 0xC000006F | User tried to logon outside his day of week or time of day restrictions |
| 0xC0000070 | Workstation restriction |
| 0xC00000193 | Account expiration |
| 0xC0000071 | Expired password |
| OxC0000133 | Clocks between DC and other computer too far out of sync |
| OxC0000224 | User is required to change password at next logon |
| OxC0000225 | Evidently a bug in Windows and not a risk |
| 0x000015b | The user has not been granted the requested logon type (aka logon right) at this machine |