IT Reference & Documentation
Technical reference documentation: verified KB articles and complete Windows Event ID reference.
Windows Event ID 4871 – Microsoft-Windows-Security-Auditing: Certificate Services Denied Request
Event ID 4871 fires when Active Directory Certificate Services denies a certificate request due to policy violations, insufficient permissions, or template restrictions.
Windows Event ID 4870 – Kerberos: TGT Renewal Failure
Event ID 4870 indicates a Kerberos Ticket Granting Ticket (TGT) renewal failure, typically occurring when domain authentication encounters issues with ticket refresh operations.
Windows Event ID 4869 – Kerberos: Certificate Services Client Operation Failed
Event ID 4869 indicates a Kerberos certificate services client operation has failed, typically during certificate enrollment or renewal processes in Active Directory environments.
Windows Event ID 5378 – SCHANNEL: TLS/SSL Certificate Chain Validation Error
Event ID 5378 indicates SCHANNEL encountered a certificate chain validation error during TLS/SSL handshake, typically due to untrusted root certificates or incomplete certificate chains.
Windows Event ID 5143 – Microsoft-Windows-Security-Auditing: Network Share Object Was Accessed
Event ID 5143 logs when a user or process accesses a network share object. This security audit event tracks file share access attempts for compliance and security monitoring purposes.
Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On
Event ID 4625 records failed logon attempts in Windows Security logs. This critical security event helps administrators track unauthorized access attempts, brute force attacks, and authentication issues across domain and local accounts.
Windows Event ID 4868 – Security: Certificate Services Denied Request
Event ID 4868 fires when Active Directory Certificate Services denies a certificate request due to policy violations, insufficient permissions, or template restrictions.
Windows Event ID 4867 – Security-Auditing: Certificate Services Template Security Descriptor Modified
Event ID 4867 fires when security permissions on a certificate template are modified in Active Directory Certificate Services, indicating changes to who can request or manage certificates.
Windows Event ID 4866 – Security: Object Operation Attempted
Event ID 4866 indicates an attempt to perform an operation on a security object, typically related to file system or registry access control modifications in Windows environments.
Windows Event ID 4865 – Microsoft-Windows-Security-Auditing: A trusted logon process has been assigned to an authentication package
Event ID 4865 records when Windows assigns a trusted logon process to an authentication package, typically during system startup or security subsystem initialization.
Windows Event ID 4816 – Security-Auditing: NTLM Authentication Package Loaded
Event ID 4816 indicates that the NTLM authentication package has been loaded by the Local Security Authority (LSA). This security audit event tracks when NTLM authentication capabilities are initialized on Windows systems.
Windows Event ID 4801 – Microsoft-Windows-WinRM: WinRM Service Started Successfully
Event ID 4801 indicates the Windows Remote Management (WinRM) service has started successfully. This informational event confirms WinRM is operational and ready to accept remote connections.
Windows Event ID 4794 – Security: An Attempt Was Made to Set the Directory Services Restore Mode Administrator Password
Event ID 4794 fires when someone attempts to set or change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. This security event tracks critical DSRM password modifications.
Windows Event ID 4793 – Microsoft-Windows-Security-Auditing: An attempt was made to call a privileged service
Event ID 4793 logs when a process attempts to call a privileged service operation. This security audit event tracks service privilege usage for compliance monitoring and security analysis.
Windows Event ID 4782 – Security: User Account Password Changed
Event ID 4782 logs when a user account password is changed by an administrator or through administrative tools. This security audit event tracks password modifications for compliance and security monitoring purposes.
Windows Event ID 4781 – Security: Account Name Changed
Event ID 4781 records when a user account name is changed in Active Directory or the local SAM database. This event is critical for security auditing and compliance tracking.
Windows Event ID 4780 – Microsoft-Windows-Security-Auditing: Computer Account Password Changed
Event ID 4780 logs when a computer account password is changed in Active Directory. This security audit event tracks machine account password updates for domain-joined computers.
Windows Event ID 4778 – Microsoft-Windows-Security-Auditing: Session Reconnected to a Window Station
Event ID 4778 logs when a user session reconnects to a Windows workstation or server, typically after Remote Desktop disconnection or console switching. This event is critical for tracking user activity and session management.
Windows Event ID 4769 – Microsoft-Windows-Security-Auditing: Kerberos Service Ticket Requested
Event ID 4769 logs when a Kerberos service ticket is requested from a domain controller. This security audit event tracks authentication attempts to network services and resources.
Windows Event ID 4768 – Microsoft-Windows-Security-Auditing: Kerberos Authentication Ticket (TGT) Requested
Event ID 4768 logs when a user or service requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller during authentication.