Windows Events — Event ID Reference & Troubleshooting

Complete Windows Event ID reference. Understand every system event, its causes and solutions.

389

Documented Events

389 events

5143InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 5143 – Microsoft-Windows-Security-Auditing: Network Share Object Was Accessed

Event ID 5143 logs when a user or process accesses a network share object. This security audit event tracks file share access attempts for compliance and security monitoring purposes.

Mar 18, 20264412m

4625InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. This critical security event helps administrators track unauthorized access attempts, brute force attacks, and authentication issues across domain and local accounts.

Mar 18, 20264812m

4868WarningSecurity

Windows Event ID 4868 – Security: Certificate Services Denied Request

Event ID 4868 fires when Active Directory Certificate Services denies a certificate request due to policy violations, insufficient permissions, or template restrictions.

Mar 18, 20264612m

4867InformationSecurity-Auditing

Windows Event ID 4867 – Security-Auditing: Certificate Services Template Security Descriptor Modified

Event ID 4867 fires when security permissions on a certificate template are modified in Active Directory Certificate Services, indicating changes to who can request or manage certificates.

Mar 18, 2026509m

4866InformationSecurity

Windows Event ID 4866 – Security: Object Operation Attempted

Event ID 4866 indicates an attempt to perform an operation on a security object, typically related to file system or registry access control modifications in Windows environments.

Mar 18, 20264912m

4865InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4865 – Microsoft-Windows-Security-Auditing: A trusted logon process has been assigned to an authentication package

Event ID 4865 records when Windows assigns a trusted logon process to an authentication package, typically during system startup or security subsystem initialization.

Mar 18, 2026559m

4816InformationSecurity-Auditing

Windows Event ID 4816 – Security-Auditing: NTLM Authentication Package Loaded

Event ID 4816 indicates that the NTLM authentication package has been loaded by the Local Security Authority (LSA). This security audit event tracks when NTLM authentication capabilities are initialized on Windows systems.

Mar 18, 2026529m

4801InformationMicrosoft-Windows-WinRM

Windows Event ID 4801 – Microsoft-Windows-WinRM: WinRM Service Started Successfully

Event ID 4801 indicates the Windows Remote Management (WinRM) service has started successfully. This informational event confirms WinRM is operational and ready to accept remote connections.

Mar 18, 2026478m

4794InformationSecurity

Windows Event ID 4794 – Security: An Attempt Was Made to Set the Directory Services Restore Mode Administrator Password

Event ID 4794 fires when someone attempts to set or change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. This security event tracks critical DSRM password modifications.

Mar 18, 2026569m

4793InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4793 – Microsoft-Windows-Security-Auditing: An attempt was made to call a privileged service

Event ID 4793 logs when a process attempts to call a privileged service operation. This security audit event tracks service privilege usage for compliance monitoring and security analysis.

Mar 18, 20264912m

4782InformationSecurity

Windows Event ID 4782 – Security: User Account Password Changed

Event ID 4782 logs when a user account password is changed by an administrator or through administrative tools. This security audit event tracks password modifications for compliance and security monitoring purposes.

Mar 18, 20265212m

4781InformationSecurity

Windows Event ID 4781 – Security: Account Name Changed

Event ID 4781 records when a user account name is changed in Active Directory or local SAM database. Critical for security auditing and compliance tracking.

Mar 18, 2026499m

4780InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4780 – Microsoft-Windows-Security-Auditing: Computer Account Password Changed

Event ID 4780 logs when a computer account password is changed in Active Directory. This security audit event tracks machine account password updates for domain-joined computers.

Mar 18, 2026539m

4778InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4778 – Microsoft-Windows-Security-Auditing: Session Reconnected to a Window Station

Event ID 4778 logs when a user session reconnects to a Windows workstation or server, typically after Remote Desktop disconnection or console switching. Critical for tracking user activity and session management.

Mar 18, 2026509m

4769InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4769 – Microsoft-Windows-Security-Auditing: Kerberos Service Ticket Requested

Event ID 4769 logs when a Kerberos service ticket is requested from a domain controller. This security audit event tracks authentication attempts to network services and resources.

Mar 18, 20264812m

4768InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4768 – Microsoft-Windows-Security-Auditing: Kerberos Authentication Ticket (TGT) Requested

Event ID 4768 logs when a user or service requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller during authentication.

Mar 18, 202610212m

4766InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4766 – Microsoft-Windows-Security-Auditing: Computer Account Authentication Failed

Event ID 4766 indicates a computer account failed to authenticate with the domain controller. This security audit event fires when machine authentication fails during domain logon processes.

Mar 18, 2026449m

4765WarningMicrosoft-Windows-Security-Auditing

Windows Event ID 4765 – Microsoft-Windows-Security-Auditing: User Account Management Failure

Event ID 4765 indicates a failed attempt to manage user account properties or group memberships in Active Directory, typically due to insufficient permissions or policy violations.

Mar 18, 20264512m

4717InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4717 – Microsoft-Windows-Security-Auditing: System Security Access Was Granted

Event ID 4717 logs when a user or process is granted system security access privileges, typically involving sensitive security operations like backup, restore, or system-level access rights.

Mar 18, 2026489m

4887InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4887 – Microsoft-Windows-Security-Auditing: A handle to an object was requested

Event ID 4887 logs when a process requests a handle to a system object for access. This security audit event tracks object access attempts and helps monitor file, registry, and kernel object interactions across Windows systems.

Mar 18, 20262112m

4886InformationMicrosoft-Windows-Security-Auditing

Windows Event ID 4886 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Descriptor Modified

Event ID 4886 fires when security permissions on a Certificate Authority template are modified. Critical for PKI security monitoring and compliance auditing in Active Directory environments.

Mar 18, 20262312m