Коды событий в журнале windows расшифровка — Ваш верный помощник с OS Windows

Windows-Log-Analysis

Event code cheatsheet

Windows log event codes and sysmon codes to monitor for early detection of anomalous and suspicious behavior warranting further investigation (includes
all pertinent Windows log types)

Some of these event codes are noisy, so be sure to filter normal events in your SIEM environment to narrow search for outliers

Event codes 0-999

 18   Windows Update activity ready
 19   Windows Update activity installed
 20   Windows Update activity failure
 40   Issue with Driver
104   System log cleared (covering tracks)
106   New scheduled job (persistence through scheduled task)
129   Created task 
141   Deleted task
400   Kernel PNP events, Powershell
401   Failed OWA login (Email/VPN)  
410   Kernel PNP configuration
500   Powershell logs (PS4)
501   Powershell log 
528   Account log in (Account crawling)
540   Account log in (Account crawling)
567   Operation performed on object  (files or registry keys added)
592   New Process created (potential malicious process, malware initiation)
600   Powershell logs (PS4)
601   New service install
800   Powershell logs (PS4)
866   Access to filename restricted

Event codes 1000-1999

1000  Application error/crash
1001  DNS operational log, DNS settings (potential for MITM attack)
1007  Installation of filename not permitted
1022  Windows Installer activity updated
1033  Windows Installer activity installed
1034  Windows Installer activity removed 
1102  Audit log cleared (covering tracks)

Event codes 2000-2999

2004  Windows Firewall rule added  (firewall evasion)
2005  Windows Firewall rule modified  (firewall evasion)
2006  Windows Firewall rule deleted  (firewall evasion)

Event codes 3000-3999

3008  DNS requests/queries
3010  DNS requests/queries

Event codes 4000-4999

4100  Powershell log (PS5 and newer)
4103  Powershell log (PS5 and newer)
4104  Powershell log (PS5 and newer)
4624  Account log in (Account crawling)
4625  Failed accountt log on
4648  Logon attempt with explicit credentials
4656  Object handle accessed
4657  Registry value modified
4662  Operation performed on object (object with SACL)
4663  Operation performed on object  (files or registry keys added)
4672  Special privileges assigned to new logon
4673  Special privileges (credential harvesting/Mimikatz)
4688  New Process  (malicious process, malware initiation)
4697  Service installed
4698  New Task Created
4702  Task modified
4703  Token right modified
4719  System audit policy was changed (non SYSTEM changes to audit policy)
4720  User acct created  (password attacks)
4724  Reset password attempt  (password attacks)
4732  Account added to local admin group (Persistence, defense evasion)
4735  Local group changed  (password attacks)
4738  User account password changed  (password attacks)
4769  Kerberos ticket request, failed attempts  (Kerberos spraying, Kerberoasting)
4771  Kerberos pre-authentication failed  (Kerberos spraying, Kerberoasting)

Event codes 5000-5999

5140  Network share object accessed (Lateral movement on endpoints)
5145  Network share object accessed (Lateral movement on endpoints)
5152  Packet blocked
5154  Allowed an application to listen for incoming connections
5156  Windows Firewall allowed connection (malicious processes, failed port scans)
5157  Connection blocked

Event codes 6000-6999

6009  Lists OS versions
6281  Failed/bad hash (images with bad hashes)

Event codes 7000-7999

7009  Timeout waiting for service to connect (possibly malicious code masquerading as a service)
7040  Service Change of State
7045  New Service Install

Event codes 8000-8999

8004  Filename not allowed to run
8000-8027 Applocker events

Event codes 9000+

11707  Software installation successful (addition of unauthorized apps/programs)
11724  Software package removed (removal of required apps/programs)

Event codes used in ransomware/malware attacks

4688/592      New Process (Malware dropper, initial installation)
7045/601      New Service Install (Service added to endpoint) 
4624/528/540  Account log in 
4663/567      File & registry auditing (Files or registry new keys added, CryptoWare and malware drops)
5156          Windows Firewall Network allowed connection by process
7040          Service Change of State 
5140/560      Share accessed (crawling shares on different systems)
4657          Registry value modified
4698          New Task Created 
4769/4771     Kerberos failed attempts (Kerberos spraying, Kerberoasting)

Sysmon event codes for more granular investigation

  1   Provides hash of the process/file (4688)  (identify known malicious hash)
  3   Provides some name resolution of IP (5156)
  7   Image Loaded  (unsigned malware)
 15   File create stream hash
 17   Pipe event created
 18   Pipe event connected
 22   Provides process that made DNS query
255   Sysmon error

Источник

Windows event ID 4608 — Windows is starting up

Windows event ID 4609 — Windows is shutting down

Windows event ID 4610 — An authentication package has been loaded by the Local Security Authority

