Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 3603 – WinRM: Remote Management Service Authentication Error
Event ID 3603 indicates Windows Remote Management (WinRM) authentication failures when clients attempt to connect to remote systems using PowerShell remoting or other WinRM-based services.
Windows Event ID 2562 – ESENT: Database Page Read Operation Failed
Event ID 2562 indicates the ESENT database engine failed to read a specific page from a database file, typically due to disk corruption, hardware issues, or file system problems affecting Windows services.
Windows Event ID 3086 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 3086 fires when Windows detects a significant system time change from manual adjustment, NTP synchronization, or hardware clock drift requiring investigation.
Windows Event ID 2101 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 2101 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. It is critical for security auditing and for troubleshooting time-related issues.
Windows Event ID 2003 – Srv: Server Service Connection Limit Reached
Event ID 2003 indicates the Windows Server service has reached its maximum concurrent connection limit, preventing new client connections until existing sessions are freed.
Windows Event ID 2000 – Service Control Manager: Service Started Successfully
Event ID 2000 indicates a Windows service has started successfully. This informational event helps administrators track service startup activities and troubleshoot service dependencies during system boot or manual service operations.
Windows Event ID 1532 – User32: Desktop Window Manager Session Ended
Event ID 1532 from User32 indicates the Desktop Window Manager (DWM) session has ended, typically during user logoff, system shutdown, or when switching between user sessions.
Windows Event ID 1531 – User32: Desktop Window Manager Session Ended
Event ID 1531 from User32 indicates the Desktop Window Manager (DWM) session has terminated, typically during user logoff, system shutdown, or when DWM crashes unexpectedly.
Windows Event ID 1130 – Microsoft-Windows-User Profiles Service: User Profile Service Failed
Event ID 1130 indicates the User Profile Service encountered a critical failure during profile loading or management operations, potentially preventing users from accessing their profiles or causing profile corruption.
Windows Event ID 1066 – WinLogon: Session Manager Subsystem Initialization
Event ID 1066 indicates the Windows Session Manager subsystem has successfully initialized during system startup, marking a critical milestone in the boot process.
Windows Event ID 1042 – Kernel-Power: System Reboot Without Clean Shutdown
Event ID 1042 indicates the system rebooted without cleanly shutting down first. This critical event signals unexpected power loss, hardware failure, or forced restart scenarios.
Windows Event ID 1040 – Microsoft-Windows-WinRM: WinRM Service Started Successfully
Event ID 1040 indicates the Windows Remote Management (WinRM) service has started successfully. This informational event confirms WinRM is operational and ready to accept remote connections.
Windows Event ID 1038 – Kernel-Power: Critical System Power Event
Event ID 1038 indicates a critical system power event where Windows detected an unexpected power loss or system shutdown without proper shutdown procedures.
Windows Event ID 1035 – MsiInstaller: Windows Installer Service Reconfiguration
Event ID 1035 from MsiInstaller indicates the Windows Installer service has reconfigured an installed product, typically during repair operations or feature modifications.
Windows Event ID 1034 – MsiInstaller: Windows Installer Reconfiguration Event
Event ID 1034 from MsiInstaller indicates Windows Installer has completed a product reconfiguration or repair operation, typically triggered by application self-repair or administrative maintenance tasks.
Windows Event ID 1033 – WinMgmt: WMI Repository Corruption or Initialization Error
Event ID 1033 indicates WMI (Windows Management Instrumentation) repository corruption or initialization failures, typically requiring repository rebuild or service restart to resolve.
Windows Event ID 1026 – Application Error: Application Crash or Hang Detection
Event ID 1026 indicates an application has crashed, hung, or encountered a critical error. This event helps administrators track application stability and identify problematic software components.
Windows Event ID 1023 – Perflib: Performance Counter Registry Corruption
Event ID 1023 indicates performance counter registry corruption in Windows. This error affects system monitoring tools and performance data collection, requiring registry repair or counter rebuilding.
Windows Event ID 1022 – MsiInstaller: Windows Installer Reconfiguration Event
Event ID 1022 from MsiInstaller indicates Windows Installer has begun reconfiguring an installed product, typically triggered by repair operations, feature modifications, or automatic maintenance tasks.
Windows Event ID 1016 – WinLogon: Group Policy Application Failed
Event ID 1016 indicates Group Policy processing failures during user logon or computer startup, typically caused by network connectivity issues, domain controller problems, or corrupted policy files.
Windows Event ID 1013 – Kernel-General: System Uptime Information
Event ID 1013 records system uptime information when Windows starts or resumes from hibernation, providing administrators with boot time tracking and system availability metrics.