Windows 2012 Security Events

Category

Subcategory

Event ID

Message Summary

Minimum Operating System Requirement

System

Security State Change

4608

Windows is starting up.

Windows Vista, Windows Server 2008

4609

Windows is shutting down.

Security System Extension

4610

An authentication package has been loaded by the Local Security Authority.

4611

A trusted logon process has been registered with the Local Security Authority.

System Integrity

4612

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

Security System Extension

4614

A notification package has been loaded by the Security Account Manager.

System Integrity

4615

Invalid use of LPC port.

Security State Change

4616

The system time was changed.

System Integrity

4618

A monitored security event pattern has occurred.

Security State Change

4621

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Security System Extension

4622

A security package has been loaded by the Local Security Authority.

Logon/Logoff

Logon

4624

An account was successfully logged on.

4625

An account failed to log on.

4626

User/Device claims information.

Windows 8, Windows Server 2012

Group Membership

4627

Group membership information.

Windows 10

Logoff

4634

An account was logged off.

Windows Vista, Windows Server 2008

IPsec Main Mode

4646

%1

Logoff

4647

User initiated logoff.

Logon

4648

A logon was attempted using explicit credentials.

Other Logon/Logoff Events

4649

A replay attack was detected.

IPsec Main Mode

4650

An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.

4651

An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.

4652

An IPsec Main Mode negotiation failed.

4653

An IPsec Main Mode negotiation failed.

IPsec Quick Mode

4654

An IPsec Quick Mode negotiation failed.

IPsec Main Mode

4655

An IPsec Main Mode security association ended.

Object Access

Handle Manipulation

4656

A handle to an object was requested.

Registry

4657

A registry value was modified.

Handle Manipulation

4658

The handle to an object was closed.

SAM

4659

A handle to an object was requested with intent to delete.

Kernel

4659

A handle to an object was requested with intent to delete.

SAM

4660

An object was deleted.

Kernel

4660

An object was deleted.

SAM

4661

A handle to an object was requested.

Kernel

4661

A handle to an object was requested.

DS Access

Directory Service Access

4662

An operation was performed on an object.

Object Access

SAM

4663

An attempt was made to access an object.

Kernel

4663

An attempt was made to access an object.

File System

4664

An attempt was made to create a hard link.

Application Generated

4665

An attempt was made to create an application client context.

4666

An application attempted an operation:

4667

An application client context was deleted.

4668

An application was initialized.

Policy Change

Subcategory (special)

4670

Permissions on an object were changed.

Object Access

Other Object Access Events

4671

An application attempted to access a blocked ordinal through the TBS.

Privilege Use

Sensitive Privilege Use / Non Sensitive Privilege Use

4672

Special privileges assigned to new logon.

4673

A privileged service was called.

4674

An operation was attempted on a privileged object.

Logon/Logoff

Logon

4675

SIDs were filtered.

Detailed Tracking

Process Creation

4688

A new process has been created.

Process Termination

4689

A process has exited.

Object Access

Handle Manipulation

4690

An attempt was made to duplicate a handle to an object.

Other Object Access Events

4691

Indirect access to an object was requested.

Detailed Tracking

DPAPI Activity

4692

Backup of data protection master key was attempted.

4693

Recovery of data protection master key was attempted.

4694

Protection of auditable protected data was attempted.

4695

Unprotection of auditable protected data was attempted.

Process Creation

4696

A primary token was assigned to process.

System

Security System Extension

4697

A service was installed in the system.

Object Access

Other Object Access Events

4698

A scheduled task was created.

4699

A scheduled task was deleted.

4700

A scheduled task was enabled.

4701

A scheduled task was disabled.

4702

A scheduled task was updated.

Policy Change

Authorization Policy Change

4703

A user right was adjusted.

Windows 10

4704

A user right was assigned.

Windows Vista, Windows Server 2008

4705

A user right was removed.

