Event IDs for Windows Server 2008 and Vista Revealed!

Published on 1 July 2009 / Last Updated on 1 July 2009

How to track every event that is logged on a Windows Server 2008 and Windows Vista computer.

Introduction

Have you ever wanted to track something happening on a computer, but did not have all of the information available to track the event? Well, this article is going to give you the arsenal to track nearly every event that is logged on a Windows Server 2008 and Windows Vista computer. If you use these events in conjunction with the article that I just posted regarding centralized log computers, you can now create an ideal situation, where you are logging only the events that you will review, in a centralized location! And the best thing about it is that it is all free!

Setting up Security Logging

In order for you to understand how the events track specific aspects of the computer security logging feature, you need to understand how to initiate security logging. Most Windows computers (with the exception of some domain controller versions) do not start logging information to the Security Log by default. This is both a good thing and a bad thing. The bad thing about it is that nothing is being tracked without you forcing the computer to start logging security events. On the other hand, it is positive in that the log will not fill up and potentially cause an error message indicating that the log is full. This is something that Windows Server 2003 domain controllers did without any forewarning.

Security log event tracking is established and configured using Group Policy. You can, of course, configure the local Group Policy Object, but this is not ideal as it will cause you to configure each computer separately. You want to use Group Policy within Active Directory to set up logging on many computers with only one set of configurations. To set up security log tracking, first open up the Group Policy Management Console (GPMC) on a computer that is joined to the domain and log on with administrative credentials.

Within the GPMC, you can see all of your organizational units (OUs) (if you have any created) as well as all of your GPOs (if you have created more than the default two). For this example, we will assume you have an OU which contains computers that all need the same security log information tracked. We will use the Desktops OU and the AuditLog GPO.

Edit the AuditLog GPO and then expand to the following node:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Once you expand this node, you will see a list of possible audit categories you can configure, as shown in Figure 1.


Figure 1: Audit Policy categories allow you to specify which security areas you want to log

Each of the policy settings has two options: Success and/or Failure. To configure any of the categories for Success and/or Failure, you need to check the Define These Policy Settings check box, shown in Figure 2.


Figure 2: Each audit policy needs to first be defined, then the audit type(s) need to be configured

Here is a quick breakdown on what each category controls:

Audit account logon events – This will audit each time a user logs on or off from another computer where the computer performing the auditing is used to validate the account. The best example of this is when a user logs on to their Windows XP Professional computer, but is authenticated by the domain controller. Since the domain controller is validating the user, the event would be generated on the domain controller. This setting is not enabled for any operating system, except for Windows Server 2003 domain controllers, which are configured to audit success of these events. It is common and a best practice to have all domain controllers and servers audit these events. I also find that in many environments, clients are also configured to audit these events.

Audit account management – This will audit each event that is related to a user managing an account (user, group, or computer) in the user database on the computer where the auditing is configured. Examples of these events include:

  • Creating a user account
  • Adding a user to a group
  • Renaming a user account
  • Changing a password for a user account

For domain controllers, this will audit changes to domain accounts, as described in the following article: Auditing Users and Groups with the Windows Security Log. For a server or client, it will audit the local Security Accounts Manager and the accounts that reside there. This setting is not enabled for any operating system, except for Windows Server 2003 domain controllers, which are configured to audit success of these events. It is common and a best practice to have all domain controllers and servers audit these events. For auditing of the user accounts that the security logs and audit settings cannot capture, refer to the article titled Auditing User Accounts.

Audit directory service access – This will audit each event that is related to a user accessing an Active Directory object which has been configured to track user access through the System Access Control List (SACL) of the object. The SACL of an Active Directory object specifies three things:

  • The account (typically user or group) that will be tracked
  • The type of access that will be tracked, such as read, create, modify, etc
  • Success or failure access to the object

Since each object has its own unique SACL, the level of control over which Active Directory objects are tracked can be very precise. This setting is not enabled for any operating system, except for Windows Server 2003 domain controllers, which are configured to audit success of these events. It is best practice to enable both success and failure auditing of directory service access for all domain controllers.

Audit logon events – This will audit each event that is related to a user logging on to, logging off from, or making a network connection to the computer configured to audit logon events. A good example of when these events are logged is when a user logs on interactively to their workstation using a domain user account. This will generate an event on the workstation, but not on the domain controller that performed the authentication. In essence, logon events are tracked where the logon attempt occurs, not where the user account resides. This setting is not enabled for any operating system, except for Windows Server 2003 domain controllers, which are configured to audit success of these events. It is common to log these events on all computers on the network.

Audit object access – This will audit each event when a user accesses an object. Objects include files, folders, printers, Registry keys, and Active Directory objects. In reality, any object that has an SACL will be included in this form of auditing. As with auditing of directory service access, each object has its own unique SACL, allowing for targeted auditing of individual objects. There are no objects configured to be audited by default, which means that enabling this setting alone will not produce any logged information. Once this setting is established and a SACL for an object is configured, entries will start to show up in the log on access attempts for the object. It is typically not common to configure this level of auditing until there is a specific need to track access to resources. In highly secure environments, this level of auditing is usually enabled and numerous resources are configured to audit access.

Audit policy change – This will audit each event that is related to a change of one of the three “policy” areas on a computer. These policy areas include:

  • User Rights Assignment
  • Audit Policies
  • Trust relationships

This setting is not enabled for any operating system, except for Windows Server 2003 domain controllers, which are configured to audit success of these events. The best thing to do is to configure this level of auditing for all computers on the network.

Audit privilege use – This will audit each event that is related to a user performing a task that is controlled by a user right. The list of user rights is rather extensive, as shown in Figure 3.


Figure 3: List of User Rights for a Windows computer

This level of auditing is not configured to track events for any operating system by default. The best thing to do is to configure this level of auditing for all computers on the network.

Audit process tracking – This will audit each event that is related to processes on the computer. Examples would include program activation, process exit, handle duplication, and indirect object access. This level of auditing produces an excessive number of events and is typically not configured unless an application is being tracked for troubleshooting purposes.

Audit system events – This will audit every event that is related to a computer restarting or being shut down. Events that are related to the system security and security log will also be tracked when this auditing is enabled. This is a required audit configuration for a computer that needs to track not only when events occur that need to be logged, but also when the log itself is cleared. This setting is not enabled for any operating system, except for Windows Server 2003 domain controllers, which are configured to audit success of these events. It is a best practice to configure this level of auditing for all computers on the network.
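Once the AuditLog GPO has applied, it is worth checking what a host actually ended up with. The following PowerShell is an added example (not from the article) that parses the output of the built-in auditpol.exe and flags any category the article recommends auditing that is still set to No Auditing; it assumes an English-language Windows Vista / Server 2008 or later host, an elevated prompt, and the category names auditpol prints on those systems.

```powershell
# Added example: compare the effective audit policy reported by auditpol.exe with
# the categories this article recommends auditing. Assumes English auditpol output
# and an elevated PowerShell prompt on Windows Vista / Server 2008 or later.

function Get-EffectiveAuditPolicy {
    # Parse "auditpol /get /category:*" into @{ Category = @{ Subcategory = Setting } }.
    # Category lines are flush left; subcategory lines are indented two spaces and
    # end with the setting text, e.g. "  Logon                  Success and Failure".
    $policy  = @{}
    $current = $null
    foreach ($line in (auditpol /get /category:*)) {
        if ($line -match '^\s{2}(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            if ($current) { $policy[$current][$Matches[1]] = $Matches[2] }
        }
        elseif ($line -match '^\S' -and $line -notmatch 'audit policy|Category/Subcategory') {
            $current = $line.Trim()
            $policy[$current] = @{}
        }
    }
    return $policy
}

function Test-AuditPolicyAgainstArticle {
    # DomainRole 4 or 5 in Win32_ComputerSystem means backup/primary domain controller.
    param([bool]$IsDomainController = ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4))

    # Categories the article says every computer should audit; DS Access is DC-only.
    # These are the auditpol category names that map to the legacy Audit Policy node.
    $wanted = @('Account Logon', 'Account Management', 'Logon/Logoff',
                'Policy Change', 'Privilege Use', 'System')
    if ($IsDomainController) { $wanted += 'DS Access' }

    $effective = Get-EffectiveAuditPolicy
    foreach ($cat in $wanted) {
        $subs = $effective[$cat]
        if (-not $subs) { Write-Output "$cat : not reported by auditpol"; continue }
        $on = @($subs.GetEnumerator() | Where-Object { $_.Value -ne 'No Auditing' })
        if ($on.Count -eq 0) {
            Write-Output "$cat : NO AUDITING - the article recommends auditing this category"
        } else {
            Write-Output "$cat : auditing enabled in $($on.Count) of $($subs.Count) subcategories"
        }
    }
}

Test-AuditPolicyAgainstArticle
```

A category that shows "not reported by auditpol" usually means the output was localized, so adjust the matched words before trusting the result.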

Event IDs per Audit Category

As a long-time administrator and security professional, I have found that some events are more important than others when it comes to tracking and analyzing security. With this said, there are thousands of events that can be generated in the security log, so you need to have the secret decoder ring to know which ones to look for. Here is a breakdown of some of the most important events per category that you might want to track from your security logs.

Audit account logon events

Event ID - Description

4776 - The domain controller attempted to validate the credentials for an account

4777 - The domain controller failed to validate the credentials for an account

4768 - A Kerberos authentication ticket (TGT) was requested

4769 - A Kerberos service ticket was requested

4770 - A Kerberos service ticket was renewed

Audit account management

Event ID - Description

4741 - A computer account was created.

4742 - A computer account was changed.

4743 - A computer account was deleted.

4739 - Domain Policy was changed. 

4782 - The password hash of an account was accessed.

4727 - A security-enabled global group was created.

4728 - A member was added to a security-enabled global group.

4729 - A member was removed from a security-enabled global group.

4730 - A security-enabled global group was deleted.

4731 - A security-enabled local group was created.

4732 - A member was added to a security-enabled local group.

4733 - A member was removed from a security-enabled local group.

4734 - A security-enabled local group was deleted.

4735 - A security-enabled local group was changed.

4737 - A security-enabled global group was changed.

4754 - A security-enabled universal group was created.

4755 - A security-enabled universal group was changed.

4756 - A member was added to a security-enabled universal group.

4757 - A member was removed from a security-enabled universal group.

4758 - A security-enabled universal group was deleted.

4720 - A user account was created.

4722 - A user account was enabled.

4723 - An attempt was made to change an account's password.

4724 - An attempt was made to reset an account's password.

4725 - A user account was disabled.

4726 - A user account was deleted.

4738 - A user account was changed.

4740 - A user account was locked out.

4765 - SID History was added to an account.

4766 - An attempt to add SID History to an account failed.

4767 - A user account was unlocked.

4780 - The ACL was set on accounts which are members of administrators groups.

4781 - The name of an account was changed.

Audit directory service access

4934 - Attributes of an Active Directory object were replicated. 

4935 - Replication failure begins. 

4936 - Replication failure ends. 

5136 - A directory service object was modified. 

5137 - A directory service object was created. 

5138 - A directory service object was undeleted. 

5139 - A directory service object was moved. 

5141 - A directory service object was deleted.

4932 - Synchronization of a replica of an Active Directory naming context has begun.

4933 - Synchronization of a replica of an Active Directory naming context has ended.

Audit logon events

4634 - An account was logged off.

4647 - User initiated logoff.

4624 - An account was successfully logged on.

4625 - An account failed to log on. 

4648 - A logon was attempted using explicit credentials.

4675 - SIDs were filtered. 

4649 - A replay attack was detected.

4778 - A session was reconnected to a Window Station.

4779 - A session was disconnected from a Window Station.

4800 - The workstation was locked.

4801 - The workstation was unlocked.

4802 - The screen saver was invoked.

4803 - The screen saver was dismissed.

5378 - The requested credentials delegation was disallowed by policy.

5632 - A request was made to authenticate to a wireless network.

5633 - A request was made to authenticate to a wired network.

Audit object access

5140 - A network share object was accessed.

4664 - An attempt was made to create a hard link. 

4985 - The state of a transaction has changed. 

5051 - A file was virtualized. 

5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network. 

4698 - A scheduled task was created. 

4699 - A scheduled task was deleted. 

4700 - A scheduled task was enabled. 

4701 - A scheduled task was disabled. 

4702 - A scheduled task was updated.

4657 - A registry value was modified.

5039 - A registry key was virtualized.

4660 - An object was deleted. 

4663 - An attempt was made to access an object. 

Audit policy change

4715 - The audit policy (SACL) on an object was changed.

4719 - System audit policy was changed.

4902 - The Per-user audit policy table was created.

4906 - The CrashOnAuditFail value has changed.

4907 - Auditing settings on object were changed.

4706 - A new trust was created to a domain.

4707 - A trust to a domain was removed.

4713 - Kerberos policy was changed.

4716 - Trusted domain information was modified.

4717 - System security access was granted to an account.

4718 - System security access was removed from an account.

4864 - A namespace collision was detected.

4865 - A trusted forest information entry was added.

4866 - A trusted forest information entry was removed.

4867 - A trusted forest information entry was modified.

4704 - A user right was assigned.

4705 - A user right was removed.

4714 - Encrypted data recovery policy was changed.

4944 - The following policy was active when the Windows Firewall started.

4945 - A rule was listed when the Windows Firewall started.

4946 - A change has been made to Windows Firewall exception list. A rule was added.

4947 - A change has been made to Windows Firewall exception list. A rule was modified.

4948 - A change has been made to Windows Firewall exception list. A rule was deleted.

4949 - Windows Firewall settings were restored to the default values.

4950 - A Windows Firewall setting has changed.

4951 - A rule has been ignored because its major version number was not recognized by Windows Firewall.

4952 - Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

4953 - A rule has been ignored by Windows Firewall because it could not parse the rule.

4954 - Windows Firewall Group Policy settings have changed. The new settings have been applied.

4956 - Windows Firewall has changed the active profile.

4957 - Windows Firewall did not apply the following rule:

4958 - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

6144 - Security policy in the group policy objects has been applied successfully.

6145 - One or more errors occurred while processing security policy in the group policy objects.

4670 - Permissions on an object were changed.

Audit privilege use

4672 - Special privileges assigned to new logon.

4673 - A privileged service was called.

4674 - An operation was attempted on a privileged object.

Audit system events

5024 - The Windows Firewall Service has started successfully. 

5025 - The Windows Firewall Service has been stopped. 

5027 - The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. 

5028 - The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. 

5029 - The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. 

5030 - The Windows Firewall Service failed to start. 

5032 - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. 

5033 - The Windows Firewall Driver has started successfully. 

5034 - The Windows Firewall Driver has been stopped. 

5035 - The Windows Firewall Driver failed to start. 

5037 - The Windows Firewall Driver detected critical runtime error. Terminating. 

4608 - Windows is starting up. 

4609 - Windows is shutting down. 

4616 - The system time was changed. 

4621 - Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. 

4697 - A service was installed in the system. 

4618 - A monitored security event pattern has occurred. 

For a full list of all events, go to the following Microsoft URL.
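As an added example (not part of the article), the following PowerShell pulls a subset of the event IDs tabulated above out of the Security log for a look-back window, counts them per audit category, and breaks failed logons (4625) down by account, source address and logon type. It assumes Windows Vista / Server 2008 or later with the Get-WinEvent cmdlet, an elevated prompt, and that $ComputerName, if changed from the local machine, points at a reachable collector.

```powershell
# Added example: summarise the events listed in this article from the Security log.
# Needs an elevated prompt (or Event Log Readers membership) and PowerShell 2.0+.
# Event IDs per category are taken from the tables above (a subset, to stay short).
$ArticleEventIds = @{
    'Account logon'      = @(4776, 4777, 4768, 4769, 4770)
    'Account management' = @(4720, 4722, 4723, 4724, 4725, 4726, 4728, 4732, 4738, 4740, 4756)
    'Logon'              = @(4624, 4625, 4634, 4647, 4648, 4649, 4778, 4779)
    'Policy change'      = @(4704, 4705, 4706, 4707, 4713, 4719, 4907)
    'Privilege use'      = @(4672, 4673, 4674)
    'System'             = @(4608, 4609, 4616, 4621, 4697)
}

function Get-ArticleEventCounts {
    # One query per category keeps each -FilterHashtable Id list short; very long
    # Id lists make Get-WinEvent fail with an invalid-query error.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($cat in ($ArticleEventIds.Keys | Sort-Object)) {
        $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $ArticleEventIds[$cat]; StartTime = $since }
        $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
            New-Object PSObject -Property @{ Category = $cat; Id = $_.Name; Count = $_.Count }
        }
    }
}

function Get-FailedLogonSummary {
    # Event 4625: pull TargetUserName, IpAddress, LogonType and Status out of the
    # EventData XML and group by account, source and logon type, most frequent first.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
      ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            User = $data['TargetUserName']; Source = $data['IpAddress']
            LogonType = $data['LogonType']; Status = $data['Status']
        }
      } | Group-Object User, Source, LogonType | Sort-Object Count -Descending |
      Select-Object Count, Name
}

Get-ArticleEventCounts -Hours 24 | Format-Table Category, Id, Count -AutoSize
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Pointing $ComputerName at the collector described in the centralized logging article and changing LogName to 'ForwardedEvents' gives the same summary across every forwarding host.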

Summary

Microsoft continues to include additional events that show up in the Security Log within Event Viewer. Once you have used Group Policy to establish which categories you will audit and track, you can then use the events decoded above to track only what you need for your environment. If you combine the events with other technology, such as subscriptions, you can create a fine-tuned log of the events that you need to track to perform your duties and keep your network secure.
