You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36 KiB
36 KiB
| 1 | EventCode | LogName | desc |
|---|---|---|---|
| 2 | 614 | Directory Service | A corrupt index has been detected |
| 3 | 1014 | Directory Service | The KCC failed to update the replication topology for the local DS |
| 4 | 1083 | Directory Service | Directory is busy and cannot complete replication (KB296714) |
| 5 | 1084 | Directory Service | Inbound Replication Failure |
| 6 | 1115 | Directory Service | Outbound replication has been disabled by the user |
| 7 | 1173 | Directory Service | AD DS encountered an exception (see event details) |
| 8 | 1188 | Directory Service | A replication thread "hung" and was cancelled |
| 9 | 1203 | Directory Service | Replication failed because of a schema mismatch |
| 10 | 1220 | Directory Service | LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate |
| 11 | 1232 | Directory Service | An RPC Call initiated by AD DS timed out |
| 12 | 1307 | Directory Service | Attempts to connect for replication have failed |
| 13 | 1308 | Directory Service | Attempts to connect for replication have failed |
| 14 | 1311 | Directory Service | Not enough information to generate a complete spanning tree topology (KB214745) |
| 15 | 1419 | Directory Service | Local DC is both GC and Infrastructure Master. These are incompatible roles |
| 16 | 1458 | Directory Service | A FSMO Role has moved |
| 17 | 1463 | Directory Service | Corrupt indices have been detected and will be rebuilt. |
| 18 | 1481 | Directory Service | Operation on an object failed (see event details) |
| 19 | 1566 | Directory Service | No available DCs in the site are available for replication |
| 20 | 1659 | Directory Service | Removal of a directory partition has resumed |
| 21 | 1699 | Directory Service | Replication access was denied (KB953392) |
| 22 | 1800 | Directory Service | Partial replica found,but no writeable source found |
| 23 | 1801 | Directory Service | Directory Partition has not been instantiated and no replication hosts found |
| 24 | 1844 | Directory Service | Local DC cannot connect to a remote DC for name resolution |
| 25 | 1865 | Directory Service | Production of the AD Spanning Tree failed (replication will fail) |
| 26 | 1925 | Directory Service | Attempt to establish a writable replication link failed |
| 27 | 1926 | Directory Service | Attempt to establish a replication link failed |
| 28 | 1988 | Directory Service | Attempt to replicate a non-existant object (KB870695) |
| 29 | 2002 | Directory Service | The KCC did not run successfully (problem with object) |
| 30 | 2041 | Directory Service | Duplicate Event Log Entries were suppressed |
| 31 | 2052 | Directory Service | Replication: Bridgeheads created back channel due to issues connecting for Replication |
| 32 | 2054 | Directory Service | Replciation: KCC detected a back channel between bridgeheads (Replication Failure) |
| 33 | 2087 | Directory Service | DNS Name Resolution of a DC Failed (KB824449) |
| 34 | 2088 | Directory Service | Replication used NetBIOS because DNS Failed (KB824449) |
| 35 | 2089 | Directory Service | A Directory Partition has not been backed up (KB914034) |
| 36 | 2108 | Directory Service | Repair Procedures for a preceding Event ID 1084 (KB837932) |
| 37 | 2513 | Directory Service | Failed to set the desired authentication protocol for a connection to a DSA |
| 38 | 2886 | Directory Service | AD Server is accepting insecure SASL LDAP binds |
| 39 | 2887 | Directory Service | Some clients performed insecure LDAP binds |
| 40 | 16650 | Directory Service | Account Identifier Allocator failed to initialize properly (KB839879) |
| 41 | 36886 | Directory Service | No default server credentials available |
| 42 | 512 | Security | Windows NT is starting up |
| 43 | 513 | Security | Windows is shutting down |
| 44 | 514 | Security | An authentication package has been loaded by the Local Security Authority |
| 45 | 515 | Security | A trusted logon process has registered with the Local Security Authority |
| 46 | 516 | Security | Internal resources exhausted - loss of events |
| 47 | 517 | Security | The audit log was cleared |
| 48 | 518 | Security | A notification package has been loaded by the Security Account Manager |
| 49 | 519 | Security | A process is using an invalid local procedure call (LPC) port |
| 50 | 520 | Security | The system time was changed |
| 51 | 528 | Security | Successful Logon |
| 52 | 529 | Security | Logon Failure - Unknown user name or bad password |
| 53 | 530 | Security | Logon Failure - Account logon time restriction violation |
| 54 | 531 | Security | Logon Failure - Account currently disabled |
| 55 | 532 | Security | Logon Failure - The specified user account has expired |
| 56 | 533 | Security | Logon Failure - User not allowed to logon at this computer |
| 57 | 534 | Security | Logon Failure - The user has not been granted the requested logon type at this machine |
| 58 | 535 | Security | Logon Failure - The specified account's password has expired |
| 59 | 536 | Security | Logon Failure - The NetLogon component is not active |
| 60 | 537 | Security | Logon failure - The logon attempt failed for other reasons. |
| 61 | 538 | Security | User Logoff |
| 62 | 539 | Security | Logon Failure - Account locked out |
| 63 | 540 | Security | Successful Network Logon |
| 64 | 551 | Security | User initiated logoff |
| 65 | 552 | Security | Logon attempt using explicit credentials |
| 66 | 560 | Security | Object Open |
| 67 | 561 | Security | Handle Allocated |
