Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 4688 – Microsoft-Windows-Security-Auditing: Process Creation Audit Event
Event ID 4688 logs every new process creation on Windows systems when process auditing is enabled. It is critical for security monitoring, forensics, and detecting unauthorized program execution.
Windows Event ID 4675 – Microsoft-Windows-Security-Auditing: User Account Logon Rights Assignment
Event ID 4675 records when user account logon rights are assigned or removed, typically during group policy application or manual security policy changes.
Windows Event ID 4674 – Security: Privileged Object Operation Attempted
Event ID 4674 logs when a user or process attempts to perform a privileged operation on a protected object, providing detailed audit information for security monitoring and compliance tracking.
Windows Event ID 4673 – Security: Sensitive Privilege Use
Event ID 4673 logs when a user or process attempts to use a sensitive privilege on Windows systems. This security audit event helps track privileged operations and potential security risks.
Windows Event ID 4649 – Microsoft-Windows-Security-Auditing: A replay attack was detected
Event ID 4649 indicates Windows detected a potential Kerberos replay attack where authentication credentials were reused maliciously. This security audit event requires immediate investigation to prevent unauthorized access.
Windows Event ID 4621 – LSA: Administrator Recovery Agent Policy Changed
Event ID 4621 fires when the Administrator Recovery Agent policy for Encrypting File System (EFS) is modified, indicating changes to data recovery capabilities on the system.
Windows Event ID 4618 – Security: A Monitored Security Event Pattern Has Occurred
Event ID 4618 indicates that Windows Security has detected a monitored security event pattern, typically related to audit policy changes or security monitoring configuration updates.
Windows Event ID 4616 – Security: System Time Changed
Event ID 4616 logs when the system time is changed on a Windows machine. This security audit event tracks time modifications for compliance and forensic purposes.
Windows Event ID 4611 – LSA: A trusted logon process has been assigned to an authentication package
Event ID 4611 fires when the Local Security Authority (LSA) assigns a trusted logon process to an authentication package, indicating normal authentication subsystem initialization or configuration changes.
Windows Event ID 4610 – LSA: Authentication Package Loaded
Event ID 4610 records when the Local Security Authority (LSA) loads an authentication package during system startup, indicating security subsystem initialization.
Windows Event ID 4609 – Security: Windows is Starting Up
Event ID 4609 records when Windows begins its startup process. This security audit event fires during system boot and provides critical timing information for security monitoring and forensic analysis.
Windows Event ID 1503 – Group Policy: Group Policy Processing Failed
Event ID 1503 indicates Group Policy processing has failed during startup or refresh cycles. This error prevents policy settings from applying correctly to the computer or user.
Windows Event ID 1502 – WinLogon: User Profile Service Failed to Load User Profile
Event ID 1502 indicates the User Profile Service failed to load a user profile during logon, typically due to corrupted profile data, insufficient permissions, or registry corruption.
Windows Event ID 1501 – MsiInstaller: Windows Installer Reconfiguration Started
Event ID 1501 indicates Windows Installer has begun reconfiguring an installed application or feature, typically triggered by repair operations, feature modifications, or automatic maintenance tasks.
Windows Event ID 1125 – User32: User Logon Session Notification
Event ID 1125 from User32 indicates a user logon session notification event, typically fired during interactive logon processes or session state changes in Windows environments.
Windows Event ID 1085 – EventLog: Event Log Service Automatic Backup
Event ID 1085 indicates the Windows Event Log service has automatically backed up a log file when it reached maximum size or retention limits.
Windows Event ID 1074 – User32: System Restart or Shutdown Initiated
Event ID 1074 records when a system restart or shutdown is initiated by a user or application. This informational event tracks who initiated the action and the reason code.
Windows Event ID 51 – Disk: Page Fault in Nonpaged Area
Event ID 51 indicates a critical disk error where Windows encountered a page fault in the nonpaged memory area, typically caused by hardware failures, driver issues, or memory corruption.
Windows Event ID 44 – Kernel-Power: Critical System Power Event
Event ID 44 from Kernel-Power indicates a critical system power event, typically recording unexpected shutdowns, power failures, or system crashes that prevent proper shutdown procedures.
Windows Event ID 43 – Kernel-PnP: Device Installation Failure
Event ID 43 from Kernel-PnP indicates a critical device installation or driver failure. This error occurs when Windows cannot properly initialize a hardware device, typically due to driver issues, hardware conflicts, or corrupted device configurations.
Windows Event ID 22 – Application Error: Application Hang Detection
Event ID 22 indicates Windows has detected an application hang or unresponsive program. This event fires when applications stop responding to user input or system messages for extended periods.