Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 4657 – Microsoft-Windows-Security-Auditing: Registry Value Modified
Event ID 4657 is logged when a registry value is modified on a Windows system with object access auditing enabled. It is critical for security monitoring and compliance tracking.
Windows Event ID 4656 – Microsoft-Windows-Security-Auditing: A Handle to an Object was Requested
Event ID 4656 is logged when a process requests a handle to an object such as a file, registry key, or process. It is critical for security auditing and access monitoring in Windows environments.
Windows Event ID 4612 – LSA: Security Audit Policy Changes
Event ID 4612 fires when Local Security Authority (LSA) audit policy settings are modified, indicating changes to Windows security auditing configuration that affect what events get logged.
Windows Event ID 1108 – WinMgmt: WMI Repository Corruption Detected
Event ID 1108 indicates WMI repository corruption detected by the Windows Management Instrumentation service, requiring immediate investigation and potential repository rebuild to restore system management functionality.
Windows Event ID 1104 – Microsoft-Windows-Eventlog: Event Log Service Shutdown
Event ID 1104 indicates the Windows Event Log service is shutting down, typically during system shutdown, restart, or service maintenance operations.
Windows Event ID 1101 – Winlogon: User Logon Notification for Customer Experience Improvement Program
Event ID 1101 from Winlogon records a user logon notification for the Customer Experience Improvement Program (CEIP). This informational event tracks user sessions for telemetry purposes.
Windows Event ID 1100 – EventLog: Event Logging Service Shutdown
Event ID 1100 indicates the Windows Event Log service has shut down, typically during system shutdown or service restart. This informational event helps track service lifecycle and system state changes.
Windows Event ID 16394 – Application Error: Critical Application Crash with Memory Access Violation
Event ID 16394 indicates a critical application crash caused by memory access violations or corrupted application data, requiring immediate investigation to prevent system instability.
Windows Event ID 16389 – Unknown: Application or Service Initialization Failure
Event ID 16389 indicates an application or service failed to initialize properly during startup, often related to dependency issues, corrupted files, or insufficient permissions.
Windows Event ID 16388 – Microsoft-Windows-Kernel-General: System Time Change Notification
Event ID 16388 fires when Windows detects a system time change, whether from a manual adjustment or automatic synchronization. It is critical for security auditing and troubleshooting time-related issues.
Windows Event ID 16384 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 16384 fires when Windows detects a system time change, whether manual or automatic. It is critical for security auditing and troubleshooting time synchronization issues in domain environments.
Windows Event ID 11728 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 11728 fires when Windows detects a system time change, typically from time synchronization services, manual adjustments, or hardware clock drift corrections.
Windows Event ID 11724 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 11724 indicates the Windows kernel detected a system time change, typically triggered by time synchronization services, manual adjustments, or hardware clock drift corrections.
Windows Event ID 11707 – Microsoft-Windows-WinRM: WinRM Service Configuration Error
Event ID 11707 indicates a Windows Remote Management (WinRM) service configuration error, typically occurring during service startup or when authentication settings are misconfigured.
Windows Event ID 10024 – DistributedCOM: DCOM Server Process Launcher Service Termination
Event ID 10024 indicates the DCOM Server Process Launcher service has terminated unexpectedly, potentially affecting distributed applications and COM+ components across the network.
Windows Event ID 10005 – DCOM: Distributed COM Error
Event ID 10005 indicates DCOM server startup failures or timeout issues when Windows attempts to launch COM+ applications or services, commonly affecting system performance and application functionality.
Windows Event ID 10001 – WinInit: System Shutdown Initiated by User
Event ID 10001 from WinInit indicates a system shutdown was initiated by a user or process. This informational event logs shutdown requests and helps track system restart patterns.
Windows Event ID 10000 – Unknown: Generic Application or System Error Event
Event ID 10000 represents a generic error condition from various Windows applications and services. This catch-all event requires detailed investigation to identify the specific component and root cause.
Windows Event ID 8303 – DNS Client: DNS Query Timeout or Resolution Failure
Event ID 8303 indicates DNS query timeouts or resolution failures from the DNS Client service, typically occurring when domain name lookups fail or exceed timeout thresholds.
Windows Event ID 8302 – VOLMGR: Volume Manager Driver Error
Event ID 8302 indicates a critical Volume Manager (VOLMGR) driver error, typically related to disk I/O failures, corrupted volume structures, or hardware issues affecting storage subsystems.
Windows Event ID 8301 – Microsoft-Windows-Kernel-General: System Time Change Notification
Event ID 8301 fires when Windows detects a system time change, whether from a manual adjustment or automatic synchronization. It is critical for security auditing and troubleshooting time-related issues.