| 68 | 562 | Security | Handle Closed |
| 69 | 563 | Security | Object Open for Delete |
| 70 | 564 | Security | Object Deleted |
| 71 | 565 | Security | Object Open (Active Directory) |
| 72 | 566 | Security | Object Operation (W3 Active Directory) |
| 73 | 567 | Security | Object Access Attempt |
| 74 | 576 | Security | Special privileges assigned to new logon |
| 75 | 577 | Security | Privileged Service Called |
| 76 | 578 | Security | Privileged object operation |
| 77 | 592 | Security | A new process has been created |
| 78 | 593 | Security | A process has exited |
| 79 | 594 | Security | A handle to an object has been duplicated |
| 80 | 595 | Security | Indirect access to an object has been obtained |
| 81 | 600 | Security | A process was assigned a primary token |
| 82 | 601 | Security | Attempt to install service |
| 83 | 602 | Security | Scheduled Task created |
| 84 | 608 | Security | User Right Assigned |
| 85 | 609 | Security | User Right Removed |
| 86 | 610 | Security | New Trusted Domain |
| 87 | 611 | Security | Removing Trusted Domain |
| 88 | 612 | Security | Audit Policy Change |
| 89 | 613 | Security | IPSec policy agent started |
| 90 | 614 | Security | IPSec policy agent disabled |
| 91 | 615 | Security | IPSEC PolicyAgent Service |
| 92 | 616 | Security | IPSec policy agent encountered a potentially serious failure. |
| 93 | 617 | Security | Kerberos Policy Changed |
| 94 | 618 | Security | Encrypted Data Recovery Policy Changed |
| 95 | 619 | Security | Quality of Service Policy Changed |
| 96 | 620 | Security | Trusted Domain Information Modified |
| 97 | 621 | Security | System Security Access Granted |
| 98 | 622 | Security | System Security Access Removed |
| 99 | 623 | Security | Per User Audit Policy was refreshed |
| 100 | 624 | Security | User Account Created |
| 101 | 625 | Security | User Account Type Changed |
| 102 | 626 | Security | User Account Enabled |
| 103 | 627 | Security | Change Password Attempt |
| 104 | 628 | Security | User Account password set |
| 105 | 629 | Security | User Account Disabled |
| 106 | 630 | Security | User Account Deleted |
| 107 | 631 | Security | Security Enabled Global Group Created |
| 108 | 632 | Security | Security Enabled Global Group Member Added |
| 109 | 633 | Security | Security Enabled Global Group Member Removed |
| 110 | 634 | Security | Security Enabled Global Group Deleted |
| 111 | 635 | Security | Security Enabled Local Group Created |
| 112 | 636 | Security | Security Enabled Local Group Member Added |
| 113 | 637 | Security | Security Enabled Local Group Member Removed |
| 114 | 638 | Security | Security Enabled Local Group Deleted |
| 115 | 639 | Security | Security Enabled Local Group Changed |
| 116 | 640 | Security | General Account Database Change |
| 117 | 641 | Security | Security Enabled Global Group Changed |
| 118 | 642 | Security | User Account Changed |
| 119 | 643 | Security | Domain Policy Changed |
| 120 | 644 | Security | User Account Locked Out |
| 121 | 645 | Security | Computer Account Created |
| 122 | 646 | Security | Computer Account Changed |
| 123 | 647 | Security | Computer Account Deleted |
| 124 | 648 | Security | Security Disabled Local Group Created |
| 125 | 649 | Security | Security Disabled Local Group Changed |
| 126 | 650 | Security | Security Disabled Local Group Member Added |
| 127 | 651 | Security | Security Disabled Local Group Member Removed |
| 128 | 652 | Security | Security Disabled Local Group Deleted |
| 129 | 653 | Security | Security Disabled Global Group Created |
| 130 | 654 | Security | Security Disabled Global Group Changed |
| 131 | 655 | Security | Security Disabled Global Group Member Added |
| 132 | 656 | Security | Security Disabled Global Group Member Removed |
| 133 | 657 | Security | Security Disabled Global Group Deleted |
| 134 | 658 | Security | Security Enabled Universal Group Created |
| 135 | 659 | Security | Security Enabled Universal Group Changed |
| 136 | 660 | Security | Security Enabled Universal Group Member Added |
| 137 | 661 | Security | Security Enabled Universal Group Member Removed |
| 138 | 662 | Security | Security Enabled Universal Group Deleted |
| 139 | 663 | Security | Security Disabled Universal Group Created |
| 140 | 664 | Security | Security Disabled Universal Group Changed |
| 141 | 665 | Security | Security Disabled Universal Group Member Added |
| 142 | 666 | Security | Security Disabled Universal Group Member Removed |
| 143 | 667 | Security | Security Disabled Universal Group Deleted |
| 144 | 668 | Security | Group Type Changed |
| 145 | 669 | Security | Add SID History |
| 146 | 670 | Security | Add SID History |
| 147 | 671 | Security | User Account Unlocked |
| 148 | 672 | Security | Authentication Ticket Granted |
| 149 | 673 | Security | Service Ticket Granted |
| 150 | 674 | Security | Ticket Granted Renewed |
| 151 | 675 | Security | Pre-authentication failed |
| 152 | 676 | Security | Authentication Ticket Request Failed |
| 153 | 677 | Security | Service Ticket Request Failed |
| 154 | 678 | Security | Account Mapped for Logon by |
| 155 | 679 | Security | Account could not be mapped for logon |
| 156 | 680 | Security | Account Used for Logon by |
| 157 | 681 | Security | Logon to Account failed |
| 158 | 682 | Security | Session reconnected to winstation |
| 159 | 683 | Security | Session disconnected from winstation |
| 160 | 684 | Security | Set ACLs of members in administrators groups |
| 161 | 685 | Security | Account Name Changed |
| 162 | 686 | Security | Password of the following user accessed |
