 512 - Windows NT is starting up  576 - Special privileges assigned to new logon

Windows 2000/XP and  513 - Windows is shutting down  577 - Privileged Service Called
 514 - An authentication package has been loaded  578 - Privileged object operation
Windows Server 2003 by the Local Security Authority  592 - A new process has been created
 515 - A trusted logon process has registered with  593 - A process has exited
According to the version of Windows the Local Security Authority  594 - A handle to an object has been duplicated
installed on the system under  516 - Internal resources allocated for the queuing  595 - Indirect access to an object has been
investigation, the number and types of of audit messages have been exhausted, leading obtained
to the loss of some audits  596 - Backup of data protection master key
events will differ, so the events logged
 517 - The audit log was cleared  600 - A process was assigned a primary token
by a Windows XP machine may be
 518 - A notification package has been loaded by  601 - Attempt to install service
incompatible with an event log analysis the Security Account Manager  602 - Scheduled Task created
tool designed for Windows 8.  519 - A process is using an invalid local procedure  608 - User Right Assigned
call (LPC) port  609 - User Right Removed
For example, Event ID 551 on a  520 - The system time was changed  610 - New Trusted Domain
Windows XP machine refers to a logoff  521 - Unable to log events to security log  611 - Removing Trusted Domain
event; the Windows 7 equivalent is  528 - Successful Logon  612 - Audit Policy Change
Event ID 4647.  529 - Logon Failure - Unknown user name or bad  613 - IPSec policy agent started
password  614 - IPSec policy agent disabled
 530 - Logon Failure - Account logon time  615 - IPSEC PolicyAgent Service
restriction violation  616 - IPSec policy agent encountered a
 531 - Logon Failure - Account currently disabled potentially serious failure.
 532 - Logon Failure - The specified user account  617 - Kerberos Policy Changed
has expired  618 - Encrypted Data Recovery Policy Changed
 533 - Logon Failure - User not allowed to logon at  619 - Quality of Service Policy Changed
this computer  620 - Trusted Domain Information Modified
 534 - Logon Failure - The user has not been  621 - System Security Access Granted
granted the requested logon type at this machine  622 - System Security Access Removed
 535 - Logon Failure - The specified account's  623 - Per User Audit Policy was refreshed
password has expired
 624 - User Account Created
 536 - Logon Failure - The NetLogon component is
 625 - User Account Type Changed
not active
 626 - User Account Enabled
 537 - Logon failure - The logon attempt failed for
 627 - Change Password Attempt
other reasons.
 628 - User Account password set
 538 - User Logoff
 629 - User Account Disabled
 539 - Logon Failure - Account locked out
 630 - User Account Deleted
 540 - Successful Network Logon
 631 - Security Enabled Global Group Created
 551 - User initiated logoff
 632 - Security Enabled Global Group Member
 552 - Logon attempt using explicit credentials
Added
 560 - Object Open
 633 - Security Enabled Global Group Member
 561 - Handle Allocated
Removed
 562 - Handle Closed
 634 - Security Enabled Global Group Deleted
 563 - Object Open for Delete
 635 - Security Enabled Local Group Created
 564 - Object Deleted
 636 - Security Enabled Local Group Member
 565 - Object Open (Active Directory) Added
 566 - Object Operation (Active Directory)  637 - Security Enabled Local Group Member
 567 - Object Access Attempt Removed

