# Event Codes
[Ultimate Windows Security Encyclopedia](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/)
{% file src="/files/hVLmYGEOyEyz6LmbcHx4" %}
| Type | Event ID |
| :--------------------------------------------------------------------------: | :-----------------------------------------------------------------------------------------------------------------: |
| New Process Created | [4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688) |
| User Account Created | [4720](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720) |
| User Account Enabled | [4722](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722) |
| Attempts to reset accounts password | [4724](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4724) |
| Delete User | [4726](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726) |
| User added to a security-enabled **global** group | [4728](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728) |
| User added to a security-enabled **local** group | [4732](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732) |
| Clear Event Log | [1102](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102) |
| Logon Success | [4624](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624) (Logon Type 3, 10) |
| Logon Failed | [4625](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625) (Logon Type 3, 10) |
| A service was installed in the system | [4697](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4697) |
| User Account locked out | [4740](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740) |
| User Account Unlocked | [4767](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767) |
| Terminal Service Session Reconnected | [4778](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778) |
| Terminal Service Session Reconnected | [4779](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779) |
| User Initiated Logoff | [4647](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4647) |
| Object Permission Changed | [4670](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670) |
| NTLM over kerberos (DC attempted to validate the credentials for an account) | [4776](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776) |
| An attempt was made to access an object | [4663](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663) |
| A handle to an object was requested with intent to delete | [4659](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4659) |
| An object was deleted | [4660](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4660) |
| Disable Firewall | 2003 |
| Create Services | 7030, 7045 |
| Applocker | 8003, 8004, 8006, 8007 |
| Service Terminated Unexpectedly | 7034 |
| Service Start Type Change (disabled, manual, automatic) | 7040 |
| Service Start / Stop | 7036 |
| DC sync based activity | 4662 |
| Insert USB | 7045
10000, 10001, 10100
20001, 20001, 20003
24576, 24577, 24579
|
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://cybersec.th4ntis.com/windows/event-codes.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.