Enter any Windows Event ID for a plain-English explanation, log source, severity and troubleshooting steps.
The table below shows the 15 most common Event IDs. The full database covers 200+ IDs across authentication, account management, system, services, DNS, DHCP, BitLocker, Hyper-V, printing, RDP, firewall, Group Policy, Defender and more. Use the search above to look up any ID not listed.
Event ID not found
This Event ID is not in our database yet. Try the Ultimate Windows Security Encyclopedia or Microsoft documentation.
| Event ID | Name | Log | Severity |
|---|
About the Windows Event ID Lookup
Windows generates event log entries for virtually everything that happens on a system, from user logons and account changes to service failures, disk errors, firewall activity and security policy modifications. Every event is identified by a numeric Event ID that tells you what type of event occurred. The Event ID Lookup database covers over 200 of the most important Event IDs with plain-English explanations that go beyond what you see in Event Viewer itself.
The database covers events across the three main Windows logs. The Security log contains authentication events (logon success and failure, Kerberos, NTLM), account management events (user creation, group membership changes, password resets) and privilege use. The System log covers hardware events, service failures, driver issues, startup and shutdown. The Application log covers events from specific applications including Windows Defender, BitLocker, PowerShell script block logging, AppLocker and .NET runtime errors.
Each entry includes not just a description but practical troubleshooting steps drawn from real-world incident response and system administration experience. For security events, the tips explain which sub-status codes indicate which failure reasons, and what correlation with other Event IDs looks like in practice.
Key Event IDs to Know
Common Use Cases
- Account lockout investigation. Event IDs 4625 and 4740 together tell you exactly which account is being locked out and from which source workstation. Essential for troubleshooting cached credential issues.
- Incident response. During a security incident, Event IDs 4624, 4625, 4648, 4728 and 4719 form the core authentication and privilege escalation audit trail across domain controllers and servers.
- SIEM rule writing. Use this database to understand exactly what each Event ID means before writing detection rules in Splunk, Sentinel, Elastic or any other SIEM platform.
- PowerShell malware detection. Event IDs 4103 and 4104 (module and script block logging) capture the actual PowerShell code that was executed, even if it was obfuscated at the command line. Correlate with 4688 for the full picture.
- Compliance auditing. Many compliance frameworks (PCI-DSS, ISO 27001, HIPAA) require specific Windows events to be monitored. Use this lookup to understand what each required event actually records.
Frequently Asked Questions
Event Categories Covered
- Authentication and logon (4624, 4625, 4648, 4768, 4771, 4776). Covers interactive, network, RDP, Kerberos and NTLM authentication events with failure sub-codes.
- Account management (4720, 4722, 4724, 4728, 4732, 4740). User creation, password changes, group membership changes and account lockouts.
- System events (41, 6008, 7000, 7036, 7045). Unexpected shutdowns, service failures, new service installations and service state changes.
- Security tools (1116, 5001, 4103, 4104, 8003). Windows Defender detections, PowerShell logging and AppLocker enforcement events.
- Network services (150, 1046, 1056, 5025, 5157). DNS, DHCP, firewall and Active Directory replication events.