Windows event ID 4611 — A trusted logon process has been registered with the Local Security Authority

Windows event ID 4612 — Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits

Windows event ID 4614 — A notification package has been loaded by the Security Account Manager

Windows event ID 4615 — Invalid use of LPC port

Windows event ID 4616 — The system time was changed

Windows event ID 4618 — A monitored security event pattern has occurred

Windows event ID 4621 — Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded

Windows event ID 4622 — A security package has been loaded by the Local Security Authority

Windows event ID 4624 — An account was successfully logged on

Windows event ID 4625 — An account failed to log on

Windows event ID 4634 — An account was logged off

Windows event ID 4646 — IKE DoS-prevention mode started

Windows event ID 4647 — User initiated logoff

Windows event ID 4648 — A logon was attempted using explicit credentials

Windows event ID 4649 — A replay attack was detected

Windows event ID 4650 — An IPsec Main Mode security association was established

Windows event ID 4651 — An IPsec Main Mode security association was established

Windows event ID 4652 — An IPsec Main Mode negotiation failed

Windows event ID 4653 — An IPsec Main Mode negotiation failed

Windows event ID 4654 — An IPsec Quick Mode negotiation failed

Windows event ID 4655 — An IPsec Main Mode security association ended

Windows event ID 4656 — A handle to an object was requested

Windows event ID 4657 — A registry value was modified

Windows event ID 4658 — The handle to an object was closed

Windows event ID 4659 — A handle to an object was requested with intent to delete

Windows event ID 4660 — An object was deleted

Windows event ID 4661 — A handle to an object was requested

Windows event ID 4662 — An operation was performed on an object

Windows event ID 4663 — An attempt was made to access an object

Windows event ID 4664 — An attempt was made to create a hard link

Windows event ID 4665 — An attempt was made to create an application client context

Windows event ID 4666 — An application attempted an operation:

Windows event ID 4667 — An application client context was deleted

Windows event ID 4668 — An application was initialized

Windows event ID 4670 — Permissions on an object were changed

Windows event ID 4671 — An application attempted to access a blocked ordinal through the TBS

Windows event ID 4672 — Special privileges assigned to new logon

Windows event ID 4673 — A privileged service was called

Windows event ID 4674 — An operation was attempted on a privileged object

Windows event ID 4675 — SIDs were filtered

Windows event ID 4688 — A new process has been created

Windows event ID 4689 — A process has exited

Windows event ID 4690 — An attempt was made to duplicate a handle to an object

Windows event ID 4691 — Indirect access to an object was requested

Windows event ID 4692 — Backup of data protection master key was attempted

Windows event ID 4693 — Recovery of data protection master key was attempted

Windows event ID 4694 — Protection of auditable protected data was attempted

Windows event ID 4695 — Unprotection of auditable protected data was attempted

Windows event ID 4696 — A primary token was assigned to process

Windows event ID 4697 — A service was installed in the system

Windows event ID 4698 — A scheduled task was created

Windows event ID 4699 — A scheduled task was deleted

Windows event ID 4700 — A scheduled task was enabled

Windows event ID 4701 — A scheduled task was disabled

Windows event ID 4702 — A scheduled task was updated

Windows event ID 4704 — A user right was assigned

Windows event ID 4705 — A user right was removed

Windows event ID 4706 — A new trust was created to a domain

Windows event ID 4707 — A trust to a domain was removed

Windows event ID 4709 — IPsec Services was started

Windows event ID 4710 — IPsec Services was disabled

Windows event ID 4711 — PAStore Engine %1

Windows event ID 4712 — IPsec Services encountered a potentially serious failure

Windows event ID 4713 — Kerberos policy was changed

Windows event ID 4714 — Encrypted data recovery policy was changed

Windows event ID 4715 — The audit policy (SACL) on an object was changed

Windows event ID 4716 — Trusted domain information was modified

Windows event ID 4717 — System security access was granted to an account

Windows event ID 4718 — System security access was removed from an account

Windows event ID 4719 — System audit policy was changed

Windows event ID 4720 — A user account was created

Windows event ID 4722 — A user account was enabled

Windows event ID 4723 — An attempt was made to change an account’s password

Windows event ID 4724 — An attempt was made to reset an account’s password

Windows event ID 4725 — A user account was disabled

Windows event ID 4726 — A user account was deleted

Windows event ID 4727 — A security-enabled global group was created

Windows event ID 4728 — A member was added to a security-enabled global group

Windows event ID 4729 — A member was removed from a security-enabled global group

