Id | Log location
  Message
  Fields

2 | Setup
  Message: Package was successfully changed to the Installed state
  Fields logged: PackageIdentifier, ErrorCode

3 | Setup
  Message: Windows update could not be installed because … “The data is invalid”
  Fields logged: Commandline, ErrorCode

3 | Microsoft-Windows-Crypto-NCrypt
  Message: Open key operation failed
  Fields logged: Provider Name, Key Name

4 | Microsoft-Windows-Crypto-NCrypt/Operational
  Message: Create key operation failed
  Fields logged: Provider Name, Key Name, Algorithm Name

6 | Microsoft-Windows-Crypto-NCrypt/Operational
  Message: Unprotect Key operation failed
  Fields logged: KeyId

8 | System (Source: BTHUSB)
  Message: The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter.
  Fields logged: EventData

9 | System (Source: BTHUSB)
  Message: The remote adapter <remote bluetooth radio address> was added to the list of personal devices.
  Fields logged: EventData

11 | Microsoft-Windows-CAPI2/Operational
  Message: Build Chain
  Fields: System/TimeCreated/SystemTime
    Subject name of the leaf certificate is the first instance of the following path: UserData/CertGetCertificateChain/CertificateChain/Certificate subjectName
    Subject name of the issuing certificate is the second instance of the following path: UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate
    TrustStatus -> ErrorStatus

12 | System (Source: Kernel-General)
  Message: The operating system started at system time .
  Fields logged:
  Note: this event, along with no other earlier events, indicates a wipe has occurred.

16 | System (Source: BTHUSB)
  Message: The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address failed.
  Fields logged: Data

19 | System (Source: WindowsUpdateClient)
  Message: Installation Successful: Windows successfully installed the following update:
  Fields logged: Security ID, updateTitle, updateGuid, serviceGuid, updateRevisionNumber

20 | System (Source: Kernel-Boot)
  Message: The last boot’s success was .
  Fields logged: LastBootGood

21 | System (Source: Kernel-Boot)
  Message: The OS loader advanced options menu was displayed and the user selected option
  Fields logged: OptionSelected
  Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode.

30 | Microsoft-Windows-CAPI2/Operational
  Message: Verify Chain Policy
  Fields: System -> TimeCreated -> SystemTime
    UserData -> CertVerifyCertificateChainPolicy -> Certificate -> subjectName
    UserData -> CertVerifyCertificateChainPolicy -> Result -> value

48 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
  Message: MDM Unenroll: Unenroll event sent to server
  Fields logged: Security UserID

65 | Microsoft-Windows-Audio/Operational
  Message: MMDevAPI: Audio device state changed
  Fields logged: OpCode

72 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
  Message: MDM Enroll: Succeeded
  Fields logged: Security UserID

90 | Microsoft-Windows-CAPI2/Operational
  Message:
  Fields logged: Security UserID, Subject

400 | Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational
  Message: Deployment Add operation on Package from: (<.appx pathname>) finished successfully
  Fields logged:

403 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
  Message: MDM ConfigurationManager: CSP Allow check.
  Fields logged: URI, Allowed

404 | Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational
  Message: AppX Deployment operation failed for package with error . The specific error text for this failure is: .
  Fields logged:

410 | Microsoft-Windows-Kernel-PnP/Device Configuration
  Message: Device <DeviceInstanceId> was started
  Fields logged: User, DeviceInstanceId

472 | Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational
  Message: Moving package folder <%program files location%\ to <%deleted program files location%\ . Result:
  Fields logged: Security ID, SourceFolderPath: <%program files location%\, DestinationFolderPath: <%deleted program files location%\

801 | Microsoft-Windows-Kernel-PnP/Device Configuration
  Message: Processing device .
  Fields: TimeCreated

813 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
  Message: MDM PolicyManager
  Fields logged: Policy

814 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
  Message: MDM PolicyManager
  Fields logged: Policy

832 | Microsoft-Windows-Kernel-PnP/Device Configuration
  Message: End removal of .
  Fields: TimeCreated

1004 | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  Message: A certificate has been deleted
  Fields logged: UserID, SubjectNames, Thumbprint, NotValidAfter

1006 | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  Message: A new certificate has been installed.
  Fields logged: Subject, Thumbprint

