PatternDB Event ID Lookup
The AlienVault PatternDB.xml file is a pre-filter applied to events picked up by NXlog, reducing the number of event types sent to AlienVault.
This tool enables searching of the list and provides additional information on the events in order to aid in security investigations. Events are referenced against Microsoft's own documentaion where possible, however some Event ID's do not have dedicated pages and are referenced against other sources. This may mean a little extra digging is necessary for some events.
If an Event ID does not appear in the list below, it is of little or no security value and therefore is not collected by NXlog when using PatternDB. Similarly, if PatternDB is not in use, filtering rules can be created to filter out events not listed below.
Event ID 1 - Sysmon - Process creation
Event ID 2 - Sysmon - A process changed a file creation time
Event ID 3 - Sysmon - Network connection
Event ID 11 - Sysmon - FileCreate
Event ID 12 - Sysmon - RegistryEvent (Object create and delete)
Event ID 13 - Sysmon - RegistryEvent (Value Set)
Event ID 17 - Sysmon - PipeEvent (Pipe Created)
Event ID 19 - Sysmon - WmiEvent (WmiEventFilter activity detected)
Event ID 20 - Sysmon - WmiEvent (WmiEventConsumer activity detected)
Event ID 22 - Sysmon - DNSEvent (DNS query)
Event ID 24 - Sysmon - ClipboardChange (New content in the clipboard)
Event ID 25 - Sysmon - ProcessTampering (Process image change)
Event ID 31 - Windows Update Services - Windows Update failed to download an update.
Event ID 32 - Windows Update Services - Windows Update cannot connect to the server. Please check the connection to server %1.
Event ID 33 - Windows Event - The oldest shadow copy of volume % was deleted to keep disk space usage for shadow copies of volume V: below the user defined limit
Event ID 36 - Microsoft-Windows-Time-Service - The time service has not synchronized the system time for %1 seconds because none of the time service providers provided a usable time stamp.
Event ID 41 - Microsoft-Windows-Time-Service - The time service has been configured to use one or more input providers.
Event ID 51 - Microsoft-Windows-Time-Service - Time Provider NtpClient: The time sample received from peer %1 differs from the local time by %2 seconds.
Event ID 100 - Microsoft-Windows-ADFS - The AD FS Web Agent for Windows NT token-based applications could not contact the Federation Service during startup
Event ID 100 - Active Directory Rights Management Services - The Active Directory Domain Services (AD DS) component failed to initialize for Active Directory Rights Management Services (AD RMS).
Event ID 100 - Windows CertSvc - Certificate Services did not start: Could not load or verify the current CA certificate. Enterprise-Sub
Event ID 104 - Microsoft-Windows-ADFS - The AD FS Web Agent for Windows NT token-based applications encountered a serious error.
Event ID 104 - Microsoft-Windows-CertificationAuthority - Active Directory Certificate Services published certificate %1 to %2.
Event ID 106 - Microsoft-Windows-ADFS - The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension encountered a serious error.
Event ID 106 - Active Directory Rights Management Services - The Active Directory Rights Management Services (AD RMS) provisioning process failed to install the required performance counters or could not find the required resources.
Event ID 106 - Microsoft-Windows-CertificationAuthority - Active Directory Certificate Services cannot add certificate %1 to %2. %3. %4
Event ID 140 - Microsoft-Windows-Time-Service - The time service has stopped advertising as a time source because the local machine is not an Active Directory Domain Controller.
Event ID 140 - Microsoft-Windows-DNS-Server-ServiceDNS Server could not initialize RPC. The data is the error.
Event ID 219 - Active Directory Rights Management Services - A request was made with a payload that was too big or to a URI that was too long.
Event ID 219 - LicenseService - The certificate database could not be restored.
Event ID 307 - Microsoft-Windows-TaskScheduler - The Task Scheduler service failed to connect to the task engine "%1" process. The error value is: %2.
Event ID 307 - appevt - The launch of the setup command for application %1 from policy %2 succeeded.
Event ID 307 - Application Management - The launch of the setup command for program Program name from policy Default Domain
Event ID 307 - Microsoft-Windows-Bits-Client - It took %1 seconds to write a change file to the BITS job list. If the time required is excessive, the number of BITS jobs may be larger than this machine can handle quickly.