4706

A new trust was created to a domain.

4707

A trust to a domain was removed.

Filtering Platform Policy Change

4709

IPsec Services was started.

4710

IPsec Services was disabled.

4711

May contain any one of the following:

PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

PAStore Engine applied Active Directory storage IPsec policy on the computer.

PAStore Engine applied local registry storage IPsec policy on the computer.

PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

PAStore Engine failed to apply local registry storage IPsec policy on the computer.

PAStore Engine failed to apply some rules of the active IPsec policy on the computer.

PAStore Engine failed to load directory storage IPsec policy on the computer.

PAStore Engine loaded directory storage IPsec policy on the computer.

PAStore Engine failed to load local storage IPsec policy on the computer.

PAStore Engine loaded local storage IPsec policy on the computer.

PAStore Engine polled for changes to the active IPsec policy and detected no changes.

Filtering Platform Policy Change

4712

IPsec Services encountered a potentially serious failure.

Authentication Policy Change

4713

Kerberos policy was changed.

Authorization Policy Change

4714

Encrypted data recovery policy was changed.

Audit Policy Change

4715

The audit policy (SACL) on an object was changed.

Authentication Policy Change

4716

Trusted domain information was modified.

4717

System security access was granted to an account.

4718

System security access was removed from an account.

Audit Policy Change

4719

System audit policy was changed.

Account Management

User Account Management

4720

A user account was created.

4722

A user account was enabled.

4723

An attempt was made to change an account's password.

4724

An attempt was made to reset an account's password.

4725

A user account was disabled.

4726

A user account was deleted.

Security Group Management

4727

A security-enabled global group was created.

4728

A member was added to a security-enabled global group.

4729

A member was removed from a security-enabled global group.

4730

A security-enabled global group was deleted.

4731

A security-enabled local group was created.

4732

A member was added to a security-enabled local group.

4733

A member was removed from a security-enabled local group.

4734

A security-enabled local group was deleted.

4735

A security-enabled local group was changed.

4737

A security-enabled global group was changed.

User Account Management

4738

A user account was changed.

Policy Change

Authentication Policy Change

4739

Domain Policy was changed.

Account Management

User Account Management

4740

A user account was locked out.

Computer Account Management

4742

A computer account was changed.

4743

A computer account was deleted.

Distribution Group Management

4744

A security-disabled local group was created.

4745

A security-disabled local group was changed.

4746

A member was added to a security-disabled local group.

4747

A member was removed from a security-disabled local group.

4748

A security-disabled local group was deleted.

4749

A security-disabled global group was created.

4750

A security-disabled global group was changed.

4751

A member was added to a security-disabled global group.

4752

A member was removed from a security-disabled global group.

4753

A security-disabled global group was deleted.

Security Group Management

4754

A security-enabled universal group was created.

4755

A security-enabled universal group was changed.

4756

A member was added to a security-enabled universal group.

4757

A member was removed from a security-enabled universal group.

4758

A security-enabled universal group was deleted.

Distribution Group Management

4759

A security-disabled universal group was created.

4760

A security-disabled universal group was changed.

4761

A member was added to a security-disabled universal group.

4762

A member was removed from a security-disabled universal group.

Security Group Management

4764

A group’s type was changed.

User Account Management

4765

SID History was added to an account.

4766

An attempt to add SID History to an account failed.

4767

A user account was unlocked.

Account Logon

Kerberos Authentication Service

4768

A Kerberos authentication ticket (TGT) was requested.

Kerberos Service Ticket Operations

4769

A Kerberos service ticket was requested.

4770

A Kerberos service ticket was renewed.

Kerberos Authentication Service

4771

Kerberos pre-authentication failed.

4772

A Kerberos authentication ticket request failed.

4773

A Kerberos service ticket request failed.

Credential Validation

4774

An account was mapped for logon.

4775

An account could not be mapped for logon.

4776

The domain controller attempted to validate the credentials for an account.

