Windows Event Log service

The Windows Event Log service (also called EventLog) is a core system service.

Its job is to collect, store, and manage Windows events from the OS, applications, and security auditing. It acts like a centralized logging hub, every application or system component can report events to it.

The service itself runs inside svchost.exe which hosts multiple Windows services in a single process. Because it’s always running, events are logged in real-time.

Event Viewer

Windows Event Viewer is a built-in Microsoft Management Console (MMC) snap-in that lets you view, filter, and analyze event logs generated by Windows and installed applications.

Windows stores its event logs in two main file formats depending on the OS version:

.evt

stands for event, it’s a binary file used by older versions of Windows.

Stored in:

C:\Windows\System32\config\

or C:\Windows\System32\winevt\Logs\ on some versions.

Structure of .evt

Binary files have these key components:

  1. File Header Contains metadata: file size, version, sequence numbers.

  2. Event Records Each event is a binary structure including:

    • Record Number
    • Timestamp
    • Event ID
    • Event Type / Level
    • Source / Provider
    • User SID (Security Identifier)
    • Message String (description)

  3. Footer / Checksum Ensures integrity of the log.

Binary Files

A binary file is a file that stores data in raw bytes rather than readable text. Unlike text files, binary files are meant to be read by programs.

Examples: .exe (executables), .dll (libraries), .jpg (images), .evt (legacy event logs).

Binary files often contain structured data, like headers, records, and checksums, which the program knows how to interpret.

.evtx

combining evt(event) + x for XML, signaling the new XML-based format.

Stored in:

C:\Windows\System32\winevt\Logs\

XML-based, supports structured fields, easier parsing, forwardable, and secure.

XML

XML stands for eXtensible Markup Language. It’s used to structure data in a readable and hierarchical way, using tags.

XML-based in .evtx means the core event content is XML, but the file also includes binary headers, chunks, and checksums to manage the file efficiently.

Structure of .evtx

.evtx is highly structured, supporting both human-readable and machine-readable queries.

  1. File Header

    • Version info, header size, file flags.
    • Contains checksum and sequence number for integrity.

  2. File Chunks

    • .evtx divides logs into 64 KB chunks.

    • Each chunk has:

      • Chunk Header - metadata, sequence number, offset.
      • Event Records - structured XML data.
      • Chunk Footer / Checksum - for integrity verification.

  3. Event Records

    • XML format under <Event> tag.
    • Main sections:
<Event>
<System>
    <Provider Name="Service Control Manager"/>
    <EventID>7036</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2026-03-07T12:00:00.000Z"/>
    <EventRecordID>12345</EventRecordID>
    <Channel>System</Channel>
    <Computer>HOSTNAME</Computer>
</System>
<EventData>
    <Data>Service started successfully</Data>
</EventData>
</Event>
  • Fully queryable using XPath (XML Path Language) or PowerShell (Get-WinEvent).

  1. File Footer

    • Integrity checksum and sequence numbers.

Event Types in EVT and EVTX

Both .evt and .evtx store the same event types, just represented differently internally. Main types (Level/Severity):

Level Description
Critical System failure or crash
Error Failure requiring attention
Warning Non-critical problem
Information Normal operation info
Verbose Detailed developer info (EVTX only)

.evtx supports more structured event categorization

Log Channels

Event Viewer organizes logs into two main groups:

A. Windows Logs

These are the three (plus a couple more) we discussed:

Log Name Purpose
Application App events (crashes, warnings)
System OS, drivers, hardware
Security Auditing, logons/logoffs
Setup Windows installation events
Forwarded Events Logs collected from other machines

These are core, built-in logs that every Windows system has.

Application

Used by software applications to record operational events.

Security

This is the most important log for cybersecurity.

only generated if Windows auditing is enabled via Group Policy.

System

Generated by the Windows operating system and drivers.

This tells analysts that a system service started.

Setup

Forwarded Events

This log is used in centralized logging setups. In large organizations, administrators configure:

Windows Event Forwarding (WEF)

Event Log Fields

Each entry in the Windows Event Log is an Event and contains the following primary components:

Log Name

The channel where the event is stored.