Event ID 400 - Microsoft-Windows-TaskScheduler - The Task Scheduler service has started.
Event ID 400 - Microsoft-Windows-TerminalServices-Gateway - The TS Gateway service is shutting down.
Event ID 400 - LDAP - LDAP Service cannot initialize its security.
Event ID 400 - Microsoft-Windows-Diagnostics-Performance - Information about the system performance monitoring event:
Event ID 400 - PowerShell - MS Windows PowerShell Event (PowerShell Audit)
Event ID 528 - Security - Successful Logon
Event ID 528 - Microsoft-Windows-Backup - Scheduled backup configuration conflicts with group policy settings, error - '%2'.
Event ID 528 - Netlogon - A user successfully logged on to a computer.
Event ID 528 - SMTPSVC - Virtual Server %1: The specified masquerade name is not valid.
Event ID 538 - Security - User Logoff
Event ID 538 - Microsoft-Windows-TBS - A compatible TPM is not found.
Event ID 538 - Netlogon - The logoff process was completed for a user.
Event ID 540 - Security - Successful Network Logon
Event ID 541 - Security - IKE security association established.
Event ID 541 - Microsoft-Windows-TerminalServices-Gateway - The resource authorization policy "%1" was deleted.
Event ID 551 - Security - User initiated logoff
Event ID 552 - Security - Logon attempt using explicit credentials
Event ID 576 - Security - Special privileges assigned to new logon
Event ID 615 - Security - IPSEC PolicyAgent Service
Event ID 624 - Security - User Account Created
Event ID 626 - Security - User Account Enabled
Event ID 628 - Security - User Account password set
Event ID 632 - Security - Security Enabled Global Group Member Added
Event ID 636 - Security - Security Enabled Local Group Member Added
Event ID 642 - Security - User Account Changed
Event ID 643 - Security - Domain Policy Changed
Event ID 680 - Security - Account Used for Logon by
Event ID 770 - Microsoft-Windows-DNS-Server-Service - DNS Server plugin DLL has been loaded
Event ID 800 - Microsoft-Windows-DNS-Server-Service - The zone %1 is configured to accept updates but the A record for the primary server in the zones SOA record is not available on this DNS server.
Event ID 865 - Microsoft-Windows-SoftwareRestrictionPolicies - Access to %1 has been restricted by your Administrator by the default software restriction policy level.
Event ID 866 - Microsoft-Windows-SoftwareRestrictionPolicies - Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
Event ID 867 - Microsoft-Windows-SoftwareRestrictionPolicies - Access to %1 has been restricted by your Administrator by software publisher policy.
Event ID 868 - Microsoft-Windows-SoftwareRestrictionPolicies - Access to %1 has been restricted by your Administrator by policy rule %2.
Event ID 882 - Microsoft-Windows-SoftwareRestrictionPolicies - Access to %1 has been restricted by your Administrator by policy rule %2.
Event ID 903 - Microsoft-Windows-Security-SPP - The Software Protection service has stopped.
Event ID 904 - ESE BACKUP - () Callback function call ended with error .
Event ID 908 - Microsoft-Windows-Application-Experience - A program was removed from the system. For details please examine the event data.
Event ID 1000 - IIS - IISInfoCtrs - Unable to open the Performance sub key of the IIS Info Service.
Event ID 1000 - Microsoft-Windows-IIS-IISManager - Failed to delete directory '{0}'.
Event ID 1000 - NTDS GENERAL - Microsoft Directory startup complete, version 5.00.2160.1
Event ID 1001 - DHCP - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address .
Event ID 1001 - dhcpserver - The DHCP service failed to register with Service Controller. The following error occurred: %1.
Event ID 1002 - DHCP - The IP address lease ip address for the Network Card with network address MAC address has been denied by the DHCP server dhcpServer IP address (The DHCP Server sent a DHCPNACK message).
Event ID 1002 - DHCPServer - The DHCP service failed to initialize its global parameters. The following error occurred: %%0.
Event ID 1002 - Microsoft-Windows-DHCP-Client - The IP address lease %1 for the network adapter with MAC address %2 has been denied by the DHCP server %3 (The DHCP server sent a DHCPNACK message).
Event ID 1005 - DHCP - DHCP failed to renew a lease for the card with network address "MAC Address." The following error occurred: The semaphore timeout period has expired.