4777

The domain controller failed to validate the credentials for an account.

Logon/Logoff

Other Logon/Logoff Events

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

Account Management

User Account Management

4780

The ACL was set on accounts which are members of administrators groups.

4781

The name of an account was changed:

Other Account Management Events

4782

The password hash an account was accessed.

Application Group Management

4783

A basic application group was created.

4784

A basic application group was changed.

4785

A member was added to a basic application group.

4786

A member was removed from a basic application group.

4787

A non-member was added to a basic application group.

4788

A non-member was removed from a basic application group.

4789

A basic application group was deleted.

4790

An LDAP query group was created.

4791

A basic application group was changed.

4792

An LDAP query group was deleted.

Other Account Management Events

4793

The Password Policy Checking API was called.

User Account Management

4794

An attempt was made to set the Directory Services Restore Mode.

4797

An attempt was made to query the existence of a blank password for an account.

Windows 8, Windows Server 2012

4798

A user's local group membership was enumerated.

Windows 10

Security Group Management

4799

A security-enabled local group membership was enumerated.

Logon/Logoff

Other Logon/Logoff Events

4800

The workstation was locked.

Windows Vista, Windows Server 2008

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

System

System Integrity

4816

RPC detected an integrity violation while decrypting an incoming message.

Policy Change

Audit Policy Change

4817

Auditing settings on an object were changed.

Windows 7, Windows Server 2008 R2

Object Access

Central Access Policy Staging

4818

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

Windows 8, Windows Server 2012

Policy Change

Other Policy Change Events

4819

Central Access Policies on the machine have been changed.

Account Logon

Kerberos Authentication Service

4820

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Kerberos Service Ticket Operations

4821

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Windows 8.1, Windows Server 2012 R2

Credential Validation

4822

NTLM authentication failed because the account was a member of the Protected User group.

4823

NTLM authentication failed because access control restrictions are required.

Kerberos Authentication Service

4824

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Logon/Logoff

Other Logon/Logoff Events

4825

A user was denied the access to Remote Desktop.

Windows Vista SP2, Windows Server 2008 SP2

Policy Change

Other Policy Change Events

4826

Boot Configuration Data loaded.

Windows 10

Authentication Policy Change

4864

A namespace collision was detected.

Windows Vista, Windows Server 2008

4865

A trusted forest information entry was added.

4866

A trusted forest information entry was removed.

4867

A trusted forest information entry was modified.

Object Access

Certification Services

4868

The certificate manager denied a pending certificate request.

4869

Certificate Services received a resubmitted certificate request.

4870

Certificate Services revoked a certificate.

4871

Certificate Services received a request to publish the certificate revocation list (CRL).

4872

Certificate Services published the certificate revocation list (CRL).

4873

A certificate request extension changed.

4874

One or more certificate request attributes changed.

4875

Certificate Services received a request to shut down.

4876

Certificate Services backup started.

4877

Certificate Services backup completed.

4878

Certificate Services restore started.

4879

Certificate Services restore completed.

4880

Certificate Services started.

4881

Certificate Services stopped.

4882

The security permissions for Certificate Services changed.

4883

Certificate Services retrieved an archived key.

4884

Certificate Services imported a certificate into its database.

4885

The audit filter for Certificate Services changed.

4886

Certificate Services received a certificate request.

4887

Certificate Services approved a certificate request and issued a certificate.

4888

Certificate Services denied a certificate request.

4889

Certificate Services set the status of a certificate request to pending.

4890

The certificate manager settings for Certificate Services changed.

4891

A configuration entry changed in Certificate Services.

4892

A property of Certificate Services changed.

4893

Certificate Services archived a key.

4894

Certificate Services imported and archived a key.

4895

Certificate Services published the CA certificate to Active Directory Domain Services.

4896

One or more rows have been deleted from the certificate database.

4897

Role separation enabled:

4898

Certificate Services loaded a template.

