Microsoft-Windows-Winlogon
150 events across 4 channels
| Event ID | Title | Channel |
|---|---|---|
| 1 | Authentication started. | Operational |
| 2 | Authentication stopped. | Operational |
| 3 | | Diagnostic |
| 4 | | Diagnostic |
| 5 | | Diagnostic |
| 6 | | Diagnostic |
| 7 | | Diagnostic |
| 8 | | Diagnostic |
| 9 | | Diagnostic |
| 10 | | Diagnostic |
| 11 | | Diagnostic |
| 12 | | Diagnostic |
| 13 | | Diagnostic |
| 14 | | Diagnostic |
| 51 | | Diagnostic |
| 52 | | Diagnostic |
| 61 | | Diagnostic |
| 62 | | Diagnostic |
| 64 | | Diagnostic |
| 65 | | Diagnostic |
| 67 | | Diagnostic |
| 68 | | Diagnostic |
| 70 | | Diagnostic |
| 71 | | Diagnostic |
| 72 | | Diagnostic |
| 73 | | Diagnostic |
| 101 | | Diagnostic |
| 102 | | Diagnostic |
| 103 | | Diagnostic |
| 104 | | Diagnostic |
| 105 | | Diagnostic |
| 106 | | Diagnostic |
| 107 | | Diagnostic |
| 108 | | Diagnostic |
| 201 | | Diagnostic |
| 202 | | Diagnostic |
| 203 | | Diagnostic |
| 204 | | Diagnostic |
| 205 | | Diagnostic |
| 206 | | Diagnostic |
| 207 | | Diagnostic |
| 208 | | Diagnostic |
| 301 | | Diagnostic |
| 401 | | Diagnostic |
| 402 | | Diagnostic |
| 403 | | Diagnostic |
| 404 | | Diagnostic |
| 501 | | Diagnostic |
| 502 | | Diagnostic |
| 503 | | Diagnostic |
| 504 | | Diagnostic |
| 505 | | Operational |
| 801 | | Diagnostic |
| 802 | | Diagnostic |
| 803 | | Diagnostic |
| 804 | | Diagnostic |
| 805 | | Diagnostic |
| 806 | | Diagnostic |
| 807 | | Diagnostic |
| 808 | | Diagnostic |
| 809 | | Diagnostic |
| 810 | | Diagnostic |
| 811 | The winlogon notification subscriber <SubscriberName> began handling the … | Operational |
| 812 | The winlogon notification subscriber <SubscriberName> finished handling the … | Operational |
| 1001 | Logon hours expiration warning. | Operational |
| 1002 | | Application |
| 1002 | | Operational |
| 1101 | The computer will be locked because the user has exceeded the maximum number of … | Operational |
| 1102 | The computer will be rebooted because the user has exceeded the maximum number … | Operational |
| 1103 | The user is approaching the threshold for maximum number of failed logon … | Operational |
| 1104 | Encryption Provider initialization failed. | Operational |
| 4002 | | Operational |
| 4003 | | Operational |
| 4004 | | Application |
| 4004 | | Operational |
| 4005 | | Operational |
| 4006 | | Operational |
| 4007 | | Operational |
| 4008 | | Operational |
| 4101 | Windows license validated. | Application |
| 4101 | | Operational |
| 4102 | | Operational |
| 4103 | | Operational |
| 4104 | | Application |
| 4104 | | Operational |
| 4105 | | Application |
| 4105 | | Operational |
| 5001 | | Diagnostic |
| 5002 | | Diagnostic |
| 5003 | | Diagnostic |
| 5005 | | Diagnostic |
| 5007 | | Diagnostic |
| 6000 | The winlogon notification subscriber <SessionEnv> was unavailable to handle a … | Application |
| 6000 | | Operational |
| 6001 | | Diagnostic |
| 6002 | | Operational |
| 6003 | The winlogon notification subscriber <SessionEnv> was unavailable to handle a … | Application |
| 6003 | | Operational |
| 6004 | The winlogon notification subscriber <TrustedInstaller> failed a critical … | Application |
| 6004 | | Operational |
| 6005 | The winlogon notification subscriber <GPClient> is taking long time to handle … | Application |
| 6005 | | Operational |
| 6006 | The winlogon notification subscriber <GPClient> took 119 second(s) to handle the … | Application |
| 6006 | | Operational |
| 6101 | | Diagnostic |
| 6102 | | Diagnostic |
| 6103 | | Diagnostic |
| 6104 | | Diagnostic |
| 6105 | | Diagnostic |
| 6106 | | Diagnostic |
| 6107 | | Diagnostic |
| 6108 | | Diagnostic |
| 6109 | | Diagnostic |
| 6110 | | Diagnostic |
| 6111 | | Diagnostic |
| 6112 | | Diagnostic |
| 6113 | | Diagnostic |
| 6114 | | Diagnostic |
| 6115 | | Diagnostic |
| 6116 | | Diagnostic |
| 6117 | | Diagnostic |
| 6118 | | Diagnostic |
| 6119 | | Diagnostic |
| 6120 | | Diagnostic |
| 6121 | | Diagnostic |
| 6122 | | Diagnostic |
| 6123 | | Diagnostic |
| 6124 | | Diagnostic |
| 7001 | User Logon Notification for Customer Experience Improvement Program | System |
| 7002 | User Logoff Notification for Customer Experience Improvement Program | System |
| 1073742826 | The shell stopped unexpectedly and %1 was restarted. | Operational |
| 1073745826 | The logon hours restriction policy is applied to the logged on user. | Operational |
| 1073745925 | Windows license validated. | Operational |
| 1073745928 | Accessing Windows in Notification period. | Operational |
