Windows Logs

Account Management Logs

Event ID   Explanation
624        User account created
626        User account enabled
627        Password change attempted
628        User account password set
629        User account disabled
630        User account deleted
631        Security-enabled global group created
632        Security-enabled global group member added
633        Security-enabled global group member removed
634        Security-enabled global group deleted
635        Security-enabled local group created
636        Security-enabled local group member added
637        Security-enabled local group member removed
638        Security-enabled local group deleted
639        Security-enabled local group changed
641        Security-enabled global group changed
642        User account changed
643        Domain policy changed

System Events

Event ID   Explanation
512        Windows is starting up
513        Windows is shutting down
516        Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
517        The security log was cleared

Policy Changes

Event ID   Explanation
608        A user right was assigned
609        A user right was removed
610        A trust relationship with another domain was created
611        A trust relationship with another domain was removed
612        An audit policy was changed
4864       A collision was detected between a namespace element in one forest and a namespace element in another forest

Query for Windows Event Logs

wevtutil qe Security /c:100 /rd:true /q:"*[System[(EventID=612)]]"

Security --> name of the log to query
/c: --> maximum number of events returned
/rd: --> read direction; true returns the newest events first
/q: --> the XPath query that selects the events