Windows event ID 4730 — A security-enabled global group was deleted

Windows event ID 4731 — A security-enabled local group was created

Windows event ID 4732 — A member was added to a security-enabled local group

Windows event ID 4733 — A member was removed from a security-enabled local group

Windows event ID 4734 — A security-enabled local group was deleted

Windows event ID 4735 — A security-enabled local group was changed

Windows event ID 4737 — A security-enabled global group was changed

Windows event ID 4738 — A user account was changed

Windows event ID 4739 — Domain Policy was changed

Windows event ID 4740 — A user account was locked out

Windows event ID 4741 — A computer account was created

Windows event ID 4742 — A computer account was changed

Windows event ID 4743 — A computer account was deleted

Windows event ID 4744 — A security-disabled local group was created

Windows event ID 4745 — A security-disabled local group was changed

Windows event ID 4746 — A member was added to a security-disabled local group

Windows event ID 4747 — A member was removed from a security-disabled local group

Windows event ID 4748 — A security-disabled local group was deleted

Windows event ID 4749 — A security-disabled global group was created

Windows event ID 4750 — A security-disabled global group was changed

Windows event ID 4751 — A member was added to a security-disabled global group

Windows event ID 4752 — A member was removed from a security-disabled global group

Windows event ID 4753 — A security-disabled global group was deleted

Windows event ID 4754 — A security-enabled universal group was created

Windows event ID 4755 — A security-enabled universal group was changed

Windows event ID 4756 — A member was added to a security-enabled universal group

Windows event ID 4757 — A member was removed from a security-enabled universal group

Windows event ID 4758 — A security-enabled universal group was deleted

Windows event ID 4759 — A security-disabled universal group was created

Windows event ID 4760 — A security-disabled universal group was changed

Windows event ID 4761 — A member was added to a security-disabled universal group

Windows event ID 4762 — A member was removed from a security-disabled universal group

Windows event ID 4763 — A security-disabled universal group was deleted

Windows event ID 4764 — A group’s type was changed

Windows event ID 4765 — SID History was added to an account

Windows event ID 4766 — An attempt to add SID History to an account failed

Windows event ID 4767 — A user account was unlocked

Windows event ID 4768 — A Kerberos authentication ticket (TGT) was requested

Windows event ID 4769 — A Kerberos service ticket was requested

Windows event ID 4770 — A Kerberos service ticket was renewed

Windows event ID 4771 — Kerberos pre-authentication failed

Windows event ID 4772 — A Kerberos authentication ticket request failed

Windows event ID 4773 — A Kerberos service ticket request failed

Windows event ID 4774 — An account was mapped for logon

Windows event ID 4775 — An account could not be mapped for logon

Windows event ID 4776 — The domain controller attempted to validate the credentials for an account

Windows event ID 4777 — The domain controller failed to validate the credentials for an account

Windows event ID 4778 — A session was reconnected to a Window Station

Windows event ID 4779 — A session was disconnected from a Window Station

Windows event ID 4780 — The ACL was set on accounts which are members of administrators groups

Windows event ID 4781 — The name of an account was changed:

Windows event ID 4782 — The password hash an account was accessed

Windows event ID 4783 — A basic application group was created

Windows event ID 4784 — A basic application group was changed

Windows event ID 4785 — A member was added to a basic application group

Windows event ID 4786 — A member was removed from a basic application group

Windows event ID 4787 — A non-member was added to a basic application group

Windows event ID 4788 — A non-member was removed from a basic application group

Windows event ID 4789 — A basic application group was deleted

Windows event ID 4790 — An LDAP query group was created

Windows event ID 4791 — A basic application group was changed

Windows event ID 4792 — An LDAP query group was deleted

Windows event ID 4793 — The Password Policy Checking API was called

Windows event ID 4794 — An attempt was made to set the Directory Services Restore Mode

Windows event ID 4800 — The workstation was locked

Windows event ID 4801 — The workstation was unlocked

Windows event ID 4802 — The screen saver was invoked

Windows event ID 4803 — The screen saver was dismissed

Windows event ID 4816 — RPC detected an integrity violation while decrypting an incoming message

Windows event ID 4817 — Auditing settings on an object were changed

Windows event ID 4864 — A namespace collision was detected

Windows event ID 4865 — A trusted forest information entry was added

Windows event ID 4866 — A trusted forest information entry was removed

Windows event ID 4867 — A trusted forest information entry was modified

Windows event ID 4868 — The certificate manager denied a pending certificate request

Windows event ID 4869 — Certificate Services received a resubmitted certificate request

Windows event ID 4870 — Certificate Services revoked a certificate

Windows event ID 4871 — Certificate Services received a request to publish the certificate revocation list (CRL)

Windows event ID 4872 — Certificate Services published the certificate revocation list (CRL)