| 2147487654 | The Windows logon process has failed to spawn a user application. | Operational |
| 2147487655 | The Windows logon process has failed to disconnect the user session. | Operational |
| 2147487656 | The Windows logon process has failed to connect the user session. | Operational |
| 2147487753 | Windows is in Notification period. | Operational |
| 2147489648 | The winlogon notification subscriber <. | Operational |
| 2147489649 | The winlogon notification subscriber <. | Operational |
| 2147489650 | The winlogon notification subscriber registration database cannot be loaded. | Operational |
| 2147489651 | The winlogon notification subscriber <. | Operational |
| 2147489652 | The winlogon notification subscriber <. | Operational |
| 2147489653 | The winlogon notification subscriber <. | Operational |
| 2147489654 | The winlogon notification subscriber <. | Operational |
| 3221229475 | The Windows logon process has failed to switch the desktop. | Operational |
| 3221229476 | The Windows logon process has failed to terminate the currently logged on user's … | Operational |
| 3221229477 | The Windows logon process has unexpectedly terminated. | Operational |
| 3221229574 | Windows license is invalid. | Operational |
| 3221229575 | Windows license activation failed. | Operational |
Event ID 1 — Authentication started.
Description
Authentication started.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "DBE9B383-7CF3-4331-91CC-A3CB16A3B538",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": 4611721202799542272,
"time_created": "2023-11-05T22:32:19.983931+00:00",
"event_record_id": 353,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 1032
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2 — Authentication stopped.
Description
Authentication stopped. Result Win32Status.
Fields
| Name | Type | Description |
|---|---|---|
| Win32Status | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "DBE9B383-7CF3-4331-91CC-A3CB16A3B538",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": 4611721202799542272,
"time_created": "2023-11-05T22:32:20.244576+00:00",
"event_record_id": 354,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 1032
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Win32Status": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 4 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 5 —
Event ID 6 —
Event ID 7 —
Event ID 8 —
Event ID 9 —
Fields
| Name | Type | Description |
|---|---|---|
| CommandList | UnicodeString | — |
Event ID 10 —
Event ID 11 —
Event ID 12 —
Event ID 13 —
Event ID 14 —
Event ID 51 —
Event ID 52 —
Event ID 61 —
Event ID 62 —
Event ID 64 —
Event ID 65 —
Event ID 67 —
Event ID 68 —
Event ID 70 —
Event ID 71 —
Event ID 72 —
Event ID 73 —
Event ID 101 —
Event ID 102 —
Event ID 103 —
Event ID 104 —
Event ID 105 —
Event ID 106 —
Event ID 107 —
Event ID 108 —
Event ID 201 —
Event ID 202 —
Event ID 203 —
Event ID 204 —
Event ID 205 —
Event ID 206 —
Event ID 207 —
Event ID 208 —
Event ID 301 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 401 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 402 —
Fields
| Name | Type | Description |
|---|---|---|
| Win32Status | UInt32 | — |
Event ID 403 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 404 —
Fields
| Name | Type | Description |
|---|---|---|
| Win32Status | UInt32 | — |
Event ID 501 —
Event ID 502 —
Event ID 503 —
Event ID 504 —
Event ID 505 —
Event ID 801 —
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
Event ID 802 —
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
Event ID 803 —
Fields
| Name | Type | Description |
|---|---|---|
| EventCode | UInt32 | — |
| SessionId | UInt32 | — |
Event ID 804 —
Fields
| Name | Type | Description |
|---|---|---|
| EventCode | UInt32 | — |
| SessionId | UInt32 | — |
Event ID 805 —
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
| SubscriberName | UnicodeString | — |
Event ID 806 —
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
| SubscriberName | UnicodeString | — |
Event ID 807 —
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
| SubscriberName | UnicodeString | — |
| Message | UnicodeString | — |
Event ID 808 —
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
| SubscriberName | UnicodeString | — |
| Message | UnicodeString | — |
Event ID 809 —
Fields
| Name | Type | Description |
|---|---|---|
| SubscriberName | UnicodeString | — |
Event ID 810 —
Fields
| Name | Type | Description |
|---|---|---|
| SubscriberName | UnicodeString | — |
Event ID 811 — The winlogon notification subscriber <SubscriberName> began handling the notification event (Event).