Source

The component that generated the event.

Event ID

This is the unique identifier for the event type.

Task Category

Describes the type of operation. This often contains a value or name that can help us understand the purpose or use of the event.

Level

The severity of the event (Information, Warning, Error, Critical, or Verbose).

Keywords

Keywords are flags used for filtering.

User

The user account that was logged on when the event occurred.

OpCode

Indicates what operation occurred. This field can identify the specific operation that the event reports.

Rarely used by analysts but helpful in debugging.

Logged (Timestamp)

The date and time when the event was logged.

Computer

The name of the computer where the event occurred.

B. Applications and Services Logs

These are component-specific logs: Each Windows component or service can define its own logging channel.

For example:

Provider Channel Example
Microsoft-Windows-PowerShell Operational PowerShell command execution logs

In Event Viewer it looks like a directory path, but it’s not a folder on disk. It’s a logical log channel name used by Windows Event Log.

  • Provider: Microsoft-Windows-PowerShell the component that produces events (PowerShell in this case).
  • Channel: Operational → the specific log channel for that provider.

Together:

Microsoft-Windows-PowerShell/Operational

This tells Windows: Store events generated by the PowerShell provider in the Operational channel.

since the actual .evtx files are stored in:

C:\Windows\System32\winevt\Logs\

For PowerShell Operational:

Microsoft-Windows-PowerShell%4Operational.evtx
Note:
Windows can’t use / in filenames, so it replaces it with %4 just a safe encoding, you don’t use it when querying logs in PowerShell.

How to access it

In Event Viewer open Applications and Services Logs → Microsoft → Windows → PowerShell → Operational

In PowerShell

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational"

Event Levels (Severity)

Windows Event Logs are structured entries that record system, application, and security-related activities. Each entry is called an Event, and each event provides detailed information that helps administrators and analysts understand what occurred on the system.

Every event has a Level, which indicates severity. These apply across Application, System, Setup, and many custom logs.

Level Name Value Meaning
LogAlways 0 Internal use, always logged. Rarely shown in Event Viewer.
Critical 1 Severe issue, system/service crash, unrecoverable error. Requires immediate attention.
Error 2 Something failed, but system may still run. Example: application crash.
Warning 3 Potential issue that could cause future problems. Example: low disk space.
Information 4 Normal operations. Example: “Service started successfully”.
Verbose 5 Detailed diagnostic information. Mostly for troubleshooting.

In the (Security log), you may instead notice “Audit Success” or “Audit Failure.” These are not new severity levels. They are Keywords attached to the event.

Microsoft did this to make security auditing more intuitive: rather than just Information, you see whether an action (like a logon attempt) succeeded or failed. For example:

The Level field is still Information. The Keywords field shows Audit Success.

Logon ID

Every login session in Windows receives a unique Logon ID.
Windows assigns this ID to all actions performed during that login session.

Example:

4624  Successful login
4672  Admin privileges assigned
4688  Process started
4634  Logoff

If all these events share the same Logon ID, they belong to the same user session.

Logon ID 0x3E7

Logon ID 0x3E7 represents the Local System account.

User: SYSTEM
Domain: NT AUTHORITY

This account is used by:

  • Windows services
  • OS components
  • system-level processes

It has very high privileges on the machine. Seeing actions under this account often means:

  • a system process performed the action
  • a service executed it
  • or malware gained SYSTEM privileges

Logon Failure Status Codes

Windows assigns status/sub-status codes for failed logon attempts. These codes indicate why a logon failed and are crucial for analyzing brute-force attacks, misconfigurations, or policy violations.