Windows event ID 4873 — A certificate request extension changed

Windows event ID 4874 — One or more certificate request attributes changed

Windows event ID 4875 — Certificate Services received a request to shut down

Windows event ID 4876 — Certificate Services backup started

Windows event ID 4877 — Certificate Services backup completed

Windows event ID 4878 — Certificate Services restore started

Windows event ID 4879 — Certificate Services restore completed

Windows event ID 4880 — Certificate Services started

Windows event ID 4881 — Certificate Services stopped

Windows event ID 4882 — The security permissions for Certificate Services changed

Windows event ID 4883 — Certificate Services retrieved an archived key

Windows event ID 4884 — Certificate Services imported a certificate into its database

Windows event ID 4885 — The audit filter for Certificate Services changed

Windows event ID 4886 — Certificate Services received a certificate request

Windows event ID 4887 — Certificate Services approved a certificate request and issued a certificate

Windows event ID 4888 — Certificate Services denied a certificate request

Windows event ID 4889 — Certificate Services set the status of a certificate request to pending

Windows event ID 4890 — The certificate manager settings for Certificate Services changed

Windows event ID 4891 — A configuration entry changed in Certificate Services

Windows event ID 4892 — A property of Certificate Services changed

Windows event ID 4893 — Certificate Services archived a key

Windows event ID 4894 — Certificate Services imported and archived a key

Windows event ID 4895 — Certificate Services published the CA certificate to Active Directory Domain Services

Windows event ID 4896 — One or more rows have been deleted from the certificate database

Windows event ID 4897 — Role separation enabled:

Windows event ID 4898 — Certificate Services loaded a template

Windows event ID 4899 — A Certificate Services template was updated

Windows event ID 4900 — Certificate Services template security was updated

Windows event ID 4902 — The Per-user audit policy table was created

Windows event ID 4904 — An attempt was made to register a security event source

Windows event ID 4905 — An attempt was made to unregister a security event source

Windows event ID 4906 — The CrashOnAuditFail value has changed

Windows event ID 4907 — Auditing settings on object were changed

Windows event ID 4908 — Special Groups Logon table modified

Windows event ID 4909 — The local policy settings for the TBS were changed

Windows event ID 4910 — The group policy settings for the TBS were changed

Windows event ID 4912 — Per User Audit Policy was changed

Windows event ID 4928 — An Active Directory replica source naming context was established

Windows event ID 4929 — An Active Directory replica source naming context was removed

Windows event ID 4930 — An Active Directory replica source naming context was modified

Windows event ID 4931 — An Active Directory replica destination naming context was modified

Windows event ID 4932 — Synchronization of a replica of an Active Directory naming context has begun

Windows event ID 4933 — Synchronization of a replica of an Active Directory naming context has ended

Windows event ID 4934 — Attributes of an Active Directory object were replicated

Windows event ID 4935 — Replication failure begins

Windows event ID 4936 — Replication failure ends

Windows event ID 4937 — A lingering object was removed from a replica

Windows event ID 4944 — The following policy was active when the Windows Firewall started

Windows event ID 4945 — A rule was listed when the Windows Firewall started

Windows event ID 4946 — A change has been made to Windows Firewall exception list. A rule was added

Windows event ID 4947 — A change has been made to Windows Firewall exception list. A rule was modified

Windows event ID 4948 — A change has been made to Windows Firewall exception list. A rule was deleted

Windows event ID 4949 — Windows Firewall settings were restored to the default values

Windows event ID 4950 — A Windows Firewall setting has changed

Windows event ID 4951 — A rule has been ignored because its major version number was not recognized by Windows Firewall

Windows event ID 4952 — Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced

Windows event ID 4953 — A rule has been ignored by Windows Firewall because it could not parse the rule

Windows event ID 4954 — Windows Firewall Group Policy settings have changed. The new settings have been applied

Windows event ID 4956 — Windows Firewall has changed the active profile

Windows event ID 4957 — Windows Firewall did not apply the following rule:

Windows event ID 4958 — Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

Windows event ID 4960 — IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remot

Windows event ID 4961 — IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer

Windows event ID 4962 — IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay

Windows event ID 4963 — IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt

Windows event ID 4964 — Special groups have been assigned to a new logon

Windows event ID 4965 — IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent fr

Windows event ID 4976 — IPsec received an invalid negotiation packet

Windows event ID 4977 — IPsec received an invalid negotiation packet

Windows event ID 4978 — IPsec received an invalid negotiation packet

Windows event ID 4979 — IPsec Main Mode and Extended Mode security associations were established

Windows event ID 4980 — IPsec Main Mode and Extended Mode security associations were established

Windows event ID 4981 — IPsec Main Mode and Extended Mode security associations were established

Windows event ID 4982 — IPsec Main Mode and Extended Mode security associations were established

