Common Event Ids For Forensic and SOC Analysts

Thanks to the contributors

Uploaded by

karimelkhadery

Common Event IDs for Forensic & SOC Analysts

By
Asif Khan
Sr. Cyber Forensics Expert
https://www.linkedin.com/in/asif-khan-b5379a126/
Common Event IDs
Understanding common Event IDs and their meanings is crucial for interpreting Windows Event Logs effectively. Event IDs are numerical codes that uniquely identify specific events within the Windows operating system. They help administrators and forensic analysts quickly recognize and respond to system, security, and application events.
This guide covers common Event IDs across the different logs, including their descriptions and their significance in forensic analysis.

Table of Contents
1. Introduction to Event IDs
2. System Log Event IDs
3. Security Log Event IDs
4. Application Log Event IDs
5. Setup Log Event IDs
6. Application and Service Logs Event IDs
7. Event IDs Related to Account Management
8. Event IDs Related to Logon and Logoff
9. Event IDs Related to System Integrity
10. Event IDs Related to Policy Changes
11. Event IDs Related to Object Access
12. Additional Resources
13. Summary

1. Introduction to Event IDs

• Definition: An Event ID is a numerical code that identifies a specific event or type of event within Windows Event Logs.
• Purpose: Helps in filtering, searching, and interpreting events during system administration and forensic investigations.
• Event Log Categories:
o System Log: Records events logged by Windows system components.
o Security Log: Records security-related events, such as logon attempts and resource access.
o Application Log: Records events logged by applications.
o Setup Log: Records events related to application setup and installation.
o Application and Service Logs: Records events from individual applications and services.

2. System Log Event IDs


2.1 Service Control Manager Events
• Event ID 7000: "The service failed to start due to the following error..."
o Description: A service failed to start.
o Significance: Could indicate system instability or misconfigurations.
• Event ID 7001: "The service depends on the service which failed to start..."
o Description: A dependent service failed to start.
o Significance: Helps identify cascading failures.
• Event ID 7034: "The service terminated unexpectedly..."
o Description: A service terminated unexpectedly.
o Significance: May indicate software bugs or malicious activity.
• Event ID 7040: "The start type of the service was changed from..."
o Description: Indicates a change in the startup type of a service.
o Significance: Potentially unauthorized changes to services.
• Event ID 7045: "A service was installed in the system."
o Description: A new service was installed.
o Fields to Examine:
▪ Service Name
▪ Service File Name
▪ Service Type
o Significance: Important for detecting unauthorized or malicious services.
2.2 System Shutdown and Startup Events
• Event ID 6005: "The Event Log service was started."
o Description: Indicates system startup.
o Significance: Helps establish timelines.
• Event ID 6006: "The Event Log service was stopped."
o Description: Indicates system shutdown.
o Significance: Helps establish timelines.
• Event ID 6008: "The previous system shutdown was unexpected."
o Description: Indicates an improper shutdown.
o Significance: May result from system crashes or power loss.
2.3 Time Change Events
• Event ID 1 (Kernel-General): "The system time has changed to..."
o Description: System time was changed.
o Fields to Examine:
▪ Previous Time
▪ New Time
o Significance: Time changes can affect log analysis and may indicate tampering.
2.4 Disk and Hardware Events
• Event ID 7 (Disk): "The device, \Device\Harddisk0\DR0, has a bad block."
o Description: Indicates a bad sector on the hard disk.
o Significance: May lead to data corruption or system instability.
• Event ID 51 (Disk): "An error was detected on device \Device\Harddisk0\DR0 during a paging operation."
o Description: Disk I/O error.
o Significance: Could indicate failing hardware.

3. Security Log Event IDs


3.1 Successful Logon Events
• Event ID 4624: "An account was successfully logged on."
o Description: A user successfully logged on to the system.
o Fields to Examine:
▪ Logon Type
▪ Account Name
▪ Source Network Address
o Logon Types:
▪ 2: Interactive (local console)
▪ 3: Network (e.g., accessing shared resources)
▪ 10: RemoteInteractive (Remote Desktop)
o Significance: Essential for tracking user activity.
3.2 Failed Logon Events
• Event ID 4625: "An account failed to log on."
o Description: A failed logon attempt occurred.
o Fields to Examine:
▪ Failure Reason
▪ Account Name
▪ Logon Type
▪ Source Network Address
o Significance: May indicate password guessing or unauthorized access attempts.
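As an added example (not part of the original guide), the Python below correlates constructed 4625 and 4624 records in the XML shape Windows exports (for instance via Get-WinEvent's ToXml()), decodes the Logon Type values listed above, and flags a source address whose repeated failures for one account are followed by a successful logon for that account. The sample records, account names, addresses and the failure threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def make_event(event_id, when, **data):
    """Build a constructed Security-log record in Windows event XML shape (sample, not a capture)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

def parse_event(xml_text):
    """Return (event_id, time, {Data Name: value}) from one <Event> element."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    when = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, when, data

def guessing_then_success(xml_records, threshold=3):
    """Flag (source address, account) pairs with >= threshold 4625 failures
    followed by a 4624 success. ISO-8601 timestamps sort lexically, so the
    records are processed in time order."""
    parsed = sorted((parse_event(x) for x in xml_records), key=lambda e: e[1])
    failures = defaultdict(int)
    findings = []
    for event_id, when, d in parsed:
        key = (d.get("IpAddress", "-"), d.get("TargetUserName", "").lower())
        if event_id == 4625:
            failures[key] += 1
        elif event_id == 4624 and failures[key] >= threshold:
            lt = int(d.get("LogonType", 0))
            findings.append({"source": key[0], "account": key[1], "failures": failures[key],
                             "logon_type": LOGON_TYPES.get(lt, str(lt)), "time": when})
            failures[key] = 0  # reset so the same burst is reported once
    return findings

# Constructed sample: four RDP failures from one address, then a success for the same account.
SAMPLE = [make_event(4625, f"2024-05-01T08:00:0{i}Z", TargetUserName="svc_backup",
                     LogonType="10", IpAddress="203.0.113.7") for i in range(4)]
SAMPLE.append(make_event(4624, "2024-05-01T08:00:09Z", TargetUserName="svc_backup",
                         LogonType="10", IpAddress="203.0.113.7"))
SAMPLE.append(make_event(4624, "2024-05-01T08:01:00Z", TargetUserName="alice",
                         LogonType="2", IpAddress="-"))  # benign console logon, no failures

if __name__ == "__main__":
    for finding in guessing_then_success(SAMPLE):
        print(finding)
```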
3.3 Account Management Events
• Event ID 4720: "A user account was created."
o Description: A new user account was created.
o Significance: Important for detecting unauthorized account creations.
• Event ID 4722: "A user account was enabled."
o Description: An account was re-enabled after being disabled.
o Significance: May be used to regain access to a disabled account.
• Event ID 4725: "A user account was disabled."
o Description: An account was disabled.
o Significance: Could be part of normal operations or indicate malicious activity.
• Event ID 4726: "A user account was deleted."
o Description: An account was deleted.
o Significance: Important for auditing account deletions.
3.4 Privilege Use Events
• Event ID 4672: "Special privileges assigned to new logon."
o Description: A user logged on with administrative privileges.
o Significance: Critical for detecting privileged account usage.
3.5 Audit Log Clearing
• Event ID 1102: "The audit log was cleared."
o Description: Security log was cleared.
o Significance: Potential indicator of malicious activity attempting to cover tracks.
3.6 System Integrity Events
• Event ID 4616: "The system time was changed."
o Description: Indicates a change in system time.
o Significance: May affect log analysis and indicate tampering.

4. Application Log Event IDs


4.1 Application Errors
• Event ID 1000 (Application Error): "Faulting application name..."
o Description: Indicates that an application crashed.
o Fields to Examine:
▪ Faulting Application Name
▪ Faulting Module Name
▪ Exception Code
o Significance: Useful for diagnosing application crashes.
4.2 Application Hang
• Event ID 1002 (Application Hang): "The program [application name] version [version] stopped interacting with Windows..."
o Description: An application became unresponsive.
o Significance: May indicate performance issues or resource exhaustion.
4.3 MsiInstaller Events
• Event ID 11707: "Installation of [product name] succeeded."
o Description: An application was installed successfully.
o Significance: Helps track software installations.
• Event ID 11708: "Installation of [product name] failed."
o Description: An application installation failed.
o Significance: May indicate issues with software deployment.

5. Setup Log Event IDs


5.1 Windows Update Events
• Event ID 19 (WindowsUpdateClient): "Installation Successful: Windows successfully installed the following update..."
o Description: A Windows Update was installed successfully.
o Significance: Important for ensuring systems are up to date.
• Event ID 20 (WindowsUpdateClient): "Installation Failure: Windows failed to install the following update..."
o Description: A Windows Update installation failed.
o Significance: May leave the system vulnerable.
• Event ID 21 (WindowsUpdateClient): "Installation Pending: Windows is waiting to install the following update..."
o Description: A Windows Update is pending installation.
o Significance: Indicates updates that require action.
5.2 System Installation Events
• Event ID 300 (Setup): "The Windows installer has initiated a system restart to complete the installation or update..."
o Description: Indicates a restart initiated by an installer.
o Significance: Helps track system changes.

6. Application and Service Logs Event IDs


6.1 PowerShell Logs
• Event ID 4103 (Microsoft-Windows-PowerShell): "PowerShell Pipeline Execution Details."
o Description: Logs details about executed PowerShell commands.
o Significance: Useful for detecting malicious scripts.
• Event ID 4104 (Microsoft-Windows-PowerShell): "PowerShell Script Block Logging."
o Description: Captures the content of PowerShell scripts executed.
o Significance: Critical for detecting and analyzing malicious PowerShell activity.
6.2 Sysmon Logs
• Event ID 1 (Sysmon): "Process creation detected."
o Description: Logs when a process is created.
o Significance: Provides detailed process information for threat hunting.
• Event ID 3 (Sysmon): "Network connection detected."
o Description: Logs network connections initiated by processes.
o Significance: Helps identify suspicious network activity.
6.3 Windows Defender Logs
• Event ID 1000 (Windows Defender): "Malware Detection."
o Description: Malware was detected on the system.
o Significance: Indicates potential compromise.
• Event ID 1116 (Windows Defender): "Antivirus scan started."
o Description: An antivirus scan was initiated.
o Significance: Helps track security operations.
6.4 Task Scheduler Logs
• Event ID 106 (TaskScheduler): "Task registered or updated."
o Description: A scheduled task was created or modified.
o Significance: Attackers may use scheduled tasks for persistence.
6.5 Remote Desktop Services Logs
• Event ID 1149 (TerminalServices-RemoteConnectionManager): "Remote Desktop Services: User authentication succeeded."
o Description: A user successfully authenticated via RDP.
o Significance: Important for monitoring remote access.

7. Event IDs Related to Account Management


• Event ID 4727: "A security-enabled global group was created."
• Event ID 4728: "A member was added to a security-enabled global group."
• Event ID 4732: "A member was added to a security-enabled local group."
• Event ID 4756: "A member was added to a security-enabled universal group."
• Event ID 4767: "A user account was unlocked."
Significance: Changes to group memberships and account statuses can indicate privilege escalation or account misuse.

8. Event IDs Related to Logon and Logoff


• Event ID 4634: "An account was logged off."
o Description: A user logged off from the system.
o Significance: Helps track session durations.
• Event ID 4647: "User initiated logoff."
o Description: The user initiated a logoff.
o Significance: Differentiates between user-initiated and system-initiated logoffs.
• Event ID 4648: "A logon was attempted using explicit credentials."
o Description: Credentials were used to log on on behalf of another user.
o Significance: May indicate lateral movement or credential theft.

9. Event IDs Related to System Integrity


• Event ID 5038 (System Integrity): "Code integrity determined that the image hash of a file is not valid."
o Description: Indicates potential tampering with system files.
o Significance: May suggest malware infection or system compromise.
• Event ID 6281 (Audit Failure): "Code Integrity determined that the page hashes of an image file are not valid."
o Description: Failed code integrity checks.
o Significance: Potential unauthorized modifications to code.

10. Event IDs Related to Policy Changes


• Event ID 4719: "System audit policy was changed."
o Description: Changes were made to audit policies.
o Significance: May indicate attempts to hide malicious activities.
• Event ID 4739: "Domain Policy was changed."
o Description: Modifications to domain policies.
o Significance: Critical in domain environments for detecting unauthorized changes.

11. Event IDs Related to Object Access


• Event ID 4663: "An attempt was made to access an object."
o Description: Logs access to objects (files, folders, registry keys) when auditing is enabled.
o Significance: Helps detect unauthorized access to sensitive data.
• Event ID 5140: "A network share object was accessed."
o Description: Indicates access to shared folders over the network.
o Significance: Useful for monitoring file sharing activities.

12. Additional Resources


Books and Guides
• "Windows Security Monitoring" by Andrei Miroshnikov.
• "Windows Forensic Analysis Toolkit" by Harlan Carvey.
• "Incident Response & Computer Forensics" by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia.
Online References
• Microsoft Docs:
o Security Audit Events for Windows
• Ultimate Windows Security:
o Security Log Encyclopedia
Tools
• Event Log Explorer: Advanced event log viewer and analyzer.
• Log Parser Studio: GUI for Microsoft's Log Parser.
• Sysinternals Suite: Collection of advanced system utilities.
Communities
• SANS Digital Forensics and Incident Response:
o Training, articles, and community discussions.
• Forensic Focus Forums:
o Discussions on forensic methodologies and tool usage.
• Reddit r/DFIR:
o Community of professionals discussing digital forensics and incident response.

13. Summary
Understanding common Event IDs and their meanings is essential for:
• System Administrators:
o Quickly identifying and responding to system events.
• Forensic Analysts:
o Interpreting logs accurately during investigations.
• Security Professionals:
o Detecting and responding to security incidents.
• Compliance Officers:
o Ensuring adherence to audit and compliance requirements.
By familiarizing yourself with these common Event IDs, you can effectively monitor system
activities, detect anomalies, and support incident response efforts. Remember that context is
crucial; always correlate events with other logs and system behaviors for comprehensive
analysis.