Windows Logs
Account Management Logs
Event ID 624
User Account Created
Event ID 626
User Account enabled
Event ID 627
password change attempted
Event ID 628
user account password set
Event ID 629
user account disabled
Event ID 630
user account deleted
Event ID 631
security enabled global group created
Event ID 632
security enabled global group member added
Event ID 633
security enabled global group member removed
Event ID 634
security enabled global group deleted
Event ID 635
security enabled local group created
Event ID 636
security enabled local group member added
Event ID 637
security enabled local group member removed
Event ID 638
security enabled local group deleted
Event ID 639
security enabled local group changed
Event ID 641
security enabled global group changed
Event ID 642
user account changed
Event ID 643
domain policy changed
System Events
Event ID 512
Windows is starting up
Event ID 513
windows is shutting down
Event ID 516
internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
Event ID 517
the security log was cleared
Policy Changes
Event ID 608
A user right was assigned
Event ID 609
a user right was removed
Event ID 610
a trust relationship with another domain was created
Event ID 611
a trust relationship with another domain was removed
Event ID 612
an audit policy was changed
Event ID 4864
a collision was detected between a namespace element in one forest and a namespace element in another forest
Query for Windows Event Logs
Last updated