| 163 | 687 | Security | Basic Application Group Created |
| 164 | 688 | Security | Basic Application Group Changed |
| 165 | 689 | Security | Basic Application Group Member Added |
| 166 | 690 | Security | Basic Application Group Member Removed |
| 167 | 691 | Security | Basic Application Group Non-Member Added |
| 168 | 692 | Security | Basic Application Group Non-Member Removed |
| 169 | 693 | Security | Basic Application Group Deleted |
| 170 | 694 | Security | LDAP Query Group Created |
| 171 | 695 | Security | LDAP Query Group Changed |
| 172 | 696 | Security | LDAP Query Group Deleted |
| 173 | 697 | Security | Password Policy Checking API is called |
| 174 | 806 | Security | Per User Audit Policy was refreshed |
| 175 | 807 | Security | Per user auditing policy set for user |
| 176 | 808 | Security | A security event source has attempted to register |
| 177 | 809 | Security | A security event source has attempted to unregister |
| 178 | 848 | Security | The following policy was active when the Windows Firewall started |
| 179 | 849 | Security | An application was listed as an exception when the Windows Firewall started |
| 180 | 850 | Security | A port was listed as an exception when the Windows Firewall started |
| 181 | 851 | Security | A change has been made to Windows Firewall exception list |
| 182 | 852 | Security | A change has been made to the Windows Firewall port exception list |
| 183 | 854 | Security | A Windows Firewall setting has changed |
| 184 | 855 | Security | ICMP settings changed |
| 185 | 856 | Security | A rule has been partially ignored by Windows Firewall |
| 186 | 857 | Security | A rule has been rejected by Windows Firewall |
| 187 | 858 | Security | The Windows Firewall group policy settings have been removed |
| 188 | 859 | Security | The Windows Firewall group policy settings have been removed |
| 189 | 860 | Security | The Windows Firewall has switched the active policy profile |
| 190 | 861 | Security | The Windows Firewall has detected an application listening for incoming traffic |
| 191 | 1100 | Security | The event logging service has shut down |
| 192 | 1101 | Security | Audit events have been dropped by the transport. |
| 193 | 1102 | Security | The audit log was cleared |
| 194 | 1104 | Security | The security Log is now full |
| 195 | 1105 | Security | Event log automatic backup |
| 196 | 1108 | Security | The event logging service encountered an error |
| 197 | 4500 | Security | Metabase Add Key |
| 198 | 4501 | Security | Metabase Delete Key |
| 199 | 4502 | Security | Metabase Delete Chid Keys |
| 200 | 4503 | Security | Metabase Copy Key |
| 201 | 4504 | Security | Metabase Rename Key |
| 202 | 4505 | Security | Metabase Set Data |
| 203 | 4506 | Security | Metabase Delete Data |
| 204 | 4507 | Security | Metabase Delete All Data |
| 205 | 4508 | Security | Metabase Copy Data |
| 206 | 4509 | Security | Metabase Set Last Change Time |
| 207 | 4510 | Security | Metabase Restore |
| 208 | 4511 | Security | Metabase Delete Backup |
| 209 | 4512 | Security | Metabase Import |
| 210 | 4608 | Security | Windows is starting up |
| 211 | 4609 | Security | Windows is shutting down |
| 212 | 4610 | Security | An authentication package has been loaded by the Local Security Authority |
| 213 | 4611 | Security | A trusted logon process has been registered with the Local Security Authority |
| 214 | 4612 | Security | Internal resources exhausted - loss of events |
| 215 | 4614 | Security | A notification package has been loaded by the Security Account Manager. |
| 216 | 4615 | Security | Invalid use of LPC port |
| 217 | 4616 | Security | The system time was changed. |
| 218 | 4618 | Security | A monitored security event pattern has occurred |
| 219 | 4621 | Security | Administrator recovered system from CrashOnAuditFail |
| 220 | 4622 | Security | A security package has been loaded by the Local Security Authority. |
| 221 | 4624 | Security | An account was successfully logged on |
| 222 | 4625 | Security | An account failed to log on |
| 223 | 4634 | Security | An account was logged off |
| 224 | 4646 | Security | IKE DoS-prevention mode started. |
| 225 | 4647 | Security | User initiated logoff |
| 226 | 4648 | Security | A logon was attempted using explicit credentials |
| 227 | 4649 | Security | A replay attack was detected |
| 228 | 4650 | Security | An IPsec Main Mode security association was established |
| 229 | 4651 | Security | An IPsec Main Mode security association was established |
| 230 | 4652 | Security | An IPsec Main Mode negotiation failed |
| 231 | 4653 | Security | An IPsec Main Mode negotiation failed |
| 232 | 4654 | Security | An IPsec Quick Mode negotiation failed |
| 233 | 4655 | Security | An IPsec Main Mode security association ended |
| 234 | 4656 | Security | A handle to an object was requested |
| 235 | 4657 | Security | A registry value was modified |
| 236 | 4658 | Security | The handle to an object was closed |
| 237 | 4659 | Security | A handle to an object was requested with intent to delete |
| 238 | 4660 | Security | An object was deleted |
| 239 | 4661 | Security | A handle to an object was requested |
| 240 | 4662 | Security | An operation was performed on an object |
| 241 | 4663 | Security | An attempt was made to access an object |
| 242 | 4664 | Security | An attempt was made to create a hard link |
| 243 | 4665 | Security | An attempt was made to create an application client context. |
| 244 | 4666 | Security | An application attempted an operation |
