Microsoft-Windows-Winlogon

150 events across 4 channels

Event ID	Title	Channel
1	Authentication started.	Operational
2	Authentication stopped.	Operational
3		Diagnostic
4		Diagnostic
5		Diagnostic
6		Diagnostic
7		Diagnostic
8		Diagnostic
9		Diagnostic
10		Diagnostic
11		Diagnostic
12		Diagnostic
13		Diagnostic
14		Diagnostic
51		Diagnostic
52		Diagnostic
61		Diagnostic
62		Diagnostic
64		Diagnostic
65		Diagnostic
67		Diagnostic
68		Diagnostic
70		Diagnostic
71		Diagnostic
72		Diagnostic
73		Diagnostic
101		Diagnostic
102		Diagnostic
103		Diagnostic
104		Diagnostic
105		Diagnostic
106		Diagnostic
107		Diagnostic
108		Diagnostic
201		Diagnostic
202		Diagnostic
203		Diagnostic
204		Diagnostic
205		Diagnostic
206		Diagnostic
207		Diagnostic
208		Diagnostic
301		Diagnostic
401		Diagnostic
402		Diagnostic
403		Diagnostic
404		Diagnostic
501		Diagnostic
502		Diagnostic
503		Diagnostic
504		Diagnostic
505		Operational
801		Diagnostic
802		Diagnostic
803		Diagnostic
804		Diagnostic
805		Diagnostic
806		Diagnostic
807		Diagnostic
808		Diagnostic
809		Diagnostic
810		Diagnostic
811	The winlogon notification subscriber <.	Operational
812	The winlogon notification subscriber <.	Operational
1001	Logon hours expiration warning.	Operational
1002		Operational
1002		Application
1101	The computer will be locked because the user has exceeded the maximum number of …	Operational
1102	The computer will be rebooted because the user has exceeded the maximum number …	Operational
1103	The user is approaching the threshold for maximum number of failed logon …	Operational
1104	Encryption Provider initialization failed.	Operational
4002		Operational
4003		Operational
4004		Operational
4004		Application
4005		Operational
4006		Operational
4007		Operational
4008		Operational
4101		Operational
4101	Windows license validated.	Application
4102		Operational
4103		Operational
4104		Operational
4104		Application
4105		Operational
4105		Application
5001		Diagnostic
5002		Diagnostic
5003		Diagnostic
5005		Diagnostic
5007		Diagnostic
6000		Operational
6000	The winlogon notification subscriber <SessionEnv> was unavailable to handle a …	Application
6001		Diagnostic
6002		Operational
6003		Operational
6003	The winlogon notification subscriber <SessionEnv> was unavailable to handle a …	Application
6004		Operational
6004	The winlogon notification subscriber <TrustedInstaller> failed a critical …	Application
6005		Operational
6005	The winlogon notification subscriber <GPClient> is taking long time to handle …	Application
6006		Operational
6006	The winlogon notification subscriber <GPClient> took 119 second(s) to handle the …	Application
6101		Diagnostic
6102		Diagnostic
6103		Diagnostic
6104		Diagnostic
6105		Diagnostic
6106		Diagnostic
6107		Diagnostic
6108		Diagnostic
6109		Diagnostic
6110		Diagnostic
6111		Diagnostic
6112		Diagnostic
6113		Diagnostic
6114		Diagnostic
6115		Diagnostic
6116		Diagnostic
6117		Diagnostic
6118		Diagnostic
6119		Diagnostic
6120		Diagnostic
6121		Diagnostic
6122		Diagnostic
6123		Diagnostic
6124		Diagnostic
7001	User Logon Notification for Customer Experience Improvement Program	System
7002	User Logoff Notification for Customer Experience Improvement Program	System
1073742826	The shell stopped unexpectedly and %1 was restarted.	Operational
1073745826	The logon hours restriction policy is applied to the logged on user.	Operational
1073745925	Windows license validated.	Operational
1073745928	Accessing Windows in Notification period.	Operational
2147487654	The Windows logon process has failed to spawn a user application.	Operational
2147487655	The Windows logon process has failed to disconnect the user session.	Operational
2147487656	The Windows logon process has failed to connect the user session.	Operational
2147487753	Windows is in Notification period.	Operational
2147489648	The winlogon notification subscriber <.	Operational
2147489649	The winlogon notification subscriber <.	Operational
2147489650	The winlogon notification subscriber registration database cannot be loaded.	Operational
2147489651	The winlogon notification subscriber <.	Operational
2147489652	The winlogon notification subscriber <.	Operational
2147489653	The winlogon notification subscriber <.	Operational
2147489654	The winlogon notification subscriber <.	Operational
3221229475	The Windows logon process has failed to switch the desktop.	Operational
3221229476	The Windows logon process has failed to terminate the currently logged on user's …	Operational
3221229477	The Windows logon process has unexpectedly terminated.	Operational
3221229574	Windows license is invalid.	Operational
3221229575	Windows license activation failed.	Operational

Event ID 1 — Authentication started.

