Microsoft-Windows-CertificateServicesClient-Lifecycle-User
10 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1001 | A certificate has been replaced. | Operational |
| 1002 | A certificate has expired. | Operational |
| 1003 | A certificate is about to expire. | Operational |
| 1004 | A certificate has been deleted. | Operational |
| 1005 | A certificate has been archived. | Operational |
| 1006 | A new certificate has been installed. | Operational |
| 1007 | A certificate has been exported. | Operational |
| 1008 | A certificate has been associated with its private key. | Operational |
| 1009 | A certificate could not be associated with its private key. | Operational |
| 1010 | A certificate has been deleted from Active Directory. | Operational |
Event ID 1001 — A certificate has been replaced.
Event ID 1002 — A certificate has expired.
Event ID 1003 — A certificate is about to expire.
Event ID 1004 — A certificate has been deleted.
Description
A certificate has been deleted. Please refer to the "Details" section for more information.
Message #
Fields #
| Name | Description |
|---|---|
CertNotificationData.ProcessName | — |
CertNotificationData.AccountName | — |
CertNotificationData.Context | — |
CertNotificationData.CertificateDetails | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-User",
"guid": "{bea18b89-126f-4155-9ee4-d36038b02680}",
"event_source_name": "",
"event_id": 1004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:24:28.343784+00:00",
"event_record_id": 5,
"correlation": {
"ActivityID": "8B83AF9E-B321-000B-740C-848B21B3DC01"
},
"execution": {
"process_id": 8308,
"thread_id": 11160
},
"channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"CertNotificationData": {
"ProcessName": "powershell.exe",
"AccountName": "ludus\\domainadmin",
"Context": "User",
"CertificateDetails": {
"Thumbprint": "7ae558526e6bcdc8bc34cead28949eaceff86188",
"Template": {
"Name": "WebServer"
},
"EKUs": {
"EKU": {
"Name": "Server Authentication",
"OID": "1.3.6.1.5.5.7.3.1"
}
},
"NotValidAfter": "2028-03-12T20:14:17Z"
}
}
},
"message": ""
}
Event ID 1005 — A certificate has been archived.
Event ID 1006 — A new certificate has been installed.
Description
A new certificate has been installed. Please refer to the "Details" section for more information.
Message #
Fields #
| Name | Description |
|---|---|
CertNotificationData.ProcessName | — |
CertNotificationData.AccountName | — |
CertNotificationData.Context | — |
CertNotificationData.Action | — |
CertNotificationData.CertificateDetails | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-User",
"guid": "{bea18b89-126f-4155-9ee4-d36038b02680}",
"event_source_name": "",
"event_id": 1006,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:18:13.092915+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 3736,
"thread_id": 8480
},
"channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"CertNotificationData": {
"ProcessName": "efsui.exe",
"AccountName": "ludus\\domainadmin",
"Context": "User",
"Action": "Enroll",
"CertificateDetails": {
"Thumbprint": "1ed20768bdff4ceeaa04b35f61fb07124e30712d",
"Template": {
"Name": "EFS"
},
"EKUs": {
"EKU": {
"Name": "Encrypting File System",
"OID": "1.3.6.1.4.1.311.10.3.4"
}
},
"NotValidAfter": "2027-03-13T20:08:13Z"
}
}
},
"message": ""
}
Event ID 1007 — A certificate has been exported.
Event ID 1008 — A certificate has been associated with its private key.
Event ID 1009 — A certificate could not be associated with its private key.
Event ID 1010 — A certificate has been deleted from Active Directory.
Description
A certificate has been deleted from Active Directory. Please refer to the "Details" section for more information.
Message #
Fields #
| Name | Description |
|---|---|
CertNotificationData.ProcessName | — |
CertNotificationData.AccountName | — |
CertNotificationData.Context | — |
CertNotificationData.CertificateDetails | — |
EventWriteData UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-User",
"guid": "{bea18b89-126f-4155-9ee4-d36038b02680}",
"event_source_name": "",
"event_id": 1010,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T23:15:36.957732+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 10948,
"thread_id": 6968
},
"channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"CertNotificationData": {
"ProcessName": "taskhostw.exe",
"AccountName": "ludus\\domainadmin",
"Context": "User",
"CertificateDetails": {
"Thumbprint": "1ed20768bdff4ceeaa04b35f61fb07124e30712d",
"Template": {
"Name": "EFS"
},
"EKUs": {
"EKU": {
"Name": "Encrypting File System",
"OID": "1.3.6.1.4.1.311.10.3.4"
}
},
"NotValidAfter": "2027-03-13T20:08:13Z"
}
}
},
"message": ""
}