4899

A Certificate Services template was updated.

4900

Certificate Services template security was updated.

Policy Change

Audit Policy Change

4902

The Per-user audit policy table was created.

4904

An attempt was made to register a security event source.

4905

An attempt was made to unregister a security event source.

4906

The CrashOnAuditFail value has changed.

4907

Auditing settings on object were changed.

4908

Special Groups Logon table modified.

Other Policy Change Events

4909

The local policy settings for the TBS were changed.

4910

The group policy settings for the TBS were changed.

Authorization Policy Change

4911

Resource attributes of the object were changed.

Windows 8, Windows Server 2012

Audit Policy Change

4912

Per User Audit Policy was changed.

Windows Vista, Windows Server 2008

Authorization Policy Change

4913

Central Access Policy on the object was changed.

Windows 8, Windows Server 2012

DS Access

Detailed Directory Service Replication

4928

An Active Directory replica source naming context was established.

Windows Vista, Windows Server 2008

4929

An Active Directory replica source naming context was removed.

4930

An Active Directory replica source naming context was modified.

4931

An Active Directory replica destination naming context was modified.

Directory Service Replication

4932

Synchronization of a replica of an Active Directory naming context has begun.

4933

Synchronization of a replica of an Active Directory naming context has ended.

Detailed Directory Service Replication

4934

Attributes of an Active Directory object were replicated.

4935

Replication failure begins.

4936

Replication failure ends.

4937

A lingering object was removed from a replica.

Policy Change

MPSSVC Rule-Level Policy Change

4944

The following policy was active when the Windows Firewall started.

4945

A rule was listed when the Windows Firewall started.

4946

A change has been made to Windows Firewall exception list. A rule was added.

4947

A change has been made to Windows Firewall exception list. A rule was modified.

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

4949

Windows Firewall settings were restored to the default values.

4950

A Windows Firewall setting has changed.

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall.

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

4953

A rule has been ignored by Windows Firewall because it could not parse the rule.

4954

Windows Firewall Group Policy settings have changed. The new settings have been applied.

4956

Windows Firewall has changed the active profile.

4957

Windows Firewall did not apply the following rule:

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

System

IPsec Driver

4960

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

4961

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.

4962

IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.

4963

IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

Logon/Logoff

Special Logon

4964

Special groups have been assigned to a new logon.

System

IPsec Driver

4965

IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.

Logon/Logoff

IPsec Main Mode

4976

During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

IPsec Quick Mode

4977

During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

IPsec Extended Mode

4978

During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.

4979

IPsec Main Mode and Extended Mode security associations were established.

4980

IPsec Main Mode and Extended Mode security associations were established.

4981

IPsec Main Mode and Extended Mode security associations were established.

4982

IPsec Main Mode and Extended Mode security associations were established.

4983

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

4984

An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.

Object Access

File System

4985

The state of a transaction has changed.

System

Other System Events

5024

The Windows Firewall Service has started successfully.

5025

The Windows Firewall Service has been stopped.

5027

The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.

5028

The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.

5029

The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.

5030

The Windows Firewall Service failed to start.

Object Access

Filtering Platform Connection

5031

The Windows Firewall Service blocked an application from accepting incoming connections on the network.

System

Other System Events

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5033

The Windows Firewall Driver has started successfully.

5034

The Windows Firewall Driver has been stopped.

5035

The Windows Firewall Driver failed to start.

5037

The Windows Firewall Driver detected critical runtime error. Terminating.

System Integrity

5038

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

Object Access

Registry

5039

A registry key was virtualized.

Policy Change

Filtering Platform Policy Change

5040

A change has been made to IPsec settings. An Authentication Set was added.

5041

A change has been made to IPsec settings. An Authentication Set was modified.

5042

A change has been made to IPsec settings. An Authentication Set was deleted.

5043

A change has been made to IPsec settings. A Connection Security Rule was added.

