Windows Events — Event ID Reference & Troubleshooting

Windows Event ID 7000 – Service Control Manager: Service Failed to Start
Event ID 7000 indicates a Windows service failed to start during system boot or manual startup attempts. This critical error requires immediate investigation to identify the failing service and underlying cause.

Windows Event ID 7031 – Service Control Manager: Service Terminated Unexpectedly
Event ID 7031 indicates a Windows service has terminated unexpectedly and will be restarted by the Service Control Manager. This critical event helps identify service stability issues and potential system problems.

Windows Event ID 1000 – Application Error: Application Crash or Fault Detection
Event ID 1000 indicates an application crash or unhandled exception. This critical error event fires when Windows detects an application fault, providing crash details for troubleshooting.

Windows Event ID 10016 – DistributedCOM: DCOM Permission Denied Error
Event ID 10016 indicates DCOM permission errors when applications attempt to access COM objects without proper authorization, commonly affecting Windows services and applications.

Windows Event ID 1001 – Windows Error Reporting: Application Crash Report
Event ID 1001 indicates Windows Error Reporting has logged an application crash or fault. This event captures critical details about application failures for diagnostic purposes.

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff
Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

Windows Event ID 4634 – Microsoft-Windows-Security-Auditing: An Account Was Logged Off
Event ID 4634 records when a user account logs off from a Windows system. This security audit event tracks logoff activities for compliance and security monitoring purposes.

Windows Event ID 7040 – Service Control Manager: Service Start Type Changed
Event ID 7040 fires when a Windows service start type is modified through Service Control Manager, Group Policy, or programmatic changes. Critical for security auditing and change tracking.

Windows Event ID 1796 – Microsoft-Windows-Kernel-General: System Time Change Detected
Event ID 1796 fires when Windows detects a system time change, either manual adjustment or automatic synchronization. Critical for security auditing and troubleshooting time-sensitive applications.

Windows Event ID 2020 – DNS Client: DNS Query Response Timeout
Event ID 2020 indicates DNS query timeouts from the Windows DNS Client service. This warning event fires when DNS resolution requests exceed configured timeout thresholds, potentially impacting network connectivity and domain operations.

Windows Event ID 808 – Security: Audit Log Cleared
Event ID 808 indicates that the Windows Security audit log has been cleared, typically by an administrator or automated process. This event is critical for security monitoring and compliance tracking.

Windows Event ID 20 – Print Spooler: Print Job Completion and Status Events
Event ID 20 from the Print Spooler service indicates print job completion, cancellation, or status changes. This informational event helps track printing activity and troubleshoot spooler issues.

Windows Event ID 4740 – Security: User Account Locked Out
Event ID 4740 fires when a user account gets locked out due to failed authentication attempts. Critical for security monitoring and troubleshooting user access issues.

Windows Event ID 7000 – Service Control Manager: Service Failed to Start
Event ID 7000 indicates a Windows service failed to start during system boot or manual startup. This critical error requires immediate investigation to identify the failing service and resolve startup issues.

Windows Event ID 36887 – Schannel: TLS Connection Error or Certificate Validation Failure
Event ID 36887 indicates TLS/SSL connection failures or certificate validation errors in the Schannel security provider, commonly affecting HTTPS connections and secure communications.

Windows Event ID 7034 – Service Control Manager: Service Crashed Unexpectedly
Event ID 7034 indicates a Windows service terminated unexpectedly without a clean shutdown. This critical error requires immediate investigation to identify the failing service and root cause.

Windows Event ID 1002 – Application Error: Application Hang Detection
Event ID 1002 indicates an application has stopped responding and Windows has detected a hang condition. This critical event helps identify problematic applications affecting system performance.

Windows Event ID 6008 – EventLog: Unexpected System Shutdown Detection
Event ID 6008 indicates Windows detected an unexpected system shutdown. The system was not properly shut down before the previous boot, suggesting power loss, hardware failure, or forced restart.

Windows Event ID 4608 – Security: Windows System Startup Initialization
Event ID 4608 logs when Windows starts up and the Local Security Authority Subsystem Service (LSASS.EXE) initializes the auditing subsystem during system boot.

Windows Event ID 4723 – Microsoft-Windows-Security-Auditing: User Account Password Change Attempt
Event ID 4723 logs when a user attempts to change another user's password. This security audit event tracks administrative password reset operations and helps monitor unauthorized password modifications across Windows domains.

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On
Event ID 4625 records failed logon attempts in Windows Security logs. Critical for detecting brute-force attacks, credential issues, and unauthorized access attempts across domain and local accounts.