Event ID 1005 - Microsoft-Windows-DHCP-Client - Your computer has detected that the IP address %1 for the network adapter with MAC address %2 is already in use on the network. Your computer will automatically attempt to obtain a different address.
Event ID 1005 - Microsoft-Windows-DHCP-Server - The DHCP service failed to initialize Winsock startup. The following error occurred: %1
Event ID 1005 - Microsoft-Windows-IIS-IISManager - Encountered an error while attempting to retrieve Web Management Service configuration from the registry
Event ID 1006 - DHCP - The DHCP server Failed to start the RPC server. The following error occurred : text
Event ID 1006 - DHCP Server - The Dynamic Host Configuration Protocol (DHCP) server service cannot start. Restart your computer, and try again.
Event ID 1006 - Microsoft-Windows-DHCP-Client - Your computer was unable to automatically configure the IP parameters for the network adapter with the MAC address %1. The following error occurred during configuration: %2.
Event ID 1006 - Microsoft-Windows-DHCP-Server - The DHCP Server service failed to start as a RPC server. The following error occurred : %1"
Event ID 1006 - DNS - DNS Server encountered file name %1 exceeding maximum file path length, in file %2, line %3.
Event ID 1008 - DhcpServer - The DHCP server is shutting down due to the following error: [No further data is available]
Event ID 1008 - Microsoft-Windows-DHCP-Client - Your computer was unable to initialize a Network Interface attached to the system. The error code is: %1.
Event ID 1008 - Active Directory - The consistency checker failed to initialize (error %2). Local consistency updates will be disabled until this server is rebooted.
Event ID 1010 - Active Directory - Insufficient memory was available for processing logging override settings. An attempt to allocate %1 bytes failed. No overrides will be done.
Event ID 1010 - DFSR - Service has stopped because of an internal error
Event ID 1010 - DHCP - The DHCP service encountered the following error while cleaning up the database: %n%1
Event ID 1010 - dhcpserver - The DHCP service encountered the following error while cleaning up the database: code
Event ID 1010 - Microsoft-Windows-DHCP-Client - TRACE Acquiring Lease: %1
Event ID 1022 - Active Directory - Could not allocate memory while creating cache of objects that have been recently read and one object could not be cached. The performance of the directory will decrease.
Event ID 1022 - Microsoft-Windows-DHCP-Server - The DHCP service could not use the database.
Event ID 1033 - Active Directory - Internal error: Unable to cache class schema. This Windows Domain Controller may have a memory allocation problem. Stop and restart this Windows Domain Controller and try again.
Event ID 1033 - Microsoft-Windows-DHCP-Server - The DHCP service has successfully loaded one or more callout DLLs.
Event ID 1073 - Active Directory - Internal event: The directory replication agent (DRA) got changes returning %1 objects, %2 bytes total and entries up to update sequence number (USN) %3, with extended return %4.
Event ID 1073 - Kernel - The specified service already exists.
Event ID 1074 - Active Directory - The directory replication agent (DRA) failed while assembling an update replication reply message for another site. The DRA will try again. If this condition persists, stop and restart this Windows Domain Controller. The error is: %1 The record data is the status code.
Event ID 1074 - User32 - The process %1 has initiated the %5 of
computer %2 on behalf of user %7 for the following reason: %3
Reason Code: %4
Shutdown Type: %5
Comment: %6
Event ID 1102 - Security - The audit log was cleared
Event ID 1102 - Active Directory - During intersite replication, the directory replication agent (DRA) successfully submitted a message with a length of %1 while requesting updates in partition %2 from the directory at %3.
Event ID 1102 - Microsoft-Windows-DHCP-Server - Authorization failed%0
Event ID 1104 - Security - The security Log is now full
Event ID 1104 - Active Directory - The consistency checker has terminated change notifications for the following: Partition: %1 Destination DSA DN (if available): %3 Destination DSA Address: %2
Event ID 1104 - Microsoft-Windows-DHCP-Server - Authorization failure, stopped servicing%0
Event ID 1104 - Microsoft-Windows-GroupPolicy - Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object (GPO) %8.
Event ID 1116 - Active Directory - Outbound replication is re-enabled.
Event ID 1125 - Active Directory - Unable to establish connection with server %1 error %2.
