Windows event log IDs
Several events occur on your system when you log into a system. In addition, the logged token elevation type shows what user rights are associated with the program. Many other events, including a logon was attempted with explicit credentials, an account was successfully logged on, and the computer attempted to validate the credentials for an account, can collectively indicate that a system is being breached.
Because Windows Firewall offers a critical line of defense, a malicious actor may attempt to modify its rules to gain access to your system. Use the firewall logging feature to check for dynamic and disabled port openings, and analyze dropped packets on the send path. Consider investigating the notifications for identifying, preventing and removing malware in Windows Defender.
Yes, even the built-in antivirus can be used to conduct malicious activity. Start by reviewing event ID , which is triggered when Defender detects unwanted software. Then review event to see whether the antivirus acted to protect your system from potential infiltration. All these events are present in a sublog. You can use the Event Viewer to monitor these events: open the Viewer, then expand Application and Service Logs in the console tree. Windows event logs are an indispensable tool for detecting group errors and malicious activity.
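The two checks above, reviewing the Defender sublog and analyzing dropped packets in the firewall log, can be scripted instead of clicked through in Event Viewer. The PowerShell below is an added example and is not code from the original article. It assumes the standard log name 'Microsoft-Windows-Windows Defender/Operational', the default pfirewall.log location under %SystemRoot%\System32\LogFiles\Firewall, and the documented space-delimited pfirewall.log layout whose '#Fields:' header names the columns; the sample log lines are constructed for illustration. The Defender helper groups events by ID so the IDs the text refers to can be read directly off the output; the firewall helper keeps only DROP entries on the SEND path and counts them per destination.

```powershell
# Added example (not from the original article). Helpers for two checks the text
# recommends: summarise Microsoft Defender Antivirus events from its operational
# sublog, and pull dropped outbound (SEND) packets out of the Windows Firewall log.
# The log name and the pfirewall.log path are the standard Windows defaults (assumed).

$DefenderLog     = 'Microsoft-Windows-Windows Defender/Operational'
$FirewallLogPath = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'

function Get-DefenderEventSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Grouping by event ID shows which detection/remediation IDs fired and how often;
    # -ErrorAction SilentlyContinue swallows the "No events were found" error.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            EventId     = [int]$_.Name
            Count       = $_.Count
            LastSeen    = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Description = ($_.Group[0].Message -split "`r?`n")[0]   # first line of the message text
        }
    }
}

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    # pfirewall.log is space-delimited; the '#Fields:' header line names the columns.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines, blank lines, and anything before the field list.
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Get-DroppedSendPackets {
    param([string[]]$Lines)
    # Dropped packets on the SEND path are outbound attempts the firewall refused;
    # counting them per destination/port/protocol makes repeated attempts stand out.
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        Group-Object 'dst-ip', 'dst-port', 'protocol' |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Destination'; e = { $_.Name } }
}

# Constructed sample in the pfirewall.log layout (not real traffic).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-10 09:00:01 DROP TCP 10.0.0.5 203.0.113.7 51000 445 52 S 1 0 8192 - - - SEND
2024-01-10 09:00:02 DROP TCP 10.0.0.5 203.0.113.7 51001 445 52 S 1 0 8192 - - - SEND
2024-01-10 09:00:03 ALLOW TCP 10.0.0.5 198.51.100.9 51002 443 52 S 1 0 8192 - - - SEND
2024-01-10 09:00:04 DROP UDP 192.0.2.8 10.0.0.5 5353 5353 80 - - - - - - - RECEIVE
'@ -split "`r?`n"

# Yields one row: Count 2, Destination "203.0.113.7, 445, TCP" (the inbound UDP drop is excluded).
Get-DroppedSendPackets -Lines $sample | Format-Table -AutoSize

# On a live host (elevated prompt, firewall logging of dropped packets enabled):
# Get-DroppedSendPackets -Lines (Get-Content $FirewallLogPath) | Format-Table -AutoSize
# Get-DefenderEventSummary | Format-Table -AutoSize
```

Both log sources require an elevated prompt to read, and pfirewall.log only contains dropped packets once logging of dropped packets has been turned on for the relevant firewall profile (in the Windows Firewall with Advanced Security properties, or with Set-NetFirewallProfile); until then the file is empty or absent and the helper returns nothing.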
An Active Directory replica destination naming context was modified.
Synchronization of a replica of an Active Directory naming context has begun.
Synchronization of a replica of an Active Directory naming context has ended.
Attributes of an Active Directory object were replicated.
Replication failure begins.
Replication failure ends.
A lingering object was removed from a replica.

The following policy was active when the Windows Firewall started.
A rule was listed when the Windows Firewall started.
A change has been made to the Windows Firewall exception list.
A rule was added.
A rule was modified.
A rule was deleted.
Windows Firewall settings were restored to the default values.
A Windows Firewall setting has changed.
A rule has been ignored because its major version number was not recognized by Windows Firewall.
Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
A rule has been ignored by Windows Firewall because it could not parse the rule.
Windows Firewall Group Policy settings have changed. The new settings have been applied.
Windows Firewall has changed the active profile.
Windows Firewall did not apply the following rule.
Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.

IPsec dropped an inbound packet that failed an integrity check.
IPsec dropped an inbound packet that failed a replay check.
IPsec dropped an inbound clear text packet that should have been secured.
Special groups have been assigned to a new logon.
During Main Mode negotiation, IPsec received an invalid negotiation packet.
During Quick Mode negotiation, IPsec received an invalid negotiation packet.
During Extended Mode negotiation, IPsec received an invalid negotiation packet.
An IPsec Extended Mode negotiation failed.
The state of a transaction has changed.

The Windows Firewall Service has started successfully.
The Windows Firewall Service has been stopped.
The Windows Firewall Service was unable to retrieve the security policy from the local storage.
The Windows Firewall Service was unable to parse the new security policy.
The Windows Firewall Service failed to initialize the driver.
The Windows Firewall Service failed to start.
The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
The Windows Firewall Driver has started successfully.
The Windows Firewall Driver has been stopped.
The Windows Firewall Driver failed to start.
The Windows Firewall Driver detected a critical runtime error.

Code integrity determined that the image hash of a file is not valid.
A registry key was virtualized.
A change has been made to IPsec settings.
An Authentication Set was modified.
An Authentication Set was deleted.
A Connection Security Rule was added.
A Connection Security Rule was modified.
A Connection Security Rule was deleted.
A Crypto Set was added.
A Crypto Set was modified.
A Crypto Set was deleted.
An IPsec Security Association was deleted.
A file was virtualized.
A cryptographic self test was performed.
A cryptographic primitive operation failed.
Key file operation.
Key migration operation.
Verification operation failed.
Cryptographic operation.
A kernel-mode cryptographic self test was performed.
A cryptographic provider operation was attempted.
A cryptographic context operation was attempted.
A cryptographic context modification was attempted.
A cryptographic function operation was attempted.
A cryptographic function modification was attempted.
A cryptographic function provider operation was attempted.
A cryptographic function property operation was attempted.
Key access denied by Microsoft key distribution service.

A directory service object was modified.
A directory service object was created.
A directory service object was undeleted.
A directory service object was moved.
A network share object was accessed.
A directory service object was deleted.
A network share object was added.
A network share object was modified.
A network share object was deleted.
A network share object was checked to see whether the client can be granted the desired access.

The Windows Filtering Platform has blocked a packet.
A more restrictive Windows Filtering Platform filter has blocked a packet.
The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
The DoS attack has subsided and normal processing is being resumed.
The Windows Filtering Platform blocked a packet.
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
The Windows Filtering Platform has allowed a connection.
The Windows Filtering Platform has blocked a connection.
The Windows Filtering Platform has permitted a bind to a local port.
The Windows Filtering Platform has blocked a bind to a local port.

A directory service object was modified during a background cleanup task.
Credential Manager credentials were backed up.
Credential Manager credentials were restored from a backup.
The requested credentials delegation was disallowed by policy.
Credential Manager credentials were read.
Vault Find Credential.
Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.

IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. The inbound packet had too low a sequence number to ensure it was not a replay.

IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.