5044

A change has been made to IPsec settings. A Connection Security Rule was modified.

5045

A change has been made to IPsec settings. A Connection Security Rule was deleted.

5046

A change has been made to IPsec settings. A Crypto Set was added.

5047

A change has been made to IPsec settings. A Crypto Set was modified.

5048

A change has been made to IPsec settings. A Crypto Set was deleted.

Logon/Logoff

IPsec Main Mode

5049

An IPsec Security Association was deleted.

System

Other System Events

5050

An attempt to programmatically disable the Windows Firewall was rejected because this API is not supported on Windows Vista.

Object Access

File System

5051

A file was virtualized.

System

System Integrity

5056

A cryptographic self test was performed.

5057

A cryptographic primitive operation failed.

Other System Events

5058

Key file operation.

5059

Key migration operation.

System Integrity

5060

Verification operation failed.

5061

Cryptographic operation.

5062

A kernel-mode cryptographic self test was performed.

Policy Change

Other Policy Change Events

5063

A cryptographic provider operation was attempted.

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

System

Other System Events

5071

Key access denied by Microsoft key distribution service.

Windows 8, Windows Server 2012

Object Access

Certification Services

5120

OCSP Responder Service Started.

Windows Vista, Windows Server 2008

5121

OCSP Responder Service Stopped.

5122

A Configuration entry changed in the OCSP Responder Service.

5123

A configuration entry changed in the OCSP Responder Service.

5124

A security setting was updated on OCSP Responder Service.

5125

A request was submitted to OCSP Responder Service.

5126

Signing Certificate was automatically updated by the OCSP Responder Service.

5127

The OCSP Revocation Provider successfully updated the revocation information.

DS Access

Directory Service Changes

5136

A directory service object was modified.

5137

A directory service object was created.

5138

A directory service object was undeleted.

5139

A directory service object was moved.

Object Access

File Share

5140

A network share object was accessed.

DS Access

Directory Service Changes

5141

A directory service object was deleted.

Windows Vista SP1, Windows Server 2008

Object Access

File Share

5142

A network share object was added.

Windows 7, Windows Server 2008 R2

5143

A network share object was modified.

5144

A network share object was deleted.

Detailed File Share

5145

A network share object was checked to see whether the client can be granted desired access.

Filtering Platform Packet Drop

5146

The Windows Filtering Platform has blocked a packet.

Windows 8, Windows Server 2012

5147

A more restrictive Windows Filtering Platform filter has blocked a packet.

Other Object Access Events

5148

The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

Windows 7, Windows Server 2008 R2

5149

The DoS attack has subsided and normal processing is being resumed.

Filtering Platform Connection

5150

The Windows Filtering Platform has blocked a packet.

5151

A more restrictive Windows Filtering Platform filter has blocked a packet.

Filtering Platform Packet Drop

5152

The Windows Filtering Platform blocked a packet.

Windows Vista, Windows Server 2008

5153

A more restrictive Windows Filtering Platform filter has blocked a packet.

Filtering Platform Connection

5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

5156

The Windows Filtering Platform has allowed a connection.

5157

The Windows Filtering Platform has blocked a connection.

5158

The Windows Filtering Platform has permitted a bind to a local port.

5159

The Windows Filtering Platform has blocked a bind to a local port.

File Share

5168

Spn check for SMB/SMB2 failed.

Windows 7, Windows Server 2008 R2

DS Access

Directory Service Access

5169

A directory service object was modified.

Windows 10

Account Management

User Account Management

5376

Credential Manager credentials were backed up.

Windows Vista, Windows Server 2008

5377

Credential Manager credentials were restored from a backup.

Logon/Logoff

Other Logon/Logoff Events

5378

The requested credentials delegation was disallowed by policy.

Policy Change

Filtering Platform Policy Change

5440

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

5443

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

5446

A Windows Filtering Platform callout has been changed.