Event ID 1125 - Microsoft-Windows-GroupPolicy - The processing of Group Policy failed because of an internal system error.
Event ID 1127 - Active Directory - Replication error: A name conflict was detected while replicating the partition prefix %1 (object GUID %2).
Event ID 1127 - Microsoft-Windows-GroupPolicy - The processing of Group Policy failed due to an internal error.
Event ID 1129 - Active Directory - The replication connection from %1 to %2 was deleted to improve the replication load of the system.
Event ID 1129 - Microsoft-Windows-GroupPolicy - The processing of Group Policy failed because of lack of network connectivity to a domain controller.
Event ID 2001 - Microsoft-Windows-PerfDisk - Unable to read performance data for the Disk performance counters.
Event ID 2003 - Microsoft-Windows-DNS-Server-Service - The DNS server encountered an error writing current configuration back to boot file.
Event ID 2004 - DNS - The DNS server has been reconfigured to boot from a boot file.
Event ID 2004 - Microsoft-Windows-DNS-Server-Service - The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\%1 contains an invalid value or could not be read. The DNS server cannot start.
Event ID 2005 - DNS - The DNS server has been reconfigured to boot from a boot file. Current server and zone configuration information has been written to this file.
Event ID 2006 - Microsoft-Windows-ADFS - An error occurred during calling of the custom transform module, which is an extensibility point for third-party code.
Event ID 2033 - Microsoft-Windows-Windows Firewall with Advanced Security - All rules have been deleted from the Windows Firewall configuration on this computer. %tStore Type:%t%1 %tModifyingUser:%t%2 %tModifyingApplication:%t%3
Event ID 3001 - Microsoft-Windows-Windows Defender - %1 Real-Time Protection agents have stopped.
Event ID 3002 - Microsoft-Windows-Windows Defender - %1 Real-Time Protection agent has encountered an error and failed to start.
Event ID 3002 - Microsoft-Windows-CodeIntegrity - Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.
Event ID 3003 - Microsoft-Windows-Windows Defender - %1 Real-Time Protection checkpoint has encountered an error and failed to start.
Event ID 3003 - Microsoft-Windows-CodeIntegrity - Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.
Event ID 3004 - Microsoft-Windows-Windows Defender - %1 Real-Time Protection agent has detected spyware or other potentially unwanted software.
Event ID 3004 - Microsoft-Windows-CodeIntegrity - Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system.
Event ID 3004 - Microsoft-Windows-Wininit - Windows start-up process has failed to synchronize with the local security subsystem during setup.
Event ID 3010 - Microsoft-Windows-CodeIntegrity - Code Integrity was unable to load the %2 catalog.
Event ID 3023 - Rdr - The redirector failed to map the requested file disposition (for NtCreateFile).
Event ID 4100 - Microsoft-Windows-IDMU-Psync - Password propagation denied for user. User is in PasswordPropDeny group. %ruser = %1
Event ID 4100 - Microsoft-Windows-MSDTC - An exception occurred while processing control requests from the Service Control Manager%0
Event ID 4104 - Microsoft-Windows-IDMU-Psync - Password change request for computer account ignored. %rAccount = %1
Event ID 4608 - Windows Event - Windows is starting up
Event ID 4624 - Windows Event - An account was successfully logged on
Event ID 4625 - Windows Event - An account failed to log on
Event ID 4634 - Windows Event - An account was logged off
Event ID 4647 - Windows Event - User initiated logoff
Event ID 4648 - Windows Event - A logon was attempted using explicit credentials
Event ID 4649 - Windows Event - A replay attack was detected
Event ID 4656 - Windows Event - A handle to an object was requested
Event ID 4657 - Windows Event - A registry value was modified
Event ID 4663 - Windows Event - An attempt was made to access an object
Event ID 4664 - Windows Event - An attempt was made to create a hard link
Event ID 4672 - Windows Event - Special privileges assigned to new logon
Event ID 4688 - Windows Event - A new process has been created
Event ID 4697 - Windows Event - A service was installed in the system
Event ID 4698 - Windows Event - A scheduled task was created
Event ID 4699 - Windows Event - A scheduled task was deleted
Event ID 4700 - Windows Event - A scheduled task was enabled
Event ID 4701 - Windows Event - A scheduled task was disabled
Event ID 4702 - Windows Event - A scheduled task was updated
Event ID 4704 - Windows Event - A user right was assigned
Event ID 4705 - Windows Event - A user right was removed
Event ID 4706 - Windows Event - A new trust was created to a domain
Event ID 4707 - Windows Event - A trust to a domain was removed
Event ID 4713 - Windows Event - Kerberos policy was changed