Andrea Fortuna - https://www.andreafortuna.org

 638 - Security Enabled Local Group Deleted  677 - Service Ticket Request Failed  855 - A Windows Firewall ICMP setting has
 639 - Security Enabled Local Group Changed  678 - Account Mapped for Logon by changed
 640 - General Account Database Change  679 - The name: %2 could not be mapped for  856 - The Windows Firewall setting to allow
 641 - Security Enabled Global Group Changed logon by: %1 unicast responses to multicast/broadcast traffic
 642 - User Account Changed  680 - Account Used for Logon by has changed
 643 - Domain Policy Changed  681 - The logon to account: %2 by: %1 from  857 - The Windows Firewall setting to allow
 644 - User Account Locked Out workstation: %3 failed. remote administration, allowing port TCP 135
 645 - Computer Account Created  682 - Session reconnected to winstation and DCOM/RPC, has changed
 646 - Computer Account Changed  683 - Session disconnected from winstation  858 - Windows Firewall group policy settings
 647 - Computer Account Deleted  684 - Set ACLs of members in administrators have been applied
 648 - Security Disabled Local Group Created groups  859 - The Windows Firewall group policy settings
 649 - Security Disabled Local Group Changed  685 - Account Name Changed have been removed
 650 - Security Disabled Local Group Member  686 - Password of the following user accessed  860 - The Windows Firewall has switched the
Added  687 - Basic Application Group Created active policy profile
 651 - Security Disabled Local Group Member  688 - Basic Application Group Changed  861 - The Windows Firewall has detected an
Removed  689 - Basic Application Group Member Added application listening for incoming traffic
 652 - Security Disabled Local Group Deleted  690 - Basic Application Group Member Removed
 653 - Security Disabled Global Group Created  691 - Basic Application Group Non-Member
 654 - Security Disabled Global Group Changed Added
 655 - Security Disabled Global Group Member  692 - Basic Application Group Non-Member
Added Removed
 656 - Security Disabled Global Group Member  693 - Basic Application Group Deleted
Removed  694 - LDAP Query Group Created
 657 - Security Disabled Global Group Deleted  695 - LDAP Query Group Changed
 658 - Security Enabled Universal Group Created  696 - LDAP Query Group Deleted
 659 - Security Enabled Universal Group Changed  697 - Password Policy Checking API is called
 660 - Security Enabled Universal Group Member  806 - Per User Audit Policy was refreshed
Added  807 - Per user auditing policy set for user
 661 - Security Enabled Universal Group Member  808 - A security event source has attempted to
Removed register
 662 - Security Enabled Universal Group Deleted  809 - A security event source has attempted to
 663 - Security Disabled Universal Group Created unregister
 664 - Security Disabled Universal Group Changed  848 - The following policy was active when the
 665 - Security Disabled Universal Group Member Windows Firewall started
Added  849 - An application was listed as an exception
 666 - Security Disabled Universal Group Member when the Windows Firewall started
Removed  850 - A port was listed as an exception when the
 667 - Security Disabled Universal Group Deleted Windows Firewall started
 668 - Group Type Changed  851 - A change has been made to the Windows
 669 - Add SID History Firewall application exception list
 670 - Add SID History  852 - A change has been made to the Windows
 671 - User Account Unlocked Firewall port exception list
 672 - Authentication Ticket Granted  853 - The Windows Firewall operational mode
 673 - Service Ticket Granted has changed
 674 - Ticket Granted Renewed  854 - The Windows Firewall logging settings have
 675 - Pre-authentication failed changed
 676 - Authentication Ticket Request Failed

Andrea Fortuna - https://www.andreafortuna.org

  1100 - The event logging service has shut down  4657 - A registry value was modified
Windows 7/Vista/8/10  1101 - Audit events have been dropped by the  4658 - The handle to an object was closed
transport.  4659 - A handle to an object was requested with
Windows Server  1102 - The audit log was cleared intent to delete
 1104 - The security Log is now full  4660 - An object was deleted
2008/2012R2/2016/2019  1105 - Event log automatic backup  4661 - A handle to an object was requested
 1108 - The event logging service encountered an  4662 - An operation was performed on an object
error  4663 - An attempt was made to access an object
 4608 - Windows is starting up  4664 - An attempt was made to create a hard link
 4609 - Windows is shutting down  4665 - An attempt was made to create an
 4610 - An authentication package has been loaded application client context.
by the Local Security Authority  4666 - An application attempted an operation
 4611 - A trusted logon process has been  4667 - An application client context was deleted
registered with the Local Security Authority  4668 - An application was initialized
 4612 - Internal resources allocated for the  4670 - Permissions on an object were changed
queuing of audit messages have been exhausted,  4671 - An application attempted to access a
leading to the loss of some audits. blocked ordinal through the TBS
 4614 - A notification package has been loaded by  4672 - Special privileges assigned to new logon
the Security Account Manager.  4673 - A privileged service was called
 4615 - Invalid use of LPC port  4674 - An operation was attempted on a
 4616 - The system time was changed. privileged object
 4618 - A monitored security event pattern has  4675 - SIDs were filtered
occurred  4688 - A new process has been created
 4621 - Administrator recovered system from  4689 - A process has exited
CrashOnAuditFail  4690 - An attempt was made to duplicate a handle
 4622 - A security package has been loaded by the to an object
Local Security Authority.  4691 - Indirect access to an object was requested
 4624 - An account was successfully logged on  4692 - Backup of data protection master key was
 4625 - An account failed to log on attempted
 4626 - User/Device claims information  4693 - Recovery of data protection master key
 4627 - Group membership information. was attempted
 4634 - An account was logged off  4694 - Protection of auditable protected data was
 4646 - IKE DoS-prevention mode started attempted
 4647 - User initiated logoff  4695 - Unprotection of auditable protected data
 4648 - A logon was attempted using explicit was attempted
credentials  4696 - A primary token was assigned to process
 4649 - A replay attack was detected  4697 - A service was installed in the system
 4650 - An IPsec Main Mode security association  4698 - A scheduled task was created
was established  4699 - A scheduled task was deleted
 4651 - An IPsec Main Mode security association  4700 - A scheduled task was enabled
was established  4701 - A scheduled task was disabled
 4652 - An IPsec Main Mode negotiation failed  4702 - A scheduled task was updated
 4653 - An IPsec Main Mode negotiation failed  4703 - A token right was adjusted
 4654 - An IPsec Quick Mode negotiation failed  4704 - A user right was assigned
 4655 - An IPsec Main Mode security association  4705 - A user right was removed
ended  4706 - A new trust was created to a domain
 4656 - A handle to an object was requested  4707 - A trust to a domain was removed