Other Policy Change Events

5447

A Windows Filtering Platform filter has been changed.

Filtering Platform Policy Change

5448

A Windows Filtering Platform provider has been changed.

5449

A Windows Filtering Platform provider context has been changed.

5450

A Windows Filtering Platform sub-layer has been changed.

Logon/Logoff

IPsec Quick Mode

5451

An IPsec Quick Mode security association was established.

5452

An IPsec Quick Mode security association ended.

IPsec Main Mode

5453

An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.

Policy Change

Filtering Platform Policy Change

5456

PAStore Engine applied Active Directory storage IPsec policy on the computer.

5457

PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

5458

PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

5459

PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

5460

PAStore Engine applied local registry storage IPsec policy on the computer.

5461

PAStore Engine failed to apply local registry storage IPsec policy on the computer.

5462

PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

5463

PAStore Engine polled for changes to the active IPsec policy and detected no changes.

5464

PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.

5465

PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.

5466

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

5467

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

5468

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

5471

PAStore Engine loaded local storage IPsec policy on the computer.

5472

PAStore Engine failed to load local storage IPsec policy on the computer.

5473

PAStore Engine loaded directory storage IPsec policy on the computer.

5474

PAStore Engine failed to load directory storage IPsec policy on the computer.

5477

PAStore Engine failed to add quick mode filter.

System

IPsec Driver

5478

IPsec Services has started successfully.

5479

IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5480

IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

5483

IPsec Services failed to initialize RPC server. IPsec Services could not be started.

5484

IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.

5485

IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.

Logon/Logoff

Other Logon/Logoff Events

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.

Detailed Tracking

RPC Events

5712

A Remote Procedure Call (RPC) was attempted.

Object Access

Other Object Access Events

5888

An object in the COM+ Catalog was modified.

5889

An object was deleted from the COM+ Catalog.

5890

An object was added to the COM+ Catalog.

Policy Change

Other Policy Change Events

6144

Security policy in the group policy objects has been applied successfully.

6145

One or more errors occurred while processing security policy in the group policy objects.

Logon/Logoff

Network Policy Server

6272

Network Policy Server granted access to a user.

Windows Vista SP1, Windows Server 2008

6273

Network Policy Server denied access to a user.

6274

Network Policy Server discarded the request for a user.

6275

Network Policy Server discarded the accounting request for a user.

6276

Network Policy Server quarantined a user.

6277

Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

6278

Network Policy Server granted full access to a user because the host met the defined health policy.

6279

Network Policy Server locked the user account due to repeated failed authentication attempts.

6280

Network Policy Server unlocked the user account.

System

System Integrity

6281

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

Windows 7, Windows Server 2008 R2

Other System Events

6400

BranchCache: Received an incorrectly formatted response while discovering availability of content.

6401

BranchCache: Received invalid data from a peer. Data discarded.

6402

BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

6403

BranchCache: The hosted cache sent an incorrectly formatted response to the client.

6404

BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

6405

BranchCache: %2 instance(s) of event id %1 occurred.

6406

%1 registered to Windows Firewall to control filtering for the following: %2

6407

1%

6408

Registered product %1 failed and Windows Firewall is now controlling the filtering for %2

6409

BranchCache: A service connection point object could not be parsed.

Windows 8.1, Windows Server 2012 R2

System Integrity

6410

Code integrity determined that a file does not meet the security requirements to load into a process.

Plug and Play Events

6416

A new external device was recognized by the System.

Windows 10

System Integrity

6417

The FIPS mode crypto selftests succeeded.

Windows 10 [Version 1511]

6418

The FIPS mode crypto selftests failed.

Plug and Play Events

6419

A request was made to disable a device.

6420

A device was disabled.

6421

A request was made to enable a device.

6422

A device was enabled.

6423

The installation of this device is forbidden by system policy.

6424

The installation of this device was allowed, after having previously been forbidden by policy.