| 245 | 4667 | Security | An application client context was deleted |
| 246 | 4668 | Security | An application was initialized |
| 247 | 4670 | Security | Permissions on an object were changed |
| 248 | 4671 | Security | An application attempted to access a blocked ordinal through the TBS |
| 249 | 4672 | Security | Special privileges assigned to new logon |
| 250 | 4673 | Security | A privileged service was called |
| 251 | 4674 | Security | An operation was attempted on a privileged object |
| 252 | 4675 | Security | SIDs were filtered |
| 253 | 4688 | Security | A new process has been created |
| 254 | 4689 | Security | A process has exited |
| 255 | 4690 | Security | An attempt was made to duplicate a handle to an object |
| 256 | 4691 | Security | Indirect access to an object was requested |
| 257 | 4692 | Security | Backup of data protection master key was attempted |
| 258 | 4693 | Security | Recovery of data protection master key was attempted |
| 259 | 4694 | Security | Protection of auditable protected data was attempted |
| 260 | 4695 | Security | Unprotection of auditable protected data was attempted |
| 261 | 4696 | Security | A primary token was assigned to process |
| 262 | 4697 | Security | A service was installed in the system |
| 263 | 4698 | Security | A scheduled task was created |
| 264 | 4699 | Security | A scheduled task was deleted |
| 265 | 4700 | Security | A scheduled task was enabled |
| 266 | 4701 | Security | A scheduled task was disabled |
| 267 | 4702 | Security | A scheduled task was updated |
| 268 | 4704 | Security | A user right was assigned |
| 269 | 4705 | Security | A user right was removed |
| 270 | 4706 | Security | A new trust was created to a domain |
| 271 | 4707 | Security | A trust to a domain was removed |
| 272 | 4709 | Security | IPsec Services was started |
| 273 | 4710 | Security | IPsec Services was disabled |
| 274 | 4711 | Security | PAStore Engine (1%) |
| 275 | 4712 | Security | IPsec Services encountered a potentially serious failure |
| 276 | 4713 | Security | Kerberos policy was changed |
| 277 | 4714 | Security | Encrypted data recovery policy was changed |
| 278 | 4715 | Security | The audit policy (SACL) on an object was changed |
| 279 | 4716 | Security | Trusted domain information was modified |
| 280 | 4717 | Security | System security access was granted to an account |
| 281 | 4718 | Security | System security access was removed from an account |
| 282 | 4719 | Security | System audit policy was changed |
| 283 | 4720 | Security | A user account was created |
| 284 | 4722 | Security | A user account was enabled |
| 285 | 4723 | Security | An attempt was made to change an account's password |
| 286 | 4724 | Security | An attempt was made to reset an accounts password |
| 287 | 4725 | Security | A user account was disabled |
| 288 | 4726 | Security | A user account was deleted |
| 289 | 4727 | Security | A security-enabled global group was created |
| 290 | 4728 | Security | A member was added to a security-enabled global group |
| 291 | 4729 | Security | A member was removed from a security-enabled global group |
| 292 | 4730 | Security | A security-enabled global group was deleted |
| 293 | 4731 | Security | A security-enabled local group was created |
| 294 | 4732 | Security | A member was added to a security-enabled local group |
| 295 | 4733 | Security | A member was removed from a security-enabled local group |
| 296 | 4734 | Security | A security-enabled local group was deleted |
| 297 | 4735 | Security | A security-enabled local group was changed |
| 298 | 4737 | Security | A security-enabled global group was changed |
| 299 | 4738 | Security | A user account was changed |
| 300 | 4739 | Security | Domain Policy was changed |
| 301 | 4740 | Security | A user account was locked out |
| 302 | 4741 | Security | A computer account was created |
| 303 | 4742 | Security | A computer account was changed |
| 304 | 4743 | Security | A computer account was deleted |
| 305 | 4744 | Security | A security-disabled local group was created |
| 306 | 4745 | Security | A security-disabled local group was changed |
| 307 | 4746 | Security | A member was added to a security-disabled local group |
| 308 | 4747 | Security | A member was removed from a security-disabled local group |
| 309 | 4748 | Security | A security-disabled local group was deleted |
| 310 | 4749 | Security | A security-disabled global group was created |
| 311 | 4750 | Security | A security-disabled global group was changed |
| 312 | 4751 | Security | A member was added to a security-disabled global group |
| 313 | 4752 | Security | A member was removed from a security-disabled global group |
| 314 | 4753 | Security | A security-disabled global group was deleted |
| 315 | 4754 | Security | A security-enabled universal group was created |
| 316 | 4755 | Security | A security-enabled universal group was changed |
| 317 | 4756 | Security | A member was added to a security-enabled universal group |
| 318 | 4757 | Security | A member was removed from a security-enabled universal group |
| 319 | 4758 | Security | A security-enabled universal group was deleted |
| 320 | 4759 | Security | A security-disabled universal group was created |
| 321 | 4760 | Security | A security-disabled universal group was changed |
| 322 | 4761 | Security | A member was added to a security-disabled universal group |
| 323 | 4762 | Security | A member was removed from a security-disabled universal group |
| 324 | 4763 | Security | A security-disabled universal group was deleted |
