Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 21 – System: Device Driver Installation Error
Event ID 21 indicates a device driver installation failure or compatibility issue. This system-level error occurs when Windows cannot properly load or initialize a hardware driver during boot or device enumeration.
Windows Event ID 16 – Application Popup: System Process Terminated Unexpectedly
Event ID 16 indicates a critical system process has terminated unexpectedly, triggering Windows Error Reporting and potentially causing system instability or blue screen crashes.
Windows Event ID 11 – Disk: Hardware Error Detected on Storage Device
Event ID 11 indicates a hardware error detected on a storage device. This critical event fires when Windows encounters disk read/write failures, bad sectors, or controller issues that could lead to data corruption or system instability.
Windows Event ID 6 – Kernel-General: System Shutdown Initiated
Event ID 6 from Kernel-General indicates a system shutdown has been initiated. This informational event logs when Windows begins the shutdown process, providing essential audit trail information for system administrators.
Windows Event ID 5141 – Microsoft-Windows-Security-Auditing: Object Access Auditing Failure
Event ID 5141 indicates a failure in object access auditing when Windows cannot log security events for file, folder, or registry access attempts due to audit policy issues or system resource constraints.
Windows Event ID 5140 – Microsoft-Windows-Security-Auditing: Network Share Object Accessed
Event ID 5140 logs when a user or process accesses a network share object. This security audit event tracks file share access attempts for compliance and security monitoring purposes.
Windows Event ID 5139 – Microsoft-Windows-Security-Auditing: Registry Value Deleted
Event ID 5139 logs when a registry value is deleted on Windows systems with object access auditing enabled. This event is critical for security monitoring and compliance tracking.
Windows Event ID 5138 – Microsoft-Windows-Security-Auditing: Registry Value Deleted
Event ID 5138 records when a registry value is deleted on Windows systems with audit policies enabled. This security audit event helps track registry modifications for compliance and security monitoring.
Windows Event ID 5137 – Microsoft-Windows-Security-Auditing: Directory Service Object Created
Event ID 5137 logs when a new object is created in Active Directory, providing detailed audit information about the creation event, including the object DN, class, and security principal responsible.
Windows Event ID 5136 – Microsoft-Windows-Security-Auditing: Directory Service Object Modified
Event ID 5136 logs when Active Directory objects are modified, tracking changes to user accounts, groups, organizational units, and other directory objects for security auditing purposes.
Windows Event ID 5142 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted User Access
Event ID 5142 logs when Network Policy Server (NPS) grants network access to a user after successful authentication and authorization through RADIUS policies.
Windows Event ID 4964 – Microsoft-Windows-Security-Auditing: Object Access Audit Policy Changed
Event ID 4964 logs when object access audit policy settings are modified on Windows systems, indicating changes to file, folder, or registry auditing configuration.
Windows Event ID 4907 – Microsoft-Windows-Security-Auditing: A handle to an object was requested
Event ID 4907 logs when a process requests a handle to a system object. This security audit event tracks object access attempts for compliance and security monitoring purposes.
Windows Event ID 4779 – Microsoft-Windows-Security-Auditing: User Session Disconnected
Event ID 4779 logs when a user session is disconnected from a Terminal Services or Remote Desktop session, providing an audit trail for remote access monitoring.
Windows Event ID 4767 – Microsoft-Windows-Security-Auditing: User Account Unlocked
Event ID 4767 fires when a user account is unlocked by an administrator or automatically by the system after the lockout duration expires.
Windows Event ID 4764 – Microsoft-Windows-Security-Auditing: Group Member Added
Event ID 4764 logs when a user account is added to a security-enabled group in Active Directory or on the local system, providing an audit trail for group membership changes.
Windows Event ID 4763 – Microsoft-Windows-Security-Auditing: User Account Deleted
Event ID 4763 fires when a user account is deleted from Active Directory or the local computer. This security audit event tracks account deletion activities for compliance and security monitoring purposes.
Windows Event ID 4762 – Security: User Account Enabled
Event ID 4762 logs when a user account is enabled in Active Directory or the local security database. This security audit event tracks account state changes for compliance and monitoring purposes.
Windows Event ID 4761 – Microsoft-Windows-Security-Auditing: Computer Account Created
Event ID 4761 logs when a computer account is created in Active Directory. This security audit event tracks domain computer additions for compliance and security monitoring purposes.
Windows Event ID 4760 – Microsoft-Windows-Security-Auditing: User Account Deleted
Event ID 4760 fires when a user account is deleted from Active Directory or the local system. This security audit event tracks account deletion operations for compliance and security monitoring purposes.
Windows Event ID 4759 – Microsoft-Windows-Security-Auditing: User Account Deleted
Event ID 4759 fires when a user account is deleted from the local Security Accounts Manager (SAM) database, providing an audit trail for account management activities.