Event ID 4714 - Windows Event - Encrypted data recovery policy was changed
Event ID 4716 - Windows Event - Trusted domain information was modified
Event ID 4719 - Windows Event - System audit policy was changed
Event ID 4720 - Windows Event - A user account was created
Event ID 4722 - Windows Event - A user account was enabled
Event ID 4723 - Windows Event - An attempt was made to change an account's password
Event ID 4724 - Windows Event - An attempt was made to reset an accounts password
Event ID 4725 - Windows Event - A user account was disabled
Event ID 4726 - Windows Event - A user account was deleted
Event ID 4727 - Windows Event - A security-enabled global group was created
Event ID 4728 - Windows Event - A member was added to a security-enabled global group
Event ID 4729 - Windows Event - A member was removed from a security-enabled global group
Event ID 4730 - Windows Event - A security-enabled global group was deleted
Event ID 4731 - Windows Event - A security-enabled local group was created
Event ID 4732 - Windows Event - A member was added to a security-enabled local group
Event ID 4733 - Windows Event - A member was removed from a security-enabled local group
Event ID 4734 - Windows Event - A security-enabled local group was deleted
Event ID 4735 - Windows Event - A security-enabled local group was changed
Event ID 4737 - Windows Event - A security-enabled global group was changed
Event ID 4738 - Windows Event - A user account was changed
Event ID 4739 - Windows Event - Domain Policy was changed
Event ID 4740 - Windows Event - A user account was locked out
Event ID 4741 - Windows Event - A computer account was created
Event ID 4742 - Windows Event - A computer account was changed
Event ID 4743 - Windows Event - A computer account was deleted
Event ID 4744 - Windows Event - A security-disabled local group was created
Event ID 4745 - Windows Event - A security-disabled local group was changed
Event ID 4746 - Windows Event - A member was added to a security-disabled local group
Event ID 4747 - Windows Event - A member was removed from a security-disabled local group
Event ID 4748 - Windows Event - A security-disabled local group was deleted
Event ID 4749 - Windows Event - A security-disabled global group was created
Event ID 4750 - Windows Event - A security-disabled global group was changed
Event ID 4751 - Windows Event - A member was added to a security-disabled global group
Event ID 4752 - Windows Event - A member was removed from a security-disabled global group
Event ID 4753 - Windows Event - A security-disabled global group was deleted
Event ID 4754 - Windows Event - A security-enabled universal group was created
Event ID 4755 - Windows Event - A security-enabled universal group was changed
Event ID 4756 - Windows Event - A member was added to a security-enabled universal group
Event ID 4757 - Windows Event - A member was removed from a security-enabled universal group
Event ID 4758 - Windows Event - A security-enabled universal group was deleted
Event ID 4759 - Windows Event - A security-disabled universal group was created
Event ID 4760 - Windows Event - A security-disabled universal group was changed
Event ID 4761 - Windows Event - A member was added to a security-disabled universal group
Event ID 4762 - Windows Event - A member was removed from a security-disabled universal group
Event ID 4763 - Windows Event - A security-disabled universal group was deleted
Event ID 4764 - Windows Event - A groups type was changed
Event ID 4767 - Windows Event - A user account was unlocked
Event ID 4768 - Windows Event - A Kerberos authentication ticket (TGT) was requested
Event ID 4769 - Windows Event - A Kerberos service ticket was requested
Event ID 4770 - Windows Event - A Kerberos service ticket was renewed
Event ID 4771 - Windows Event - Kerberos pre-authentication failed
Event ID 4776 - Windows Event - The domain controller attempted to validate the credentials for an account
Event ID 4778 - Windows Event - A session was reconnected to a Window Station
Event ID 4779 - Windows Event - A session was disconnected from a Window Station
Event ID 4781 - Windows Event - The name of an account was changed
Event ID 4782 - Windows Event - The password hash an account was accessed
Event ID 4794 - Windows Event - An attempt was made to set the Directory Services Restore Mode administrator password
Event ID 4800 - Windows Event - The workstation was locked
Event ID 4801 - Windows Event - The workstation was unlocked
Event ID 4802 - Windows Event - The screen saver was invoked
Event ID 4803 - Windows Event - The screen saver was dismissed
Event ID 4905 - Windows Event - An attempt was made to unregister a security event source
Event ID 5001 - - No Event Name available
Event ID 5004 - Microsoft-Windows-Windows Defender - %1 Real-time Protection agent configuration has changed.