Windows event ID 4983 — An IPsec Extended Mode negotiation failed

Windows event ID 4984 — An IPsec Extended Mode negotiation failed

Windows event ID 4985 — The state of a transaction has changed

Windows event ID 5024 — The Windows Firewall Service has started successfully

Windows event ID 5025 — The Windows Firewall Service has been stopped

Windows event ID 5027 — The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy

Windows event ID 5028 — The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy

Windows event ID 5029 — The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy

Windows event ID 5030 — The Windows Firewall Service failed to start

Windows event ID 5031 — The Windows Firewall Service blocked an application from accepting incoming connections on the network

Windows event ID 5032 — Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network

Windows event ID 5033 — The Windows Firewall Driver has started successfully

Windows event ID 5034 — The Windows Firewall Driver has been stopped

Windows event ID 5035 — The Windows Firewall Driver failed to start

Windows event ID 5037 — The Windows Firewall Driver detected critical runtime error. Terminating

Windows event ID 5038 — Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error

Windows event ID 5039 — A registry key was virtualized

Windows event ID 5040 — IPsec: An Authentication Set was added

Windows event ID 5041 — IPsec: An Authentication Set was modified

Windows event ID 5042 — IPsec: An Authentication Set was deleted

Windows event ID 5043 — IPsec: A Connection Security Rule was added

Windows event ID 5044 — IPsec: A Connection Security Rule was modified

Windows event ID 5045 — IPsec: A Connection Security Rule was deleted

Windows event ID 5046 — IPsec: A Crypto Set was added

Windows event ID 5047 — IPsec: A Crypto Set was modified

Windows event ID 5048 — IPsec: A Crypto Set was deleted

Windows event ID 5049 — An IPsec Security Association was deleted

Windows event ID 5050 — An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected because this API is not supported on Windows Vista

Windows event ID 5051 — A file was virtualized

Windows event ID 5056 — A cryptographic self test was performed

Windows event ID 5057 — A cryptographic primitive operation failed

Windows event ID 5058 — Key file operation

Windows event ID 5059 — Key migration operation

Windows event ID 5060 — Verification operation failed

Windows event ID 5061 — Cryptographic operation

Windows event ID 5062 — A kernel-mode cryptographic self test was performed

Windows event ID 5063 — A cryptographic provider operation was attempted

Windows event ID 5064 — A cryptographic context operation was attempted

Windows event ID 5065 — A cryptographic context modification was attempted

Windows event ID 5066 — A cryptographic function operation was attempted

Windows event ID 5067 — A cryptographic function modification was attempted

Windows event ID 5068 — A cryptographic function provider operation was attempted

Windows event ID 5069 — A cryptographic function property operation was attempted

Windows event ID 5070 — A cryptographic function property modification was attempted

Windows event ID 5120 — OCSP Responder Service Started

Windows event ID 5121 — OCSP Responder Service Stopped

Windows event ID 5122 — A Configuration entry changed in the OCSP Responder Service

Windows event ID 5123 — A configuration entry changed in the OCSP Responder Service

Windows event ID 5124 — A security setting was updated on OCSP Responder Service

Windows event ID 5125 — A request was submitted to OCSP Responder Service

Windows event ID 5126 — Signing Certificate was automatically updated by the OCSP Responder Service

Windows event ID 5127 — The OCSP Revocation Provider successfully updated the revocation information

Windows event ID 5136 — A directory service object was modified

Windows event ID 5137 — A directory service object was created

Windows event ID 5138 — A directory service object was undeleted

Windows event ID 5139 — A directory service object was moved

Windows event ID 5140 — A network share object was accessed

Windows event ID 5141 — A directory service object was deleted

Windows event ID 5142 — A network share object was added

Windows event ID 5143 — A network share object was modified

Windows event ID 5144 — A network share object was deleted

Windows event ID 5145 — A network share object was checked to see whether the client can be granted desired access

Windows event ID 5148 — The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded

Windows event ID 5149 — The DoS attack has subsided and normal processing is being resumed

Windows event ID 5150 — The Windows Filtering Platform has blocked a packet

Windows event ID 5151 — A more restrictive Windows Filtering Platform filter has blocked a packet

Windows event ID 5152 — The Windows Filtering Platform blocked a packet

Windows event ID 5153 — A more restrictive Windows Filtering Platform filter has blocked a packet

Windows event ID 5154 — The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections

Windows event ID 5155 — The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections

Windows event ID 5156 — The Windows Filtering Platform has allowed a connection

Windows event ID 5157 — The Windows Filtering Platform has blocked a connection

Windows event ID 5158 — The Windows Filtering Platform has permitted a bind to a local port

Windows event ID 5159 — The Windows Filtering Platform has blocked a bind to a local port