1015 | Applications and Services Logs-Microsoft-Windows-Wcmsvc-Operational
  Message: Interface token applied
  Fields logged: Security ID, Media type, AutoProfiles

1027 | System (Source: TPM-WMI)
  Message: The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system
  Fields logged: Keywords

1074 | System (Source: User32)
  Message: The process \systemreset.exe has initiated the restart of computer on behalf of user for the following reason: No title for this reason could be found. Reason Code: 0x20001
  Fields logged: User

1100 | Security (Subcategory: Security State Change)
  Message: The event logging service has shut down
  Fields logged: Keywords

1103 | Security
  Message: The security audit log is now percent full.
  Fields logged: Keywords

1104 | System
  Message: The security audit log is full.
  Fields logged: Keywords

1502 | Microsoft-Windows-GroupPolicy/Operational
  Message: The Group Policy settings for the computer were processed successfully. New settings from 1 Group Policy objects were detected and applied.
  Fields logged:

1793 | Microsoft-Windows-SChannel-Events/Perf
  Message:
  Fields logged:

4502 | System (Source: ResetEng)
  Message: Attempt to restore the system to original condition has failed. Changes to the system have been undone.
  Fields logged: Keywords

4608 | Security (Subcategory: Security State Change)
  Message: Startup of audit functions
  Fields logged: Task category, Keywords

4624 | Security (Subcategory: Logon)
  Message: An account was successfully logged on.
  Fields logged: Security ID, Account Name, Account Domain, Workstation Name, Logon Type, LogonID, Source Network Address

4650 | Security (Subcategory: IPsec Main Mode)
  Message: IPsec main mode security association was established. Certificate authentication was not used.
  Fields logged: Task category, Local Endpoint, Remote Endpoint, Keying Module Name, Local Certificate, Remote Certificate, Cryptographic Information, Keywords

4651 | Security (Subcategory: IPsec Main Mode)
  Message: IPsec main mode security association was established. A certificate was used for authentication.
  Fields logged: Task category, Local Endpoint, Remote Endpoint, Keying Module Name, Local Certificate, Remote Certificate, Cryptographic Information, Keywords

4655 | Security (Subcategory: IPsec Main Mode)
  Message: IPsec main mode security association ended
  Fields logged: Task category, Local Endpoint, Remote Endpoint, Keying Module Name, Keywords

4656 | Security (Subcategory: Handle Manipulation)
  Message: A handle to an object was requested.
  Fields logged: Security ID, Object Name, Access Mask, Accesses, Keywords

4657 | Security (Subcategory: Registry)
  Message: Registry entry change
  Fields logged: Task category, Security ID, Object name, Change Information, Keywords

4673 | Security (Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use)
  Message: A privileged service was called.
  Fields logged: Security ID, Account Name, Account Domain, Keywords

4719 | Security (Subcategory: Audit Policy Change)
  Message: System audit policy was changed
  Fields logged: Security ID, Account Name, Account Domain, Login ID, Task category, Task Subcategory, Subcategory GUID, Changes, Keywords

4723 | Security (Subcategory: User Account Management)
  Message: An attempt was made to change an account's password.
  Fields logged: Security ID, Keywords

4739 | Security (Subcategory: Authentication Policy Change)
  Message: Domain Policy was changed.
  Fields logged: Security ID, Account Name, Account Domain, Task Category, Changed Attributes

4740 | Security (Subcategory: User Account Management)
  Message: A user account was locked out
  Fields logged: Security ID, Account Name, Account Domain

4800 | Security (Subcategory: Logoff)
  Message: The workstation was locked.
  Fields logged: Security UserID, Account Name, Account Domain

4801 | Security (Subcategory: Logon)
  Message: The workstation was unlocked.
  Fields logged: Security ID, Account Name, Account Domain

4912 | Security (Subcategory: Audit Policy Change)
  Message: Per-user Audit Policy was changed
  Fields logged: Security ID, Account Name, Account Domain, Login ID, Policy Change Details, Policy For Account, Keywords

4950 | Security (Subcategory: MPSSVC Rule-Level Policy Change)
  Message: A Windows Firewall setting has changed.
  Fields logged: Value

