Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 2004 – Perflib: Performance Counter Provider Registration Failed
Event ID 2004 indicates a performance counter provider failed to register with the Windows Performance Toolkit. This typically occurs when performance counter DLLs are corrupted, missing, or incompatible with the current system.
Windows Event ID 12010 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 12010 fires when Windows detects a system time change, either manual or automatic. It is critical for security auditing and for troubleshooting time synchronization issues in domain environments.
Windows Event ID 823 – Ntfs: Critical Disk I/O Error Detected
Event ID 823 indicates a critical disk I/O error where the NTFS file system detected corrupted data during read/write operations, potentially signaling hardware failure or data corruption.
Windows Event ID 4004 – WinLogon: Interactive Logon Process Initialization
Event ID 4004 indicates the Windows interactive logon process has been initialized. This informational event fires during system startup when WinLogon prepares the interactive desktop environment for user authentication.
Windows Event ID 2042 – DNS Client: DNS Client Service Failed to Start
Event ID 2042 indicates the DNS Client service failed to start during system boot, preventing DNS resolution and network connectivity for applications requiring domain name lookups.
Windows Event ID 1500 – Application Error: Application Crash or Failure
Event ID 1500 indicates an application has crashed or encountered a critical error. This event helps administrators track application stability and identify problematic software components.
Windows Event ID 1102 – Microsoft-Windows-Eventlog: Security Log Cleared
Event ID 1102 indicates the Windows Security log has been manually cleared by an administrator or system process, triggering immediate audit trail documentation.
Windows Event ID 1006 – WinMgmt: WMI Performance Adapter Registration Failure
Event ID 1006 indicates WMI performance adapter registration failures, typically occurring during system startup or when WMI services attempt to initialize performance counters for system monitoring.
Windows Event ID 1311 – MSI Installer: Product Installation Failure
Event ID 1311 indicates a Windows Installer (MSI) package failed to install or configure properly. This error typically occurs when the installer cannot access required files, encounters permission issues, or faces corrupted installation media during software deployment.
Windows Event ID 1925 – MSExchange Store: Database Mount Failure or Corruption
Event ID 1925 indicates the Microsoft Exchange Store service encountered a critical database mount failure or corruption issue, preventing mailbox databases from mounting properly during startup or maintenance operations.
Windows Event ID 98 – System: Processor Thermal Throttling Event
Event ID 98 indicates processor thermal throttling has occurred due to high CPU temperatures. This system-level event fires when Windows reduces CPU performance to prevent overheating damage.
Windows Event ID 13 – Kernel-General: System Boot Performance Monitoring
Event ID 13 from Kernel-General tracks system boot performance metrics, recording boot duration and initialization phases during Windows startup sequences.
Windows Event ID 1500 – Application Error: Application Crash or Hang Detection
Event ID 1500 indicates an application has crashed, hung, or encountered a critical error. This event helps administrators track application stability and identify problematic software components.
Windows Event ID 33 – System: Time Service Provider Time Synchronization
Event ID 33 indicates the Windows Time Service has successfully synchronized system time with an external time source or encountered synchronization issues during the process.
Windows Event ID 25 – Application Popup: System Process Terminated Unexpectedly
Event ID 25 indicates a critical system process has terminated unexpectedly, triggering Windows Error Reporting. This event typically signals driver issues, memory corruption, or system instability requiring immediate investigation.
Windows Event ID 8 – Kernel-General: Page Fault in Nonpaged Area
Event ID 8 indicates a critical page fault in the nonpaged memory area, typically caused by faulty drivers, hardware issues, or memory corruption that can lead to system instability.
Windows Event ID 219 – Kernel-PnP: Device Driver Installation or Removal Event
Event ID 219 from Kernel-PnP indicates device driver installation, removal, or configuration changes in Windows. This informational event helps track Plug and Play device management activities.
Windows Event ID 38 – Kernel-Power: System Thermal Zone Temperature
Event ID 38 from Kernel-Power indicates thermal zone temperature changes or thermal management events in Windows systems, typically logged when CPU or system temperatures exceed normal operating thresholds.
Windows Event ID 29 – Kernel-Power: Critical System Power Event
Event ID 29 from Kernel-Power indicates critical power-related issues including unexpected shutdowns, power supply failures, or thermal protection events that can cause system instability.
Windows Event ID 7045 – Service Control Manager: New Service Installation
Event ID 7045 fires when a new Windows service is installed on the system. This informational event logs service creation details including name, path, and startup type for security monitoring.
Windows Event ID 7 – Kernel-General: Bad Block Detected on Device
Event ID 7 indicates Windows detected a bad block on a storage device. This critical hardware event signals potential disk failure and requires immediate investigation to prevent data loss.