| 325 | 4764 | Security | A groups type was changed |
| 326 | 4765 | Security | SID History was added to an account |
| 327 | 4766 | Security | An attempt to add SID History to an account failed |
| 328 | 4767 | Security | A user account was unlocked |
| 329 | 4768 | Security | A Kerberos authentication ticket (TGT) was requested |
| 330 | 4769 | Security | A Kerberos service ticket was requested |
| 331 | 4770 | Security | A Kerberos service ticket was renewed |
| 332 | 4771 | Security | Kerberos pre-authentication failed |
| 333 | 4772 | Security | A Kerberos authentication ticket request failed |
| 334 | 4773 | Security | A Kerberos service ticket request failed |
| 335 | 4774 | Security | An account was mapped for logon |
| 336 | 4775 | Security | An account could not be mapped for logon |
| 337 | 4776 | Security | The domain controller attempted to validate the credentials for an account |
| 338 | 4777 | Security | The domain controller failed to validate the credentials for an account |
| 339 | 4778 | Security | A session was reconnected to a Window Station |
| 340 | 4779 | Security | A session was disconnected from a Window Station |
| 341 | 4780 | Security | The ACL was set on accounts which are members of administrators groups |
| 342 | 4781 | Security | The name of an account was changed |
| 343 | 4782 | Security | The password hash an account was accessed |
| 344 | 4783 | Security | A basic application group was created |
| 345 | 4784 | Security | A basic application group was changed |
| 346 | 4785 | Security | A member was added to a basic application group |
| 347 | 4786 | Security | A member was removed from a basic application group |
| 348 | 4787 | Security | A non-member was added to a basic application group |
| 349 | 4788 | Security | A non-member was removed from a basic application group.. |
| 350 | 4789 | Security | A basic application group was deleted |
| 351 | 4790 | Security | An LDAP query group was created |
| 352 | 4791 | Security | A basic application group was changed |
| 353 | 4792 | Security | An LDAP query group was deleted |
| 354 | 4793 | Security | The Password Policy Checking API was called |
| 355 | 4794 | Security | An attempt was made to set the Directory Services Restore Mode administrator password |
| 356 | 4800 | Security | The workstation was locked |
| 357 | 4801 | Security | The workstation was unlocked |
| 358 | 4802 | Security | The screen saver was invoked |
| 359 | 4803 | Security | The screen saver was dismissed |
| 360 | 4816 | Security | RPC detected an integrity violation while decrypting an incoming message |
| 361 | 4817 | Security | Auditing settings on object were changed. |
| 362 | 4864 | Security | A namespace collision was detected |
| 363 | 4865 | Security | A trusted forest information entry was added |
| 364 | 4866 | Security | A trusted forest information entry was removed |
| 365 | 4867 | Security | A trusted forest information entry was modified |
| 366 | 4868 | Security | The certificate manager denied a pending certificate request |
| 367 | 4869 | Security | Certificate Services received a resubmitted certificate request |
| 368 | 4870 | Security | Certificate Services revoked a certificate |
| 369 | 4871 | Security | Certificate Services received a request to publish the certificate revocation list (CRL) |
| 370 | 4872 | Security | Certificate Services published the certificate revocation list (CRL) |
| 371 | 4873 | Security | A certificate request extension changed |
| 372 | 4874 | Security | One or more certificate request attributes changed. |
| 373 | 4875 | Security | Certificate Services received a request to shut down |
| 374 | 4876 | Security | Certificate Services backup started |
| 375 | 4877 | Security | Certificate Services backup completed |
| 376 | 4878 | Security | Certificate Services restore started |
| 377 | 4879 | Security | Certificate Services restore completed |
| 378 | 4880 | Security | Certificate Services started |
| 379 | 4881 | Security | Certificate Services stopped |
| 380 | 4882 | Security | The security permissions for Certificate Services changed |
| 381 | 4883 | Security | Certificate Services retrieved an archived key |
| 382 | 4884 | Security | Certificate Services imported a certificate into its database |
| 383 | 4885 | Security | The audit filter for Certificate Services changed |
| 384 | 4886 | Security | Certificate Services received a certificate request |
| 385 | 4887 | Security | Certificate Services approved a certificate request and issued a certificate |
| 386 | 4888 | Security | Certificate Services denied a certificate request |
| 387 | 4889 | Security | Certificate Services set the status of a certificate request to pending |
| 388 | 4890 | Security | The certificate manager settings for Certificate Services changed. |
| 389 | 4891 | Security | A configuration entry changed in Certificate Services |
| 390 | 4892 | Security | A property of Certificate Services changed |
| 391 | 4893 | Security | Certificate Services archived a key |
| 392 | 4894 | Security | Certificate Services imported and archived a key |
| 393 | 4895 | Security | Certificate Services published the CA certificate to Active Directory Domain Services |
| 394 | 4896 | Security | One or more rows have been deleted from the certificate database |
| 395 | 4897 | Security | Role separation enabled |
| 396 | 4898 | Security | Certificate Services loaded a template |
| 397 | 4899 | Security | A Certificate Services template was updated |
| 398 | 4900 | Security | Certificate Services template security was updated |