Description
The winlogon notification subscriber <SubscriberName> began handling the notification event (Event).
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
| SubscriberName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "DBE9B383-7CF3-4331-91CC-A3CB16A3B538",
"event_source_name": "",
"event_id": 811,
"version": 0,
"level": 4,
"task": 811,
"opcode": 1,
"keywords": 4611686018427453440,
"time_created": "2023-11-05T22:32:22.759378+00:00",
"event_record_id": 367,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 1032
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"Event": 12,
"SubscriberName": "TermSrv"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 812 — The winlogon notification subscriber <SubscriberName> finished handling the notification event (Event).
Description
The winlogon notification subscriber <SubscriberName> finished handling the notification event (Event).
Fields
| Name | Type | Description |
|---|---|---|
| Event | UInt32 | — |
| SubscriberName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "DBE9B383-7CF3-4331-91CC-A3CB16A3B538",
"event_source_name": "",
"event_id": 812,
"version": 0,
"level": 4,
"task": 811,
"opcode": 2,
"keywords": 4611686018427453440,
"time_created": "2023-11-05T22:32:22.759585+00:00",
"event_record_id": 368,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 1032
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"Event": 12,
"SubscriberName": "TermSrv"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1001 — Logon hours expiration warning.
Event ID 1002 —
Fields
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 1002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T23:53:34.619082+00:00",
"event_record_id": 1811,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "explorer.exe",
"Binary": ""
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1002 —
Event ID 1101 — The computer will be locked because the user has exceeded the maximum number of failed logon attempts allowed on this computer.
Event ID 1102 — The computer will be rebooted because the user has exceeded the maximum number of failed logon attempts allowed on this computer.
Event ID 1103 — The user is approaching the threshold for maximum number of failed logon attempts.
Event ID 1104 — Encryption Provider initialization failed.
Event ID 4002 —
Event ID 4003 —
Event ID 4004 —
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2016-08-21T21:00:34.000000Z",
"event_record_id": 1596,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4004 —
Event ID 4005 —
Event ID 4006 —
Event ID 4007 —
Event ID 4008 —
Event ID 4101 — Windows license validated.
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4101,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T17:51:18+00:00",
"event_record_id": 232,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"0x00000000",
"0x00000001"
]
},
"message": "Windows license validated."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4101 —
Event ID 4102 —
Event ID 4103 —
Event ID 4104 —
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4104,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-21T23:44:00.000000Z",
"event_record_id": 812,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4104 —
Event ID 4105 —
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4105,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-21T23:43:09.000000Z",
"event_record_id": 811,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4105 —
Event ID 5001 —
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | — |
Event ID 5002 —
Event ID 5003 —
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | — |
Event ID 5005 —
Event ID 5007 —
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | — |
| ReadyBootTrainingCountSinceLastServicing | UInt32 | — |
| SyncPrefetchErrorCode | UInt32 | — |
| SyncPrefetchDurationMs | UInt32 | — |
Event ID 6000 — The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:32:22.560419+00:00",
"event_record_id": 1545,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"SessionEnv"
],
"Binary": "2QYAAA=="
},
"message": "The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 6000 —
Event ID 6001 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 6002 —
Event ID 6003 — The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6003,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:32:20.495672+00:00",
"event_record_id": 1542,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"SessionEnv"
],
"Binary": "2QYAAA=="
},
"message": "The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6003 —
Event ID 6004 — The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6004,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T17:32:12+00:00",
"event_record_id": 181,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"TrustedInstaller"
],
"Binary": "aQYAAA=="
},
"message": "The winlogon notification subscriber <TrustedInstaller> failed a critical notification event."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 6004 —
Event ID 6005 — The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6005,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:16:03.529427+00:00",
"event_record_id": 116,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"GPClient",
"CreateSession"
],
"Binary": "SNCCJg=="
},
"message": "The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession)."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6005 —
Event ID 6006 — The winlogon notification subscriber <GPClient> took 119 second(s) to handle the notification event (CreateSession).