Andrea Fortuna - https://www.andreafortuna.org

 4709 - IPsec Services was started  4743 - A computer account was deleted  4770 - A Kerberos service ticket was renewed
 4710 - IPsec Services was disabled  4744 - A security-disabled local group was created  4771 - Kerberos pre-authentication failed
 4711 - PAStore Engine (1%)  4745 - A security-disabled local group was  4772 - A Kerberos authentication ticket request
 4712 - IPsec Services encountered a potentially changed failed
serious failure  4746 - A member was added to a security-disabled  4773 - A Kerberos service ticket request failed
 4713 - Kerberos policy was changed local group  4774 - An account was mapped for logon
 4714 - Encrypted data recovery policy was  4747 - A member was removed from a security-  4775 - An account could not be mapped for logon
changed disabled local group  4776 - The domain controller attempted to
 4715 - The audit policy (SACL) on an object was  4748 - A security-disabled local group was deleted validate the credentials for an account
changed  4749 - A security-disabled global group was  4777 - The domain controller failed to validate the
 4716 - Trusted domain information was modified created credentials for an account
 4717 - System security access was granted to an  4750 - A security-disabled global group was  4778 - A session was reconnected to a Window
account changed Station
 4718 - System security access was removed from  4751 - A member was added to a security-disabled  4779 - A session was disconnected from a Window
an account global group Station
 4719 - System audit policy was changed  4752 - A member was removed from a security-  4780 - The ACL was set on accounts which are
 4720 - A user account was created disabled global group members of administrators groups
 4722 - A user account was enabled  4753 - A security-disabled global group was  4781 - The name of an account was changed
 4723 - An attempt was made to change an deleted  4782 - The password hash an account was
account's password  4754 - A security-enabled universal group was accessed
 4724 - An attempt was made to reset an accounts created  4783 - A basic application group was created
password  4755 - A security-enabled universal group was  4784 - A basic application group was changed
 4725 - A user account was disabled changed  4785 - A member was added to a basic application
 4726 - A user account was deleted  4756 - A member was added to a security-enabled group
 4727 - A security-enabled global group was universal group  4786 - A member was removed from a basic
created  4757 - A member was removed from a security- application group
 4728 - A member was added to a security-enabled enabled universal group  4787 - A non-member was added to a basic
global group  4758 - A security-enabled universal group was application group
 4729 - A member was removed from a security- deleted  4788 - A non-member was removed from a basic
enabled global group  4759 - A security-disabled universal group was application group..
 4730 - A security-enabled global group was created  4789 - A basic application group was deleted
deleted  4760 - A security-disabled universal group was  4790 - An LDAP query group was created
 4731 - A security-enabled local group was created changed  4791 - A basic application group was changed
 4732 - A member was added to a security-enabled  4761 - A member was added to a security-disabled  4792 - An LDAP query group was deleted
local group universal group  4793 - The Password Policy Checking API was
 4733 - A member was removed from a security-  4762 - A member was removed from a security- called
enabled local group disabled universal group  4794 - An attempt was made to set the Directory
 4734 - A security-enabled local group was deleted  4763 - A security-disabled universal group was Services Restore Mode administrator password
 4735 - A security-enabled local group was deleted  4797 - An attempt was made to query the
changed  4764 - A groups type was changed existence of a blank password for an account
 4737 - A security-enabled global group was  4765 - SID History was added to an account  4798 - A user's local group membership was
changed  4766 - An attempt to add SID History to an enumerated.
 4738 - A user account was changed account failed  4799 - A security-enabled local group membership
 4739 - Domain Policy was changed  4767 - A user account was unlocked was enumerated
 4740 - A user account was locked out  4768 - A Kerberos authentication ticket (TGT) was  4800 - The workstation was locked
 4741 - A computer account was created requested  4801 - The workstation was unlocked
 4742 - A computer account was changed  4769 - A Kerberos service ticket was requested  4802 - The screen saver was invoked

