Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 5143 – Microsoft-Windows-Security-Auditing: Network Share Object Was Accessed
Event ID 5143 logs when a user or process accesses a network share object. This security audit event tracks file share access attempts for compliance and security monitoring purposes.
Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On
Event ID 4625 records failed logon attempts in Windows Security logs. This critical security event helps administrators track unauthorized access attempts, brute force attacks, and authentication issues across domain and local accounts.
Windows Event ID 4868 – Security: Certificate Services Denied Request
Event ID 4868 fires when Active Directory Certificate Services denies a certificate request due to policy violations, insufficient permissions, or template restrictions.
Windows Event ID 4867 – Security-Auditing: Certificate Services Template Security Descriptor Modified
Event ID 4867 fires when security permissions on a certificate template are modified in Active Directory Certificate Services, indicating changes to who can request or manage certificates.
Windows Event ID 4866 – Security: Object Operation Attempted
Event ID 4866 indicates an attempt to perform an operation on a security object, typically related to file system or registry access control modifications in Windows environments.
Windows Event ID 4865 – Microsoft-Windows-Security-Auditing: A trusted logon process has been assigned to an authentication package
Event ID 4865 records when Windows assigns a trusted logon process to an authentication package, typically during system startup or security subsystem initialization.
Windows Event ID 4816 – Security-Auditing: NTLM Authentication Package Loaded
Event ID 4816 indicates that the NTLM authentication package has been loaded by the Local Security Authority (LSA). This security audit event tracks when NTLM authentication capabilities are initialized on Windows systems.
Windows Event ID 4801 – Microsoft-Windows-WinRM: WinRM Service Started Successfully
Event ID 4801 indicates the Windows Remote Management (WinRM) service has started successfully. This informational event confirms WinRM is operational and ready to accept remote connections.
Windows Event ID 4794 – Security: An Attempt Was Made to Set the Directory Services Restore Mode Administrator Password
Event ID 4794 fires when someone attempts to set or change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. This security event tracks critical DSRM password modifications.
Windows Event ID 4793 – Microsoft-Windows-Security-Auditing: An attempt was made to call a privileged service
Event ID 4793 logs when a process attempts to call a privileged service operation. This security audit event tracks service privilege usage for compliance monitoring and security analysis.
Windows Event ID 4782 – Security: User Account Password Changed
Event ID 4782 logs when a user account password is changed by an administrator or through administrative tools. This security audit event tracks password modifications for compliance and security monitoring purposes.
Windows Event ID 4781 – Security: Account Name Changed
Event ID 4781 records when a user account name is changed in Active Directory or the local SAM database. This event is critical for security auditing and compliance tracking.
Windows Event ID 4780 – Microsoft-Windows-Security-Auditing: Computer Account Password Changed
Event ID 4780 logs when a computer account password is changed in Active Directory. This security audit event tracks machine account password updates for domain-joined computers.
Windows Event ID 4778 – Microsoft-Windows-Security-Auditing: Session Reconnected to a Window Station
Event ID 4778 logs when a user session reconnects to a Windows workstation or server, typically after Remote Desktop disconnection or console switching. This event is critical for tracking user activity and session management.
Windows Event ID 4769 – Microsoft-Windows-Security-Auditing: Kerberos Service Ticket Requested
Event ID 4769 logs when a Kerberos service ticket is requested from a domain controller. This security audit event tracks authentication attempts to network services and resources.
Windows Event ID 4768 – Microsoft-Windows-Security-Auditing: Kerberos Authentication Ticket (TGT) Requested
Event ID 4768 logs when a user or service requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller during authentication.
Windows Event ID 4766 – Microsoft-Windows-Security-Auditing: Computer Account Authentication Failed
Event ID 4766 indicates a computer account failed to authenticate with the domain controller. This security audit event fires when machine authentication fails during domain logon processes.
Windows Event ID 4765 – Microsoft-Windows-Security-Auditing: User Account Management Failure
Event ID 4765 indicates a failed attempt to manage user account properties or group memberships in Active Directory, typically due to insufficient permissions or policy violations.
Windows Event ID 4717 – Microsoft-Windows-Security-Auditing: System Security Access Was Granted
Event ID 4717 logs when a user or process is granted system security access privileges, typically involving sensitive security operations like backup, restore, or system-level access rights.
Windows Event ID 4887 – Microsoft-Windows-Security-Auditing: A handle to an object was requested
Event ID 4887 logs when a process requests a handle to a system object for access. This security audit event tracks object access attempts and helps monitor file, registry, and kernel object interactions across Windows systems.
Windows Event ID 4886 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Descriptor Modified
Event ID 4886 fires when security permissions on a Certificate Authority template are modified. This event is critical for PKI security monitoring and compliance auditing in Active Directory environments.