Windows Events — Event ID Reference & Troubleshooting
Complete Windows Event ID reference. Understand every system event, its causes and solutions.
Our Windows Events reference centralizes documentation on Windows Event IDs. Each article explains a specific system event: what it means, its possible causes, and recommended troubleshooting steps.
Windows Event ID 36888 – Schannel: TLS/SSL Handshake Failure with Certificate Validation Error
Event ID 36888 indicates a TLS/SSL handshake failure in the Schannel security provider, typically caused by certificate validation errors, protocol mismatches, or cipher suite incompatibilities during secure connection attempts.
Windows Event ID 36874 – Schannel: TLS Connection Handshake Failure
Event ID 36874 indicates a TLS handshake failure in the Schannel security provider, typically occurring when secure connections cannot be established due to protocol mismatches, certificate issues, or cipher suite incompatibilities.
Windows Event ID 24586 – Unknown: Application or Service Initialization Error
Event ID 24586 indicates an application or service failed to initialize properly during startup. This error typically occurs when Windows components or third-party applications encounter configuration issues, missing dependencies, or permission problems during the initialization process.
Windows Event ID 24582 – Unknown: Application or Service Initialization Failure
Event ID 24582 indicates a critical initialization failure in an application or service component during system startup or service launch, requiring immediate investigation to identify the failing component.
Windows Event ID 24580 – Application Error: Critical Application Failure
Event ID 24580 indicates a critical application failure or unexpected termination. This error typically occurs when applications crash due to memory violations, corrupted files, or system resource exhaustion.
Windows Event ID 24579 – Unknown: System Component Registration or Service Initialization Event
Event ID 24579 typically indicates a system component registration, service initialization, or driver loading event. This informational event appears during system startup or when specific Windows services are starting.
Windows Event ID 24577 – Kernel-EventTracing: ETW Session Configuration Error
Event ID 24577 indicates an Event Tracing for Windows (ETW) session configuration error, typically occurring when ETW providers fail to start or when session parameters are invalid during system boot or service initialization.
Windows Event ID 11708 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 11708 indicates the system time was changed, either manually by a user or automatically by time synchronization services. Critical for security auditing and troubleshooting time-related issues.
Windows Event ID 7011 – Service Control Manager: Service Timeout Error
Event ID 7011 indicates a Windows service failed to respond within the configured timeout period during startup, shutdown, or control operations, requiring investigation of service dependencies and system performance.
Windows Event ID 7001 – Service Control Manager: Service Dependency Failure
Event ID 7001 indicates a Windows service failed to start because one or more of its dependent services are not running or failed to initialize properly.
Windows Event ID 6280 – Microsoft-Windows-Kernel-Process: Process Creation Notification
Event ID 6280 records process creation events in the Microsoft-Windows-Kernel-Process ETW provider, capturing detailed process startup information for security monitoring and system analysis.
Windows Event ID 6279 – WinLogon: User Logon Session Destroyed
Event ID 6279 indicates that a user logon session has been destroyed in Windows. This informational event fires when a user logs off, disconnects from a remote session, or when the system terminates a session due to timeout or policy enforcement.
Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon
Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.
Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon
Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.
Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access
Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.
Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access
Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.
Windows Event ID 6145 – WinLogon: User Logon Session Destroyed
Event ID 6145 indicates a user logon session has been destroyed by the Windows Logon service, typically occurring during normal logoff, system shutdown, or forced session termination.
Windows Event ID 6144 – Kernel-General: System Performance Counter Collection Started
Event ID 6144 indicates that Windows has started collecting system performance counters. This informational event fires during system startup or when performance monitoring services initialize.
Windows Event ID 6013 – EventLog: System Uptime Information
Event ID 6013 records system uptime information in the System log, indicating how long Windows has been running since the last boot or restart.
Windows Event ID 6009 – EventLog: Microsoft Windows Kernel Boot Information
Event ID 6009 records Windows kernel boot information including processor details, memory configuration, and system architecture during system startup.
Windows Event ID 5889 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 5889 indicates the system time was changed, either manually by a user or automatically by time synchronization services. This event helps track time modifications for security and audit purposes.