Windows Event ID reference
A curated index of the Windows Event IDs that matter on a forensic case — grouped by channel, with the EventData fields worth reading first. Click any covered ID for a deeper guide; uncovered ones link to Microsoft Learn.
Security
| Event ID | Name | Notes |
|---|---|---|
| 1102 | The audit log was cleared | Anti-forensic action. Pair with System 104. Pivot SubjectLogonId to the matching 4624. |
| 4624 | An account was successfully logged on | Read LogonType first: 2 console, 3 network, 9 runas /netonly, 10 RDP. |
| 4625 | An account failed to log on | Status + SubStatus identify the failure mode (wrong password, account locked, account disabled, AS-REP roasting clock skew). |
| 4634 | An account was logged off | Pairs with 4624 via LogonId; not always emitted for type-3. |
| 4648 | A logon was attempted using explicit credentials | runas /user, scheduled task, NetOnly logons. Captures credential-passing patterns. |
| 4672 | Special privileges assigned to new logon | Fires when a logon gets SeDebugPrivilege, SeTcbPrivilege, etc. Useful filter for admin sessions. |
| 4688 | A new process has been created | Base-OS process creation. Command-line audit must be enabled to see arguments. |
| 4720 | A user account was created | Pair with 4724 (password reset) and 4732 (group membership). |
| 4726 | A user account was deleted | Cleanup signal — often paired with 4720 minutes earlier. |
| 4740 | A user account was locked out | WorkstationName field reveals which host triggered the lockout — often a stale stored credential, not an attacker. |
| 4768 | A Kerberos authentication ticket (TGT) was requested | Domain-controller-side record of every TGT issue. Status 0x6 = bad username; 0x18 = bad password. |
| 4769 | A Kerberos service ticket was requested | Kerberoasting fingerprint when TicketEncryptionType is 0x17 (RC4) against a service account. |
| 4776 | Credential validation attempt (NTLM) | Domain controller's NTLM authentication record. Status 0xC0000064 = unknown user, 0xC000006A = wrong password. |
| 4663 | An attempt was made to access an object | SACL-driven object access audit. SAM hive reads, .dmp file writes, ransomware sweeps — needs SACL configured per object. |
System
| Event ID | Name | Notes |
|---|---|---|
| 104 | Log was cleared (System) | Service Control Manager's counterpart to Security 1102. Often missed by attackers who only clear Security. |
| 7045 | A service was installed in the system | MITRE T1543.003. PsExec signature when ImagePath is %SystemRoot%\PSEXESVC.exe. |
| 7036 | Service entered the running/stopped state | Pair with 7045 to confirm a service actually ran, not just got installed. |
| 6005 | Event Log service was started | Boot signal. Pair with 6006 to spot reboots in a timeline. |
| 6006 | Event Log service was stopped | Clean shutdown. Missing 6006 before 6005 implies a crash. |
Microsoft-Windows-PowerShell/Operational
| Event ID | Name | Notes |
|---|---|---|
| 4104 | Scriptblock logging | Captures the script body after decoding and reflection — the highest-value PowerShell record on the system. |
| 4103 | Module logging | Per-pipeline parameter logging. Useful complement to 4104 — together they reconstruct invocation context. |
| 400 | Engine state changed (started) | PowerShell session started. Pairs with 403 on exit. |
Microsoft-Windows-Sysmon/Operational
| Event ID | Name | Notes |
|---|---|---|
| 1 | Process creation | Command-line, hashes, parent process. The richest single record an analyst can get from Windows. |
| 3 | Network connection | Per-connection record with source/dest IP, port, process. Watch for short-lived 443 to unknown hosts. |
| 7 | Image (DLL) loaded | Suspicious DLL loads from %TEMP%, unsigned modules in lsass.exe. |
| 11 | File created | Persistence drops in autorun paths, ScreenSaver hijack files, Office macro caches. |
| 13 | Registry value set | Run/RunOnce, Image File Execution Options, debugger hijacks. |
| 22 | DNS query | Per-process DNS resolution. Beacon-like cadence + unknown apex is a strong signal. |
Microsoft-Windows-TaskScheduler/Operational
| Event ID | Name | Notes |
|---|---|---|
| 106 | Task registered | MITRE T1053.005. Pair with 200/201 to see whether the task actually ran. |
| 200 | Action started | Per-action launch. The TaskName field is your pivot back to 106 (register). |
| 201 | Action completed | Pairs with 200 — gap implies action is still running or got killed. |
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
| Event ID | Name | Notes |
|---|---|---|
| 21 | Session logon succeeded | RDP session established. Source IP in the record is your attribution anchor. |
| 25 | Session reconnection succeeded | Picks up an existing disconnected RDP session. |
| 23 | Session logoff succeeded | Clean RDP logoff. |