| 399 | 4902 | Security | The Per-user audit policy table was created |
| 400 | 4904 | Security | An attempt was made to register a security event source |
| 401 | 4905 | Security | An attempt was made to unregister a security event source |
| 402 | 4906 | Security | The CrashOnAuditFail value has changed |
| 403 | 4907 | Security | Auditing settings on object were changed |
| 404 | 4908 | Security | Special Groups Logon table modified |
| 405 | 4909 | Security | The local policy settings for the TBS were changed |
| 406 | 4910 | Security | The group policy settings for the TBS were changed |
| 407 | 4912 | Security | Per User Audit Policy was changed |
| 408 | 4928 | Security | An Active Directory replica source naming context was established |
| 409 | 4929 | Security | An Active Directory replica source naming context was removed |
| 410 | 4930 | Security | An Active Directory replica source naming context was modified |
| 411 | 4931 | Security | An Active Directory replica destination naming context was modified |
| 412 | 4932 | Security | Synchronization of a replica of an Active Directory naming context has begun |
| 413 | 4933 | Security | Synchronization of a replica of an Active Directory naming context has ended |
| 414 | 4934 | Security | Attributes of an Active Directory object were replicated |
| 415 | 4935 | Security | Replication failure begins |
| 416 | 4936 | Security | Replication failure ends |
| 417 | 4937 | Security | A lingering object was removed from a replica |
| 418 | 4944 | Security | The following policy was active when the Windows Firewall started |
| 419 | 4945 | Security | A rule was listed when the Windows Firewall started |
| 420 | 4946 | Security | A change has been made to Windows Firewall exception list. A rule was added |
| 421 | 4947 | Security | A change has been made to Windows Firewall exception list. A rule was modified |
| 422 | 4948 | Security | A change has been made to Windows Firewall exception list. A rule was deleted |
| 423 | 4949 | Security | Windows Firewall settings were restored to the default values |
| 424 | 4950 | Security | A Windows Firewall setting has changed |
| 425 | 4951 | Security | A rule has been ignored by Windows Firewall |
| 426 | 4952 | Security | Parts of a rule have been ignored by Windows Firewall |
| 427 | 4953 | Security | A rule has been ignored by Windows Firewall because it could not parse the rule |
| 428 | 4954 | Security | Windows Firewall Group Policy settings has changed. The new settings have been applied |
| 429 | 4956 | Security | Windows Firewall has changed the active profile |
| 430 | 4957 | Security | Windows Firewall did not apply a rule |
| 431 | 4958 | Security | Windows Firewall did not apply a rule |
| 432 | 4960 | Security | IPsec dropped an inbound packet that failed an integrity check |
| 433 | 4961 | Security | IPsec dropped an inbound packet that failed a replay check |
| 434 | 4962 | Security | IPsec dropped an inbound packet that failed a replay check |
| 435 | 4963 | Security | IPsec dropped an inbound clear text packet that should have been secured |
| 436 | 4964 | Security | Special groups have been assigned to a new logon |
| 437 | 4965 | Security | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). |
| 438 | 4976 | Security | During Main Mode negotiation,Security,IPsec received an invalid negotiation packet. |
| 439 | 4977 | Security | During Quick Mode negotiation,Security,IPsec received an invalid negotiation packet. |
| 440 | 4978 | Security | During Extended Mode negotiation,Security,IPsec received an invalid negotiation packet. |
| 441 | 4979 | Security | IPsec Main Mode and Extended Mode security associations were established. |
| 442 | 4980 | Security | IPsec Main Mode and Extended Mode security associations were established |
| 443 | 4981 | Security | IPsec Main Mode and Extended Mode security associations were established |
| 444 | 4982 | Security | IPsec Main Mode and Extended Mode security associations were established |
| 445 | 4983 | Security | An IPsec Extended Mode negotiation failed |
| 446 | 4984 | Security | An IPsec Extended Mode negotiation failed |
| 447 | 4985 | Security | The state of a transaction has changed |
| 448 | 5024 | Security | The Windows Firewall Service has started successfully |
| 449 | 5025 | Security | The Windows Firewall Service has been stopped |
| 450 | 5027 | Security | The Windows Firewall Service was unable to retrieve the security policy from the local storage |
| 451 | 5028 | Security | The Windows Firewall Service was unable to parse the new security policy. |
| 452 | 5029 | Security | The Windows Firewall Service failed to initialize the driver |
| 453 | 5030 | Security | The Windows Firewall Service failed to start |
| 454 | 5031 | Security | The Windows Firewall Service blocked an application on the network. |
| 455 | 5032 | Security | Windows Firewall was unable to notify the user about blocked connections |
| 456 | 5033 | Security | The Windows Firewall Driver has started successfully |
| 457 | 5034 | Security | The Windows Firewall Driver has been stopped |
| 458 | 5035 | Security | The Windows Firewall Driver failed to start |
| 459 | 5037 | Security | The Windows Firewall Driver detected critical runtime error. Terminating |
| 460 | 5038 | Security | Code integrity determined that the image hash of a file is not valid |
| 461 | 5039 | Security | A registry key was virtualized. |
| 462 | 5040 | Security | A change has been made to IPsec settings. An Authentication Set was added. |
