Windows Logs
Account Management Logs
Event ID | Explanation |
---|---|
Event ID 624 | User account created |
Event ID 626 | User account enabled |
Event ID 627 | Password change attempted |
Event ID 628 | User account password set |
Event ID 629 | User account disabled |
Event ID 630 | User account deleted |
Event ID 631 | Security-enabled global group created |
Event ID 632 | Security-enabled global group member added |
Event ID 633 | Security-enabled global group member removed |
Event ID 634 | Security-enabled global group deleted |
Event ID 635 | Security-enabled local group created |
Event ID 636 | Security-enabled local group member added |
Event ID 637 | Security-enabled local group member removed |
Event ID 638 | Security-enabled local group deleted |
Event ID 639 | Security-enabled local group changed |
Event ID 641 | Security-enabled global group changed |
Event ID 642 | User account changed |
Event ID 643 | Domain policy changed |
System Events
Event ID | Explanation |
---|---|
Event ID 512 | Windows is starting up |
Event ID 513 | Windows is shutting down |
Event ID 516 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits |
Event ID 517 | The security log was cleared |
Policy Changes
Event ID | Explanation |
---|---|
Event ID 608 | A user right was assigned |
Event ID 609 | A user right was removed |
Event ID 610 | A trust relationship with another domain was created |
Event ID 611 | A trust relationship with another domain was removed |
Event ID 612 | An audit policy was changed |
Event ID 4864 | A collision was detected between a namespace element in one forest and a namespace element in another forest |