Event Codes

Windows Common/Useful Event Codes

Ultimate Windows Security Encyclopedia

TypeEvent ID

New Process Created

User Account Created

User Account Enabled

Attempts to reset accounts password

Delete User

User added to a security-enabled global group

User added to a security-enabled local group

Clear Event Log

Logon Success

4624 (Logon Type 3, 10)

Logon Failed

4625 (Logon Type 3, 10)

A service was installed in the system

User Account locked out

User Account Unlocked

Terminal Service Session Reconnected

Terminal Service Session Reconnected

User Initiated Logoff

Object Permission Changed

NTLM over kerberos (DC attempted to validate the credentials for an account)

An attempt was made to access an object

A handle to an object was requested with intent to delete

An object was deleted

Disable Firewall


Create Services

7030, 7045


8003, 8004, 8006, 8007

Service Terminated Unexpectedly


Service Start Type Change (disabled, manual, automatic)


Service Start / Stop


DC sync based activity


Insert USB

7045 10000, 10001, 10100 20001, 20001, 20003 24576, 24577, 24579

Last updated