Windows - List of Audit Events

Audit Event IDs list

Audit account logon events

Event ID	Description
4776	The domain controller attempted to validate the credentials for an account
4777	The domain controller failed to validate the credentials for an account
4768	A Kerberos authentication ticket (TGT) was requested
4769	A Kerberos service ticket was requested
4770	A Kerberos service ticket was renewed

Audit account management

Event ID	Description
4741	A computer account was created.
4742	A computer account was changed.
4743	A computer account was deleted.
4739	Domain Policy was changed.
4782	The password hash an account was accessed.
4727	A security enabled global group was created.
4728	A member was added to a security enabled global group.
4729	A member was removed from a security enabled global group.
4730	A security enabled global group was deleted.
4731	A security enabled local group was created.
4732	A member was added to a security enabled local group.
4733	A member was removed from a security enabled local group.
4734	A security enabled local group was deleted.
4735	A security enabled local group was changed.
4737	A security enabled global group was changed.
4754	A security enabled universal group was created.
4755	A security enabled universal group was changed.
4756	A member was added to a security enabled universal group.
4757	A member was removed from a security enabled universal group.
4758	A security enabled universal group was deleted.
4720	A user account was created.
4722	A user account was enabled.
4723	An attempt was made to change an account's password.
4724	An attempt was made to reset an account's password.
4725	A user account was disabled.
4726	A user account was deleted.
4738	A user account was changed.
4740	A user account was locked out.
4765	SID History was added to an account.
4766	An attempt to add SID History to an account failed.
4767	A user account was unlocked.
4780	The ACL was set on accounts which are members of administrators groups.
4781	The name of an account was changed:

Audit directory service access

Event ID	Description
4934	Attributes of an Active Directory object were replicated.
4935	Replication failure begins.
4936	Replication failure ends.
5136	A directory service object was modified.
5137	A directory service object was created.
5138	A directory service object was undeleted.
5139	A directory service object was moved.
5141	A directory service object was deleted.
4932	Synchronization of a replica of an Active Directory naming context has begun.
4933	Synchronization of a replica of an Active Directory naming context has ended.

Audit logon events

Event ID	Description
4634	An account was logged off.
4647	User initiated logoff.
4624	An account was successfully logged on.
4625	An account failed to log on.
4648	A logon was attempted using explicit credentials.
4675	SIDs were filtered.
4649	A replay attack was detected.
4778	A session was reconnected to a Window Station.
4779	A session was disconnected from a Window Station.
4800	The workstation was locked.
4801	The workstation was unlocked.
4802	The screen saver was invoked.
4803	The screen saver was dismissed.
5378	The requested credentials delegation was disallowed by policy.
5632	A request was made to authenticate to a wireless network.
5633	A request was made to authenticate to a wired network.

Audit object access

Event ID	Description
5140	A network share object was accessed.
4664	An attempt was made to create a hard link.
4985	The state of a transaction has changed.
5051	A file was virtualized.
5031	The Windows Firewall Service blocked an application from accepting incoming connections on the network.
4698	A scheduled task was created.
4699	A scheduled task was deleted.
4700	A scheduled task was enabled.
4701	A scheduled task was disabled.
4702	A scheduled task was updated.
4657	A registry value was modified.
5039	A registry key was virtualized.
4660	An object was deleted.
4663	An attempt was made to access an object.

Audit policy change

Event ID	Description
4715	The audit policy (SACL) on an object was changed.
4719	System audit policy was changed.
4902	The Per user audit policy table was created.
4906	The CrashOnAuditFail value has changed.
4907	Auditing settings on object were changed.
4706	A new trust was created to a domain.
4707	A trust to a domain was removed.
4713	Kerberos policy was changed.
4716	Trusted domain information was modified.
4717	System security access was granted to an account.
4718	System security access was removed from an account.
4864	A namespace collision was detected.
4865	A trusted forest information entry was added.
4866	A trusted forest information entry was removed.
4867	A trusted forest information entry was modified.
4704	A user right was assigned.
4705	A user right was removed.
4714	Encrypted data recovery policy was changed.
4944	The following policy was active when the Windows Firewall started.
4945	A rule was listed when the Windows Firewall started.
4946	A change has been made to Windows Firewall exception list. A rule was added.
4947	A change has been made to Windows Firewall exception list. A rule was modified.
4948	A change has been made to Windows Firewall exception list. A rule was deleted.
4949	Windows Firewall settings were restored to the default values.
4950	A Windows Firewall setting has changed.
4951	A rule has been ignored because its major version number was not recognized by Windows Firewall.
4952	Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
4953	A rule has been ignored by Windows Firewall because it could not parse the rule.
4954	Windows Firewall Group Policy settings have changed. The new settings have been applied.
4956	Windows Firewall has changed the active profile.
4957	Windows Firewall did not apply the following rule:
4958	Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
6144	Security policy in the group policy objects has been applied successfully.
6145	One or more errors occurred while processing security policy in the group policy objects.
4670	Permissions on an object were changed.

Audit privilege use

Event ID	Description
4672	Special privileges assigned to new logon.
4673	A privileged service was called.
4674	An operation was attempted on a privileged object.

Audit system events

Event ID	Description
5024	The Windows Firewall Service has started successfully.
5025	The Windows Firewall Service has been stopped.
5027	The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028	The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029	The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030	The Windows Firewall Service failed to start.
5032	Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033	The Windows Firewall Driver has started successfully.
5034	The Windows Firewall Driver has been stopped.
5035	The Windows Firewall Driver failed to start.
5037	The Windows Firewall Driver detected critical runtime error. Terminating.
4608	Windows is starting up.
4609	Windows is shutting down.
4616	The system time was changed.
4621	Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
4697	A service was installed in the system.
4618	A monitored security event pattern has occurred.