Provider: Microsoft-Windows-Winlogon
Channel: Operational
Level: 4
Samples: 1

Message

Authentication started.

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: DBE9B383-7CF3-4331-91CC-A3CB16A3B538
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 1
  opcode: 1
  keywords: 4611721202799542272
  time_created: '2023-11-05T22:32:19.983931+00:00'
  event_record_id: 353
  correlation: {}
  execution:
    process_id: 736
    thread_id: 1032
  channel: Microsoft-Windows-Winlogon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — Authentication stopped.

Provider: Microsoft-Windows-Winlogon
Channel: Operational
Level: 4
Samples: 1

Message

Authentication stopped. Result %1

Fields

Name	Description
`Win32Status`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: DBE9B383-7CF3-4331-91CC-A3CB16A3B538
  event_source_name: ''
  event_id: 2
  version: 0
  level: 4
  task: 1
  opcode: 2
  keywords: 4611721202799542272
  time_created: '2023-11-05T22:32:20.244576+00:00'
  event_record_id: 354
  correlation: {}
  execution:
    process_id: 736
    thread_id: 1032
  channel: Microsoft-Windows-Winlogon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Win32Status: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 4 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 5 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 7 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 8 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 9 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`CommandList`	—

Event ID 10 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 11 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 12 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 13 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 14 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 51 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 52 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 61 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 62 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 64 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 65 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 67 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 68 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 70 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 71 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 72 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 73 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 101 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 102 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 103 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 104 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 105 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 106 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 107 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 108 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 201 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 202 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 203 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 204 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 205 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 206 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 207 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 208 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 301 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 401 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 402 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Win32Status`	—

Event ID 403 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 404 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Win32Status`	—

Event ID 501 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 502 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 503 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 504 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 505 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 801 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Event`	—

Event ID 802 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Event`	—

Event ID 803 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`EventCode`	—
`SessionId`	—

Event ID 804 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`EventCode`	—
`SessionId`	—

Event ID 805 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Event`	—
`SubscriberName`	—

Event ID 806 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Event`	—
`SubscriberName`	—

Event ID 807 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Event`	—
`SubscriberName`	—
`Message`	—

Event ID 808 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Event`	—
`SubscriberName`	—
`Message`	—

Event ID 809 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`SubscriberName`	—

Event ID 810 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`SubscriberName`	—

Event ID 811 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational
Level: 4
Samples: 1

Message

The winlogon notification subscriber <%2> began handling the notification event (%1).

Fields

Name	Description
`Event`	—
`SubscriberName`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: DBE9B383-7CF3-4331-91CC-A3CB16A3B538
  event_source_name: ''
  event_id: 811
  version: 0
  level: 4
  task: 811
  opcode: 1
  keywords: 4611686018427453440
  time_created: '2023-11-05T22:32:22.759378+00:00'
  event_record_id: 367
  correlation: {}
  execution:
    process_id: 736
    thread_id: 1032
  channel: Microsoft-Windows-Winlogon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Event: 12
  SubscriberName: TermSrv
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 812 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational
Level: 4
Samples: 1

Message

The winlogon notification subscriber <%2> finished handling the notification event (%1).

Fields

Name	Description
`Event`	—
`SubscriberName`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: DBE9B383-7CF3-4331-91CC-A3CB16A3B538
  event_source_name: ''
  event_id: 812
  version: 0
  level: 4
  task: 811
  opcode: 2
  keywords: 4611686018427453440
  time_created: '2023-11-05T22:32:22.759585+00:00'
  event_record_id: 368
  correlation: {}
  execution:
    process_id: 736
    thread_id: 1032
  channel: Microsoft-Windows-Winlogon/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Event: 12
  SubscriberName: TermSrv
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1001 — Logon hours expiration warning.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Logon hours expiration warning.