Andrea Fortuna - https://www.andreafortuna.org

 4803 - The screen saver was dismissed  4875 - Certificate Services received a request to  4906 - The CrashOnAuditFail value has changed
 4816 - RPC detected an integrity violation while shut down  4907 - Auditing settings on object were changed
decrypting an incoming message  4876 - Certificate Services backup started  4908 - Special Groups Logon table modified
 4817 - Auditing settings on object were changed.  4877 - Certificate Services backup completed  4909 - The local policy settings for the TBS were
 4818 - Proposed Central Access Policy does not  4878 - Certificate Services restore started changed
grant the same access permissions as the current  4879 - Certificate Services restore completed  4910 - The group policy settings for the TBS were
Central Access Policy  4880 - Certificate Services started changed
 4819 - Central Access Policies on the machine  4881 - Certificate Services stopped  4911 - Resource attributes of the object were
have been changed  4882 - The security permissions for Certificate changed
 4820 - A Kerberos Ticket-granting-ticket (TGT) was Services changed  4912 - Per User Audit Policy was changed
denied because the device does not meet the  4883 - Certificate Services retrieved an archived  4913 - Central Access Policy on the object was
access control restrictions key changed
 4821 - A Kerberos service ticket was denied  4884 - Certificate Services imported a certificate  4928 - An Active Directory replica source naming
because the user, device, or both does not meet into its database context was established
the access control restrictions  4885 - The audit filter for Certificate Services  4929 - An Active Directory replica source naming
 4822 - NTLM authentication failed because the changed context was removed
account was a member of the Protected User  4886 - Certificate Services received a certificate  4930 - An Active Directory replica source naming
group request context was modified
 4823 - NTLM authentication failed because access  4887 - Certificate Services approved a certificate  4931 - An Active Directory replica destination
control restrictions are required request and issued a certificate naming context was modified
 4824 - Kerberos preauthentication by using DES or  4888 - Certificate Services denied a certificate  4932 - Synchronization of a replica of an Active
RC4 failed because the account was a member of request Directory naming context has begun
the Protected User group  4889 - Certificate Services set the status of a  4933 - Synchronization of a replica of an Active
 4825 - A user was denied the access to Remote certificate request to pending Directory naming context has ended
Desktop. By default, users are allowed to connect  4890 - The certificate manager settings for  4934 - Attributes of an Active Directory object
only if they are members of the Remote Desktop Certificate Services changed. were replicated
Users group or Administrators group  4891 - A configuration entry changed in Certificate  4935 - Replication failure begins
 4826 - Boot Configuration Data loaded Services  4936 - Replication failure ends
 4830 - SID History was removed from an account  4892 - A property of Certificate Services changed  4937 - A lingering object was removed from a
 4864 - A namespace collision was detected  4893 - Certificate Services archived a key replica
 4865 - A trusted forest information entry was  4894 - Certificate Services imported and archived  4944 - The following policy was active when the
added a key Windows Firewall started
 4866 - A trusted forest information entry was  4895 - Certificate Services published the CA  4945 - A rule was listed when the Windows
removed certificate to Active Directory Domain Services Firewall started
 4867 - A trusted forest information entry was  4896 - One or more rows have been deleted from  4946 - A change has been made to Windows
modified the certificate database Firewall exception list. A rule was added
 4868 - The certificate manager denied a pending  4897 - Role separation enabled  4947 - A change has been made to Windows
certificate request  4898 - Certificate Services loaded a template Firewall exception list. A rule was modified
 4869 - Certificate Services received a resubmitted  4899 - A Certificate Services template was  4948 - A change has been made to Windows
certificate request updated Firewall exception list. A rule was deleted
 4870 - Certificate Services revoked a certificate  4900 - Certificate Services template security was  4949 - Windows Firewall settings were restored to
 4871 - Certificate Services received a request to updated the default values
publish the certificate revocation list (CRL)  4902 - The Per-user audit policy table was created  4950 - A Windows Firewall setting has changed
 4872 - Certificate Services published the  4904 - An attempt was made to register a security  4951 - A rule has been ignored because its major
certificate revocation list (CRL) event source version number was not recognized by Windows
 4873 - A certificate request extension changed  4905 - An attempt was made to unregister a Firewall
 4874 - One or more certificate request attributes security event source
changed.