Windows event ID 5168 — Spn check for SMB/SMB2 failed

Windows event ID 5376 — Credential Manager credentials were backed up

Windows event ID 5377 — Credential Manager credentials were restored from a backup

Windows event ID 5378 — The requested credentials delegation was disallowed by policy

Windows event ID 5440 — The following callout was present when the Windows Filtering Platform Base Filtering Engine started

Windows event ID 5441 — The following filter was present when the Windows Filtering Platform Base Filtering Engine started

Windows event ID 5442 — The following provider was present when the Windows Filtering Platform Base Filtering Engine started

Windows event ID 5443 — The following provider context was present when the Windows Filtering Platform Base Filtering Engine started

Windows event ID 5444 — The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started

Windows event ID 5446 — A Windows Filtering Platform callout has been changed

Windows event ID 5447 — A Windows Filtering Platform filter has been changed

Windows event ID 5448 — A Windows Filtering Platform provider has been changed

Windows event ID 5449 — A Windows Filtering Platform provider context has been changed

Windows event ID 5450 — A Windows Filtering Platform sub-layer has been changed

Windows event ID 5451 — An IPsec Quick Mode security association was established

Windows event ID 5452 — An IPsec Quick Mode security association ended

Windows event ID 5453 — An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started

Windows event ID 5456 — PAStore Engine applied Active Directory storage IPsec policy on the computer

Windows event ID 5457 — PAStore Engine failed to apply Active Directory storage IPsec policy on the computer

Windows event ID 5458 — PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer

Windows event ID 5459 — PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer

Windows event ID 5460 — PAStore Engine applied local registry storage IPsec policy on the computer

Windows event ID 5461 — PAStore Engine failed to apply local registry storage IPsec policy on the computer

Windows event ID 5462 — PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem

Windows event ID 5463 — PAStore Engine polled for changes to the active IPsec policy and detected no changes

Windows event ID 5464 — PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services

Windows event ID 5465 — PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully

Windows event ID 5466 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active D

Windows event ID 5467 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being us

Windows event ID 5468 — PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy i

Windows event ID 5471 — PAStore Engine loaded local storage IPsec policy on the computer

Windows event ID 5472 — PAStore Engine failed to load local storage IPsec policy on the computer

Windows event ID 5473 — PAStore Engine loaded directory storage IPsec policy on the computer

Windows event ID 5474 — PAStore Engine failed to load directory storage IPsec policy on the computer

Windows event ID 5477 — PAStore Engine failed to add quick mode filter

Windows event ID 5478 — IPsec Services has started successfully

Windows event ID 5479 — IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks

Windows event ID 5480 — IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use

Windows event ID 5483 — IPsec Services failed to initialize RPC server. IPsec Services could not be started

Windows event ID 5484 — IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks

Windows event ID 5485 — IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPs

Windows event ID 5632 — A request was made to authenticate to a wireless network

Windows event ID 5633 — A request was made to authenticate to a wired network

Windows event ID 5712 — A Remote Procedure Call (RPC) was attempted

Windows event ID 5888 — An object in the COM+ Catalog was modified

Windows event ID 5889 — An object was deleted from the COM+ Catalog

Windows event ID 5890 — An object was added to the COM+ Catalog

Windows event ID 6144 — Security policy in the group policy objects has been applied successfully

Windows event ID 6145 — One or more errors occurred while processing security policy in the group policy objects

Windows event ID 6272 — Network Policy Server granted access to a user

Windows event ID 6273 — Network Policy Server denied access to a user

Windows event ID 6274 — Network Policy Server discarded the request for a user

Windows event ID 6275 — Network Policy Server discarded the accounting request for a user

Windows event ID 6276 — Network Policy Server quarantined a user

Windows event ID 6277 — Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy

Windows event ID 6278 — Network Policy Server granted full access to a user because the host met the defined health policy

Windows event ID 6279 — Network Policy Server locked the user account due to repeated failed authentication attempts

Windows event ID 6280 — Network Policy Server unlocked the user account

Windows event ID 6281 — Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk

Windows event ID 6400 — BranchCache: Received an incorrectly formatted response while discovering availability of content.

Windows event ID 6401 — BranchCache: Received invalid data from a peer. Data discarded.

Windows event ID 6402 — BranchCache: The message to the hosted cache offering it data is incorrectly formatted.

Windows event ID 6403 — BranchCache: The hosted cache sent an incorrectly formatted response to the client

Windows event ID 6404 — BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.

