IT Reference & Documentation
Technical reference documentation: verified KB articles and complete Windows Event ID reference.
Windows Event ID 4944 – Microsoft-Windows-Security-Auditing: An account was locked out
Event ID 4944 indicates that a user account has been locked out due to exceeding the maximum number of failed logon attempts within the configured lockout threshold period.
Windows Event ID 4936 – Microsoft-Windows-Security-Auditing: User Account Management Policy Change
Event ID 4936 logs changes to user account management policies in Active Directory. This security audit event fires when administrators modify password policies, account lockout settings, or Kerberos authentication policies.
Windows Event ID 4935 – Microsoft-Windows-Security-Auditing: Maximum Daily Password Reset Attempts Exceeded
Event ID 4935 fires when a user account exceeds the maximum allowed password reset attempts within a 24-hour period, triggering security lockout mechanisms to prevent brute-force attacks.
Windows Event ID 4933 – Microsoft-Windows-Security-Auditing: Per-user audit policy table creation
Event ID 4933 fires when Windows creates a per-user audit policy table during system startup or when audit policies are modified. This security auditing event tracks the initialization of user-specific audit settings.
Windows Event ID 4932 – Microsoft-Windows-Security-Auditing: An attempt was made to access an object
Event ID 4932 logs when a process attempts to access a security-protected object. This audit event fires when object access auditing is enabled and helps track file, registry, or service access attempts.
Windows Event ID 4928 – Microsoft-Windows-Security-Auditing: Active Directory Replica Source Naming Context Established
Event ID 4928 indicates that an Active Directory replica source naming context has been successfully established between domain controllers during replication operations.
Windows Event ID 4912 – Microsoft-Windows-Kernel-General: Object Manager Symbolic Link Creation
Event ID 4912 logs when the Windows Object Manager creates symbolic links in the kernel namespace, typically during system startup or driver initialization processes.
Windows Event ID 4908 – Security: Trusted Domain Information Changed
Event ID 4908 indicates that trusted domain information has been modified on a domain controller, typically during domain trust establishment, modification, or removal operations.
Windows Event ID 4906 – Microsoft-Windows-Security-Auditing: An attempt was made to register a security event source
Event ID 4906 fires when an application or service attempts to register itself as a security event source in the Windows Event Log system, typically during software installation or service startup.
Windows Event ID 4897 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Descriptor Changed
Event ID 4897 fires when security permissions on a Certificate Authority template are modified, indicating changes to who can request, manage, or enroll certificates from that template.
Windows Event ID 4896 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Descriptor Modified
Event ID 4896 fires when security permissions on a Certificate Authority template are modified, indicating changes to who can request, approve, or manage specific certificate types.
Windows Event ID 4892 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 4892 fires when Windows detects a system time change, typically during time synchronization, manual adjustments, or hardware clock drift corrections.
Windows Event ID 4890 – Microsoft-Windows-Security-Auditing: A handle to an object was requested
Event ID 4890 logs when a process requests a handle to a system object. This security audit event tracks object access attempts for compliance and security monitoring purposes.
Windows Event ID 4888 – Kernel-Power: System Power State Transition
Event ID 4888 from Kernel-Power indicates a system power state transition, typically logged when Windows enters or exits sleep, hibernate, or shutdown states during power management operations.
Windows Event ID 5028 – Windows Filtering Platform: Failed to Load Security Policy
Event ID 5028 indicates Windows Filtering Platform (WFP) failed to load security policy during system startup, potentially affecting firewall rules and network filtering capabilities.
Windows Event ID 4881 – Security: Certificate Services Template Security Permissions Changed
Event ID 4881 logs when security permissions on a Certificate Authority template are modified, indicating changes to who can request or manage specific certificate types in your PKI.
Windows Event ID 4880 – Security: Certificate Services Template Security Permissions Changed
Event ID 4880 logs when security permissions on a Certificate Authority template are modified, indicating changes to who can request or manage specific certificate types in your PKI.
Windows Event ID 4877 – Security-Auditing: Certificate Services Template Security Permissions Changed
Event ID 4877 fires when security permissions on a Certificate Authority template are modified. It is critical for PKI security monitoring and compliance auditing in enterprise environments.
Windows Event ID 4876 – Security: Special Privileges Assigned to New Logon
Event ID 4876 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted during authentication.
Windows Event ID 4872 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Permissions Changed
Event ID 4872 fires when security permissions on a Certificate Authority template are modified. This audit event tracks changes to certificate template access control lists and helps monitor PKI security modifications.