Andrea Fortuna - https://www.andreafortuna.org

 4952 - Parts of a rule have been ignored because  5027 - The Windows Firewall Service was unable  5057 - A cryptographic primitive operation failed
its minor version number was not recognized by to retrieve the security policy from the local  5058 - Key file operation
Windows Firewall storage  5059 - Key migration operation
 4953 - A rule has been ignored by Windows  5028 - The Windows Firewall Service was unable  5060 - Verification operation failed
Firewall because it could not parse the rule to parse the new security policy.  5061 - Cryptographic operation
 4954 - Windows Firewall Group Policy settings has  5029 - The Windows Firewall Service failed to  5062 - A kernel-mode cryptographic self test was
changed. The new settings have been applied initialize the driver performed
 4956 - Windows Firewall has changed the active  5030 - The Windows Firewall Service failed to start  5063 - A cryptographic provider operation was
profile  5031 - The Windows Firewall Service blocked an attempted
 4957 - Windows Firewall did not apply the application from accepting incoming connections  5064 - A cryptographic context operation was
following rule on the network. attempted
 4958 - Windows Firewall did not apply the  5032 - Windows Firewall was unable to notify the  5065 - A cryptographic context modification was
following rule because the rule referred to items user that it blocked an application from accepting attempted
not configured on this computer incoming connections on the network  5066 - A cryptographic function operation was
 4960 - IPsec dropped an inbound packet that  5033 - The Windows Firewall Driver has started attempted
failed an integrity check successfully  5067 - A cryptographic function modification was
 4961 - IPsec dropped an inbound packet that  5034 - The Windows Firewall Driver has been attempted
failed a replay check stopped  5068 - A cryptographic function provider
 4962 - IPsec dropped an inbound packet that  5035 - The Windows Firewall Driver failed to start operation was attempted
failed a replay check  5037 - The Windows Firewall Driver detected  5069 - A cryptographic function property
 4963 - IPsec dropped an inbound clear text packet critical runtime error. Terminating operation was attempted
that should have been secured  5038 - Code integrity determined that the image  5070 - A cryptographic function property
 4964 - Special groups have been assigned to a hash of a file is not valid operation was attempted
new logon  5039 - A registry key was virtualized.  5071 - Key access denied by Microsoft key
 4965 - IPsec received a packet from a remote  5040 - A change has been made to IPsec settings. distribution service
computer with an incorrect Security Parameter An Authentication Set was added.  5120 - OCSP Responder Service Started
Index (SPI).  5041 - A change has been made to IPsec settings.  5121 - OCSP Responder Service Stopped
 4976 - During Main Mode negotiation, IPsec An Authentication Set was modified  5122 - A Configuration entry changed in the OCSP
received an invalid negotiation packet.  5042 - A change has been made to IPsec settings. Responder Service
 4977 - During Quick Mode negotiation, IPsec An Authentication Set was deleted  5123 - A configuration entry changed in the OCSP
received an invalid negotiation packet.  5043 - A change has been made to IPsec settings. Responder Service
 4978 - During Extended Mode negotiation, IPsec A Connection Security Rule was added  5124 - A security setting was updated on OCSP
received an invalid negotiation packet.  5044 - A change has been made to IPsec settings. Responder Service
 4979 - IPsec Main Mode and Extended Mode A Connection Security Rule was modified  5125 - A request was submitted to OCSP
security associations were established.  5045 - A change has been made to IPsec settings. Responder Service
 4980 - IPsec Main Mode and Extended Mode A Connection Security Rule was deleted  5126 - Signing Certificate was automatically
security associations were established  5046 - A change has been made to IPsec settings. updated by the OCSP Responder Service
 4981 - IPsec Main Mode and Extended Mode A Crypto Set was added  5127 - The OCSP Revocation Provider successfully
security associations were established  5047 - A change has been made to IPsec settings. updated the revocation information
 4982 - IPsec Main Mode and Extended Mode A Crypto Set was modified  5136 - A directory service object was modified
security associations were established  5048 - A change has been made to IPsec settings.  5137 - A directory service object was created
 4983 - An IPsec Extended Mode negotiation failed A Crypto Set was deleted  5138 - A directory service object was undeleted
 4984 - An IPsec Extended Mode negotiation failed  5049 - An IPsec Security Association was deleted  5139 - A directory service object was moved
 4985 - The state of a transaction has changed  5050 - An attempt to programmatically disable the  5140 - A network share object was accessed
 5024 - The Windows Firewall Service has started Windows Firewall using a call to  5141 - A directory service object was deleted
successfully INetFwProfile.FirewallEnabled(FALSE  5142 - A network share object was added.
 5025 - The Windows Firewall Service has been  5051 - A file was virtualized  5143 - A network share object was modified
stopped  5056 - A cryptographic self test was performed

