MSP & Windows

Windows Event Lookup

Look up Windows Event IDs with source, severity and common causes.

22 results

4624 Audit Security · Microsoft-Windows-Security-Auditing

An account was successfully logged on.

Successful logon. Logon Type tells you how (2=interactive, 3=network, 10=RDP).

4625 Audit Security · Microsoft-Windows-Security-Auditing

An account failed to log on.

Failed logon — bad password, locked/disabled account, or brute force. Check Logon Type and source IP.

4634 Audit Security · Microsoft-Windows-Security-Auditing

An account was logged off.

Normal logoff event.

4648 Audit Security · Microsoft-Windows-Security-Auditing

A logon was attempted using explicit credentials.

RunAs / scheduled task / lateral movement indicator.

4720 Audit Security · Microsoft-Windows-Security-Auditing

A user account was created.

New account created — verify it was authorized.

4740 Audit Security · Microsoft-Windows-Security-Auditing

A user account was locked out.

Account lockout threshold reached. Check the Caller Computer Name for the source.

4768 Audit Security · Microsoft-Windows-Security-Auditing

A Kerberos authentication ticket (TGT) was requested.

Kerberos auth. Failure codes indicate bad password / disabled account.

4771 Audit Security · Microsoft-Windows-Security-Auditing

Kerberos pre-authentication failed.

Bad password via Kerberos (the Kerberos equivalent of 4625).

1102 Audit Security · Microsoft-Windows-Eventlog

The audit log was cleared.

Someone cleared the Security log — possible tampering. Investigate.

6005 Information System · EventLog

The Event log service was started.

System boot — the "uptime started here" marker.

6006 Information System · EventLog

The Event log service was stopped.

Clean shutdown marker.

6008 Error System · EventLog

The previous system shutdown was unexpected.

Dirty shutdown / crash / power loss.

41 Critical System · Microsoft-Windows-Kernel-Power

The system rebooted without cleanly shutting down first.

Power loss, hard crash, or BSOD that did not log. Check PSU / overheating / drivers.

7000 Error System · Service Control Manager

A service failed to start.

Service start failure — bad config, missing dependency, or permissions.

7045 Information System · Service Control Manager

A new service was installed in the system.

New service installed — common persistence technique; verify legitimacy.

1000 Error Application · Application Error

Application crash (faulting module).

An app crashed. The faulting module name points at the culprit DLL.

1001 Information Application · Windows Error Reporting

Windows Error Reporting bucket for a crash/BSOD.

Crash report — contains the BugCheck code for BSODs.

1026 Error Application · .NET Runtime

An unhandled .NET exception occurred.

.NET application crash — see the exception stack in the details.

36 Warning System · Microsoft-Windows-Time-Service

The time service has not synchronized.

Time drift — can break Kerberos auth if > 5 minutes off.

51 Warning System · Disk

An error was detected on the device during a paging operation.

Failing disk / storage controller. Run diagnostics, check SMART.

153 Warning System · disk

The IO operation was retried.

Storage timeouts — failing drive, cable, or controller.

55 Error System · Ntfs

The file system structure on the disk is corrupt.

NTFS corruption — run chkdsk; possible failing disk.