# Windows Logs

### Account Management Logs

| Event ID     | Explanation                                  |
| ------------ | -------------------------------------------- |
| Event ID 624 | User account created                         |
| Event ID 626 | User account enabled                         |
| Event ID 627 | Password change attempted                    |
| Event ID 628 | User account password set                    |
| Event ID 629 | User account disabled                        |
| Event ID 630 | User account deleted                         |
| Event ID 631 | Security-enabled global group created        |
| Event ID 632 | Security-enabled global group member added   |
| Event ID 633 | Security-enabled global group member removed |
| Event ID 634 | Security-enabled global group deleted        |
| Event ID 635 | Security-enabled local group created         |
| Event ID 636 | Security-enabled local group member added    |
| Event ID 637 | Security-enabled local group member removed  |
| Event ID 638 | Security-enabled local group deleted         |
| Event ID 639 | Security-enabled local group changed         |
| Event ID 641 | Security-enabled global group changed        |
| Event ID 642 | User account changed                         |
| Event ID 643 | Domain policy changed                        |

### System Events

| Event ID     | Explanation                                                                                                            |
| ------------ | ---------------------------------------------------------------------------------------------------------------------- |
| Event ID 512 | Windows is starting up                                                                                                 |
| Event ID 513 | Windows is shutting down                                                                                               |
| Event ID 516 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits |
| Event ID 517 | The security log was cleared                                                                                           |

### Policy Changes

| Event ID      | Explanation                                                                                                  |
| ------------- | ------------------------------------------------------------------------------------------------------------ |
| Event ID 608  | A user right was assigned                                                                                    |
| Event ID 609  | A user right was removed                                                                                     |
| Event ID 610  | A trust relationship with another domain was created                                                         |
| Event ID 611  | A trust relationship with another domain was removed                                                         |
| Event ID 612  | An audit policy was changed                                                                                  |
| Event ID 4864 | A collision was detected between a namespace element in one forest and a namespace element in another forest |

### Query for Windows Event Logs

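```
wevtutil qe Security /c:100 /rd:true /q:"*[System[(EventID=612)]]"
```

| Option     | Explanation                                                                         |
| ---------- | ----------------------------------------------------------------------------------- |
| `Security` | Name of the log you want to query                                                   |
| `/c:`      | Maximum number of events to return                                                  |
| `/rd:`     | Read direction: `true` returns the most recent events first, `false` the oldest first |
| `/q:`      | Your XPath query, used to select the events                                         |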
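The query above prints XML by default, as a run of sibling `<Event>` elements with no enclosing root unless `/e:` is passed, so the output must be wrapped before an XML parser will accept it. The following is an added example, not part of the original page: it parses such output and flags event IDs taken from the tables above. The sample records, the host name `HOST-A`, and the choice of IDs in `WATCHLIST` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs and wording follow the tables on this page; which IDs to watch
# is an assumption made for this example.
WATCHLIST = {
    517: "The security log was cleared",
    612: "An audit policy was changed",
    624: "User account created",
    636: "Security-enabled local group member added",
}

def _event(eid, when, record, host):
    """Build one constructed <Event> record shaped like wevtutil's XML output."""
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{eid}</EventID>"
            f"<TimeCreated SystemTime='{when}'/><EventRecordID>{record}</EventRecordID>"
            f"<Computer>{host}</Computer></System></Event>")

# Constructed sample, newest first as /rd:true would return it.
SAMPLE = (_event(517, "2024-01-02T10:05:00.000Z", 103, "HOST-A")
          + _event(513, "2024-01-02T09:30:00.000Z", 102, "HOST-A")
          + _event(612, "2024-01-02T09:00:00.000Z", 101, "HOST-A"))

def parse_events(raw):
    """Yield the System fields of each event in raw wevtutil XML output."""
    # The output is a run of sibling <Event> elements, so wrap it in a root.
    root = ET.fromstring("<Events>" + raw + "</Events>")
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        yield {
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "record": int(system.findtext("e:EventRecordID", namespaces=NS)),
            "computer": system.findtext("e:Computer", namespaces=NS),
        }

def triage(raw, watchlist=WATCHLIST):
    """Return watch-listed events as (time, computer, id, meaning), oldest first."""
    hits = [e for e in parse_events(raw) if e["id"] in watchlist]
    hits.sort(key=lambda e: e["record"])  # undo the newest-first order of /rd:true
    return [(e["time"], e["computer"], e["id"], watchlist[e["id"]]) for e in hits]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit, sep="  ")
```

To use it on real data, redirect the `wevtutil qe` output to a file and pass the file's contents to `triage()`.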
