EventPeeker

Windows Event ID Reference

Security reference for analysts and threat hunters. Covers Windows Security, System, and Sysmon event IDs — what each event means, key fields to inspect, and when to escalate.

1

Process Create (Sysmon)

Sysmon Event 1 fires every time a process is created, capturing a richer dataset than the native Windows Event 4688 — in

3

Network Connection (Sysmon)

Sysmon Event 3 fires for every TCP and UDP network connection initiated by a process, recording the source process, dest

7

Image Loaded (Sysmon)

Sysmon Event 7 fires every time a DLL or other image file is loaded into a process, recording the loading process, the l

10

Process Access (Sysmon)

Sysmon Event 10 fires when one process opens a handle to another process using OpenProcess(), recording the source proce

11

File Create (Sysmon)

Sysmon Event 11 fires every time a file is created or overwritten, recording the creating process, the full target file

13

Registry Value Set (Sysmon)

Sysmon Event 13 fires every time a registry value is set — capturing the process that made the change, the full registry

22

DNS Query (Sysmon)

Sysmon Event 22 fires every time a process makes a DNS query, recording the querying process, the queried hostname, and

41

Kernel Power — Unexpected Shutdown / Crash

Logged when Windows restarts unexpectedly without a clean shutdown — indicates a crash, power failure, or hard reset.

1000

Application Error

Logged by the Application Error Reporting service when an application crashes with an unhandled exception.

1001

Windows Error Reporting — Application or System Crash

Logged by Windows Error Reporting when an application crashes or a BSOD occurs, including the fault module and exception

1102

Audit Log Cleared

Logged when the Security event log is cleared. This is one of the clearest signs of an attacker covering their tracks.

1116

Windows Defender — Malware Detected

Logged when Windows Defender detects a threat — malware, PUA, or suspicious file.

1117

Windows Defender — Malware Remediation Action

Logged when Windows Defender takes a remediation action on a detected threat — quarantine, removal, block, or allow. Alw

4103

PowerShell Module Logging

Logged for each PowerShell pipeline execution, capturing the module and function called. Less detailed than Script Block

4104

PowerShell Script Block Logging

Logged when PowerShell executes a script block — captures the actual code being run, even if it was de-obfuscated at run

4624

Successful Logon

Logged every time an account successfully authenticates to a Windows system. One of the highest-volume events in the Sec

4625

Failed Logon

Logged every time an account fails to authenticate via NTLM or local SAM. A single failure is normal; the security signa

4634

Account Logoff

Logged when an account's logon session ends. Paired with 4624, it lets you reconstruct the full duration of a session.

4647

User Initiated Logoff

Logged when a user explicitly logs off (Start → Logoff). Complements 4634, which covers all session terminations includi

4648

Logon with Explicit Credentials

Logged when a process attempts to authenticate using explicitly provided credentials — e.g. runas, net use, or Pass-the-

4657

Registry Value Modified

Logged on the system where the change occurs when a registry value is created, modified, or deleted on a key that has a

4662

Operation Performed on Active Directory Object

Logged when an operation is performed on an Active Directory object — such as a user, computer, or the domain partition

4663

Object Access Attempt

Logged when an attempt is made to access an audited object (file, folder, registry key, etc.). Requires SACL (System Acc

4670

Permissions Changed on Object

Logged when the Discretionary Access Control List (DACL) on an object is modified, changing who can access it and with w

4672

Special Privileges Assigned to New Logon

Logged immediately after a successful 4624 logon when the authenticated account holds one or more sensitive Windows priv

4673

Privileged Service Called

Logged when a process or user attempts to use a sensitive privilege such as SeDebugPrivilege, SeImpersonatePrivilege, or

4688

Process Created

Logged every time a new process is created on Windows. Requires Process Creation auditing to be enabled via Group Policy

4689

Process Exited

Logged when a process terminates. Paired with 4688, it gives the full lifetime of a process.

4697

Service Installed in Service Control Manager

Logged in the Security log when a new service is installed in the Service Control Manager. Complements System log Event

4698

Scheduled Task Created

Logged when a new scheduled task is registered on the system via schtasks.exe, PowerShell, COM API, or Group Policy. One

4699

Scheduled Task Deleted

Logged when a scheduled task is removed from the system — via schtasks.exe /delete, PowerShell Unregister-ScheduledTask,

4700

Scheduled Task Enabled

Logged when a previously disabled scheduled task is enabled — via schtasks.exe /change /enable, PowerShell Enable-Schedu

4701

Scheduled Task Disabled

Logged when a scheduled task is disabled — via schtasks.exe /change /disable, PowerShell Disable-ScheduledTask, or the T

4702

Scheduled Task Modified

Logged when an existing scheduled task is updated — its name, trigger, action, or run-as account is changed. Fires on th

4719

System Audit Policy Changed

Logged when the system's audit policy, which controls what events get recorded in the Security log, is modified.