Event ID 5008 - - No Event Name available
Event ID 5030 - Windows Event - The Windows Firewall Service failed to start
Event ID 5034 - Windows Event - The Windows Firewall Driver has been stopped
Event ID 5035 - Windows Event - The Windows Firewall Driver failed to start
Event ID 5038 - Windows Event - Code integrity determined that the image hash of a file is not valid
Event ID 5145 - Windows Event - A network share object was checked to see whether client can be granted desired access
Event ID 5152 - Windows Event - The Windows Filtering Platform blocked a packet
Event ID 5157 - Windows Event - The Windows Filtering Platform has blocked a connection
Event ID 5827 - Windows Event - The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
Event ID 5828 - Windows Event - The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.
Event ID 5829 - Windows Event - The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Event ID 5830 - Windows Event - The Netlogon service allowed a vulnerable Netlogon secure channel connection because the machine account is allowed in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
Event ID 6006 - Windows Event - The event log service was stopped.
Event ID 6008 - Windows Event - The previous system shutdown at Time on Date was unexpected.
Event ID 6281 - Windows Event - Code Integrity determined that the page hashes of an image file are not valid...
Event ID 7001 - Windows Event - The TCP/IP NetBIOS Helper Service depends on the NetBIOS over TCP/IP service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Event ID 7022 - Windows Event - The Distributed Transaction Coordinator service hung on starting.
Event ID 7023 - Windows Event - The %1 service terminated with the following error: %2
Event ID 7024 - Windows Event - The %1 service terminated with service-specific error %2.
Event ID 7030 - Windows Event - The %1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Event ID 7031 - Windows Event - 1.The COM+ System Application terminated unexpectedly. It has done this 1 time, the following corrective action will be taken in 1000 milliseconds:Restart the service.
2.The service terminated unexpectedly. It has done this time(s). The following corrective action will be taken inmilliseconds. .
Event ID 7032 - Windows Event - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Microsoft Exchange Routing Engine service, but this action failed with the following error: An instance of the service is already running.
Event ID 7034 - Windows Event - The service terminated unexpectedly. It has done this time(s).
Event ID 7035 - Windows Event - The %1 service was successfully sent a %2 control.
Event ID 7036 - Windows Event - 1.The Print Spooler service entered the running state.
2.The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
Event ID 7045 - Windows Event - The catalog was not propagated because no new files were detected.
Event ID 8003 - Windows Event - The master browser has received a server announcement from the computer %2 that believes that it is the master browser for the domain on transport %3. The master browser is stopping or an election is being forced
Event ID 8004 - Windows Event - A request has been submitted to promote the computer to backup when it is already a master browser.
Event ID 8006 - Windows Event - Completed periodic policy processing for computer in 4 seconds.
Event ID 8007 - Windows Event - The browser was unable to update the service status bits. The data is the error.
Event ID 8193 - Windows Event - Volume Shadow Copy Service error: Unexpected error calling routine %1. hr = %2.
Event ID 10010 - Windows Event - The server %1 did not register with DCOM within the required time-out period.
Event ID 10016 - Windows Event - The %1 permission settings do not grant %2 %3 permission for the COM Server application with CLSID %4 to the user %5\%6 SID (%7) from address %8. This security permission can be modified using the Component Services snap-in.
Event ID 10110 - Windows Event - A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.
Event ID 10111 - Windows Event - The device HID-compliant headset (location (unknown)) is offline due to a user-mode driver crash. Windows will attempt to restart the device 4 more times. Please contact the device manufacturer for more information about this problem.
Event ID 15457 - SQL Event - Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install
Event ID 18452 - SQL Event - Login failed for user %ls. Reason: Not associated with a trusted SQL Server connection.
Event ID 53504 - PowerShell Event - Windows PowerShell has started an IPC listening thread on process: