Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 4885 – Security: Certificate Services Template Security Permissions Changed
Event ID 4885 fires when security permissions on a Certificate Authority template are modified, indicating changes to who can request or manage specific certificate types.
Windows Event ID 4882 – Security: Certificate Services Received a Certificate Request
Event ID 4882 logs when Active Directory Certificate Services receives a certificate request. This security audit event tracks certificate enrollment activity and helps monitor PKI operations in Windows environments.
Windows Event ID 5144 – Microsoft-Windows-Security-Auditing: Network Share Object Access Attempted
Event ID 5144 logs when a user or process attempts to access a network share object. This security audit event helps track file share access attempts for compliance and security monitoring.
Windows Event ID 4716 – Security: A Trusted Domain Information Was Modified
Event ID 4716 logs when trusted domain information is modified in Active Directory, indicating changes to domain trust relationships that affect authentication and authorization across domains.
Windows Event ID 4715 – Microsoft-Windows-Security-Auditing: System Security Access Control Policy Changed
Event ID 4715 fires when system security access control policies are modified, indicating changes to security settings that control access to system resources and audit configurations.
Windows Event ID 4714 – Microsoft-Windows-Security-Auditing: System Security Access Control List Was Changed
Event ID 4714 fires when the System Access Control List (SACL) is modified on a Windows system, indicating changes to audit policies or security monitoring configurations.
Windows Event ID 4713 – Microsoft-Windows-Security-Auditing: Kerberos Policy Changed
Event ID 4713 fires when Kerberos authentication policy settings are modified on a domain controller, indicating changes to ticket lifetime, renewal settings, or other Kerberos security parameters.
Windows Event ID 4707 – Microsoft-Windows-Security-Auditing: Cryptographic Trust Removed
Event ID 4707 indicates that a cryptographic trust relationship has been removed from the system, typically when certificates are deleted or trust relationships are revoked in Active Directory environments.
Windows Event ID 4706 – Microsoft-Windows-Security-Auditing: Directory Service Object Created
Event ID 4706 logs when a new object is created in Active Directory Domain Services. This security audit event tracks organizational unit, user, group, and computer account creation for compliance monitoring.
Windows Event ID 4705 – Microsoft-Windows-Security-Auditing: User Account Locked Out
Event ID 4705 indicates a user account has been locked out due to security policy violations, typically from repeated failed authentication attempts or password policy breaches.
Windows Event ID 4704 – Microsoft-Windows-Security-Auditing: User Right Assigned
Event ID 4704 logs when a user right is assigned to a security principal through Group Policy or local security policy changes. Critical for security auditing and compliance monitoring.
Windows Event ID 4702 – Security: Scheduled Task Created
Event ID 4702 logs when a new scheduled task is created on Windows systems. This security audit event helps administrators track task creation for compliance and security monitoring purposes.
Windows Event ID 4701 – Security: A Scheduled Task Was Disabled
Event ID 4701 logs when a scheduled task is disabled on Windows systems. This security audit event tracks task management changes for compliance and security monitoring purposes.
Windows Event ID 4700 – Security: A User Account Was Created
Event ID 4700 records when a new user account is created on a Windows system. This security audit event provides detailed information about who created the account, when it was created, and the account properties configured during creation.
Windows Event ID 4699 – Security: A Token Right Was Adjusted
Event ID 4699 logs when Windows adjusts user or process token privileges, typically during privilege escalation or security context changes. Critical for security auditing and privilege monitoring.
Windows Event ID 4698 – Microsoft-Windows-Security-Auditing: Scheduled Task Created
Event ID 4698 logs when a new scheduled task is created on Windows systems. This security audit event helps administrators track task creation for compliance and security monitoring purposes.
Windows Event ID 4697 – Security-Auditing: A Service Was Installed on the System
Event ID 4697 fires when a new Windows service is installed on the system. This security audit event helps track service installations for compliance and security monitoring purposes.
Windows Event ID 4696 – Microsoft-Windows-Security-Auditing: Primary Token Assigned to Process
Event ID 4696 records when Windows assigns a primary token to a new process during creation, providing detailed security context for process auditing and forensic analysis.
Windows Event ID 4693 – Microsoft-Windows-Security-Auditing: Attempt to Access Protected System Object
Event ID 4693 logs when a process attempts to access a protected system object, typically indicating security policy enforcement or potential unauthorized access attempts in Windows environments.
Windows Event ID 4692 – Microsoft-Windows-Security-Auditing: An attempt was made to backup the security audit policy
Event ID 4692 fires when Windows attempts to back up the security audit policy configuration. This security audit event tracks policy backup operations for compliance and forensic purposes.
Windows Event ID 4689 – Security: Process Termination Auditing
Event ID 4689 records when a process terminates on Windows systems with process auditing enabled. This security event provides detailed information about process lifecycle management and is essential for forensic analysis and security monitoring.