4720

User Account Created

Logged when a new user account is created in Active Directory or locally on a Windows system. Fires on the domain contro

4722

User Account Enabled

Logged when a previously disabled user account is re-enabled. Attackers re-enable dormant accounts to gain access that i

4723

Password Change Attempted

Logged when a user attempts to change their own password — a self-service action that does not require admin privileges.

4724

Password Reset Attempted

Logged when an administrator resets another user's password. Unlike Event ID 4723 (self-service), this requires elevated

4725

User Account Disabled

Logged when a user account is disabled, preventing future logons without permanently deleting the account. While usually

4726

User Account Deleted

Logged when a user account is permanently deleted from Active Directory or a local system. Fires on the DC for domain ac

4727

Security-Enabled Global Group Created

Logged when a new security-enabled global group is created in Active Directory. Global security groups replicate to all

4728

Member Added to Global Security Group

Logged when an account is added to an Active Directory global security group — including the most sensitive groups in th

4729

Member Removed from Global Security Group

Logged when an account is removed from an Active Directory global security group. The complement to Event ID 4728 (membe

4731

Security-Enabled Local Group Created

Logged when a new security-enabled local group is created on a Windows system. Local groups are machine-specific — unlik

4732

Member Added to Local Security Group

Logged when an account is added to a local security group on a Windows system. The most security-critical groups are loc

4733

Member Removed from Local Security Group

Logged when an account is removed from a local security group on a Windows system. The complement to Event ID 4732 (memb

4735

Security-Enabled Local Group Changed

Logged when a local security group's properties are modified — including its name, description, or type. This event cove

4738

User Account Changed

Logged when a user account's attributes are modified — not creation, deletion, or group membership. Covers changes to ac

4740

Account Lockout

Logged on the domain controller when a user account is locked out after exceeding the failed logon threshold.

4741

Computer Account Created

Logged when a new computer account is created in Active Directory. The default MachineAccountQuota (10) allows any domai

4742

Computer Account Changed

Logged when an existing computer account in Active Directory is modified. Attackers modify computer accounts to enable p

4743

Computer Account Deleted

Logged when a computer account is deleted from Active Directory. Attackers delete computer accounts as post-attack clean

4754

Security-Enabled Universal Group Created

Logged when a new security-enabled universal group is created in Active Directory. Universal security groups replicate t

4756

Member Added to Universal Security Group

Logged when an account is added to a universal security group in Active Directory.

4767

User Account Unlocked

Logged when a locked-out user account is unlocked by an administrator or automated system. Account lockouts (Event ID 47

4768

Kerberos Authentication Ticket (TGT) Requested

Logged on the domain controller when a client requests a Kerberos Ticket Granting Ticket (TGT) — the first step in Kerbe

4769

Kerberos Service Ticket Requested

Logged on the domain controller each time a client requests a Kerberos Service Ticket (TGS) to access a specific service

4770

Kerberos Service Ticket Renewed

Fires on the domain controller when a Kerberos service ticket (TGS) is renewed. Kerberos tickets have a maximum lifetime

4771

Kerberos Pre-authentication Failed

Logged on the domain controller when Kerberos pre-authentication fails — effectively the Kerberos equivalent of Event ID

4776

NTLM Credential Validation

Logged on the domain controller each time it validates NTLM credentials — for both successful and failed authentications

4778

Session Reconnected to Window Station

Logged when a user reconnects to an existing Remote Desktop session. Indicates RDP re-connection activity.

4779

Session Disconnected from Window Station

Logged when a user disconnects from a Remote Desktop session without fully logging off — the session remains active in m

4794

DSRM Admin Password Set

Logged on a domain controller whenever the Directory Services Restore Mode (DSRM) administrator password is set or chang

4907

Auditing Settings Changed on Object

Logged when the System Access Control List (SACL) on an object is modified, changing what activity is audited on that ob

4946

Windows Firewall Exception Added

Logged when a new firewall exception rule is added to the Windows Firewall.

5140

Network Share Accessed

Logged when a network share is accessed. Captures who accessed which share and from where.

5145

Network Share Object Access Checked

Logged when access is checked on a file or folder within a network share — more granular than 5140 (share level) but ver

5857

WMI Provider Activity

Logged when a WMI provider is loaded or invoked. Captures the WMI namespace, provider name, and the initiating process,

5858

WMI Provider Error

Logged when a WMI provider operation fails. Contains the provider name, error code, and the initiating process — useful

6005

Event Log Service Started

Logged when the Windows Event Log service starts — effectively marks system startup.

6006

Event Log Service Stopped

Logged when the Windows Event Log service stops — marks a clean, controlled shutdown.

6008

Unexpected System Shutdown

Logged at startup to record that the previous shutdown was unexpected — power loss, crash, or forced reset.

7034

Service Crashed Unexpectedly

Logged when a Windows service terminates unexpectedly (not by request).

7036

Service State Changed

Logged when a service enters a running or stopped state.

7045

New Service Installed

Logged when a new service is installed on the system. The System log equivalent of Security Event 4697.