Windows Event ID Lookup
Search common Windows Event Log IDs by number or keyword, filter by channel and severity, and generate a ready-to-paste log-monitoring config block.
Showing 82 of 82 curated event IDs.
| Channel | Title | Severity |
|---|---|---|
| System | The device has a bad block | Critical |
| System | The device did not respond within the timeout period | Warning |
| Application | Unable to read performance data | Info |
| System | Kernel-Power — system rebooted without cleanly shutting down | Critical |
| System | An error was detected on the device during a paging operation | Warning |
| System | The file system structure on the volume is corrupt | Critical |
| System | Reset to device issued (storage controller) | Warning |
| System | The IO operation was retried | Warning |
| Application | Application error (crash) | Warning |
| System | Bugcheck (Blue Screen of Death) reported | Critical |
| Application | Application hang (stopped responding) | Warning |
| System | Name resolution for a name timed out | Warning |
| Application | .NET Runtime fatal execution engine error | Critical |
| Application | .NET Runtime unhandled exception | Warning |
| System | Group Policy processing failed (could not read GPO) | Warning |
| System | The system has been shut down or restarted (initiated) | Info |
| System | Reason supplied for the previous unexpected shutdown | Info |
| Security | The event logging service has shut down | Warning |
| Security | The audit log was cleared | Critical |
| Application | ASP.NET unhandled exception (event 1309) | Warning |
| Application | Windows detected your registry file is still in use (profile) | Info |
| Security | The system time was changed | Warning |
| Security | An account was successfully logged on | Info |
| Security | An account failed to log on | Warning |
| Security | An account was logged off | Info |
| Security | User initiated logoff | Info |
| Security | A logon was attempted using explicit credentials | Warning |
| Security | A registry value was modified | Warning |
| Security | An attempt was made to access an object | Info |
| Security | Permissions on an object were changed | Warning |
| Security | Special privileges assigned to new logon | Warning |
| Security | A new process has been created | Info |
| Security | A process has exited | Info |
| Security | A service was installed in the system | Warning |
| Security | A scheduled task was created | Warning |
| Security | A scheduled task was deleted | Info |
| Security | A scheduled task was enabled | Info |
| Security | A scheduled task was updated | Info |
| Security | System audit policy was changed | Critical |
| Security | A user account was created | Warning |
| Security | A user account was enabled | Warning |
| Security | An attempt was made to change an account’s password | Info |
| Security | An attempt was made to reset an account’s password | Warning |
| Security | A user account was disabled | Info |
| Security | A user account was deleted | Warning |
| Security | A member was added to a security-enabled global group | Warning |
| Security | A member was added to a security-enabled local group | Critical |
| Security | A user account was changed | Warning |
| Security | A user account was locked out | Warning |
| Security | A member was added to a security-enabled universal group | Critical |
| Security | A user account was unlocked | Info |
| Security | A Kerberos authentication ticket (TGT) was requested | Info |
| Security | A Kerberos service ticket (TGS) was requested | Warning |
| Security | Kerberos pre-authentication failed | Warning |
| Security | The DC attempted to validate credentials (NTLM) | Warning |
| Security | The name of an account was changed | Info |
| Security | A user’s local group membership was enumerated | Info |
| Security | A security-enabled local group membership was enumerated | Info |
| Security | A Windows Firewall exception rule was added | Warning |
| Security | A Windows Firewall setting was changed | Warning |
| Security | A network share object was accessed | Info |
| Security | A network share object was checked for access (detailed) | Info |
| System | No domain controller available for the domain | Warning |
| System | The session setup from the computer failed (secure channel) | Warning |
| System | The Event log service was started | Info |
| System | The Event log service was stopped | Info |
| System | The previous system shutdown was unexpected | Critical |
| System | System uptime report | Info |
| System | A service failed to start | Warning |
| System | Timeout waiting for a service to connect | Warning |
| System | Timeout waiting for a service transaction response | Warning |
| System | A service hung on starting | Warning |
| System | A service terminated with an error | Warning |
| System | A service terminated unexpectedly (with recovery action) | Warning |
| System | A service terminated unexpectedly | Warning |
| System | A service entered the running/stopped state | Info |
| System | The start type of a service was changed | Warning |
| System | A new service was installed | Warning |
| Application | Product installed successfully (MSI) | Info |
| Application | Product install operation failed (MSI) | Warning |
| Application | Product removed successfully (MSI) | Info |
| System | A fatal TLS/SSL alert was generated (Schannel) | Warning |
How to add this to the Alert24 agent
- Install the lightweight Alert24 server agent on the Windows host (the PowerShell agent is the one that reads Windows Event Logs).
- Open the agent config JSON and paste the `log_searches` array above as a top-level key (sibling of `metrics` and `services`). If you already have a `log_searches` array, merge the objects in.
- Each interval the agent counts matching events with `Get-WinEvent` and reports a `match_count` back on the heartbeat. Add an alert rule (e.g. `log_match_count > 10`) to get paged.
Log-search monitoring is an Alert24 paid (Pro/Enterprise) feature. The free plan includes 3 server agents; paid plans add 5 agents per subscription unit. Heartbeats are always accepted — log searches are simply evaluated only on a plan that includes the feature.
Windows Event Log channels
Windows writes events to separate logs called channels. The three you will monitor most are the Security, System, and Application logs. This reference covers 82 curated IDs across them (43 Security, 29 System, 10 Application) — the ones sysadmins and blue teams reach for most.
Security
Logon activity, account and group changes, privilege use, Kerberos/NTLM authentication, audit-policy changes, and log clearing. The home of the 4xxx audit IDs.
System
OS and hardware health: boots and shutdowns, service crashes (Service Control Manager), disk and storage errors, and Kernel-Power events.
Application
App-level errors and hangs (1000/1002), .NET and ASP.NET runtime exceptions, and Windows Installer (MSI) activity.
Reading event severity for monitoring
The severity shown here is a monitoring judgement, not the raw Windows Level field. A successful logon (4624) is logged as Information, but it becomes interesting in context — an unusual account, an off-hours sign-in, or RDP from an unexpected IP. Use the severity filter to triage, then read the “why you’d monitor it” note on each event for the practical signal.
- Critical — almost always worth an immediate alert (audit log cleared 1102, audit policy changed 4719, unexpected shutdown 6008, Kernel-Power 41, NTFS corruption 55, BSOD 1001).
- Warning — investigate, especially in bursts (failed logons 4625, account lockout 4740, new service 7045, service crash 7034, disk errors).
- Info — baseline/context events that gain meaning when filtered or correlated (4624 logon, 7036 service state, 5140 share access).
From lookup to alert
Looking an event up is the first step; the next is getting told when it happens. Select the IDs you care about and copy the generated windows_event configuration. It groups your selected IDs into one log search per channel and drops straight into an Alert24 server agent, which counts matching events with Get-WinEvent on each heartbeat so you can threshold and alert on them.
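The following PowerShell is an added illustration of the counting step described here and in the agent instructions above; it is not the Alert24 agent's own code (the page does not show the agent's internals or the generated `windows_event` block). It groups a selection of IDs per channel, counts matches with `Get-WinEvent` over one interval, and compares each count against the `> 10` threshold the page suggests. The ID selection, the five-minute interval and the output field names are assumptions chosen for the example.

```powershell
# Added example, not Alert24 code: count selected event IDs per channel over
# the last interval, the way the page describes the agent doing per heartbeat.
# $selected and $intervalMinutes are assumptions for illustration.
$intervalMinutes = 5
$selected = @{
    'Security'    = @(4625, 4720, 4732, 4756, 4719, 1102)  # IDs named on this page
    'System'      = @(7045, 7034, 6008, 41)
    'Application' = @(1000, 1002)
}

function Get-EventMatchCounts {
    param(
        [hashtable]$IdsByChannel,   # channel name -> array of event IDs
        [int]$Minutes               # look-back window in minutes
    )
    $since = (Get-Date).AddMinutes(-$Minutes)
    foreach ($channel in $IdsByChannel.Keys) {
        # One filter per channel: the page's "one log search per channel".
        # Filtering is by ID only; add ProviderName to the hashtable if an ID
        # is shared by several providers in that channel.
        $filter = @{ LogName = $channel; Id = $IdsByChannel[$channel]; StartTime = $since }
        # Get-WinEvent raises a non-terminating "No events were found" error
        # when nothing matches; SilentlyContinue turns that into a zero count.
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Channel     = $channel
            Ids         = ($IdsByChannel[$channel] -join ',')
            match_count = $events.Count
            ByIdCount   = (($events | Group-Object Id |
                            ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ' ')
        }
    }
}

# Run from an elevated prompt: reading the Security log requires administrator rights.
$counts = Get-EventMatchCounts -IdsByChannel $selected -Minutes $intervalMinutes
$counts | Format-Table -AutoSize

# The same threshold the page suggests for an alert rule (log_match_count > 10).
$counts | Where-Object { $_.match_count -gt 10 } | ForEach-Object {
    Write-Warning "$($_.Channel): $($_.match_count) matches in the last $intervalMinutes min ($($_.ByIdCount))"
}
```

Scheduling this on a five-minute timer and keeping only `match_count` per channel reproduces what the agent reports on a heartbeat; the per-ID breakdown in `ByIdCount` is what you look at once a threshold trips, because a burst of 4625 and a burst of 7045 in the same channel count call for different responses.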
Frequently Asked Questions
Common questions about the Windows Event ID Lookup
Event ID 4625 ("An account failed to log on") is written to the Security log whenever a logon attempt fails. The Status and Sub-Status codes explain why — for example 0xC000006A means a bad password and 0xC0000234 means the account is locked out. A sudden spike of 4625 events against one account, or against many accounts from a single source IP, is the classic signature of a brute-force or password-spray attack.
4624 records a successful logon and 4625 records a failed logon. Both live in the Security channel and both include the account name, logon type, and source. Use 4624 to baseline who is signing in where (watch logon type 10 for RDP), and 4625 to detect authentication attacks.
Watch 4625 (failed logon), 4771 (Kerberos pre-authentication failed), and 4776 (NTLM credential validation failed) for guessing attempts, and 4740 (account locked out) for the lockout itself. The Caller Computer Name in 4740 points at the source of the bad attempts, which is often a stale cached credential or a misconfigured service rather than an attacker.
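As an added example covering the three answers above (it is not the page's tool or Alert24 code), the PowerShell below flattens 4625 records into the fields that matter (account, source address, logon type, Sub-Status), decodes the Sub-Status codes the page quotes, and flags the two patterns described: many failures against one account (brute force, or just a stale cached credential) and one source touching many accounts (password spray). The thresholds, the extra Sub-Status entries beyond the two the page gives, and the sample records are constructed assumptions.

```powershell
# Added example (not the page's tool or Alert24 code): decode 4625 Sub-Status
# codes and flag brute-force and password-spray patterns. Thresholds and the
# sample records are constructed assumptions.

# Sub-Status codes quoted on the page, plus a few other documented values.
$SubStatusText = @{
    '0xc000006a' = 'bad password'
    '0xc0000234' = 'account locked out'
    '0xc0000064' = 'user name does not exist'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'logon outside permitted hours'
}

function Get-SubStatusText([string]$Code) {
    $key = $Code.ToLower()
    if ($SubStatusText.ContainsKey($key)) { $SubStatusText[$key] } else { $Code }
}

# Flatten a live 4625 record (Get-WinEvent output) into the fields used below.
function ConvertFrom-FailedLogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Account   = $data['TargetUserName']
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']
        SubStatus = $data['SubStatus']
    }
}

function Find-LogonAttackPatterns {
    param(
        [object[]]$Failures,             # objects with Account, Source, SubStatus
        [int]$BruteForceThreshold = 10,  # failures against one account (assumed)
        [int]$SprayThreshold = 5         # distinct accounts from one source (assumed)
    )
    $findings = @()
    # Many failures against one account: brute force, or a stale cached credential.
    foreach ($g in ($Failures | Group-Object Account)) {
        if ($g.Count -ge $BruteForceThreshold) {
            $reasons = ($g.Group | Group-Object SubStatus |
                ForEach-Object { "$(Get-SubStatusText $_.Name) x$($_.Count)" }) -join ', '
            $findings += [pscustomobject]@{
                Pattern = 'brute-force'; Key = $g.Name; Count = $g.Count; Detail = $reasons
            }
        }
    }
    # One source address touching many distinct accounts: password spray.
    foreach ($g in ($Failures | Group-Object Source)) {
        $accounts = @($g.Group | Select-Object -ExpandProperty Account -Unique)
        if ($accounts.Count -ge $SprayThreshold) {
            $findings += [pscustomobject]@{
                Pattern = 'password-spray'; Key = $g.Name; Count = $accounts.Count
                Detail  = "$($g.Count) failures across $($accounts.Count) accounts"
            }
        }
    }
    return $findings
}

# Constructed sample standing in for flattened Get-WinEvent output.
$sample = @()
foreach ($i in 1..12) {
    $sample += [pscustomobject]@{ Account = 'svc-backup'; Source = '10.0.0.8'; SubStatus = '0xc000006a' }
}
$sample += [pscustomobject]@{ Account = 'svc-backup'; Source = '10.0.0.8'; SubStatus = '0xc0000234' }
foreach ($u in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank') {
    $sample += [pscustomobject]@{ Account = $u; Source = '203.0.113.7'; SubStatus = '0xc000006a' }
}
Find-LogonAttackPatterns -Failures $sample | Format-Table -AutoSize

# Live use from an elevated prompt, last hour of the Security log:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
#         ForEach-Object { ConvertFrom-FailedLogonEvent $_ }
# Find-LogonAttackPatterns -Failures @($live)
```

In the sample, `svc-backup` trips the brute-force rule with a Sub-Status mix of twelve bad passwords followed by one lockout, which is exactly the "stale credential or misconfigured service" shape the answer above describes, while `203.0.113.7` trips the spray rule because it touches six accounts with one failure each. The per-source grouping is what a lockout count alone misses: a spray stays under the lockout threshold for every account by design.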
Correlate System-channel events: 6005 marks the Event Log service starting (a boot), 6006 marks a clean stop, and 6008 explicitly says the previous shutdown was unexpected. A missing 6006 before a 6005, plus Kernel-Power event 41, indicates a dirty shutdown from power loss, a hard hang, or a crash.
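The correlation described above, as an added example that is not the page's tool or Alert24 code: walk the System-channel boot and shutdown events in time order, treat each 6005 (boot) that was not preceded by a 6006 (clean stop) as a suspected dirty shutdown, and record any 6008 or Kernel-Power 41 logged during that boot as corroboration. Note that 6008 and 41 are written at the next start-up, so they follow the 6005 they explain rather than precede it. The sample timeline is constructed.

```powershell
# Added example, not from the page's tool: flag boots (6005) with no clean
# stop (6006) before them, corroborated by 6008 / Kernel-Power 41 logged
# during that boot. Input objects need only Time and Id.
function Find-DirtyShutdowns {
    param([object[]]$Events)
    $boots = @()
    $current = $null
    $cleanStopSeen = $true   # nothing before the first boot is held against it
    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Id) {
            6006 { $cleanStopSeen = $true }
            6005 {
                if ($current) { $boots += $current }
                $current = [pscustomobject]@{
                    BootTime     = $e.Time
                    MissingClean = -not $cleanStopSeen
                    Corroborated = @()   # 6008 / 41 seen during this boot
                }
                $cleanStopSeen = $false  # the next boot needs its own 6006
            }
            { $_ -eq 6008 -or $_ -eq 41 } {
                if ($current) { $current.Corroborated += $e.Id }
            }
        }
    }
    if ($current) { $boots += $current }
    $boots | Where-Object { $_.MissingClean -or $_.Corroborated.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                BootTime     = $_.BootTime
                MissingClean = $_.MissingClean
                Corroborated = ($_.Corroborated -join ',')
            }
        }
}

# Constructed sample: a clean reboot, then a power loss, then the boot after it.
$t0 = [datetime]'2024-05-01T08:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t0;                            Id = 6005 }  # morning boot
    [pscustomobject]@{ Time = $t0.AddHours(9);                Id = 6006 }  # clean shutdown
    [pscustomobject]@{ Time = $t0.AddHours(9.1);              Id = 6005 }  # reboot after it
    [pscustomobject]@{ Time = $t0.AddHours(26);               Id = 6005 }  # boot with no 6006 before it
    [pscustomobject]@{ Time = $t0.AddHours(26).AddSeconds(5); Id = 41   }  # Kernel-Power, logged at start-up
    [pscustomobject]@{ Time = $t0.AddHours(26).AddSeconds(8); Id = 6008 }  # "previous shutdown was unexpected"
)
Find-DirtyShutdowns -Events $sample | Format-Table -AutoSize

# Live use (elevated). Restrict 41 to the Kernel-Power provider if other
# providers in the System log reuse that ID on your hosts:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005, 6006, 6008, 41 } |
#         Select-Object @{ n = 'Time'; e = { $_.TimeCreated } }, Id
# Find-DirtyShutdowns -Events @($live)
```

Only the third boot is reported: it has `MissingClean` set and is corroborated by both 41 and 6008. The first boot is skipped because the log starts there, and the second has a 6006 before it, which is the clean-reboot pattern you want to see.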
Service crashes appear as System events 7034 (terminated unexpectedly) and 7031 (terminated with a recovery action). 7000/7009/7011 cover start failures and timeouts. A new service install is 7045 (System) or 4697 (Security) — both are common persistence and lateral-movement signals worth alerting on.
High-value security IDs include 4625 (failed logon), 4720 (user created), 4726 (user deleted), 4732/4756 (added to a privileged group), 4672 (privileged logon), 4698 (scheduled task created), 4719 (audit policy changed), and 1102 (Security log cleared). The last two are strong anti-forensics signals and are almost never legitimate in production.
No. The entire reference dataset is bundled into the page and all search, filtering, and config generation happen in your browser. Nothing you type is sent to a server.
Select one or more events and copy the generated windows_event config block. Paste it into the log_searches array of an Alert24 server agent (the PowerShell agent reads Windows Event Logs via Get-WinEvent). The agent reports a match count on each heartbeat, and you add an alert rule such as log_match_count > 10 to get notified. Log-search monitoring is an Alert24 paid feature; the free plan includes 3 server agents.
Yes. Clicking an ID opens its detail panel and updates the URL with a ?id= parameter (for example ?id=4625), so you can bookmark or share a link that opens straight to that event.