Andrea Fortuna - https://www.andreafortuna.org

 5144 - A network share object was deleted.  5440 - The following callout was present when the  5463 - PAStore Engine polled for changes to the
 5145 - A network share object was checked to see Windows Filtering Platform Base Filtering Engine active IPsec policy and detected no changes
whether client can be granted desired access started  5464 - PAStore Engine polled for changes to the
 5146 - The Windows Filtering Platform has  5441 - The following filter was present when the active IPsec policy, detected changes, and applied
blocked a packet Windows Filtering Platform Base Filtering Engine them to IPsec Services
 5147 - A more restrictive Windows Filtering started  5465 - PAStore Engine received a control for
Platform filter has blocked a packet  5442 - The following provider was present when forced reloading of IPsec policy and processed the
 5148 - The Windows Filtering Platform has the Windows Filtering Platform Base Filtering control successfully
detected a DoS attack and entered a defensive Engine started  5466 - PAStore Engine polled for changes to the
mode  5443 - The following provider context was present Active Directory IPsec policy, determined that
 5149 - The DoS attack has subsided and normal when the Windows Filtering Platform Base Active Directory cannot be reached, and will use
processing is being resumed. Filtering Engine started the cached copy of the Active Directory IPsec
 5150 - The Windows Filtering Platform has  5444 - The following sub-layer was present when policy instead
blocked a packet. the Windows Filtering Platform Base Filtering  5467 - PAStore Engine polled for changes to the
 5151 - A more restrictive Windows Filtering Engine started Active Directory IPsec policy, determined that
Platform filter has blocked a packet.  5446 - A Windows Filtering Platform callout has Active Directory can be reached, and found no
 5152 - The Windows Filtering Platform blocked a been changed changes to the policy
packet  5447 - A Windows Filtering Platform filter has  5468 - PAStore Engine polled for changes to the
 5153 - A more restrictive Windows Filtering been changed Active Directory IPsec policy, determined that
Platform filter has blocked a packet  5448 - A Windows Filtering Platform provider has Active Directory can be reached, found changes to
 5154 - The Windows Filtering Platform has been changed the policy, and applied those changes
permitted an application or service to listen on a  5449 - A Windows Filtering Platform provider  5471 - PAStore Engine loaded local storage IPsec
port for incoming connections context has been changed policy on the computer
 5155 - The Windows Filtering Platform has  5450 - A Windows Filtering Platform sub-layer has  5472 - PAStore Engine failed to load local storage
blocked an application or service from listening on been changed IPsec policy on the computer
a port for incoming connections  5451 - An IPsec Quick Mode security association  5473 - PAStore Engine loaded directory storage
 5156 - The Windows Filtering Platform has was established IPsec policy on the computer
allowed a connection  5452 - An IPsec Quick Mode security association  5474 - PAStore Engine failed to load directory
 5157 - The Windows Filtering Platform has ended storage IPsec policy on the computer
blocked a connection  5453 - An IPsec negotiation with a remote  5477 - PAStore Engine failed to add quick mode
 5158 - The Windows Filtering Platform has computer failed because the IKE and AuthIP IPsec filter
permitted a bind to a local port Keying Modules (IKEEXT) service is not started  5478 - IPsec Services has started successfully
 5159 - The Windows Filtering Platform has  5456 - PAStore Engine applied Active Directory  5479 - IPsec Services has been shut down
blocked a bind to a local port storage IPsec policy on the computer successfully
 5168 - Spn check for SMB/SMB2 fails.  5457 - PAStore Engine failed to apply Active  5480 - IPsec Services failed to get the complete list
 5169 - A directory service object was modified Directory storage IPsec policy on the computer of network interfaces on the computer
 5170 - A directory service object was modified  5458 - PAStore Engine applied locally cached copy  5483 - IPsec Services failed to initialize RPC server.
during a background cleanup task of Active Directory storage IPsec policy on the IPsec Services could not be started
 5376 - Credential Manager credentials were computer  5484 - IPsec Services has experienced a critical
backed up  5459 - PAStore Engine failed to apply locally failure and has been shut down
 5377 - Credential Manager credentials were cached copy of Active Directory storage IPsec  5485 - IPsec Services failed to process some IPsec
restored from a backup policy on the computer filters on a plug-and-play event for network
 5378 - The requested credentials delegation was  5460 - PAStore Engine applied local registry interfaces
disallowed by policy storage IPsec policy on the computer  5632 - A request was made to authenticate to a
 5379 - Credential Manager credentials were read  5461 - PAStore Engine failed to apply local registry wireless network
 5380 - Vault Find Credential storage IPsec policy on the computer  5633 - A request was made to authenticate to a
 5381 - Vault credentials were read  5462 - PAStore Engine failed to apply some rules wired network
 5382 - Vault credentials were read of the active IPsec policy on the computer