Status/Sub-Status Code Description
0xC0000064 User name does not exist
0xC000006A User name is correct but the password is wrong
0xC0000234 User is currently locked out
0xC0000072 Account is currently disabled
0xC000006F User tried to logon outside allowed day/time restrictions
0xC0000070 Workstation restriction or Authentication Policy Silo violation (check Event ID 4820 on DC)
0xC0000193 Account expired
0xC0000071 Password expired
0xC0000133 Clocks between DC and computer too far out of sync
0xC0000224 User is required to change password at next logon
0xC0000225 Windows bug, not a security risk
0xC000015B User has not been granted the requested logon type (logon right) at this machine

Logon Type

Numerical codes in Windows security logs that define how a user or service accessed a system:

Logon Type Description
2 Interactive: user logged in at console (keyboard/monitor)
3 Network: access via network (file shares, SMB, etc)
4 Batch: batch job (scheduled task, script)
5 Service: service startup using service account
7 Unlock: workstation unlock
8 NetworkCleartext: network logon with cleartext credentials (rare)
9 NewCredentials: RunAs with alternate credentials
10 RemoteInteractive: Remote Desktop / Terminal Services
11 CachedInteractive: logon with cached domain credentials (offline logon)
12 CachedRemoteInteractive: cached RDP logon
13 CachedUnlock: unlock with cached credentials

Example:

Logon Type: 5
User: SYSTEM

This means a service created a logon session.

Event IDs

Every event in Windows Event Logs has a unique identifier called an Event ID. This ID corresponds to a specific type of system or security activity.

Common Event ID Ranges and Categories

Here’s a breakdown of widely used ranges:

Event ID Range Category Example Event IDs
4600-4699 Logon / Authentication 4624 (successful login), 4625 (failed login)
4700-4799 User and Group Management 4720 (user created), 4726 (user deleted), 4722 (user enabled)
4800-4899 Logon Sessions / Lockouts 4800 (workstation locked), 4801 (workstation unlocked)
4900-4999 Policy Changes / Auditing 4902 (per-user audit policy changed), 4907 (SACL changed)
5000-5099 System Integrity 5001-5002 (various system integrity events)
5100-5199 Kerberos / Authentication 4768 (Kerberos TGT requested), 4769 (Kerberos service ticket requested)
1100-1200 Antivirus / Security Platform (Defender) 1102 (audit log cleared), 1116-1120 (malware detected/remediated)
6000-6999 System / Event Log / Service Events 6005 (Event Log started), 6006 (Event Log stopped), 6013 (uptime), 7040 (service startup changed)
100-199 Application / Misc Events Depends on specific software

Here’s a compact list of commonly used Event IDs:

System / Service Events

  • 1074 → System shutdown/restart
  • 6005 → Event Log started (system boot)
  • 6006 → Event Log stopped (shutdown)
  • 6013 → System uptime
  • 7040 → Service startup type changed

Security / Audit Events

  • 1102 → Audit log cleared
  • 1116 → Malware detected
  • 1118 → Malware remediation started
  • 1119 → Malware remediation succeeded
  • 1120 → Malware remediation failed

User / Account Activity

  • 4624 → Successful login
  • 4625 → Failed login
  • 4647 → User logoff
  • 4672 → Special privileges assigned (admin)
  • 4720 → User account created
  • 4726 → User account deleted
  • 4722 → Account enabled
  • 4725 → Account disabled

Policy / Audit Changes

  • 4663 → Object accessed (files/folders)
  • 4670 → Permissions changed on object
  • 4719 → Audit policy changed
  • 4902 → Per-user audit policy changed
  • 4907 → SACL changed

Process / System Integrity

  • 4688 → Process created
  • 4689 → Process terminated
  • 4697 → Service installed

SACL Change (Audit Policy Change) 4907

ACL (Access Control List)

Think of an ACL as a rulebook attached to a file, folder, or object that tells Windows:

  1. Who can do what (DACL)
  2. Which actions should be logged (SACL)

Windows uses these two main types of ACLs:

DACL (Discretionary Access Control List)

Controls permissions (who can read/write/execute). controls access, not logging.

SACL (System Access Control List)

Controls auditing/logging, not permissions. controls what gets recorded in the Security Event Log, so administrators can track sensitive actions.

Event ID 4907 SACL Changed

4907 happens when someone changes the SACL (the audit rules) of an object.

Example: You tell Windows: Start logging every time someone deletes this file.

When you make that change, Windows logs Event ID 4907.

So Event 4907 is literally someone changed what gets logged for this file/folder event.