Event Codes

Windows Common/Useful Event Codes

Type

Event ID

New Process Created

4688

User Account Created

4720

User Account Enabled

4722

Attempts to reset accounts password

4724

Delete User

4726

User added to a security-enabled global group

4728

User added to a security-enabled local group

4732

Clear Event Log

1102

Logon Success

4624 (Logon Type 3, 10)

Logon Failed

4625 (Logon Type 3, 10)

A service was installed in the system

4697

User Account locked out

4740

User Account Unlocked

4767

Terminal Service Session Reconnected

4778

Terminal Service Session Reconnected

4779

User Initiated Logoff

4647

Object Permission Changed

4670

NTLM over kerberos (DC attempted to validate the credentials for an account)

4776

An attempt was made to access an object

4663

A handle to an object was requested with intent to delete

4659

An object was deleted

4660

Disable Firewall

2003

Create Services

7030, 7045

Applocker

8003, 8004, 8006, 8007

Service Terminated Unexpectedly

7034

Service Start Type Change (disabled, manual, automatic)

7040

Service Start / Stop

7036

DC sync based activity

4662

Insert USB

7045 10000, 10001, 10100 20001, 20001, 20003 24576, 24577, 24579

Last updated 1 year ago