diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md index 926c8832ea..214bc1763d 100644 --- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md +++ b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md 
@@ -2,20 +2,28 @@ title: AD DS schema extensions to support TPM backup (Windows 10) description: This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. ms.assetid: beb7097c-e674-4eab-b8e2-6f67c85d1f3f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # AD DS schema extensions to support TPM backup + **Applies to** - Windows 10 + This topic provides more details about this change and provides template schema extensions that you can incorporate into your organization. + ## Why a schema extension is needed + The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 schemas. Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change. If Active Directory backup of the TPM owner authorization value is enabled in a Windows Server 2008 R2 environment without extending the schema, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8. The following are the two schema extensions that you can use to bring your Windows Server 2008 R2 domain to parity with Windows Server 2012: + ### TpmSchemaExtension.ldf + This schema extension brings parity with the Windows Server 2012 schema and is required if you want to store the TPM owner authorization value for a computer running Windows 8 in a Windows Server 2008 R2 AD DS domain. With this extension the TPM owner authorization information will be stored in a separate TPM object linked to the corresponding computer object. 
+ ``` syntax #=============================================================================== # @@ -212,11 +220,13 @@ dn: CN=TPM Devices,DC=X changetype: add objectClass: msTPM-InformationObjectsContainer ``` + You should be aware that only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. If you are planning to support such scenarios, you will need to update the schema further as shown in the schema extension example, TpmSchemaExtensionACLChanges.ldf. + ### TpmSchemaExtensionACLChanges.ldf + This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. -**Important** -After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects. +> **Important** After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth). When using this extension, perform a regular backup of the TPM objects and enable auditing to track the changes for these objects. ``` syntax #=============================================================================== diff --git a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 3de0486b5b..c05eb4ebd2 100644 --- a/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md 
+++ b/windows/keep-secure/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -2,17 +2,22 @@ title: Add rules for packaged apps to existing AppLocker rule-set (Windows 10) description: This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add rules for packaged apps to existing AppLocker rule-set + **Applies to** - Windows 10 + This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). + You can create packaged app rules for the computers running Windows Server 2012 or Windows 8 and later in your domain by updating your existing AppLocker rule set. All you need is a computer running at least Windows 8. Download and install the Remote Server Administration Toolkit (RSAT) from the Microsoft Download Center. + RSAT comes with the Group Policy Management Console which allows you to edit the GPO or GPOs where your existing AppLocker policy are authored. RSAT has the necessary files required to author packaged app rules. Packaged app rules will be ignored on computers running Windows 7 and earlier but will be enforced on those computers in your domain running at least Windows Server 2012 and Windows 8. diff --git a/windows/keep-secure/add-workstations-to-domain.md b/windows/keep-secure/add-workstations-to-domain.md index a03bb784f4..7cdeb90a8b 100644 --- a/windows/keep-secure/add-workstations-to-domain.md +++ b/windows/keep-secure/add-workstations-to-domain.md 
@@ -2,90 +2,94 @@ title: Add workstations to domain (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Add workstations to domain security policy setting. ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 -ms.pagetype: security ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library +ms.pagetype: security author: brianlic-msft --- + # Add workstations to domain + **Applies to** - Windows 10 + Describes the best practices, location, values, policy management and security considerations for the **Add workstations to domain** security policy setting. + ## Reference + This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain. Adding a machine account to the domain allows the device to participate in Active Directory-based networking. + Constant: SeMachineAccountPrivilege + ### Possible values + - User-defined list of accounts - Not Defined + ### Best practices + - Configure this setting so that only authorized members of the IT team are allowed to add devices to the domain. + ### Location + Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignment\\ + ### Default values + By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers. + The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. -
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not Defined |
-
Default Domain Controller Policy |
-Not Defined |
-
Stand-Alone Server Default Settings |
-Not Defined |
-
Domain Controller Effective Default Settings |
-Authenticated Users |
-
Member Server Effective Default Settings |
-Not Defined |
-
Client Computer Effective Default Settings |
-Not Defined |
-
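Review bot: in the `@@ -2,20 +2,28 @@` hunk of ad-ds-schema-extensions-to-support-tpm-backup.md, `ms.pagetype: security` is deleted and re-added below `ms.sitesec: library` with its value unchanged, and the same reorder is repeated in the other two files of this patch without any explanation in the commit; if a build or metadata-validation step requires that key order, say so in the commit message, otherwise drop the reorder and keep the hunk to the blank-line additions so the history stays attributable.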
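Review bot: in the `@@ -212,11 +220,13 @@` hunk, the new line `> **Important** After implementing this schema update, any computer in the domain can update the OwnerAuth of the TPM object ...` folds the callout label and its body onto one blockquote line, which loses the visual prominence the old two-line `**Important**` block gave to a statement defenders need to see (that the ACL change lets every domain computer write OwnerAuth and that backups plus auditing are the compensating controls); keep the label on its own quoted line (`> **Important**` followed by `> After implementing ...`). The adjacent ``` syntax fence also tags the LDIF (`dn:`, `changetype:`, `objectClass:` are visible in the context lines) with a non-language name; `ldif` would give correct highlighting.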
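Review bot: while the `@@ -2,17 +2,22 @@` hunk of add-rules-for-packaged-apps-to-existing-applocker-rule-set.md is only inserting blank lines around the headings and reordering front matter, the context line `where your existing AppLocker policy are authored` has a subject-verb mismatch; fix it to `policies are authored` in this change rather than leaving it for a separate commit.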
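Review bot: the `@@ -2,90 +2,94 @@` hunk of add-workstations-to-domain.md removes the flattened default-values table and the rows that replace it are not visible in this excerpt; before merging, confirm the new table still carries `Domain Controller Effective Default Settings | Authenticated Users` verbatim, because that row is the fact the Reference paragraph depends on (any authenticated user can add up to ten workstations by default) and the Best practices bullet is arguing against, and check that the remaining `Not Defined` rows survive unchanged rather than being re-spelled as `Not defined` the way other tables in this patch do.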
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Administrators -Local Service -Network Service |
-
Default Domain Controller Policy |
-Administrators -Local Service -Network Service |
-
Stand-Alone Server Default Settings |
-Administrators -Local Service -Network Service |
-
Domain Controller Effective Default Settings |
-Administrators -Local Service -Network Service |
-
Member Server Effective Default Settings |
-Administrators -Local Service -Network Service |
-
Client Computer Effective Default Settings |
-Administrators -Local Service -Network Service |
-
Topic | -Description | -
---|---|
[Maintain AppLocker policies](maintain-applocker-policies.md) |
-This topic describes how to maintain rules within AppLocker policies. |
-
[Edit an AppLocker policy](edit-an-applocker-policy.md) |
-This topic for IT professionals describes the steps required to modify an AppLocker policy. |
-
[Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) |
-This topic discusses the steps required to test an AppLocker policy prior to deployment. |
-
[Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) |
-This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
-
[Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) |
-This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
-
[Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) |
-This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. |
-
[Optimize AppLocker performance](optimize-applocker-performance.md) |
-This topic for IT professionals describes how to optimize AppLocker policy enforcement. |
-
[Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) |
-This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
-
[Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) |
-This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
-
[Working with AppLocker rules](working-with-applocker-rules.md) |
-This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
-
[Working with AppLocker policies](working-with-applocker-policies.md) |
-This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
-
Auditing subcategory | -Setting configured in an OU GPO (higher priority) | -Setting configured in a domain GPO (lower priority) | -Resulting policy for the target computer | -
---|---|---|---|
Detailed File Share Auditing |
-Success |
-Failure |
-Success |
-
Process Creation Auditing |
-Disabled |
-Success |
-Disabled |
-
Logon Auditing |
-Success |
-Failure |
-Failure |
-
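Review bot: in the removed audit-policy precedence table (`Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy ...`), the `Logon Auditing | Success | Failure | Failure` row resolves to the lower-priority domain GPO value, while the two rows above it resolve to the higher-priority OU GPO value (`Success`, `Disabled`); if the markdown table that replaces this one carries the row over as-is, either verify and correct the result column or add a sentence explaining why that row differs, since readers use this table to predict which GPO wins.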
Topic | -Description | -
---|---|
[Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) |
-This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. |
-
[Advanced security auditing FAQ](advanced-security-auditing-faq.md) |
-This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. |
-
[Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) |
-This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. |
-
[Advanced security audit policy settings](advanced-security-audit-policy-settings.md) |
-This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not Defined |
-
Default Domain Controller Policy |
-Account Operators -Administrators -Backup Operators -Print Operators -Server Operators |
-
Stand-Alone Server Default Settings |
-Administrators -Backup Operators -Users |
-
Domain Controller Effective Default Settings |
-Account Operators -Administrators -Backup Operators -Print Operators -Server Operators |
-
Member Server Effective Default Settings |
-Administrators -Backup Operators -Users |
-
Client Computer Effective Default Settings |
-Administrators -Backup Operators -Users |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not Defined |
-
Default Domain Controller Policy |
-Administrators |
-
Stand-Alone Server Default Settings |
-Administrators -Remote Desktop Users |
-
Domain Controller Effective Default Settings |
-Administrators |
-
Member Server Effective Default Settings |
-Administrators -Remote Desktop Users |
-
Client Computer Effective Default Settings |
-Administrators -Remote Desktop Users |
-
Security level ID | -SRP | -AppLocker | -
---|---|---|
SAFER_LEVELID_FULLYTRUSTED |
-Supported |
-Supported |
-
SAFER_LEVELID_NORMALUSER |
-Supported |
-Not supported |
-
SAFER_LEVELID_CONSTRAINED |
-Supported |
-Not supported |
-
SAFER_LEVELID_UNTRUSTED |
-Supported |
-Not supported |
-
SAFER_LEVELID_DISALLOWED |
-Supported |
-Supported |
-
Setting | -Default value | -
---|---|
Accounts created |
-None |
-
Authentication method |
-Not applicable |
-
Management interfaces |
-AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
-
Ports opened |
-None |
-
Minimum privileges required |
-Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
-
Protocols used |
-Not applicable |
-
Scheduled Tasks |
-Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
-
Security Policies |
-None required. AppLocker creates security policies. |
-
System Services required |
-Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
-
Storage of credentials |
-None |
-
Topic | -Description | -
---|---|
[Administer AppLocker](administer-applocker.md) |
-This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
-
[AppLocker design guide](applocker-policies-design-guide.md) |
-This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
-
[AppLocker deployment guide](applocker-policies-deployment-guide.md) |
-This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
-
[AppLocker technical reference](applocker-technical-reference.md) |
-This overview topic for IT professionals provides links to the topics in the technical reference. |
-
Topic | -Description | -
---|---|
[Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) |
-This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. |
-
[Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md) |
-This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. |
-
[Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md) |
-This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. |
-
[Create Your AppLocker policies](create-your-applocker-policies.md) |
-This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. |
-
[Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md) |
-This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. |
-
Topic | -Description | -
---|---|
[Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) |
-This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. |
-
[Determine your application control objectives](determine-your-application-control-objectives.md) |
-This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. |
-
[Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) |
-This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. |
-
[Select the types of rules to create](select-types-of-rules-to-create.md) |
-This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
-
[Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) |
-This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
-
[Plan for AppLocker policy management](plan-for-applocker-policy-management.md) |
-This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
-
[Create your AppLocker planning document](create-your-applocker-planning-document.md) |
-This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. |
-
Setting | -Value | -
---|---|
Registry path |
-Policies are stored in \HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2 |
-
Firewall ports |
-Not applicable |
-
Security policies |
-Custom created, no default |
-
Group Policy settings |
-Custom created, no default |
-
Network ports |
-Not applicable |
-
Service accounts |
-Not applicable |
-
Performance counters |
-Not applicable |
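Review bot: the removed `Registry path` row reads `\HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2`, with a stray leading backslash and a mixed-case hive name; when this row is re-typed into the markdown table, write it as `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2` so that an administrator who pastes it into reg.exe or Get-ItemProperty to verify the deployed AppLocker policy gets a valid key path.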
-
Topic | -Description | -
---|---|
[What Is AppLocker?](what-is-applocker.md) |
-This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. |
-
[Requirements to use AppLocker](requirements-to-use-applocker.md) |
-This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. |
-
[AppLocker policy use scenarios](applocker-policy-use-scenarios.md) |
-This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. |
-
[How AppLocker works](how-applocker-works-techref.md) |
-This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. |
-
[AppLocker architecture and components](applocker-architecture-and-components.md) |
-This topic for IT professional describes AppLocker’s basic architecture and its major components. |
-
[AppLocker processes and interactions](applocker-processes-and-interactions.md) |
-This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. |
-
[AppLocker functions](applocker-functions.md) |
-This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. |
-
[Security considerations for AppLocker](security-considerations-for-applocker.md) |
-This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. |
-
[Tools to Use with AppLocker](tools-to-use-with-applocker.md) |
-This topic for the IT professional describes the tools available to create and administer AppLocker policies. |
-
[AppLocker Settings](applocker-settings.md) |
-This topic for the IT professional lists the settings used by AppLocker. |
-
Event ID | -Event message | -
---|---|
4625 |
-An account failed to log on. |
-
Event ID | -Event message | -
---|---|
4665 |
-An attempt was made to create an application client context. |
-
4666 |
-An application attempted an operation: |
-
4667 |
-An application client context was deleted. |
-
4668 |
-An application was initialized. |
-
Event ID | -Event message | -
---|---|
4783 |
-A basic application group was created. - |
-
4784 |
-A basic application group was changed. - |
-
4785 |
-A member was added to a basic application group. - |
-
4786 |
-A member was removed from a basic application group. - |
-
4787 |
-A non-member was added to a basic application group. - |
-
4788 |
-A non-member was removed from a basic application group. - |
-
4789 |
-A basic application group was deleted. - |
-
4790 |
-An LDAP query group was created. - |
-
Event ID | -Event message | -
---|---|
4715 |
-The audit policy (SACL) on an object was changed. |
-
4719 |
-System audit policy was changed. |
-
4817 |
-Auditing settings on an object were changed. -
-Note
-
-This event is logged only on computers running the supported versions of the Windows operating system. -
-
- |
-
4902 |
-The Per-user audit policy table was created. |
-
4904 |
-An attempt was made to register a security event source. |
-
4905 |
-An attempt was made to unregister a security event source. |
-
4906 |
-The CrashOnAuditFail value has changed. |
-
4907 |
-Auditing settings on object were changed. |
-
4908 |
-Special Groups Logon table modified. |
-
4912 |
-Per User Audit Policy was changed. |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
Event ID | -Event message | -
---|---|
4659 |
-A handle to an object was requested with intent to delete. |
-
4660 |
-An object was deleted. |
-
4661 |
-A handle to an object was requested. |
-
4663 |
-An attempt was made to access an object. |
-
Event ID | -Event message | -
---|---|
560 |
-Access was granted to an already existing object. |
-
562 |
-A handle to an object was closed. |
-
563 |
-An attempt was made to open an object with the intent to delete it. -
-Note
-
-This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). -
-
- |
-
564 |
-A protected object was deleted. |
-
565 |
-Access was granted to an already existing object type. |
-
567 |
-A permission associated with a handle was used. -
-Note
-
-A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. -
-
- |
-
569 |
-The resource manager in Authorization Manager attempted to create a client context. |
-
570 |
-A client attempted to access an object. -
-Note
-
-An event will be generated for every attempted operation on the object. -
-
- |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
Event ID | -Event message | -
---|---|
4713 |
-Kerberos policy was changed. |
-
4716 |
-Trusted domain information was modified. |
-
4717 |
-System security access was granted to an account. |
-
4718 |
-System security access was removed from an account. |
-
4739 |
-Domain Policy was changed. |
-
4864 |
-A namespace collision was detected. |
-
4865 |
-A trusted forest information entry was added. |
-
4866 |
-A trusted forest information entry was removed. |
-
4867 |
-A trusted forest information entry was modified. |
-
Event ID | -Event message | -
---|---|
4704 |
-A user right was assigned. |
-
4705 |
-A user right was removed. |
-
4706 |
-A new trust was created to a domain. |
-
4707 |
-A trust to a domain was removed. |
-
4714 |
-Encrypted data recovery policy was changed. |
-
Event ID | -Event message | -
---|---|
4818 |
-Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |
-
Event ID | -Event message | -
---|---|
4868 |
-The certificate manager denied a pending certificate request. |
-
4869 |
-Certificate Services received a resubmitted certificate request. |
-
4870 |
-Certificate Services revoked a certificate. |
-
4871 |
-Certificate Services received a request to publish the certificate revocation list (CRL). |
-
4872 |
-Certificate Services published the certificate revocation list (CRL). |
-
4873 |
-A certificate request extension changed. |
-
4874 |
-One or more certificate request attributes changed. |
-
4875 |
-Certificate Services received a request to shut down. |
-
4876 |
-Certificate Services backup started. |
-
4877 |
-Certificate Services backup completed. |
-
4878 |
-Certificate Services restore started. |
-
4879 |
-Certificate Services restore completed. |
-
4880 |
-Certificate Services started. |
-
4881 |
-Certificate Services stopped. |
-
4882 |
-The security permissions for Certificate Services changed. |
-
4883 |
-Certificate Services retrieved an archived key. |
-
4884 |
-Certificate Services imported a certificate into its database. |
-
4885 |
-The audit filter for Certificate Services changed. |
-
4886 |
-Certificate Services received a certificate request. |
-
4887 |
-Certificate Services approved a certificate request and issued a certificate. |
-
4888 |
-Certificate Services denied a certificate request. |
-
4889 |
-Certificate Services set the status of a certificate request to pending. |
-
4890 |
-The certificate manager settings for Certificate Services changed. |
-
4891 |
-A configuration entry changed in Certificate Services. |
-
4892 |
-A property of Certificate Services changed. |
-
4893 |
-Certificate Services archived a key. |
-
4894 |
-Certificate Services imported and archived a key. |
-
4895 |
-Certificate Services published the CA certificate to Active Directory Domain Services. |
-
4896 |
-One or more rows have been deleted from the certificate database. |
-
4897 |
-Role separation enabled: |
-
4898 |
-Certificate Services loaded a template. |
-
Event ID | -Event message | -
---|---|
4741 |
-A computer account was created. |
-
4742 |
-A computer account was changed. |
-
4743 |
-A computer account was deleted. |
-
Event ID | -Event message | -
---|---|
4774 |
-An account was mapped for logon. - |
-
4775 |
-An account could not be mapped for logon. - |
-
4776 |
-The domain controller attempted to validate the credentials for an account. - |
-
4777 |
-The domain controller failed to validate the credentials for an account. - |
-
Event ID | -Event message | -
---|---|
4928 |
-An Active Directory replica source naming context was established. |
-
4929 |
-An Active Directory replica source naming context was removed. |
-
4930 |
-An Active Directory replica source naming context was modified. |
-
4931 |
-An Active Directory replica destination naming context was modified. |
-
4934 |
-Attributes of an Active Directory object were replicated. |
-
4935 |
-Replication failure begins. |
-
4936 |
-Replication failure ends. |
-
4937 |
-A lingering object was removed from a replica. |
-
Event ID | -Event message | -
---|---|
5145 |
-A network share object was checked to see whether the client can be granted desired access. |
-
Event ID | -Event message | -
---|---|
4662 |
-An operation was performed on an object. |
-
Event ID | -Event message | -
---|---|
5136 |
-A directory service object was modified. |
-
5137 |
-A directory service object was created. |
-
5138 |
-A directory service object was undeleted. |
-
5139 |
-A directory service object was moved. |
-
5141 |
-A directory service object was deleted. |
-
Event ID | -Event message | -
---|---|
4932 |
-Synchronization of a replica of an Active Directory naming context has begun. |
-
4933 |
-Synchronization of a replica of an Active Directory naming context has ended. |
-
Event ID | -Event message | -
---|---|
4744 |
-A security-disabled local group was created. |
-
4745 |
-A security-disabled local group was changed. |
-
4746 |
-A member was added to a security-disabled local group. |
-
4747 |
-A member was removed from a security-disabled local group. |
-
4748 |
-A security-disabled local group was deleted. |
-
4749 |
-A security-disabled global group was created. |
-
4750 |
-A security-disabled global group was changed. |
-
4751 |
-A member was added to a security-disabled global group. |
-
4752 |
-A member was removed from a security-disabled global group. |
-
4753 |
-A security-disabled global group was deleted. |
-
4759 |
-A security-disabled universal group was created. |
-
4760 |
-A security-disabled universal group was changed. |
-
4761 |
-A member was added to a security-disabled universal group. |
-
4762 |
-A member was removed from a security-disabled universal group. |
-
Event ID | -Event message | -
---|---|
4692 |
-Backup of data protection master key was attempted. |
-
4693 |
-Recovery of data protection master key was attempted. |
-
4694 |
-Protection of auditable protected data was attempted. |
-
4695 |
-Unprotection of auditable protected data was attempted. |
-
Event ID | -Event message | -
---|---|
5140 |
-A network share object was accessed. -
-Note
-
-This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. -
-
- |
-
5142 |
-A network share object was added. |
-
5143 |
-A network share object was modified. |
-
5144 |
-A network share object was deleted. |
-
5168 |
-SPN check for SMB/SMB2 failed. |
-
Event ID | -Event message | -
---|---|
4664 |
-An attempt was made to create a hard link. |
-
4985 |
-The state of a transaction has changed. |
-
5051 |
-A file was virtualized. |
-
Event ID | -Event message | -
---|---|
5031 |
-The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
-
5140 |
-A network share object was accessed. |
-
5150 |
-The Windows Filtering Platform blocked a packet. |
-
5151 |
-A more restrictive Windows Filtering Platform filter has blocked a packet. |
-
5154 |
-The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
-
5155 |
-The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
-
5156 |
-The Windows Filtering Platform has allowed a connection. |
-
5157 |
-The Windows Filtering Platform has blocked a connection. |
-
5158 |
-The Windows Filtering Platform has permitted a bind to a local port. |
-
5159 |
-The Windows Filtering Platform has blocked a bind to a local port. |
-
Event ID | -Event message | -
---|---|
5152 |
-The Windows Filtering Platform blocked a packet. |
-
5153 |
-A more restrictive Windows Filtering Platform filter has blocked a packet. |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Enabled |
-
DC Effective Default Settings |
-Enabled |
-
Member Server Effective Default Settings |
-Enabled |
-
Client Computer Effective Default Settings |
-Enabled |
-
Event ID | -Event message | -
---|---|
4627 |
-Group membership information. |
-
Event ID | -Event message | -
---|---|
4656 |
-A handle to an object was requested. |
-
4658 |
-The handle to an object was closed. |
-
4690 |
-An attempt was made to duplicate a handle to an object. |
-
Event ID | -Event message | -
---|---|
4960 |
-IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
-
4961 |
-IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
-
4962 |
-IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
-
4963 |
-IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
-
4965 |
-IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
-
5478 |
-IPsec Services has started successfully. |
-
5479 |
-IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
-
5480 |
-IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
-
5483 |
-IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
-
5484 |
-IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
-
5485 |
-IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
-
Event ID | -Event message | -
---|---|
4978 |
-During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
-
4979 |
-IPsec Main Mode and Extended Mode security associations were established. -
-Note
-
-This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. -
-
- |
-
4980 |
-IPsec Main Mode and Extended Mode security associations were established. -
-Note
-
-This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: -
-
- |
-
4981 |
-IPsec Main Mode and Extended Mode security associations were established. -
-Note
-
-This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. -
-
- |
-
4982 |
-IPsec Main Mode and Extended Mode security associations were established. -
-Note
-
-This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. -
-
- |
-
4983 |
-An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. -
-Note
-
-This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. -
-
- |
-
4984 |
-An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. -
-Note
-
-This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. -
-
- |
-
Event ID | -Event message | -
---|---|
4646 |
-Security ID: %1 |
-
4650 |
-An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. |
-
4651 |
-An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. |
-
4652 |
-An IPsec Main Mode negotiation failed. -
-Note
-
-This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. -
-
- |
-
4653 |
-An IPsec Main Mode negotiation failed. -
-Note
-
-This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. -
-
- |
-
4655 |
-An IPsec Main Mode security association ended. |
-
4976 |
-During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
-
5049 |
-An IPsec Security Association was deleted. |
-
5453 |
-An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
-
Event ID | -Event message | -
---|---|
4977 |
-During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
-
5451 |
-An IPsec Quick Mode security association was established. |
-
5452 |
-An IPsec Quick Mode security association ended. |
-
Event ID | -Event message | -
---|---|
4768 |
-A Kerberos authentication ticket (TGT) was requested. |
-
4771 |
-Kerberos preauthentication failed. |
-
4772 |
-A Kerberos authentication ticket request failed. |
-
Event ID | -Event message | -
---|---|
4769 |
-A Kerberos service ticket was requested. |
-
4770 |
-A Kerberos service ticket was renewed. |
-
Event ID | -Event message | -
---|---|
4659 |
-A handle to an object was requested with intent to delete. |
-
4660 |
-An object was deleted. |
-
4661 |
-A handle to an object was requested. |
-
4663 |
-An attempt was made to access an object. |
-
Event ID | -Event message | -
---|---|
4634 |
-An account was logged off. |
-
4647 |
-User initiated logoff. |
-
Event ID | -Event message | -
---|---|
4624 |
-An account was successfully logged on. |
-
4625 |
-An account failed to log on. |
-
4648 |
-A logon was attempted using explicit credentials. |
-
4675 |
-SIDs were filtered. |
-
Event ID | -Event message | -
---|---|
4944 |
-The following policy was active when the Windows Firewall started. |
-
4945 |
-A rule was listed when the Windows Firewall started. |
-
4946 |
-A change has been made to Windows Firewall exception list. A rule was added. |
-
4947 |
-A change has been made to Windows Firewall exception list. A rule was modified. |
-
4948 |
-A change has been made to Windows Firewall exception list. A rule was deleted. |
-
4949 |
-Windows Firewall settings were restored to the default values. |
-
4950 |
-A Windows Firewall setting has changed. |
-
4951 |
-A rule has been ignored because its major version number was not recognized by Windows Firewall. |
-
4952 |
-Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. |
-
4953 |
-A rule has been ignored by Windows Firewall because it could not parse the rule. |
-
4954 |
-Windows Firewall Group Policy settings have changed. The new settings have been applied. |
-
4956 |
-Windows Firewall has changed the active profile. |
-
4957 |
-Windows Firewall did not apply the following rule: |
-
4958 |
-Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |
-
Event ID | -Event message | -
---|---|
6272 |
-Network Policy Server granted access to a user. |
-
6273 |
-Network Policy Server denied access to a user. |
-
6274 |
-Network Policy Server discarded the request for a user. |
-
6275 |
-Network Policy Server discarded the accounting request for a user. |
-
6276 |
-Network Policy Server quarantined a user. |
-
6277 |
-Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
-
6278 |
-Network Policy Server granted full access to a user because the host met the defined health policy. |
-
6279 |
-Network Policy Server locked the user account due to repeated failed authentication attempts. |
-
6280 |
-Network Policy Server unlocked the user account. |
-
Event ID | -Event message | -
---|---|
4672 |
-Special privileges assigned to new logon. |
-
4673 |
-A privileged service was called. |
-
4674 |
-An operation was attempted on a privileged object. |
-
Event ID | -Event message | -
---|---|
4649 |
-A replay attack was detected. |
-
4778 |
-A session was reconnected to a Window Station. |
-
4779 |
-A session was disconnected from a Window Station. |
-
4800 |
-The workstation was locked. |
-
4801 |
-The workstation was unlocked. |
-
4802 |
-The screen saver was invoked. |
-
4803 |
-The screen saver was dismissed. |
-
5378 |
-The requested credentials delegation was disallowed by policy. |
-
5632 |
-A request was made to authenticate to a wireless network. |
-
5633 |
-A request was made to authenticate to a wired network. |
-
Event ID | -Event Message Summary | -
---|---|
4782 |
-The password hash for an account was accessed. |
-
4793 |
-The Password Policy Checking API was called. |
-
Event ID | -Event message | -
---|---|
4649 |
-A replay attack was detected. |
-
4778 |
-A session was reconnected to a Window Station. |
-
4779 |
-A session was disconnected from a Window Station. |
-
4800 |
-The workstation was locked. |
-
4801 |
-The workstation was unlocked. |
-
4802 |
-The screen saver was invoked. |
-
4803 |
-The screen saver was dismissed. |
-
5378 |
-The requested credentials delegation was disallowed by policy. |
-
5632 |
-A request was made to authenticate to a wireless network. |
-
5633 |
-A request was made to authenticate to a wired network. |
-
Event ID | -Event message | -
---|---|
4671 |
-An application attempted to access a blocked ordinal through the TBS. |
-
4691 |
-Indirect access to an object was requested. |
-
4698 |
-A scheduled task was created. |
-
4699 |
-A scheduled task was deleted. |
-
4700 |
-A scheduled task was enabled. |
-
4701 |
-A scheduled task was disabled. |
-
4702 |
-A scheduled task was updated. |
-
5148 |
-The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
-
5149 |
-The DoS attack has subsided and normal processing is being resumed. |
-
5888 |
-An object in the COM+ Catalog was modified. |
-
5889 |
-An object was deleted from the COM+ Catalog. |
-
5890 |
-An object was added to the COM+ Catalog. |
-
Event ID | -Event message | -
---|---|
4670 |
-Permissions on an object were changed. |
-
4909 |
-The local policy settings for the TBS were changed. |
-
4910 |
-The group policy settings for the TBS were changed. |
-
5063 |
-A cryptographic provider operation was attempted. |
-
5064 |
-A cryptographic context operation was attempted. |
-
5065 |
-A cryptographic context modification was attempted. |
-
5066 |
-A cryptographic function operation was attempted. |
-
5067 |
-A cryptographic function modification was attempted. |
-
5068 |
-A cryptographic function provider operation was attempted. |
-
5069 |
-A cryptographic function property operation was attempted. |
-
5070 |
-A cryptographic function property modification was attempted. |
-
5447 |
-A Windows Filtering Platform filter has been changed. |
-
6144 |
-Security policy in the group policy objects has been applied successfully. |
-
6145 |
-One or more errors occurred while processing security policy in the group policy objects. |
-
Event ID | -Event message | -
---|---|
5024 |
-The Windows Firewall Service has started successfully. |
-
5025 |
-The Windows Firewall Service has been stopped. |
-
5027 |
-The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
-
5028 |
-The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
-
5029 |
-The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
-
5030 |
-The Windows Firewall Service failed to start. |
-
5032 |
-Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. |
-
5033 |
-The Windows Firewall Driver has started successfully. |
-
5034 |
-The Windows Firewall Driver has been stopped. |
-
5035 |
-The Windows Firewall Driver failed to start. |
-
5037 |
-The Windows Firewall Driver detected critical runtime error. Terminating. |
-
5058 |
-Key file operation. |
-
5059 |
-Key migration operation. |
-
6400 |
-BranchCache: Received an incorrectly formatted response while discovering availability of content. |
-
6401 |
-BranchCache: Received invalid data from a peer. Data discarded. |
-
6402 |
-BranchCache: The message to the hosted cache offering it data is incorrectly formatted. |
-
6403 |
-BranchCache: The hosted cache sent an incorrectly formatted response to the client. |
-
6404 |
-BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. |
-
6405 |
-BranchCache: %2 instance(s) of event id %1 occurred. |
-
6406 |
-%1 registered to Windows Firewall to control filtering for the following: %2 |
-
6407 |
-1% |
-
6408 |
-Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |
-
Event ID | -Event message | -
---|---|
6416 |
-A new external device was recognized by the system. |
-
Event ID | -Event message | -
---|---|
4688 |
-A new process has been created. |
-
4696 |
-A primary token was assigned to a process. |
-
Event ID | -Event message | -
---|---|
4689 |
-A process has exited. |
-
Event ID | -Event message | -
---|---|
4657 |
-A registry value was modified. |
-
5039 |
-A registry key was virtualized. |
-
Event ID | -Event message | -
---|---|
5712 |
-A Remote Procedure Call (RPC) was attempted. |
-
Event ID | -Event message | -
---|---|
4659 |
-A handle to an object was requested with intent to delete. |
-
4660 |
-An object was deleted. |
-
4661 |
-A handle to an object was requested. |
-
4663 |
-An attempt was made to access an object. |
-
Event ID | -Event message | -
---|---|
4727 |
-A security-enabled global group was created. |
-
4728 |
-A member was added to a security-enabled global group. |
-
4729 |
-A member was removed from a security-enabled global group. |
-
4730 |
-A security-enabled global group was deleted. |
-
4731 |
-A security-enabled local group was created. |
-
4732 |
-A member was added to a security-enabled local group. |
-
4733 |
-A member was removed from a security-enabled local group. |
-
4734 |
-A security-enabled local group was deleted. |
-
4735 |
-A security-enabled local group was changed. |
-
4737 |
-A security-enabled global group was changed. |
-
4754 |
-A security-enabled universal group was created. |
-
4755 |
-A security-enabled universal group was changed. |
-
4756 |
-A member was added to a security-enabled universal group. |
-
4757 |
-A member was removed from a security-enabled universal group. |
-
4758 |
-A security-enabled universal group was deleted. |
-
4764 |
-A group's type was changed. |
-
Event ID | -Event Message Summary | -Minimum Requirement | -
---|---|---|
4608 |
-Windows is starting up. |
-Windows Vista, Windows Server 2008 |
-
4609 |
-Windows is shutting down. |
-Windows Vista, Windows Server 2008 |
-
4616 |
-The system time was changed. |
-Windows Vista, Windows Server 2008 |
-
4621 |
-Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. |
-Windows Vista, Windows Server 2008 |
-
Event ID | -Event message | -
---|---|
4610 |
-An authentication package has been loaded by the Local Security Authority. |
-
4611 |
-A trusted logon process has been registered with the Local Security Authority. |
-
4614 |
-A notification package has been loaded by the Security Account Manager. |
-
4622 |
-A security package has been loaded by the Local Security Authority. |
-
4697 |
-A service was installed in the system. |
-
Event ID | -Event message | -
---|---|
4672 |
-Special privileges assigned to new logon. |
-
4673 |
-A privileged service was called. |
-
4674 |
-An operation was attempted on a privileged object. |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not defined |
-
Default Domain Controller Policy |
-Not defined |
-
Stand-Alone Server Default Settings |
-Disabled |
-
DC Effective Default Settings |
-Disabled |
-
Member Server Effective Default Settings |
-Disabled |
-
Client Computer Effective Default Settings |
-Disabled |
-
Event ID | -Event message | -
---|---|
4964 |
-Special groups have been assigned to a new logon. |
-
Event ID | -Event message | -
---|---|
4612 |
-Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
-
4615 |
-Invalid use of LPC port. |
-
4618 |
-A monitored security event pattern has occurred. |
-
4816 |
-RPC detected an integrity violation while decrypting an incoming message. |
-
5038 |
-Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. |
-
5056 |
-A cryptographic self-test was performed. |
-
5057 |
-A cryptographic primitive operation failed. |
-
5060 |
-Verification operation failed. |
-
5061 |
-Cryptographic operation. |
-
5062 |
-A kernel-mode cryptographic self-test was performed. |
-
6281 |
-Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. |
-
Event ID | -Event message | -
---|---|
4720 |
-A user account was created. |
-
4722 |
-A user account was enabled. |
-
4723 |
-An attempt was made to change an account's password. |
-
4724 |
-An attempt was made to reset an account's password. |
-
4725 |
-A user account was disabled. |
-
4726 |
-A user account was deleted. |
-
4738 |
-A user account was changed. |
-
4740 |
-A user account was locked out. |
-
4765 |
-SID History was added to an account. |
-
4766 |
-An attempt to add SID History to an account failed. |
-
4767 |
-A user account was unlocked. |
-
4780 |
-The ACL was set on accounts which are members of administrators groups. |
-
4781 |
-The name of an account was changed: |
-
4794 |
-An attempt was made to set the Directory Services Restore Mode. |
-
5376 |
-Credential Manager credentials were backed up. |
-
5377 |
-Credential Manager credentials were restored from a backup. |
-
Server type or GPO | -Default value | -
---|---|
Default Domain Policy |
-Not Defined |
-
Default Domain Controller Policy |
-Administrators -Backup Operators -Server Operators |
-
Stand-Alone Server Default Settings |
-Administrators -Backup Operators |
-
Domain Controller Effective Default Settings |
-Administrators -Backup Operators -Server Operators |
-
Member Server Effective Default Settings |
-Administrators -Backup Operators |
-
Client Computer Effective Default Settings |
-Administrators -Backup Operators |
-
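Review bot: the removed flattened tables carry three defects that the replacement tables should not inherit: the Event ID block for 4649 through 5633 (4649 "A replay attack was detected." to 5633 "A request was made to authenticate to a wired network.") appears twice in this region, once under an "Event message" header and again a few tables later, so only one copy should survive; the 4980 note reads "Main Mode Remote Endpoint. Main Mode Cryptographic Information" with a period where the other 497x/498x notes use a comma, and it ends with a colon instead of a period; and the 6407 message is "1%", which looks like a transposition of the "%1" placeholder form used by 6405, 6406 and 6408. The header for the 4782/4793 and 4608..4621 tables is "Event Message Summary" while every other table uses "Event message"; please normalize that in the rewritten tables as well.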