Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 1102 – Microsoft-Windows-Eventlog: Security Log Cleared
Event ID 1102 indicates the Windows Security log has been manually cleared by an administrator or system process; the clearing itself is immediately recorded in the audit trail.
Windows Event ID 1006 – WinMgmt: WMI Performance Adapter Registration Failure
Event ID 1006 indicates WMI performance adapter registration failures, typically occurring during system startup or when WMI services attempt to initialize performance counters for system monitoring.
Windows Event ID 1311 – MSI Installer: Product Installation Failure
Event ID 1311 indicates a Windows Installer (MSI) package failed to install or configure properly. This error typically occurs when the installer cannot access required files, encounters permission issues, or faces corrupted installation media during software deployment.
Windows Event ID 1925 – MSExchange Store: Database Mount Failure or Corruption
Event ID 1925 indicates the Microsoft Exchange Store service encountered a critical database mount failure or corruption issue, preventing mailbox databases from mounting properly during startup or maintenance operations.
Windows Event ID 98 – System: Processor Thermal Throttling Event
Event ID 98 indicates processor thermal throttling has occurred due to high CPU temperatures. This system-level event fires when Windows reduces CPU performance to prevent overheating damage.
Windows Event ID 1500 – Application Error: Application Crash or Hang Detection
Event ID 1500 indicates an application has crashed, hung, or encountered a critical error. This event helps administrators track application stability and identify problematic software components.
Windows Event ID 33 – System: Time Service Provider Time Synchronization
Event ID 33 indicates the Windows Time Service has successfully synchronized system time with an external time source or encountered synchronization issues during the process.
Windows Event ID 25 – Application Popup: System Process Terminated Unexpectedly
Event ID 25 indicates a critical system process has terminated unexpectedly, triggering Windows Error Reporting. This event typically signals driver issues, memory corruption, or system instability requiring immediate investigation.
Windows Event ID 8 – Kernel-General: Page Fault in Nonpaged Area
Event ID 8 indicates a critical page fault in the nonpaged memory area, typically caused by faulty drivers, hardware issues, or memory corruption that can lead to system instability.
Windows Event ID 219 – Kernel-PnP: Device Driver Installation or Removal Event
Event ID 219 from Kernel-PnP indicates device driver installation, removal, or configuration changes in Windows. This informational event helps track Plug and Play device management activities.
Windows Event ID 38 – Kernel-Power: System Thermal Zone Temperature
Event ID 38 from Kernel-Power indicates thermal zone temperature changes or thermal management events in Windows systems, typically logged when CPU or system temperatures exceed normal operating thresholds.
Windows Event ID 29 – Kernel-Power: Critical System Power Event
Event ID 29 from Kernel-Power indicates critical power-related issues including unexpected shutdowns, power supply failures, or thermal protection events that can cause system instability.
Windows Event ID 7045 – Service Control Manager: New Service Installation
Event ID 7045 fires when a new Windows service is installed on the system. This informational event logs service creation details including name, path, and startup type for security monitoring.
Windows Event ID 7 – Kernel-General: Bad Block Detected on Device
Event ID 7 indicates Windows detected a bad block on a storage device. This critical hardware event signals potential disk failure and requires immediate investigation to prevent data loss.
Windows Event ID 18 – Various Sources: Generic Application or Service Event
Event ID 18 is a generic identifier used by multiple Windows applications and services to log various operational events, ranging from informational messages to error conditions depending on the source.
Windows Event ID 1 – Unknown: Generic System Event Logging
Event ID 1 from an Unknown source represents generic system events that occur when Windows cannot identify the specific event source or when third-party applications generate basic logging entries.
Windows Event ID 129 – Storahci: Reset to Device Issued by Port Driver
Event ID 129 indicates the Windows storage port driver issued a reset command to a storage device, typically due to unresponsive I/O operations or device communication failures.
Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On
Event ID 4625 records failed logon attempts in Windows Security logs. It is critical for detecting unauthorized access attempts and brute force attacks, and for troubleshooting authentication issues across domain and local accounts.

Windows Event ID 1704 – Winlogon: User Profile Service Failed
Event ID 1704 indicates the User Profile Service failed to load a user profile, preventing successful user logon and potentially causing profile corruption or access issues.

Windows Event ID 12289 – Kernel-General: Memory Manager Performance Counter Update
Event ID 12289 indicates the Windows Memory Manager has updated performance counters for memory allocation tracking. This informational event helps monitor system memory usage patterns and virtual memory operations.

Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed
Event ID 4771 indicates a Kerberos pre-authentication failure, typically caused by incorrect passwords, expired accounts, or time synchronization issues between client and domain controller.