Fields
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6006,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:17:03.466560+00:00",
"event_record_id": 120,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"GPClient",
"119",
"CreateSession"
],
"Binary": "AAAAAA=="
},
"message": "The winlogon notification subscriber <GPClient> took 119 second(s) to handle the notification event (CreateSession)."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6006 —
Event ID 6101 —
Fields
| Name | Type | Description |
|---|---|---|
| LogoffFlags | UInt32 | — |
Event ID 6102 —
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | — |
Event ID 6103 —
Fields
| Name | Type | Description |
|---|---|---|
| LogoffFlags | UInt32 | — |
Event ID 6104 —
Fields
| Name | Type | Description |
|---|---|---|
| LogoffFlags | UInt32 | — |
Event ID 6105 —
Event ID 6106 —
Event ID 6107 —
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Event ID 6108 —
Event ID 6109 —
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Event ID 6110 —
Event ID 6111 —
Event ID 6112 —
Event ID 6113 —
Event ID 6114 —
Event ID 6115 —
Event ID 6116 —
Fields
| Name | Type | Description |
|---|---|---|
| Duration | UInt32 | — |
| ResolverData | UInt32 | — |
Event ID 6117 —
Event ID 6118 —
Event ID 6119 —
Event ID 6120 —
Event ID 6121 —
Event ID 6122 —
Event ID 6123 —
Event ID 6124 —
Event ID 7001 — User Logon Notification for Customer Experience Improvement Program
Description
User Logon Notification for Customer Experience Improvement Program.
Fields
| Name | Type | Description |
|---|---|---|
| TSId | UInt32 | — |
| UserSid | SID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "DBE9B383-7CF3-4331-91CC-A3CB16A3B538",
"event_source_name": "",
"event_id": 7001,
"version": 0,
"level": 4,
"task": 1101,
"opcode": 0,
"keywords": 2305878193585782784,
"time_created": "2023-11-05T22:32:20.322384+00:00",
"event_record_id": 1941,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 1032
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TSId": 1,
"UserSid": "S-1-5-21-1992711665-1655669231-58201500-1000"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7002 — User Logoff Notification for Customer Experience Improvement Program
Description
User Logoff Notification for Customer Experience Improvement Program.
Fields
| Name | Type | Description |
|---|---|---|
| TSId | UInt32 | — |
| UserSid | SID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "DBE9B383-7CF3-4331-91CC-A3CB16A3B538",
"event_source_name": "",
"event_id": 7002,
"version": 0,
"level": 4,
"task": 1102,
"opcode": 0,
"keywords": 2305878193585782784,
"time_created": "2023-11-05T22:31:34.253350+00:00",
"event_record_id": 1850,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 1328
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TSId": 1,
"UserSid": "S-1-5-21-1992711665-1655669231-58201500-1000"
},
"message": ""
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1073742826 — The shell stopped unexpectedly and %1 was restarted.
Description
The shell stopped unexpectedly and was restarted.
Event ID 1073745826 — The logon hours restriction policy is applied to the logged on user.
Description
The logon hours restriction policy is applied to the logged on user. The user's session has been locked, disconnected or logged off depending on the policy setting. User Name: Domain Name.
Event ID 1073745925 — Windows license validated.
Description
Windows license validated.
Event ID 1073745928 — Accessing Windows in Notification period.
Description
Accessing Windows in Notification period.
Event ID 2147487654 — The Windows logon process has failed to spawn a user application.
Description
The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: .
Event ID 2147487655 — The Windows logon process has failed to disconnect the user session.
Description
The Windows logon process has failed to disconnect the user session.
Event ID 2147487656 — The Windows logon process has failed to connect the user session.
Description
The Windows logon process has failed to connect the user session.
Event ID 2147487753 — Windows is in Notification period.
Description
Windows is in Notification period.
Event ID 2147489648 — The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> was unavailable to handle a notification event.
Event ID 2147489649 — The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> failed a notification event.
Event ID 2147489650 — The winlogon notification subscriber registration database cannot be loaded.
Description
The winlogon notification subscriber registration database cannot be loaded. Reason: <>.
Event ID 2147489651 — The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> was unavailable to handle a critical notification event.
Event ID 2147489652 — The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> failed a critical notification event.
Event ID 2147489653 — The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> is taking long time to handle the notification event ().
Event ID 2147489654 — The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> took second(s) to handle the notification event ().
Event ID 3221229475 — The Windows logon process has failed to switch the desktop.
Description
The Windows logon process has failed to switch the desktop.
Event ID 3221229476 — The Windows logon process has failed to terminate the currently logged on user's processes.
Description
The Windows logon process has failed to terminate the currently logged on user's processes.
Event ID 3221229477 — The Windows logon process has unexpectedly terminated.
Description
The Windows logon process has unexpectedly terminated.
Event ID 3221229574 — Windows license is invalid.
Description
Windows license is invalid. Error . Policy Value .
Event ID 3221229575 — Windows license activation failed.
Description
Windows license activation failed. Error .