Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 5061 – Microsoft-Windows-Security-Auditing: Cryptographic Operation Failed
Event ID 5061 indicates a cryptographic operation failure in Windows security auditing, typically related to certificate validation, encryption processes, or digital signature verification issues.
Windows Event ID 5058 – Microsoft-Windows-Kernel-General: Key File Operation Failure
Event ID 5058 indicates a critical kernel-level file operation failure, typically involving system files, registry hives, or security databases that Windows cannot access or modify properly.
Windows Event ID 5056 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 5056 fires when Windows detects a system time change, typically during boot or when time synchronization occurs. Critical for audit trails and troubleshooting time-related issues.
Windows Event ID 5050 – DNS Client: DNS Client Service Failed to Start
Event ID 5050 indicates the DNS Client service failed to initialize or start properly, causing name resolution failures and network connectivity issues across Windows systems.
Windows Event ID 5027 – WinRM: WS-Management Service Cannot Process Request
Event ID 5027 indicates the Windows Remote Management (WinRM) service cannot process a request due to configuration issues, authentication failures, or service problems.
Windows Event ID 5025 – Windows Firewall: Service Failed to Start
Event ID 5025 indicates the Windows Firewall service failed to start, typically due to corrupted service configuration, missing dependencies, or registry corruption affecting system security.
Windows Event ID 5024 – Windows Filtering Platform: Filter Engine Initialization Failed
Event ID 5024 indicates the Windows Filtering Platform (WFP) filter engine failed to initialize or encountered a critical error during startup, potentially affecting network security and firewall functionality.
Windows Event ID 4983 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Authentication Failed
Event ID 4983 indicates an IPsec Main Mode authentication failure during VPN or secure network connection establishment. This security audit event helps identify authentication issues in IPsec communications.
Windows Event ID 4978 – Security: IPsec Main Mode Negotiation Failed
Event ID 4978 indicates that IPsec Main Mode negotiation failed during the establishment of a secure connection. This security event occurs when two endpoints cannot agree on cryptographic parameters or authentication methods.
Windows Event ID 4977 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Security Association Established
Event ID 4977 indicates successful establishment of an IPsec Main Mode security association between two endpoints, confirming secure tunnel creation for encrypted network communication.
Windows Event ID 4976 – Microsoft-Windows-Security-Auditing: Special Logon
Event ID 4976 records when a user account is granted special privileges during logon, typically for service accounts or administrative access requiring elevated permissions.
Windows Event ID 4963 – Microsoft-Windows-Security-Auditing: Object Access Auditing Disabled
Event ID 4963 indicates that object access auditing has been disabled on a Windows system. This security event fires when audit policies for file, folder, or registry access monitoring are turned off.
Windows Event ID 4962 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Security Association Established
Event ID 4962 logs when Windows successfully establishes an IPsec Main Mode security association between two endpoints, indicating secure tunnel creation for network communications.
Windows Event ID 4960 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Authentication Failed
Event ID 4960 indicates IPsec Main Mode authentication failed during IKE negotiation. This security audit event fires when Windows cannot establish secure IPsec tunnels due to authentication issues.
Windows Event ID 4950 – Microsoft-Windows-Kernel-General: System Time Changed
Event ID 4950 fires when the system time is changed on a Windows machine, either manually by a user or automatically by time synchronization services.
Windows Event ID 4948 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Security Association Established
Event ID 4948 indicates successful establishment of an IPsec Main Mode security association between two endpoints, confirming secure tunnel creation for encrypted network communications.
Windows Event ID 4947 – Microsoft-Windows-Security-Auditing: IPsec Policy Agent Service Started
Event ID 4947 indicates the IPsec Policy Agent service has successfully started on the system. This security audit event confirms IPsec policy enforcement is active and ready to secure network communications.
Windows Event ID 4946 – Microsoft-Windows-Kernel-Power: System Power State Transition
Event ID 4946 indicates a system power state transition, typically when Windows enters or exits sleep, hibernation, or other power management states. Critical for diagnosing power-related issues.
Windows Event ID 4944 – Microsoft-Windows-Security-Auditing: An Account Was Locked Out
Event ID 4944 indicates that a user account has been locked out due to exceeding the maximum number of failed logon attempts within the configured lockout threshold period.
Windows Event ID 4936 – Microsoft-Windows-Security-Auditing: User Account Management Policy Change
Event ID 4936 logs changes to user account management policies in Active Directory. This security audit event fires when administrators modify password policies, account lockout settings, or Kerberos authentication policies.
Windows Event ID 4935 – Microsoft-Windows-Security-Auditing: Maximum Daily Password Reset Attempts Exceeded
Event ID 4935 fires when a user account exceeds the maximum allowed password reset attempts within a 24-hour period, triggering security lockout mechanisms to prevent brute force attacks.