| 463 | 5041 | Security | A change has been made to IPsec settings. An Authentication Set was modified |
| 464 | 5042 | Security | A change has been made to IPsec settings. An Authentication Set was deleted |
| 465 | 5043 | Security | A change has been made to IPsec settings. A Connection Security Rule was added |
| 466 | 5044 | Security | A change has been made to IPsec settings. A Connection Security Rule was modified |
| 467 | 5045 | Security | A change has been made to IPsec settings. A Connection Security Rule was deleted |
| 468 | 5046 | Security | A change has been made to IPsec settings. A Crypto Set was added |
| 469 | 5047 | Security | A change has been made to IPsec settings. A Crypto Set was modified |
| 470 | 5048 | Security | A change has been made to IPsec settings. A Crypto Set was deleted |
| 471 | 5049 | Security | An IPsec Security Association was deleted |
| 472 | 5050 | Security | An attempt to programmatically disable the Windows Firewall |
| 473 | 5051 | Security | A file was virtualized |
| 474 | 5056 | Security | A cryptographic self test was performed |
| 475 | 5057 | Security | A cryptographic primitive operation failed |
| 476 | 5058 | Security | Key file operation |
| 477 | 5059 | Security | Key migration operation |
| 478 | 5060 | Security | Verification operation failed |
| 479 | 5061 | Security | Cryptographic operation |
| 480 | 5062 | Security | A kernel-mode cryptographic self test was performed |
| 481 | 5063 | Security | A cryptographic provider operation was attempted |
| 482 | 5064 | Security | A cryptographic context operation was attempted |
| 483 | 5065 | Security | A cryptographic context modification was attempted |
| 484 | 5066 | Security | A cryptographic function operation was attempted |
| 485 | 5067 | Security | A cryptographic function modification was attempted |
| 486 | 5068 | Security | A cryptographic function provider operation was attempted |
| 487 | 5069 | Security | A cryptographic function property operation was attempted |
| 488 | 5070 | Security | A cryptographic function property operation was attempted |
| 489 | 5120 | Security | OCSP Responder Service Started |
| 490 | 5121 | Security | OCSP Responder Service Stopped |
| 491 | 5122 | Security | A Configuration entry changed in the OCSP Responder Service |
| 492 | 5123 | Security | A configuration entry changed in the OCSP Responder Service |
| 493 | 5124 | Security | A security setting was updated on OCSP Responder Service |
| 494 | 5125 | Security | A request was submitted to OCSP Responder Service |
| 495 | 5126 | Security | Signing Certificate was automatically updated by the OCSP Responder Service |
| 496 | 5127 | Security | The OCSP Revocation Provider successfully updated the revocation information |
| 497 | 5136 | Security | A directory service object was modified |
| 498 | 5137 | Security | A directory service object was created |
| 499 | 5138 | Security | A directory service object was undeleted |
| 500 | 5139 | Security | A directory service object was moved |
| 501 | 5140 | Security | A network share object was accessed |
| 502 | 5141 | Security | A directory service object was deleted |
| 503 | 5142 | Security | A network share object was added. |
| 504 | 5143 | Security | A network share object was modified |
| 505 | 5144 | Security | A network share object was deleted. |
| 506 | 5145 | Security | A network share object was checked to see whether client can be granted desired access |
| 507 | 5148 | Security | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode |
| 508 | 5149 | Security | The DoS attack has subsided and normal processing is being resumed. |
| 509 | 5150 | Security | The Windows Filtering Platform has blocked a packet. |
| 510 | 5151 | Security | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 511 | 5152 | Security | The Windows Filtering Platform blocked a packet |
| 512 | 5153 | Security | A more restrictive Windows Filtering Platform filter has blocked a packet |
| 513 | 5154 | Security | The Windows Filtering Platform has permitted an application or service to listen |
| 514 | 5155 | Security | The Windows Filtering Platform has blocked an application or service from listening |
| 515 | 5156 | Security | The Windows Filtering Platform has allowed a connection |
| 516 | 5157 | Security | The Windows Filtering Platform has blocked a connection |
| 517 | 5158 | Security | The Windows Filtering Platform has permitted a bind to a local port |
| 518 | 5159 | Security | The Windows Filtering Platform has blocked a bind to a local port |
| 519 | 5168 | Security | Spn check for SMB/SMB2 fails. |
| 520 | 5376 | Security | Credential Manager credentials were backed up |
| 521 | 5377 | Security | Credential Manager credentials were restored from a backup |
| 522 | 5378 | Security | The requested credentials delegation was disallowed by policy |
| 523 | 5440 | Security | The following callout was present when the Windows Filtering Platform Base Filtering Engine started |
| 524 | 5441 | Security | The following filter was present when the Windows Filtering Platform Base Filtering Engine started |
| 525 | 5442 | Security | The following provider was present when the Windows Filtering Platform Base Filtering Engine started |
| 526 | 5443 | Security | The following provider context was present when the Windows Filtering Platform Base Filtering Engine started |
| 527 | 5444 | Security | The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started |
| 528 | 5446 | Security | A Windows Filtering Platform callout has been changed |
