Windows Security Log References

Most handy Windows Security Log Event ID’s.

User Account Changes

Event ID Action
4720 Created
4722 Enabled
4723 User changed own password
4724 Privileged User changed this user’s password
4725 Disabled
4726 Deleted
4738 Changed
4740 Locked out
4767 Unlocked
4781 Name change

Group Changes

Group Changes Created Changed Deleted Member Added Member Removed
Security Local 4731 4737 4734 4732 4733
Security Global 4727 4735 4730 4728 4729
Security Universal 4754 4755 4758 4756 4757
Distribution Local 4744 4745 4748 4746 4747
Distribution Global 4749 4750 4753 4751 4752
Distribution Universal 4759 4760 4763 4761 4762

Domain Controller Authentication Events

Event ID Action
4768 A Kerberos authentication ticket (TGT) was requested
4771 Kerberos pre-authentication failed
4772 A Kerberos authentication ticket requested failed

For both 4771 and 4772 see the following Kerberos Failure Codes

Kerberos Failure Codes

Event ID Action
0x6 Bad user name
0x7 New computer account?
0x9 Administrator should reset password
OxC Workstation restriction
0x12 Account disabled, expired, locked out,logon hours restriction
0x17 The user’s password has expired
0x18 Bad password
0x20 Frequently logged by computer accounts
0x25 Workstation’s clock too far out of sync with the DC’s

Logon Session Events

Event ID Action
4624 Successful logon
4647 User initiated logoff
4625 Logon failure (See Logon Failure Codes)
4778 Remote desktop session reconnected
4779 Remote desktop session disconnected
4800 Workstation locked
4801 Workstation unlocked
4802 Screen saver invoked
4803 Screen saver dismissed

Logon Types

Event ID Action
2 Interactive
3 Network (i.e. mapped drive)
4 Batch (i.e. schedule task)
5 Service (service startup)
7 Unlock (i.e. unattended workstation with password protected screen saver)
8 Network Cleartext (Most often indicates a logon to IIS with “basic authentication”)
10 Remote Desktop
11 Logon with cached credentials

Logon Failure Codes

Event ID Action
OxC0000064 User name does not exist
0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC000006F User tried to logon outside his day of week or time of day restrictions
0xC0000070 Workstation restriction
0xC00000193 Account expiration
0xC0000071 Expired password
OxC0000133 Clocks between DC and other computer too far out of sync
OxC0000224 User is required to change password at next logon
OxC0000225 Evidently a bug in Windows and not a risk
0x000015b The user has not been granted the requested logon type (aka logon right) at this machine

URL list