Windows Event Viewer IDs and What They Mean
Windows’ built-in Event Viewer can be a powerful log analysis tool in the right hands, but is not exactly easy to use. The first challenge for most admins is the sheer volume of event data contained in this log, which both Windows services and third-party applications write to. To help you distinguish between different event types, the Event Viewer assigns each a unique four-digit Event ID. In this guide, you will find some of the most common and important Event IDs to look out for.
Windows Event ID List
The Windows Event Viewer differentiates between hundreds of different events, ranging from accounts being created to logon events, devices shutting down or changes to group policy or to firewall settings. Most Event IDs relate to trivial, commonplace and unimportant events – the normal background noise present in any IT environment.
However, by looking at specific events and their surrounding context, the Event Viewer can also help you identify potential security incidents: A spike in unsuccessful logon attempts. A new user being added to a security group without an approved request. Access attempts outside of normal work hours. Unfortunately, finding relevant information in the vast amounts of normal event data is akin to searching for the proverbial needle in the haystack.
To help you filter for specific events happening in your Active Directory domain, here is a list of the most common and most important Windows Event IDs to look out for.
Windows Event Viewer Logon Events
| Event ID | Description |
|---|---|
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A logon was attempted using explicit credentials. |
| 4672 | Special privileges have been assigned to a new logon.* |
| 4723 | An attempt was made to change an account’s password. |
| 4724 | An attempt was made to reset an account’s password. |
| 4740 | A user account was locked out. |
| 4767 | A user account was unlocked. |
| 4779 | A session was disconnected from a Window Station. |
| 4964 | Special groups have been assigned to a new logon.* |
| 5378 | The requested credentials delegation was disallowed by policy. |
Windows Event Viewer: What Are Special Privileges & Groups?
The Event IDs 4672 and 4964 show that a newly logged on user has been assigned special groups or privileges. This indicates a user with sensitive levels of access has logged on.
Organizations can decide for themselves which groups count as special groups by adding a group’s security identifier to the list of special groups (for example, admin groups). Special privileges include a number of specific privileges outside of regular admin access that can still cause significant damage if used improperly.
The special privileges identified by Event ID 4672 are:
SeTcbPrivilege: Can act as part of the operating system.
SeBackupPrivilege: Can back up files and directories.
SeCreateTokenPrivilege: Can create access token objects.
SeDebugPrivilege: Can debug programs.
SeEnableDelegationPrivilege: Can enable computer and user accounts to be trusted for delegation.
SeAuditPrivilege: Can generate security audits.
SeImpersonatePrivilege: Can impersonate a client after authentication.
SeLoadDriverPrivilege: Can load and unload device drivers.
SeSecurityPrivilege: Can manage auditing and security logs.
SeSystemEnvironmentPrivilege: Can modify firmware environment values.
SeAssignPrimaryTokenPrivilege: Can replace a process level token.
SeRestorePrivilege: Can restore files and directories.
SeTakeOwnershipPrivilege: Can take ownership of files and objects.
To track special groups and privileges being assigned to users you need to enable Audit Special Logon under the Advanced Audit Policy Configuration settings.
Windows Event Viewer: What Different Logon Types Are There?
As additional context for the Event ID 4624 (successful logon), the Event Viewer also shows the logon type of the event, i.e. which kind of logon took place. You can find the full list of logon types below:
#2 – Interactive: Local logon through the Windows login screen.
#3 – Network: A user or computer has logged onto a computer through the network; this type occurs when accessing network resources.
#4 – Batch: A batch process or server has logged on a user.
#5 – Service: A service has been started by the Service Control Manager.
#7 – Unlock: A user has unlocked their workstation.
#8 – NetworkCleartext: A user has logged on through the network, but their credentials were transferred in clear text. This logon type should not occur.
#9 – NewCredentials: Occurs when the command RunAs is used with the parameter /netonly. This means the application itself is launched by the locally signed in user, but new credentials are used when signing into the network.
#10 – RemoteInteractive: A user has logged onto a computer using the Remote Desktop Protocol. Distinguishes remote access from local interactive logons.
#11 – CachedInteractive: A user has logged onto a computer, but the domain controller is not available to authenticate the user – for example, when an employee uses their work laptop at home. In this event, Windows compares their credential hash to the hashes of their last successful logins on the device to authenticate the user.
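To put the two lists above (special privileges from 4672, logon types from 4624) to work, here is an added PowerShell example, not code from the original article, that groups the last day's 4624 logons by logon type and attaches the privileges from the matching 4672 event, joining the two on the logon ID. It assumes an elevated session on a host where Audit Logon and Audit Special Logon are enabled; the 24-hour window is an assumption.

```powershell
# Added example (not from the original article): summarize recent 4624 logons by logon type
# and attach the special privileges from the matching 4672 event. 4624 records the session
# as TargetLogonId and 4672 records it as SubjectLogonId, so the two can be joined on it.
# Assumes an elevated session with "Audit Logon" and "Audit Special Logon" enabled;
# the 24-hour window is an assumption for illustration.
$windowMs = 24 * 60 * 60 * 1000
$xpath    = "*[System[(EventID=4624 or EventID=4672) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"
$events   = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)

# Names for the logon types listed above; anything else is reported by number.
$logonTypeNames = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'; 8='NetworkCleartext';
                     9='NewCredentials'; 10='RemoteInteractive'; 11='CachedInteractive' }

# Read one named field out of the event's EventData XML.
function Get-EventField($e, [string]$name) {
    (([xml]$e.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text'
}

# Privileges per session, keyed by logon ID. PrivilegeList is a whitespace-separated string.
$privsByLogonId = @{}
foreach ($e in ($events | Where-Object Id -eq 4672)) {
    $privsByLogonId[(Get-EventField $e 'SubjectLogonId')] =
        @((Get-EventField $e 'PrivilegeList') -split '\s+' | Where-Object { $_ })
}

$logons = foreach ($e in ($events | Where-Object Id -eq 4624)) {
    $type     = [int](Get-EventField $e 'LogonType')
    $typeName = if ($logonTypeNames.ContainsKey($type)) { $logonTypeNames[$type] } else { "Type$type" }
    $logonId  = Get-EventField $e 'TargetLogonId'
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$(Get-EventField $e 'TargetDomainName')\$(Get-EventField $e 'TargetUserName')"
        LogonType  = $typeName
        Source     = Get-EventField $e 'IpAddress'
        Privileges = ($privsByLogonId[$logonId] -join ',')
    }
}

# Per-type counts: type 8 (NetworkCleartext) should not appear at all, and privileged
# type 3/10 logons from unexpected sources are the ones worth a closer look.
$logons | Group-Object LogonType | Select-Object Name, Count | Sort-Object Count -Descending
$logons | Where-Object { $_.Privileges } | Sort-Object Time -Descending | Format-Table -AutoSize
```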
Windows Event Viewer: Account and Group Events
| Event ID | Description |
|---|---|
| 4720 | A user account was created. |
| 4722 | A user account was enabled. |
| 4725 | A user account was disabled. |
| 4726 | A user account was deleted. |
| 4727 | A security-enabled global group was created. |
| 4728 | A member was added to a security-enabled global group. |
| 4729 | A member was removed from a security-enabled global group. |
| 4730 | A security-enabled global group was deleted. |
| 4731 | A security-enabled local group was created. |
| 4732 | A member was added to a security-enabled local group. |
| 4733 | A member was removed from a security-enabled local group. |
| 4734 | A security-enabled local group was deleted. |
| 4735 | A security-enabled local group was changed. |
| 4737 | A security-enabled global group was changed. |
| 4738 | A user account was changed. |
| 4739 | Domain Policy was changed. |
| 4741 | A computer account was created. |
| 4742 | A computer account was changed. |
| 4743 | A computer account was deleted. |
| 4744 | A security-disabled local group was created. |
| 4745 | A security-disabled local group was changed. |
| 4746 | A member was added to a security-disabled local group. |
| 4747 | A member was removed from a security-disabled local group. |
| 4748 | A security-disabled local group was deleted. |
| 4749 | A security-disabled global group was created. |
| 4750 | A security-disabled global group was changed. |
| 4751 | A member was added to a security-disabled global group. |
| 4752 | A member was removed from a security-disabled global group. |
| 4753 | A security-disabled global group was deleted. |
| 4754 | A security-enabled universal group was created. |
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group. |
| 4757 | A member was removed from a security-enabled universal group. |
| 4758 | A security-enabled universal group was deleted. |
| 4759 | A security-disabled universal group was created. |
| 4760 | A security-disabled universal group was changed. |
| 4761 | A member was added to a security-disabled universal group. |
| 4762 | A member was removed from a security-disabled universal group. |
| 4763 | A security-disabled universal group was deleted. |
| 4764 | A group type was changed. |
| 5136 | A directory service object was modified. |
| 5137 | A directory service object was created. |
| 5138 | A directory service object was undeleted. |
| 5139 | A directory service object was moved. |
| 5141 | A directory service object was deleted. |
Windows Event Viewer: Access Events
| Event ID | Description |
|---|---|
| 4656 | A handle to an object was requested. |
| 4657 | A registry value was modified. |
| 4658 | A handle to an object was closed. |
| 4660 | An object was deleted. |
| 4663 | An attempt was made to access an object. |
| 4670 | Permissions on an object were changed. |
| 5140 | A network share object was accessed. |
| 5142 | A network share object was added. |
| 5143 | A network share object was modified. |
| 5144 | A network share object was deleted. |
Learn more about managing file server and share permissions in our blogpost on NTFS best practices.
Windows Event Viewer: Auditing Events
| Event ID | Description |
|---|---|
| 1100 | The event logging service has shut down. |
| 1101 | Audit events have been dropped by the transport. |
| 1102 | The audit log was cleared. |
| 1104 | The security log is now full. |
| 1108 | The event logging service encountered an error while processing an incoming event. |
| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 4719 | System audit policy was changed. |
| 4907 | Auditing settings on an object were changed. |
Where Does Windows Store Event Data?
Windows stores its event log under C:\Windows\System32\winevt\Logs. Logs of Active Directory events are stored on the domain controller that processed the event. However, each device also writes its own local log, which can be useful in order to troubleshoot crashes or hardware problems.
Important: Unlike most Active Directory data, event logs are not replicated between domain controllers. In environments with many domain controllers, this can make it challenging to consolidate event data.
How Long Does the Windows Event Viewer Store Event Data?
How long the Windows Event Viewer stores event data depends on how quickly the event log fills up. You can configure the size of the event log, but for performance reasons Microsoft recommends a maximum size of 4 GB.
In large IT environments, a log of this size may only provide a retention period of a few hours. During times of peak activity, such as when a security incident or network problem occurs, the log may fill up even faster.
As a workaround for the limited storage capacity of the event log, you can script regular export jobs. However, the sheer amount of event data produced by the Event Viewer again leads to questions regarding performance and long-term storage.
Windows Event Viewer: Strengths & Weaknesses
With its Event Viewer, Windows provides a powerful tool for analyzing IT events. However, it’s clear that the Event Viewer is built for a limited set of use cases. On top of that, there are significant usability concerns with the Event Viewer, as finding what you are looking for in this firehose of data is not exactly easy.
From data retention to event consolidation: These are the biggest downsides you need to be aware of when using the Windows Event Viewer to audit IT events.
Problem #1: Event Data Is Split Between Different DCs
Domain controllers continuously replicate Active Directory data such as users and groups between each other to ensure it remains available even if one DC fails. This is one of the main reasons why Microsoft recommends having at least two domain controllers per AD domain (or more, depending on performance requirements).
However, unlike users, groups and policies, event data is not replicated between domain controllers. This means that Active Directory events are only logged on the domain controller that processed them. This can make it difficult to piece together all relevant data when you are analyzing a chain of events.
There are ways to centralize Active Directory events in a single event log, either by setting up Windows Event Forwarding or creating your own workarounds and recurring exports.
The problem? These types of setups tend to be error-prone, meaning the event data forwarding might break and event data could be lost. And since you won’t get any kind of notification about missing data, you might not realize until it’s too late.
Problem #2: No Consolidation of Related Events
User actions and event log entries are not always one-to-one. In fact, a single user action can create multiple event log entries. Take the process of an admin resetting a user password, for example. The password reset itself has the Event ID 4724. However, this action also creates entries for Event 4738 (A user account was changed) and Event 5136 (A directory service object was modified).
Or let’s look at the event chain for creating a new group policy object:
5137: A directory service object was created.
5136: A directory service object was modified.
4662: An operation was performed on an object.
The issue here is that the Windows Event Viewer shows all these as isolated events without giving you the context of how they relate to each other. Instead, admins have to piece that information together themselves: Which user is behind this session ID? Who modified this object and why?
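As an added example that is not from the original article, the following PowerShell reconstructs the password-reset chain described above from the raw Security log, joining each 4724 to the 4738 and 5136 entries that share the admin's logon ID within a short window. It assumes an elevated session on the domain controller that processed the resets, with Account Management and Directory Service Changes auditing enabled; the 24-hour lookback and the 5-second window are assumptions.

```powershell
# Added example (not from the original article): consolidate the password-reset chain
# described above (4724 followed by 4738 and 5136) into one entry per reset. The events
# are joined on the admin's SubjectLogonId plus a short time window, and 4738 must also
# name the same target account. Assumes an elevated session on the domain controller that
# processed the resets; the 24-hour lookback and the 5-second window are assumptions.
$windowSec = 5
$filter    = @{ LogName='Security'; Id=4724,4738,5136; StartTime=(Get-Date).AddHours(-24) }
$events    = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

# Read one named field out of the event's EventData XML.
function Get-EventField($e, [string]$name) {
    (([xml]$e.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text'
}

$chains = foreach ($reset in ($events | Where-Object Id -eq 4724)) {
    $session = Get-EventField $reset 'SubjectLogonId'
    $target  = Get-EventField $reset 'TargetUserName'
    $until   = $reset.TimeCreated.AddSeconds($windowSec)
    # Follow-on events: same admin session, inside the window, and (for 4738) same target.
    $related = @($events | Where-Object {
        $_.Id -ne 4724 -and $_.TimeCreated -ge $reset.TimeCreated -and $_.TimeCreated -le $until -and
        (Get-EventField $_ 'SubjectLogonId') -eq $session -and
        ($_.Id -ne 4738 -or (Get-EventField $_ 'TargetUserName') -eq $target)
    })
    # 5136 names the attribute that was modified; collect the distinct ones.
    $attrs = @($related | Where-Object Id -eq 5136 |
               ForEach-Object { Get-EventField $_ 'AttributeLDAPDisplayName' } | Sort-Object -Unique)
    [pscustomobject]@{
        Time       = $reset.TimeCreated
        ResetBy    = "$(Get-EventField $reset 'SubjectDomainName')\$(Get-EventField $reset 'SubjectUserName')"
        Target     = $target
        Events     = ((@($reset) + $related) | ForEach-Object Id) -join '+'   # e.g. 4724+4738+5136
        Attributes = $attrs -join ','
    }
}
$chains | Format-Table -AutoSize
```

A reset whose row shows only "4724" means the follow-on events were not found within the window on this DC, which is itself worth knowing given that event data is not replicated.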
Problem #3: Limited Filter Options
When it comes to analyzing event data, the Event Viewer provides only very basic filters. While you can search for specific event types or apps, creating customized views is slow and difficult. There is no way to search event details or descriptions, where most of the information about who, what and where is located. This makes tracking down specific events so difficult that most admins prefer third-party log analysis tools.
Problem #4: Event Data Retention
In larger IT environments, even a log size at the upper limit of 4 GB will only reach back a few hours. Once the log fills up, each new entry drops the oldest entry from the log. If you want to retain event data for longer, you need to set up your own custom export.
However, performance and storage limitations make it impossible to save the entire Windows event log, so you need to choose: Which events do you want to retain? Which apps and systems do you want to include? Then there are the maintenance concerns. Who will set up and test the export? Who will check the integrity of exported logs and make sure they are backed up?
The amount of effort it takes to trim event logs, set up an export and monitor it continuously is another reason organizations tend to choose professional solutions for their log analysis and consolidation needs.
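Tying together the retention question above and Problem #4, here is an added PowerShell example, not the article's own code, that reports how far back the Security log actually reaches on a host and then runs the kind of time-bounded, verified export job the text suggests scripting. It assumes an elevated session; the export folder and the 24-hour slice are assumptions.

```powershell
# Added example (not from the original article): measure how far back the Security log
# actually reaches on this host, then run the kind of time-bounded export job the text
# describes. Assumes an elevated session; the export folder and the 24-hour slice are
# assumptions chosen for illustration.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated
$rate   = if ($span.TotalHours -gt 0) { [math]::Round($log.RecordCount / $span.TotalHours) } else { $null }

# When IsFull is true, Retention is the real retention period: anything older is already gone.
[pscustomobject]@{
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
    UsedMB      = [math]::Round($log.FileSize / 1MB)
    Records     = $log.RecordCount
    IsFull      = $log.IsLogFull
    Retention   = $span
    EventsPerHr = $rate
}

# Export everything from the last 24 hours into a dated .evtx. Daily runs therefore overlap
# slightly instead of leaving gaps; the XPath filter is the same syntax the Event Viewer uses.
$outDir = 'D:\EventExports'   # assumption: an archive volume outside the system drive
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$file   = Join-Path $outDir ('Security-{0}-{1:yyyyMMdd-HHmm}.evtx' -f $env:COMPUTERNAME, (Get-Date))
$query  = '*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]'
wevtutil epl Security $file /q:"$query"
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }

# Read the archive back and count it: the integrity check the text says someone has to own.
$archived = @(Get-WinEvent -Path $file -ErrorAction SilentlyContinue).Count
'{0}: {1} events archived' -f $file, $archived
```

Run from a scheduled task, the export file name carries host and timestamp, so a missing or empty file for a given day is easy to spot.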
tenfold: Streamlined Event Auditing for Your AD
Are you looking for a way to analyze Windows event data without the struggle of manually collecting, consolidating and filtering event data? Do you want a streamlined solution that shows you exactly what is happening in your IT in one central hub?
With tenfold’s event auditing feature, you will never miss a critical change or security incident again. tenfold automatically collects Windows event data, stores it in its own database, and consolidates the log to show important context. This means that:
All events are streamlined into a single event log.
Related events and multi-step actions are automatically consolidated to a single entry.
tenfold looks up group, user and session IDs to show you who is behind a change.
Detailed filter and search options make it easy to analyze logs.
Event types, audit policies and retention periods are fully customizable.
Our event auditing feature is being actively developed and continuously improved. Future releases will add even more features such as support for Microsoft 365 events and automated alerts. The best part: All of these new improvements are included in our core Identity Governance platform at no additional cost to our users. Learn more about tenfold’s comprehensive IGA feature set and growing ITDR capabilities by booking a personal software demo today.