Windows

Windows Event Logs for security, system, and application events

Vendor: Microsoft

Documentation Edit this page

Log Types

Security Event Log

Authentication, authorization, and security audit events

Windows Event Log

View Details

Event ID 4624 - Successful Logon

Successful authentication events with logon type, authentication method, and session details

Windows Event Log > Security

View Details

Event ID 4625 - Failed Logon

Failed authentication attempts with detailed failure reasons and status codes

Windows Event Log > Security

View Details

Event ID 4672 - Special Privileges Assigned

Special privileges assigned to new logon, indicating administrative or sensitive access

Windows Event Log > Security

View Details

Event ID 4688 - Process Creation

New process creation with command line, parent process, and token information

Windows Event Log > Security

View Details

Event ID 4720 - User Account Created

New user account creation with account details and creator information

Windows Event Log > Security

View Details

Event ID 4726 - User Account Deleted

User account deletion with account details and who performed the deletion

Windows Event Log > Security

View Details

Event ID 4740 - Account Lockout

User account locked out after failed logon attempts

Windows Event Log > Security

View Details

Event ID 4732 - Member Added to Security Group

Member added to a security-enabled local or domain group

Windows Event Log > Security

View Details

Event ID 4648 - Explicit Credentials Logon

Logon attempt using explicit credentials (RunAs, mapped drives)

Windows Event Log > Security

View Details

Event ID 4698 - Scheduled Task Created

New scheduled task created, potential persistence mechanism

Windows Event Log > Security

View Details

Event ID 1102 - Security Log Cleared

Security event log was cleared, potential anti-forensics activity

Windows Event Log > Security

View Details

Event ID 4663 - Object Access Attempted

Access attempt on an object (file, registry, etc.) with SACL

Windows Event Log > Security

View Details

System Event Log

System component events, drivers, and services

Windows Event Log

View Details

Application Event Log

Application-specific events

Windows Event Log

View Details

Default Paths by Platform

eventlog

Event Viewer > Windows Logs

evtx

C:\Windows\System32\winevt\Logs\

Windows

Log Types

Security Event Log

Event ID 4624 - Successful Logon

Event ID 4625 - Failed Logon

Event ID 4672 - Special Privileges Assigned

Event ID 4688 - Process Creation

Event ID 4720 - User Account Created

Event ID 4726 - User Account Deleted

Event ID 4740 - Account Lockout

Event ID 4732 - Member Added to Security Group

Event ID 4648 - Explicit Credentials Logon

Event ID 4698 - Scheduled Task Created

Event ID 1102 - Security Log Cleared

Event ID 4663 - Object Access Attempted

System Event Log

Application Event Log

Default Paths by Platform

Categories