Windows Event Viewer Notes
Last Updated: September 19, 2016
Logon Types
| Type 2 | Interactive (console login) |
| Type 3 | Network |
| Type 4 | Batch (scheduled tasks) |
| Type 5 | Services |
| Type 7 | Unlock |
| Type 8 | Network (cleartext) |
| Type 9 | NewCredentials (RunAs) |
| Type 10 | RemoteInteractive (RDP connections) |
| Type 11 | CachedInteractive (not connected to domain) |
Logon failure events
| 0xC0000064 | User name does not exist |
| 0xC000006A | User name is correct but the password is wrong |
| 0xC0000234 | User is currently locked out |
| 0xC0000072 | Account is currently disabled |
| 0xC000006F | User tried to logon outside his day of week or time of day restrictions |
| 0xC0000070 | Workstation restriction |
| 0xC00000193 | Account expiration |
| 0xC0000071 | Expired password |
| 0xC0000133 | Clocks between DC and other computer too far out of sync |
| 0xC0000224 | User is required to change password at next logon |
| 0xC0000225 | Evidently a bug in Windows and not a risk |
| 0xC000015b | "The user has not been granted the requested logon" |
Logon sessions
| 4647 | user initiated logon |
| 4800 | Workstation Locked |
| 4801 | Workstation unlocked |
| 4802 | Screen saver loaded |
| 4803 | Screen saver dismissed |
| 4778 | RDP reconnected |
| 4779 | RDP disconnected |
User account changes
| 4720 | Created |
| 4722 | Enabled |
| 4723 | User changed own password |
| 4724 | Privileged User changed this user’s password |
| 4725 | Disabled |
| 4726 | Deleted |
| 4738 | Changed |
| 4740 | Locked out |
| 4767 | Unlocked |
| 4781 | Name change |
| Logon Type | Explanation |
|---|---|
| 2 | Logon via console |
| 3 | Network Logon, A user or computer logged on to this computer from the network. |
| 4 | Batch logon |
| 5 | Windows Service Logon |
| 7 | Credentials used to unlock screen |
| 8 | Network logon sending credentials (cleartext) |
| 9 | Different credentials used than logged on user |
| 10 | Remote interactive logon (RDP) |
| 11 | Cached credentials used to logon |
| 12 | Cached remote interactive |
| 13 | Cached unlock (Similar to logon type 7) |
| Event ID | Description | Log Name |
|---|---|---|
| 4624 | Successful Logon | Security |
| 4625 | Failed Login | Security |
| 4776 | Successful /Failed Account Authentication | Security |
| 4720 | A user account was created | Security |
| 4732 | A member was added to a security-enabled local group | Security |
| 4728 | A member was added to a security-enabled global group | Security |
| 7030 | Service Creation Errors | System |
| 7045 | Service Creation | System |