Windows Events — Event ID Reference & Troubleshooting

Complete Windows Event ID reference. Understand every system event, its causes and solutions.

389 events
Windows Event ID 4731 – Microsoft-Windows-Security-Auditing: Security-Enabled Local Group Member Added
4731 | Information | Microsoft-Windows-Security-Auditing

Event ID 4731 fires when a member is added to a security-enabled local group on Windows systems. This security audit event tracks local group membership changes for compliance and security monitoring.

Mar 18, 2026
Windows Event ID 4730 – Microsoft-Windows-Security-Auditing: Security-Enabled Universal Group Deleted
4730 | Information | Microsoft-Windows-Security-Auditing

Event ID 4730 logs when a security-enabled universal group is deleted from Active Directory. This audit event tracks group management changes for security compliance and forensic analysis.

Mar 18, 2026
Windows Event ID 4729 – Microsoft-Windows-Security-Auditing: A Member was Removed from a Security-Enabled Global Group
4729 | Information | Microsoft-Windows-Security-Auditing

Event ID 4729 logs when a user or computer account is removed from a security-enabled global group in Active Directory. This audit event tracks group membership changes for security monitoring and compliance.

Mar 18, 2026
Windows Event ID 4728 – Microsoft-Windows-Security-Auditing: A Member Was Added to a Security-Enabled Global Group
4728 | Information | Microsoft-Windows-Security-Auditing

Event ID 4728 fires when a user or computer account is added to a security-enabled global group in Active Directory. This audit event tracks group membership changes for security monitoring and compliance.

Mar 18, 2026
Windows Event ID 4727 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Created
4727 | Information | Microsoft-Windows-Security-Auditing

Event ID 4727 fires when a security-enabled global group is created in Active Directory. This audit event tracks group creation activities for security monitoring and compliance purposes.

Mar 18, 2026
Windows Event ID 4733 – Microsoft-Windows-Security-Auditing: Security Group Member Removed
4733 | Information | Microsoft-Windows-Security-Auditing

Event ID 4733 logs when a user or computer account is removed from a security group in Active Directory, providing critical audit information for access control changes.

Mar 18, 2026
Windows Event ID 4726 – Microsoft-Windows-Security-Auditing: User Account Deleted
4726 | Information | Microsoft-Windows-Security-Auditing

Event ID 4726 fires when a user account is deleted from Active Directory or the local system. It is a critical security event for tracking the account lifecycle and potential unauthorized deletions.

Mar 18, 2026
Windows Event ID 4725 – Microsoft-Windows-Security-Auditing: User Account Disabled
4725 | Information | Microsoft-Windows-Security-Auditing

Event ID 4725 fires when a user account is disabled in Active Directory or on a local Windows system, providing an audit trail for account management activities.

Mar 18, 2026
Windows Event ID 4724 – Microsoft-Windows-Security-Auditing: User Account Password Reset by Administrator
4724 | Information | Microsoft-Windows-Security-Auditing

Event ID 4724 logs when an administrator resets another user's password in Active Directory or for a local account, providing a critical security audit trail for password management activities.

Mar 18, 2026
Windows Event ID 4722 – Microsoft-Windows-Security-Auditing: User Account Enabled
4722 | Information | Microsoft-Windows-Security-Auditing

Event ID 4722 fires when a user account is enabled in Active Directory or the local SAM database. This is critical for security auditing and tracking account state changes.

Mar 18, 2026
Windows Event ID 4720 – Microsoft-Windows-Security-Auditing: User Account Created
4720 | Information | Microsoft-Windows-Security-Auditing

Event ID 4720 logs when a new user account is created on Windows systems. This security audit event tracks account creation activities for compliance and security monitoring purposes.

Mar 18, 2026
Windows Event ID 4719 – Microsoft-Windows-Security-Auditing: System Audit Policy Changed
4719 | Information | Microsoft-Windows-Security-Auditing

Event ID 4719 fires when Windows audit policy settings are modified, indicating changes to security auditing configuration that affect what events get logged.

Mar 18, 2026
Windows Event ID 4672 – Security: Special Privileges Assigned to New Logon
4672 | Information | Microsoft-Windows-Security-Auditing

Event ID 4672 fires when Windows assigns special privileges to a new user logon session, indicating elevated access rights have been granted to an account.

Mar 18, 2026
Windows Event ID 4670 – Security: Object Permissions Changed
4670 | Information | Security

Event ID 4670 logs when permissions are modified on securable objects like files, folders, or registry keys. This is critical for security auditing and compliance monitoring.

Mar 18, 2026
Windows Event ID 4663 – Security: An Attempt Was Made to Access an Object
4663 | Information | Security

Event ID 4663 logs when a process attempts to access a file, folder, registry key, or other securable object. This security audit event tracks object access attempts for compliance and forensic analysis.

Mar 18, 2026
Windows Event ID 4662 – Security: Object Access Auditing
4662 | Information | Security

Event ID 4662 logs when an operation is performed on an object with configured auditing. This security event tracks access attempts to files, folders, registry keys, and Active Directory objects.

Mar 18, 2026
Windows Event ID 4660 – Microsoft-Windows-Security-Auditing: Object Deleted
4660 | Information | Microsoft-Windows-Security-Auditing

Event ID 4660 logs when an object is deleted from Active Directory or the local security database, providing an audit trail for security-sensitive deletions including user accounts, groups, and organizational units.

Mar 18, 2026
Windows Event ID 4658 – Microsoft-Windows-Security-Auditing: Handle to an Object was Closed
4658 | Information | Microsoft-Windows-Security-Auditing

Event ID 4658 logs when a handle to a system object is closed, providing an audit trail for object access tracking in Windows security monitoring.

Mar 18, 2026