Fields

Name	Description
`ActionId`	—
`TimeLeft`	—

Event ID 1002 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 1002 —

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data_0`	—
`Binary`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Wlclntfy
  event_id: 1002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-05T23:53:34.619082+00:00'
  event_record_id: 1811
  correlation: {}
  execution:
    process_id: 736
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data_0: explorer.exe
  Binary: ''
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1101 — The computer will be locked because the user has exceeded the maximum number of failed logon attempts allowed on this computer.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The computer will be locked because the user has exceeded the maximum number of failed logon attempts allowed on this computer. A recovery key is required to unlock the device.
UserSid: %1 
UserName: %2 
UserDomain: %3

Fields

Name	Description
`UserSid`	—
`UserName`	—
`UserDomain`	—

Event ID 1102 — The computer will be rebooted because the user has exceeded the maximum number of failed logon attempts allowed on this computer.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The computer will be rebooted because the user has exceeded the maximum number of failed logon attempts allowed on this computer.
UserSid: %1 
UserName: %2 
UserDomain: %3

Fields

Name	Description
`UserSid`	—
`UserName`	—
`UserDomain`	—

Event ID 1103 — The user is approaching the threshold for maximum number of failed logon attempts.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The user is approaching the threshold for maximum number of failed logon attempts. Once the maximum limit is reached the computer will be locked or rebooted.
UserSid: %1 
UserName: %2 
UserDomain: %3

Fields

Name	Description
`UserSid`	—
`UserName`	—
`UserDomain`	—

Event ID 1104 — Encryption Provider initialization failed.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Encryption Provider initialization failed. Error %1

Fields

Name	Description
`Win32Status`	—

Event ID 4002 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4003 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4004 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4004 —

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 4
Samples: 1

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Winlogon
  event_id: 4004
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2016-08-21T21:00:34.000000Z'
  event_record_id: 1596
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE10Win7
  security:
    user_id: ''
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4005 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4006 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4007 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4008 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4101 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4101 — Windows license validated.

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Winlogon
  event_id: 4101
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2013-10-23T17:51:18+00:00'
  event_record_id: 232
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  Data:
  - '0x00000000'
  - '0x00000001'
message: Windows license validated.

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 4102 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4103 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4104 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4104 —

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 4
Samples: 1

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Winlogon
  event_id: 4104
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2014-11-21T23:44:00.000000Z'
  event_record_id: 812
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4105 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 4105 —

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 3
Samples: 1

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Winlogon
  event_id: 4105
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2014-11-21T23:43:09.000000Z'
  event_record_id: 811
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 5001 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—

Event ID 5002 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 5003 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—

Event ID 5005 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 5007 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`ReadyBootTrainingCountSinceLastServicing`	—
`SyncPrefetchErrorCode`	—
`SyncPrefetchDurationMs`	—

Event ID 6000 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 6000 — The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Wlclntfy
  event_id: 6000
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-05T22:32:22.560419+00:00'
  event_record_id: 1545
  correlation: {}
  execution:
    process_id: 736
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
  - SessionEnv
  Binary: 2QYAAA==
message: The winlogon notification subscriber <SessionEnv> was unavailable to handle
  a notification event.

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 6001 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 6002 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 6003 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 6003 — The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Wlclntfy
  event_id: 6003
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-05T22:32:20.495672+00:00'
  event_record_id: 1542
  correlation: {}
  execution:
    process_id: 736
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
  - SessionEnv
  Binary: 2QYAAA==
message: The winlogon notification subscriber <SessionEnv> was unavailable to handle
  a critical notification event.

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6004 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 6004 — The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 3
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Wlclntfy
  event_id: 6004
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2013-10-23T17:32:12+00:00'
  event_record_id: 181
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  Data:
  - TrustedInstaller
  Binary: aQYAAA==
message: The winlogon notification subscriber <TrustedInstaller> failed a critical
  notification event.

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 6005 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 6005 — The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 3
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Wlclntfy
  event_id: 6005
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:16:03.529427+00:00'
  event_record_id: 116
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
  - GPClient
  - CreateSession
  Binary: SNCCJg==
message: The winlogon notification subscriber <GPClient> is taking long time to handle
  the notification event (CreateSession).

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6006 —

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Event ID 6006 — The winlogon notification subscriber <GPClient> took 119 second(s) to handle the notification event (CreateSession).

Provider: Microsoft-Windows-Winlogon
Channel: Application
Level: 3
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: '{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}'
  event_source_name: Wlclntfy
  event_id: 6006
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2022-04-07T08:17:03.466560+00:00'
  event_record_id: 120
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: ''
event_data:
  Data:
  - GPClient
  - '119'
  - CreateSession
  Binary: AAAAAA==
message: The winlogon notification subscriber <GPClient> took 119 second(s) to handle
  the notification event (CreateSession).