| 529 | 5447 | Security | A Windows Filtering Platform filter has been changed |
| 530 | 5448 | Security | A Windows Filtering Platform provider has been changed |
| 531 | 5449 | Security | A Windows Filtering Platform provider context has been changed |
| 532 | 5450 | Security | A Windows Filtering Platform sub-layer has been changed |
| 533 | 5451 | Security | An IPsec Quick Mode security association was established |
| 534 | 5452 | Security | An IPsec Quick Mode security association ended |
| 535 | 5453 | Security | An IPsec negotiation with a remote computer failed |
| 536 | 5456 | Security | PAStore Engine applied Active Directory storage IPsec policy on the computer |
| 537 | 5457 | Security | PAStore Engine failed to apply Active Directory storage IPsec policy on the computer |
| 538 | 5458 | Security | PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer |
| 539 | 5459 | Security | PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer |
| 540 | 5460 | Security | PAStore Engine applied local registry storage IPsec policy on the computer |
| 541 | 5461 | Security | PAStore Engine failed to apply local registry storage IPsec policy on the computer |
| 542 | 5462 | Security | PAStore Engine failed to apply some rules of the active IPsec policy on the computer |
| 543 | 5463 | Security | PAStore Engine polled for changes to the active IPsec policy and detected no changes |
| 544 | 5464 | Security | PAStore Engine applied changes to IPsec Services |
| 545 | 5465 | Security | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully |
| 546 | 5466 | Security | PAStore Engine determined that Active Directory cannot be reached and will use the cached copy of the Active Directory IPsec policy instead |
| 547 | 5467 | Security | PAStore Engine found no changes to the IPSec policy |
| 548 | 5468 | Security | PAStore Engine found changes to the policy and applied those changes |
| 549 | 5471 | Security | PAStore Engine loaded local storage IPsec policy on the computer |
| 550 | 5472 | Security | PAStore Engine failed to load local storage IPsec policy on the computer |
| 551 | 5473 | Security | PAStore Engine loaded directory storage IPsec policy on the computer |
| 552 | 5474 | Security | PAStore Engine failed to load directory storage IPsec policy on the computer |
| 553 | 5477 | Security | PAStore Engine failed to add quick mode filter |
| 554 | 5478 | Security | IPsec Services has started successfully |
| 555 | 5479 | Security | IPsec Services has been shut down successfully |
| 556 | 5480 | Security | IPsec Services failed to get the complete list of network interfaces on the computer |
| 557 | 5483 | Security | IPsec Services failed to initialize RPC server. IPsec Services could not be started |
| 558 | 5484 | Security | IPsec Services has experienced a critical failure and has been shut down |
| 559 | 5485 | Security | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces |
| 560 | 5632 | Security | A request was made to authenticate to a wireless network |
| 561 | 5633 | Security | A request was made to authenticate to a wired network |
| 562 | 5712 | Security | A Remote Procedure Call (RPC) was attempted |
| 563 | 5888 | Security | An object in the COM+ Catalog was modified |
| 564 | 5889 | Security | An object was deleted from the COM+ Catalog |
| 565 | 5890 | Security | An object was added to the COM+ Catalog |
| 566 | 6144 | Security | Security policy in the group policy objects has been applied successfully |
| 567 | 6145 | Security | One or more errors occured while processing security policy in the group policy objects |
| 568 | 6272 | Security | Network Policy Server granted access to a user |
| 569 | 6273 | Security | Network Policy Server denied access to a user |
| 570 | 6274 | Security | Network Policy Server discarded the request for a user |
| 571 | 6275 | Security | Network Policy Server discarded the accounting request for a user |
| 572 | 6276 | Security | Network Policy Server quarantined a user |
| 573 | 6277 | Security | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy |
| 574 | 6278 | Security | Network Policy Server granted full access to a user because the host met the defined health policy |
| 575 | 6279 | Security | Network Policy Server locked the user account due to repeated failed authentication attempts |
| 576 | 6280 | Security | Network Policy Server unlocked the user account |
| 577 | 6281 | Security | Code Integrity determined that the page hashes of an image file are not valid... |
| 578 | 6400 | Security | BranchCache: Received an incorrectly formatted response while discovering availability of content. |
| 579 | 6401 | Security | BranchCache: Received invalid data from a peer. Data discarded. |
| 580 | 6402 | Security | BranchCache: The message to the hosted cache offering it data is incorrectly formatted. |
| 581 | 6403 | Security | BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data. |
| 582 | 6404 | Security | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. |
| 583 | 6405 | Security | BranchCache: Multiple instances of another Event ID |
| 584 | 6406 | Security | A application registered to Windows Firewall to control filtering for the following: |
| 585 | 6407 | Security | Unknown - see event |
| 586 | 6408 | Security | Registered product failed and Windows Firewall is now controlling the filtering. |
| 587 | 1014 | System | Name resolution for critical SRV timed out |
| 588 | 1056 | System | Dynamic DNS Registration credentials not set |
| 589 | 5782 | System | No DNS servers configured for local system |