Critical Windows Event IDs for Cybersecurity Pros

Estimated read time 5 min read

Hello, Cyberwarriors! As we know, the path to cybersecurity enlightenment is paved with event logs. These tiny nuggets of data are like clues in a digital detective story. Today, we’re going to tackle a list of some of the most important Windows Event IDs. Buckle up!

Scheduled Tasks

Event ID 4697: A New Service Was Installed in the System

When you spot Event ID 4697, it means a new service has been installed on your system. This could be harmless – or it could be malware setting up shop. Verify the origin of the service, the installer’s identity, and the nature of the service. If anything is out of order, take immediate action.

Event ID 106: Task Scheduler Task Registration

Event ID 106 is a friendly visitor. It logs when a user registers a Task Scheduler task. Regular tasks shouldn’t be alarming, but if this event is triggered at odd hours, or by unknown users, you might want to investigate further.

Event ID 4702: An Update to Scheduled Tasks

Event ID 4702 indicates that a scheduled task has been updated. This is usually benign, but if the task is linked to critical system operations or sensitive data, verify who made the update and why. If it smells fishy, you might have a security incident on your hands.

Event ID 140 & 141: Time Service Changes

Event IDs 140 and 141 log when the time service has stopped advertising as a time source. These events aren’t typically a cause for concern unless you’re running a domain controller. But if these events start happening frequently, it could indicate a problem with your system’s time synchronization.

Event ID 4699: A Scheduled Task Was Deleted

Event ID 4699 means a scheduled task was deleted. If the task wasn’t scheduled for deletion, or if the user who deleted it doesn’t have appropriate permissions, this could be a sign of a security breach.

Event ID 201: Task Scheduler Successfully Completed Task

Event ID 201 is a sign of success – the Task Scheduler successfully completed a task. Regularly scheduled tasks completing successfully aren’t usually a cause for concern, but if you see this event ID with tasks you didn’t schedule, it’s worth looking into.


Event ID 4697: The Arrival of a New Service

Heads up, folks! When you spot Event ID 4697, it means a new service has been installed on your system. Normally, this is just an everyday occurrence. But keep your guard up: if a malicious actor is masquerading as a legitimate service, then we’ve got a problem. Always verify the service’s source, the identity of the installer, and the service’s role. If something doesn’t add up, it’s time to take action.

Event ID 7045: The Birth of a New Service

Event ID 7045 is like a birth announcement in the cybersecurity world. This event ID appears whenever a new service is created on your local Windows machine. However, not all “newborns” are innocent. If this event ID is associated with unfamiliar users or services, it’s best to start digging deeper.

Event ID 7034: An Unexpected Service Termination

Are you seeing Event ID 7034? This is your sign that a service has ended unexpectedly. And as we all know, unexpected terminations usually signal trouble. If a service has stopped without warning, it’s time to investigate. Determine which service stopped and why. It could be a simple system error, or it could be a warning sign of a larger issue.

Event ID 7036: Tracking Service States

Event ID 7036 keeps tabs on the state of your system’s services. It gets logged whenever a service enters a new state, whether that’s stopped or running. Most of the time, this is just part of the normal ebb and flow of system operations. But if you notice unusual shifts, especially with critical services like the Windows Firewall, then it’s time to take a closer look.

Event ID 7040: Changes to IPSEC Services

Event ID 7040 is all about changes to the start type of IPSEC services. Sometimes, these changes are just part of routine system maintenance. But if you’re not the one making these changes, be cautious. It could be an attempt to tamper with these services. Always stay alert and vigilant.

Event Log Manipulation

Event ID 1102: The Audit Log Was Cleared

Event ID 1102 is like an alarm bell in the cybersecurity world. This event ID appears whenever the Windows Security audit log is cleared. Clearing audit logs is often a way for malicious actors to cover their tracks. If you see this event ID and you didn’t clear the logs, it’s time to investigate.

Event ID 104: The Log File Was Cleared

Similar to Event ID 1102, Event ID 104 is logged when a log file was cleared. Clearing log files can be a normal part of system maintenance, but it can also be a sign of suspicious activity. If you didn’t clear the log file, it’s important to figure out who did and why.

That is all for now…

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author