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6101 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`LogoffFlags`	—

Event ID 6102 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 6103 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`LogoffFlags`	—

Event ID 6104 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`LogoffFlags`	—

Event ID 6105 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6106 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6107 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Status`	—

Event ID 6108 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6109 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Status`	—

Event ID 6110 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6111 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6112 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6113 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6114 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6115 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6116 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Fields

Name	Description
`Duration`	—
`ResolverData`	—

Event ID 6117 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6118 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6119 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6120 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6121 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6122 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6123 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 6124 —

Provider: Microsoft-Windows-Winlogon
Channel: Diagnostic

Event ID 7001 — User Logon Notification for Customer Experience Improvement Program

Provider: Microsoft-Windows-Winlogon
Channel: System
Level: 4
Samples: 1

Message

User Logon Notification for Customer Experience Improvement Program

Fields

Name	Description
`TSId`	—
`UserSid`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: DBE9B383-7CF3-4331-91CC-A3CB16A3B538
  event_source_name: ''
  event_id: 7001
  version: 0
  level: 4
  task: 1101
  opcode: 0
  keywords: 2305878193585782784
  time_created: '2023-11-05T22:32:20.322384+00:00'
  event_record_id: 1941
  correlation: {}
  execution:
    process_id: 736
    thread_id: 1032
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  TSId: 1
  UserSid: S-1-5-21-1992711665-1655669231-58201500-1000
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 7002 — User Logoff Notification for Customer Experience Improvement Program

Provider: Microsoft-Windows-Winlogon
Channel: System
Level: 4
Samples: 1

Message

User Logoff Notification for Customer Experience Improvement Program

Fields

Name	Description
`TSId`	—
`UserSid`	—

Example Event

system:
  provider: Microsoft-Windows-Winlogon
  guid: DBE9B383-7CF3-4331-91CC-A3CB16A3B538
  event_source_name: ''
  event_id: 7002
  version: 0
  level: 4
  task: 1102
  opcode: 0
  keywords: 2305878193585782784
  time_created: '2023-11-05T22:31:34.253350+00:00'
  event_record_id: 1850
  correlation: {}
  execution:
    process_id: 736
    thread_id: 1328
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  TSId: 1
  UserSid: S-1-5-21-1992711665-1655669231-58201500-1000
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 1073742826 — The shell stopped unexpectedly and %1 was restarted.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The shell stopped unexpectedly and %1 was restarted.

Event ID 1073745826 — The logon hours restriction policy is applied to the logged on user.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The logon hours restriction policy is applied to the logged on user. The user's session has been locked, disconnected or logged off depending on the policy setting. User Name: %1 Domain Name: %2

Event ID 1073745925 — Windows license validated.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Windows license validated.

Event ID 1073745928 — Accessing Windows in Notification period.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Accessing Windows in Notification period.

Event ID 2147487654 — The Windows logon process has failed to spawn a user application.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The Windows logon process has failed to spawn a user application. Application name: %1. Command line parameters: %2.

Event ID 2147487655 — The Windows logon process has failed to disconnect the user session.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The Windows logon process has failed to disconnect the user session.

Event ID 2147487656 — The Windows logon process has failed to connect the user session.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The Windows logon process has failed to connect the user session.

Event ID 2147487753 — Windows is in Notification period.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Windows is in Notification period.

Event ID 2147489648 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber <%1> was unavailable to handle a notification event.

Event ID 2147489649 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber <%1> failed a notification event.

Event ID 2147489650 — The winlogon notification subscriber registration database cannot be loaded.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber registration database cannot be loaded. Reason: <%1>.

Event ID 2147489651 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber <%1> was unavailable to handle a critical notification event.

Event ID 2147489652 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber <%1> failed a critical notification event.

Event ID 2147489653 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber <%1> is taking long time to handle the notification event (%2).

Event ID 2147489654 — The winlogon notification subscriber <.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The winlogon notification subscriber <%1> took %2 second(s) to handle the notification event (%3).

Event ID 3221229475 — The Windows logon process has failed to switch the desktop.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The Windows logon process has failed to switch the desktop.

Event ID 3221229476 — The Windows logon process has failed to terminate the currently logged on user's processes.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The Windows logon process has failed to terminate the currently logged on user's processes.

Event ID 3221229477 — The Windows logon process has unexpectedly terminated.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

The Windows logon process has unexpectedly terminated.

Event ID 3221229574 — Windows license is invalid.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Windows license is invalid. Error %1. Policy Value %2.

Event ID 3221229575 — Windows license activation failed.

Provider: Microsoft-Windows-Winlogon
Channel: Operational

Message

Windows license activation failed. Error %1.