Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 5 – Kernel: Process Terminated Unexpectedly
Event ID 5 indicates a critical process or service has terminated unexpectedly, often due to access violations, memory corruption, or system instability requiring immediate investigation.
Windows Event ID 4 – Kernel-General: System Process Terminated Unexpectedly
Event ID 4 indicates a critical system process has terminated unexpectedly, often signaling kernel-level failures, driver issues, or system instability requiring immediate investigation.
Windows Event ID 3 – System: Network Connection Established
Event ID 3 indicates a successful network connection has been established by the Windows system, typically logged when network services start or connections are made to remote resources.
Windows Event ID 2 – Kernel-General: System Boot Completion
Event ID 2 from Kernel-General indicates successful Windows system boot completion. This informational event logs when the kernel finishes loading and the system is ready for user logon.
Windows Event ID 0 – Unknown: System Event with Undefined Source
Event ID 0 with Unknown source indicates a system event where the event source could not be properly identified or registered, often pointing to corrupted event log entries or missing event source definitions.
Windows Event ID 19 – Kernel-PnP: Device Installation or Configuration Event
Event ID 19 from Kernel-PnP indicates Plug and Play device installation, configuration changes, or driver-related activities on Windows systems.
Windows Event ID 2019 – Srv: Server Service Connection Limit Exceeded
Event ID 2019 indicates the Windows Server service has reached its maximum connection limit, preventing new client connections until existing sessions are freed.
Windows Event ID 3065 – WinRM: WS-Management Service Authentication Error
Event ID 3065 indicates WinRM authentication failures when clients attempt to connect to the WS-Management service, typically due to credential issues or configuration problems.
Windows Event ID 76 – Application Popup: System Process Terminated Unexpectedly
Event ID 76 indicates a critical system process has terminated unexpectedly, triggering Windows to display an application error popup and potentially initiate system recovery procedures.
Windows Event ID 29 – Kernel-Power: Critical System Power Event
Event ID 29 from Kernel-Power indicates a critical system power event, typically occurring during unexpected shutdowns, power failures, or hardware-related power issues that require immediate investigation.
Windows Event ID 131 – Unknown: Application or Service Crash Event
Event ID 131 indicates an application or service has crashed unexpectedly. This critical event helps administrators identify failing processes and investigate system stability issues.
Windows Event ID 157 – Disk: Disk Error Detected
Event ID 157 indicates a disk error has been detected by the Windows storage subsystem, typically signaling hardware issues, bad sectors, or failing storage devices requiring immediate investigation.
Windows Event ID 5783 – NETLOGON: Dynamic DNS Registration Failed
Event ID 5783 indicates that a domain controller failed to register its DNS records dynamically. This critical networking event affects Active Directory authentication and client connectivity to domain services.
Windows Event ID 4776 – Microsoft-Windows-Security-Auditing: Computer Account Authentication
Event ID 4776 logs computer account authentication attempts in Active Directory environments, tracking domain controller validation of computer credentials during logon processes.
Windows Event ID 2004 – Perflib: Performance Counter Provider Registration Failed
Event ID 2004 indicates a performance counter provider failed to register with the Windows Performance Toolkit. This typically occurs when performance counter DLLs are corrupted, missing, or incompatible with the current system.
Windows Event ID 13 – Kernel-General: System Boot Performance Monitoring
Event ID 13 from Kernel-General tracks system boot performance metrics, recording boot duration and initialization phases during Windows startup sequences.
Windows Event ID 12010 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 12010 fires when Windows detects a system time change, either manual or automatic. It is critical for security auditing and for troubleshooting time synchronization issues in domain environments.
Windows Event ID 823 – Ntfs: Critical Disk I/O Error Detected
Event ID 823 indicates a critical disk I/O error where the NTFS file system detected corrupted data during read/write operations, potentially signaling hardware failure or data corruption.
Windows Event ID 4004 – WinLogon: Interactive Logon Process Initialization
Event ID 4004 indicates the Windows interactive logon process has been initialized. This informational event fires during system startup when WinLogon prepares the interactive desktop environment for user authentication.
Windows Event ID 2042 – DNS Client: DNS Client Service Failed to Start
Event ID 2042 indicates the DNS Client service failed to start during system boot, preventing DNS resolution and network connectivity for applications requiring domain name lookups.
Windows Event ID 1500 – Application Error: Application Crash or Failure
Event ID 1500 indicates an application has crashed or encountered a critical error. This event helps administrators track application stability and identify problematic software components.