Windows Event Logs

Good old Windows event logs: these store all the fun that has been happening on a Windows box. At first glance they can look quite daunting, as there is a ridiculous number of them and they are not always clear. Below is a breakdown of some of the different event types you should look out for if you ever need to audit these logs 🙂

Windows Firewall

Event Code:
5152 – Packet was blocked
5154 – Application permitted to listen for incoming connections
5156 – Permitted connection
5157 – Blocked connection

Authentication

Login
4624 – Successful login
4625 – Failed login

Accounts
4720 – User account was created
4724 – Attempt to reset password
4735 – Local group change
4738 – User password change

Logon types:
Type 2 – Interactive (GUI)
Type 3 – Network
Type 4 – Batch
Type 5 – Service
Type 8 – Network Clear Text
Type 9 – New Credentials (RDP Tools)
Type 10 – RDP
Type 11 – Cached
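As an added example (not part of the original post), the following Python applies the login event IDs and logon types above to exported Security log records: it flags bursts of 4625 failures per account and successful 4624 logons of the clear-text (type 8) and RDP (type 10) kinds. The record field names are assumptions about the export format.

```python
"""Triage exported Windows Security events using the IDs and logon types above.

Added example, not part of the original post. Each record is assumed to be a
dict with EventID, TimeCreated (ISO 8601), LogonType and TargetUserName, close
to what `Get-WinEvent ... | ConvertTo-Json` exports (field names are assumptions).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types as listed on this page, used to decode 4624/4625 records.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               8: "Network Clear Text", 9: "New Credentials", 10: "RDP", 11: "Cached"}

def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Return {account: peak count} for accounts with at least `threshold`
    4625 failed logins inside any span of length `window` (guessing/spraying)."""
    by_user = defaultdict(list)
    for r in records:
        if r["EventID"] == 4625:
            by_user[r["TargetUserName"]].append(datetime.fromisoformat(r["TimeCreated"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits

def risky_logons(records):
    """Successful (4624) logons worth a second look: type 8 sent the password
    over the network in clear text, type 10 is a remote desktop session."""
    return [(r["TargetUserName"], LOGON_TYPES[r["LogonType"]])
            for r in records if r["EventID"] == 4624 and r.get("LogonType") in (8, 10)]

# Constructed sample records (not real log data): six failed logins against
# 'administrator' in five minutes, one clear-text and one RDP logon.
SAMPLE = [{"EventID": 4625, "TimeCreated": f"2024-01-01T09:0{i}:00",
           "LogonType": 3, "TargetUserName": "administrator"} for i in range(6)] + [
    {"EventID": 4625, "TimeCreated": "2024-01-01T12:00:00", "LogonType": 2, "TargetUserName": "alice"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T12:01:00", "LogonType": 2, "TargetUserName": "alice"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T12:05:00", "LogonType": 8, "TargetUserName": "bob"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T12:07:00", "LogonType": 10, "TargetUserName": "carol"},
]

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE))  # {'administrator': 6}
    print(risky_logons(SAMPLE))         # [('bob', 'Network Clear Text'), ('carol', 'RDP')]
```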

Applications and Services

Installations
1022 – Windows Installer updated the application
1033 – Windows Installer installed the application
1034 – Windows Installer removed the application

4688 – New process created
4663 – Object access with WriteData/AddFile (new file added)

Services
7035 – Service was sent a start or stop request
7036 – Service was started or stopped
7045 – Service was installed in the system
