# Windows Logs

### Account Management Logs

The three-digit IDs in these tables are the legacy Windows 2000/XP/2003 identifiers. Windows Vista/Server 2008 and later log the same events from the Microsoft-Windows-Security-Auditing provider with the legacy ID plus 4096 (the Vista+ column below); the one exception is 517, which became 1102. Query the Vista+ ID on any currently supported system, and the legacy ID only against logs exported from pre-Vista hosts.

| Legacy ID | Vista+ ID | Explanation                                  |
| --------- | --------- | -------------------------------------------- |
| 624       | 4720      | User account created                         |
| 626       | 4722      | User account enabled                         |
| 627       | 4723      | Password change attempted (by the user)      |
| 628       | 4724      | User account password set (reset by another principal) |
| 629       | 4725      | User account disabled                        |
| 630       | 4726      | User account deleted                         |
| 631       | 4727      | Security-enabled global group created        |
| 632       | 4728      | Security-enabled global group member added   |
| 633       | 4729      | Security-enabled global group member removed |
| 634       | 4730      | Security-enabled global group deleted        |
| 635       | 4731      | Security-enabled local group created         |
| 636       | 4732      | Security-enabled local group member added    |
| 637       | 4733      | Security-enabled local group member removed  |
| 638       | 4734      | Security-enabled local group deleted         |
| 639       | 4735      | Security-enabled local group changed         |
| 641       | 4737      | Security-enabled global group changed        |
| 642       | 4738      | User account changed                         |
| 643       | 4739      | Domain policy changed                        |

### System Events

| Legacy ID | Vista+ ID | Explanation                                                                                                            |
| --------- | --------- | ---------------------------------------------------------------------------------------------------------------------- |
| 512       | 4608      | Windows is starting up                                                                                                 |
| 513       | 4609      | Windows is shutting down                                                                                               |
| 516       | 4612      | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits |
| 517       | 1102      | The security log was cleared (on Vista+ this is written by the Microsoft-Windows-Eventlog provider, not the +4096 rule; clearing the System or Application log produces 104 in the System log instead) |

### Policy Changes

| Legacy ID | Vista+ ID | Explanation                                                                                                  |
| --------- | --------- | ------------------------------------------------------------------------------------------------------------ |
| 608       | 4704      | A user right was assigned                                                                                    |
| 609       | 4705      | A user right was removed                                                                                     |
| 610       | 4706      | A trust relationship with another domain was created                                                         |
| 611       | 4707      | A trust relationship with another domain was removed                                                         |
| 612       | 4719      | An audit policy was changed                                                                                  |
| 768       | 4864      | A collision was detected between a namespace element in one forest and a namespace element in another forest |

### Query for Windows Event Logs

```
wevtutil qe Security /c:100 /rd:true /f:text /q:"*[System[(EventID=4719)]]"

Security  --> log name to query (Application, System, or a full channel name such as Microsoft-Windows-PowerShell/Operational also work)
/c:100    --> maximum number of events returned
/rd:true  --> read in reverse direction, newest first (default false, oldest first)
/f:text   --> output format; the default is xml, text is easier to read on the console
/q:       --> XPath filter; 4719 is "audit policy changed" on Vista+ (legacy 612, which matches nothing on a modern host)

wevtutil qe C:\evidence\Security.evtx /lf:true /f:xml /q:"*[System[(EventID=4720 or EventID=4732 or EventID=1102)]]"

/lf:true  --> treat the first argument as a path to an exported .evtx file instead of a live channel, which is what you want on a forensic copy
```

Reading the live Security log requires an elevated prompt; an exported `.evtx` only needs read access to the file.