Windows event ID 6405 — BranchCache: %2 instance(s) of event id %1 occurred

Windows event ID 6406 — %1 registered to Windows Firewall to control filtering for the following: %2

Windows event ID 6407 — 1%

Windows event ID 6408 — Registered product %1 failed and Windows Firewall is now controlling the filtering for %2

Windows event ID 8191 — Highest System-Defined Audit Message Value

Источник

Время на прочтение4 мин

Количество просмотров309K

Рэнди Франклин Смит (CISA, SSCP, Security MVP) имеет в своем арсенале очень полезный документ, рассказывающий о том, какие события (event IDs) обязательно должны отслеживаться в рамках обеспечения информационной безопасности Windows. В этом документе изложена крайне полезная информация, которая позволит Вам “выжать” максимум из штатной системы аудита. Мы подготовили перевод этого материала. Заинтересованных приглашаем под кат.

О том, как настроить аудит, мы уже обстоятельно писали в одном из наших постов. Но из всех event id, которые встречаются в журналах событий, необходимо остановить свое внимание на нескольких критических важных. На каких именно – решать каждому. Однако Рэнди Франклин Смит предлагает сосредоточить внимание на 10 важных событиях безопасности в Windows.

Контроллеры доменов

Event ID — (Категория) — Описание

1) 675 или 4771
(Аудит событий входа в систему)
Событие 675/4771 на контроллере домена указывает на неудачную попытку войти через Kerberos на рабочей станции с доменной учетной записью. Обычно причиной этого является несоответствующий пароль, но код ошибки указывает, почему именно аутентификация была неудачной. Таблица кодов ошибок Kerberos приведена ниже.

2) 676, или Failed 672 или 4768
(Аудит событий входа в систему)
Событие 676/4768 логгируется для других типов неудачной аутентификации. Таблица кодов Kerberos приведена ниже.
ВНИМАНИЕ: В Windows 2003 Server событие отказа записывается как 672 вместо 676.

3) 681 или Failed 680 или 4776
(Аудит событий входа в систему)
Событие 681/4776 на контроллере домена указывает на неудачную попытку входа в систему через
NTLM с доменной учетной записью. Код ошибки указывает, почему именно аутентификация была неудачной.
Коды ошибок NTLM приведены ниже.
ВНИМАНИЕ: В Windows 2003 Server событие отказа записывается как 680 вместо 681.

4) 642 или 4738
(Аудит управления учетными записями)
Событие 642/4738 указывает на изменения в указанной учетной записи, такие как сброс пароля или активация деактивированной до этого учетной записи. Описание события уточняется в соответствие с типом изменения.

5) 632 или 4728; 636 или 4732; 660 или 4756
(Аудит управления учетными записями)
Все три события указывают на то, что указанный пользователь был добавлен в определенную группу. Обозначены Глобальная (Global), Локальная (Local) и Общая (Universal) соответственно для каждого ID.

6) 624 или 4720
(Аудит управления учетными записями)
Была создана новая учетная запись пользователя

7) 644 или 4740
(Аудит управления учетными записями)
Учетная запись указанного пользователя была заблокирована после нескольких попыток входа

517 или 1102
(Аудит системных событий)
Указанный пользователь очистил журнал безопасности

Вход и выход из системы (Logon/Logoff)

Event Id — Описание

528 или 4624 — Успешный вход в систему
529 или 4625 — Отказ входа в систему – Неизвестное имя пользователя или неверный пароль
530 или 4625 Отказ входа в систему – Вход в систему не был осуществлен в течение обозначенного периода времени
531 или 4625 — Отказ входа в систему – Учетная запись временно деактивирована
532 или 4625 — Отказ входа в систему – Срок использования указанной учетной записи истек
533 или 4625 — Отказ входа в систему – Пользователю не разрешается осуществлять вход в систему на данном компьютере
534 или 4625 или 5461 — Отказ входа в систему – Пользователь не был разрешен запрашиваемый тип входа на данном компьютере
535 или 4625 — Отказ входа в систему – Срок действия пароля указанной учетной записи истек
539 или 4625 — Отказ входа в систему – Учетная запись заблокирована
540 или 4624 — Успешный сетевой вход в систему (Только Windows 2000, XP, 2003)

Типы входов в систему (Logon Types)

Тип входа в систему — Описание

2 — Интерактивный (вход с клавиатуры или экрана системы)
3 — Сетевой (например, подключение к общей папке на этом компьютере из любого места в сети или IIS вход — Никогда не заходил 528 на Windows Server 2000 и выше. См. событие 540)
4 — Пакет (batch) (например, запланированная задача)
5 — Служба (Запуск службы)
7 — Разблокировка (например, необслуживаемая рабочая станция с защищенным паролем скринсейвером)
8 — NetworkCleartext (Вход с полномочиями (credentials), отправленными в виде простого текст. Часто обозначает вход в IIS с “базовой аутентификацией”)
9 — NewCredentials
10 — RemoteInteractive (Терминальные службы, Удаленный рабочий стол или удаленный помощник)
11 — CachedInteractive (вход с кешированными доменными полномочиями, например, вход на рабочую станцию, которая находится не в сети)