5058 | Security (Subcategory: System Integrity)
  Message: Key file operation
  Fields logged: Task category, Subject, Cryptographic Parameters, Key file operation information

5447 | Security (Subcategory: Other Policy Change Events)
  Message: Windows Filtering Platform filter has been changed
  Fields logged: Task category, Change type, Filter ID, Filter Name, Layer ID, Layer Name, Additional Information

5450 | Security (Subcategory: Filtering Platform Policy Change)
  Message: Windows Filtering Platform sub-layer has been changed
  Fields logged: Task category, Change type, Sub-layer ID, Sub-layer Name

5451 | Security (Subcategory: IPsec Quick Mode)
  Message: IPsec quick mode security association was established
  Fields logged: Task category, Local Endpoint, Remote Endpoint, Keying Module Name, Cryptographic Information, Keywords

5038 | Security (Subcategory: System Integrity)
  Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
  Fields logged: Task category, File Name: <file failing integrity check>

5446 | Security (Subcategory: Filtering Platform Policy Change)
  Message: Windows Filtering Platform callout has been changed
  Fields logged: Task category, Change type, Callout ID, Callout Name, Layer ID, Layer Name, Keywords
8000 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: WLAN AutoConfig service started a connection to a wireless network
  Fields logged: Network Adapter

8001 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: WLAN AutoConfig service has successfully connected to a wireless network
  Fields logged: SSID (non-TOE endpoint of connection), Authentication: WPA2-Enterprise (protocol)

8002 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: WLAN AutoConfig service failed to connect to a wireless network
  Fields logged: SSID: <Wireless network name> (non-TOE endpoint of connection)

8003 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: WLAN AutoConfig service has successfully disconnected from a wireless network
  Fields logged: Interface GUID: <network adapter identification>, SSID

8006 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: WLAN AutoConfig service has finished starting the hosted network.
  Fields logged: Interface GUID, SSID

8022 | Microsoft-Windows-AppLocker/Packaged app-Execution
  Message: was prevented from running.
  Fields logged:

11001 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: Wireless network association succeeded
  Fields logged: Network Adapter, Local MAC address

11004 | Microsoft-Windows-WWAN-SVC-Events/Operational
  Message: Received ContextState
  Fields logged: Action

11004 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: Wireless security stopped
  Fields logged: Network Adapter, Local MAC address

11010 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: Wireless Security Started
  Fields logged: Network Adapter, Local MAC Address

14001 | Microsoft-Windows-WLAN-AutoConfig/Operational
  Message: New Wireless Network Policy
  Fields logged: Applied Settings

20001 | System (Source: UserPnP)
  Message: Driver Manager concluded the process to install driver for Device Instance ID
  Fields logged: Security UserID, DeviceInstanceID, SetupClass

24579 | System (Source: Bitlocker-Driver)
  Message: Encryption of volume : completed
  Fields logged: Security UserID, Volume

24588 | System (Source: Bitlocker-Driver)
  Message: The conversion operation on volume encountered a bad sector error.
  Fields logged: Volume

24667 | System (Source: BitLocker-Driver)
  Message: BitLocker finalization sweep completed for volume .
  Fields logged: Volume

36880 | System (Source: Schannel)
  Message: An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.
  Fields logged: Protocol, CipherSuite

36888 | System (Source: Schannel)
  Message: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.
  Fields logged: Reason for failure, Protocol
  The following are the possible error codes (Description = Error Code Value): Unexpected message = 10; Bad record MAC = 20; Record overflow = 22; Decompression fail = 30; Handshake failure = 40; Illegal parameter = 47; Unknown CA = 48; Access denied = 49; Decode error = 50; Decrypt error = 51; Protocol version = 70; Insufficient security = 71; Internal error = 80; Unsupported extension = 110

Automatic Repair | %windir%\system32\logfiles\srt\strtrail.txt
  Message: Startup Repair diagnosis and repair log
  Fields logged: Boot critical file

Wipe Failure Screen | Display
  Message: There was a problem resetting your PC. No changes were made.
  Fields: On logon a message is displayed to the user indicating that the recovery operation of the system failed.

Bitlocker recovery | Display
  Message: Bitlocker recovery
  Fields: On startup a message is displayed requesting the Bitlocker recovery key