Andrea Fortuna - https://www.andreafortuna.org

 5712 - A Remote Procedure Call (RPC) was  6405 - BranchCache: %2 instance(s) of event id %1
attempted occurred.
 5888 - An object in the COM+ Catalog was  6406 - %1 registered to Windows Firewall to
modified control filtering for the following:
 5889 - An object was deleted from the COM+  6407 - %1
Catalog  6408 - Registered product %1 failed and Windows
 5890 - An object was added to the COM+ Catalog Firewall is now controlling the filtering for %2.
 6144 - Security policy in the group policy objects  6409 - BranchCache: A service connection point
has been applied successfully object could not be parsed
 6145 - One or more errors occured while  6410 - Code integrity determined that a file does
processing security policy in the group policy not meet the security requirements to load into a
objects process. This could be due to the use of shared
 6272 - Network Policy Server granted access to a sections or other issues
user  6416 - A new external device was recognized by
 6273 - Network Policy Server denied access to a the system.
user  6417 - The FIPS mode crypto selftests succeeded
 6274 - Network Policy Server discarded the  6418 - The FIPS mode crypto selftests failed
request for a user  6419 - A request was made to disable a device
 6275 - Network Policy Server discarded the  6420 - A device was disabled
accounting request for a user  6421 - A request was made to enable a device
 6276 - Network Policy Server quarantined a user  6422 - A device was enabled
 6277 - Network Policy Server granted access to a  6423 - The installation of this device is forbidden
user but put it on probation because the host did by system policy
not meet the defined health policy  6424 - The installation of this device was allowed,
 6278 - Network Policy Server granted full access to after having previously been forbidden by policy
a user because the host met the defined health  8191 - Highest System-Defined Audit Message
policy Value
 6279 - Network Policy Server locked the user
account due to repeated failed authentication
attempts
 6280 - Network Policy Server unlocked the user
account
 6281 - Code Integrity determined that the page
hashes of an image file are not valid...
 6400 - BranchCache: Received an incorrectly
formatted response while discovering availability
of content.
 6401 - BranchCache: Received invalid data from a
peer. Data discarded.
 6402 - BranchCache: The message to the hosted
cache offering it data is incorrectly formatted.
 6403 - BranchCache: The hosted cache sent an
incorrectly formatted response to the client's
message to offer it data.
 6404 - BranchCache: Hosted cache could not be
authenticated using the provisioned SSL
certificate.

Andrea Fortuna - https://www.andreafortuna.org