Windows Event ID Lookup

Look up any Windows Event ID for a plain-English explanation, log source, severity rating and practical troubleshooting steps. Database covers 200+ IDs across Security, System and Application logs.

The table below shows the 15 most common Event IDs. The full database covers 200+ IDs across authentication, account management, system, services, DNS, DHCP, BitLocker, Hyper-V, printing, RDP, firewall, Group Policy, Defender and more. Use the search above to look up any ID not listed.

About the Windows Event ID Lookup

Windows generates event log entries for virtually everything that happens on a system, from user logons and account changes to service failures, disk errors, firewall activity and security policy modifications. Every event is identified by a numeric Event ID that tells you what type of event occurred. The Event ID Lookup database covers over 200 of the most important Event IDs with plain-English explanations that go beyond what you see in Event Viewer itself.

The database covers events across the three main Windows logs. The Security log contains authentication events (logon success and failure, Kerberos, NTLM), account management events (user creation, group membership changes, password resets) and privilege use. The System log covers hardware events, service failures, driver issues, startup and shutdown. The Application log covers events from specific applications including Windows Defender, BitLocker, PowerShell script block logging, AppLocker and .NET runtime errors.

Each entry includes not just a description but practical troubleshooting steps drawn from real-world incident response and system administration experience. For security events, the tips explain which sub-status codes indicate which failure reasons, and what correlation with other Event IDs looks like in practice.

Common Use Cases

  • 🔍 Account lockout investigation. Event IDs 4625 and 4740 together tell you exactly which account is being locked out and from which source workstation. Essential for troubleshooting cached credential issues.
  • 🛡️ Incident response. During a security incident, Event IDs 4624, 4625, 4648, 4728 and 4719 form the core authentication and privilege escalation audit trail across domain controllers and servers.
  • 📊 SIEM rule writing. Use this database to understand exactly what each Event ID means before writing detection rules in Splunk, Sentinel, Elastic or any other SIEM platform.
  • 💡 PowerShell malware detection. Event IDs 4103 and 4104 (module and script block logging) capture the actual PowerShell code that was executed, even if it was obfuscated at the command line. Correlate with 4688 for the full picture.
  • 📋 Compliance auditing. Many compliance frameworks (PCI-DSS, ISO 27001, HIPAA) require specific Windows events to be monitored. Use this lookup to understand what each required event actually records.

Frequently Asked Questions

Where do I find these events in Windows?
Open Event Viewer (eventvwr.msc), expand Windows Logs, and select Security, System or Application depending on the log source shown in the lookup result. Use Filter Current Log and enter the Event ID number to find specific events quickly.
Why does Event ID 4625 show different failure reasons?
The Sub Status field in Event ID 4625 contains the actual failure reason as a hex code. 0xC000006A means wrong password, 0xC0000064 means the username does not exist, and 0xC0000234 means the account is locked out. The lookup entry for 4625 lists all the common sub status codes.
How do I enable PowerShell script block logging?
Via Group Policy: Computer Configuration, Administrative Templates, Windows Components, Windows PowerShell, Turn on PowerShell Script Block Logging. Set to Enabled. This activates Event ID 4104 logging, which captures all executed script blocks even when they were passed encoded with -EncodedCommand.
What is the difference between Event IDs 4624 and 4648?
Event ID 4624 is a standard successful logon. Event ID 4648 is a logon using explicitly supplied credentials, which occurs when a process uses different credentials from the logged-in user, such as with runas, scheduled tasks, or pass-the-hash attacks. 4648 is a higher-priority alert in security monitoring.
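The lockout use case above and the 4625 Sub Status codes in the FAQ, worked through as an added PowerShell example (not the lookup tool's own code). It assumes it is run against a domain controller, where 4740 is recorded; the three Sub Status meanings are the ones quoted above, and the 30-minute correlation window is an arbitrary choice.

```powershell
# Added example, not part of the Event ID Lookup page. Correlates 4625 logon
# failures with 4740 lockouts on one host and decodes the Sub Status field.
$SubStatusMeaning = @{          # PowerShell hashtable keys are case-insensitive,
    '0xC000006A' = 'Wrong password'            # so '0xc000006a' from the XML matches
    '0xC0000064' = 'User name does not exist'
    '0xC0000234' = 'Account locked out'
}

function Get-EventDataField {
    # Read a named <Data> element from the event XML rather than trusting Properties[] order.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LockoutContext {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $failures = @(); $lockouts = @()
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        if ($e.Id -eq 4740) {
            # In 4740 the "Caller Computer Name" is carried in the TargetDomainName data field.
            $lockouts += [pscustomobject]@{ Time = $e.TimeCreated
                Account = Get-EventDataField $x 'TargetUserName'
                Caller  = Get-EventDataField $x 'TargetDomainName' }
        } else {
            $code = Get-EventDataField $x 'SubStatus'
            $reason = if ($code -and $SubStatusMeaning.ContainsKey($code)) { $SubStatusMeaning[$code] }
                      else { 'Other (see the 4625 lookup entry)' }
            $failures += [pscustomobject]@{ Time = $e.TimeCreated
                Account     = Get-EventDataField $x 'TargetUserName'
                Workstation = Get-EventDataField $x 'WorkstationName'
                SourceIp    = Get-EventDataField $x 'IpAddress'
                LogonType   = Get-EventDataField $x 'LogonType'
                SubStatus   = $code; Reason = $reason }
        }
    }
    # For each lockout, summarise that account's failures in the 30 minutes before it fired.
    foreach ($l in $lockouts) {
        $window = @($failures | Where-Object { $_.Account -eq $l.Account -and
                    $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-30) })
        [pscustomobject]@{ LockedAccount = $l.Account; LockedAt = $l.Time; CallerComputer = $l.Caller
            FailureCount   = $window.Count
            SourceStations = ($window | Select-Object -ExpandProperty Workstation -Unique) -join ', '
            Reasons        = ($window | Select-Object -ExpandProperty Reason -Unique) -join ', ' }
    }
}

Get-LockoutContext -Hours 24 | Format-Table -AutoSize
```

A lockout whose caller computer does not appear among the 4625 workstations usually means the failures were processed elsewhere (another DC or a member server), so repeat the query there.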

Event Categories Covered

  • 🔑 Authentication and logon (4624, 4625, 4648, 4768, 4771, 4776). Covers interactive, network, RDP, Kerberos and NTLM authentication events with failure sub-codes.
  • 👤 Account management (4720, 4722, 4724, 4728, 4732, 4740). User creation, password changes, group membership changes and account lockouts.
  • 💻 System events (41, 6008, 7000, 7036, 7045). Unexpected shutdowns, service failures, new service installations and service state changes.
  • 🔒 Security tools (1116, 5001, 4103, 4104, 8003). Windows Defender detections, PowerShell logging and AppLocker enforcement events.
  • 🌐 Network services (150, 1046, 1056, 5025, 5157). DNS, DHCP, firewall and Active Directory replication events.