Коды отказов Kerberos

Код ошибки — Причина

6 — Имя пользователя не существует
12 — Ограничение рабочей машины; ограничение времени входа в систему
18 — Учетная запись деактивирована, заблокирована или истек срок ее действия
23 — Истек срок действия пароля пользователя
24 — Предварительная аутентификация не удалась; обычно причиной является неверный пароль
32 — Истек срок действия заявки. Это нормальное событие, которое логгируется учетными записями компьютеров
37 — Время на рабочей машины давно не синхронизировалось со временем на контроллере домена

Коды ошибок NTLM

Код ошибки (десятичная система) — Код ошибки (16-ричная система) — Описание

3221225572 — C0000064 — Такого имени пользователя не существует
3221225578 — C000006A — Верное имя пользователя, но неверный пароль
3221226036 — C0000234 — Учетная запись пользователя заблокирована
3221225586 — C0000072 — Учетная запись деактивирована
3221225583 — C000006F — Пользователь пытается войти в систему вне обозначенного периода времени (рабочего времени)
3221225584 — C0000070 — Ограничение рабочей станции
3221225875 — C0000193 — Истек срок действия учетной записи
3221225585 — C0000071 — Истек срок действия пароля
3221226020 — C0000224 — Пользователь должен поменять пароль при следующем входе в систему

Еще раз продублируем ссылку на скачивание документа на сайте Рэнди Франклина Смита www.ultimatewindowssecurity.com/securitylog/quickref/Default.aspx. Нужно будет заполнить небольшую форму, чтобы получить к нему доступ.

P.S. Хотите полностью автоматизировать работу с журналами событий? Попробуйте новую версию NetWrix Event Log Manager 4.0, которая осуществляет сбор и архивирование журналов событий, строит отчеты и генерирует оповещения в режиме реального времени. Программа собирает данные с многочисленных компьютеров сети, предупреждает Вас о критических событиях и централизованно хранит данные обо всех событиях в сжатом формате для удобства анализа архивных данных журналов. Доступна бесплатная версия программы для 10 контроллеров доменов и 100 компьютеров.

Источник

Windows	1100	The event logging service has shut down
Windows	1101	Audit events have been dropped by the transport.
Windows	1102	The audit log was cleared
Windows	1104	The security Log is now full
Windows	1105	Event log automatic backup
Windows	1108	The event logging service encountered an error
Windows	4608	Windows is starting up
Windows	4609	Windows is shutting down
Windows	4610	An authentication package has been loaded by the Local Security Authority
Windows	4611	A trusted logon process has been registered with the Local Security Authority
Windows	4612	Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Windows	4614	A notification package has been loaded by the Security Account Manager.
Windows	4615	Invalid use of LPC port
Windows	4616	The system time was changed.
Windows	4618	A monitored security event pattern has occurred
Windows	4621	Administrator recovered system from CrashOnAuditFail
Windows	4622	A security package has been loaded by the Local Security Authority.
Windows	4624	An account was successfully logged on
Windows	4625	An account failed to log on
Windows	4626	User/Device claims information
Windows	4627	Group membership information.
Windows	4634	An account was logged off
Windows	4646	IKE DoS-prevention mode started
Windows	4647	User initiated logoff
Windows	4648	A logon was attempted using explicit credentials
Windows	4649	A replay attack was detected
Windows	4650	An IPsec Main Mode security association was established
Windows	4651	An IPsec Main Mode security association was established
Windows	4652	An IPsec Main Mode negotiation failed
Windows	4653	An IPsec Main Mode negotiation failed
Windows	4654	An IPsec Quick Mode negotiation failed
Windows	4655	An IPsec Main Mode security association ended
Windows	4656	A handle to an object was requested
Windows	4657	A registry value was modified
Windows	4658	The handle to an object was closed
Windows	4659	A handle to an object was requested with intent to delete
Windows	4660	An object was deleted
Windows	4661	A handle to an object was requested
Windows	4662	An operation was performed on an object
Windows	4663	An attempt was made to access an object
Windows	4664	An attempt was made to create a hard link
Windows	4665	An attempt was made to create an application client context.
Windows	4666	An application attempted an operation
Windows	4667	An application client context was deleted
Windows	4668	An application was initialized
Windows	4670	Permissions on an object were changed
Windows	4671	An application attempted to access a blocked ordinal through the TBS
Windows	4672	Special privileges assigned to new logon
Windows	4673	A privileged service was called
Windows	4674	An operation was attempted on a privileged object
Windows	4675	SIDs were filtered
Windows	4688	A new process has been created
Windows	4689	A process has exited
Windows	4690	An attempt was made to duplicate a handle to an object
Windows	4691	Indirect access to an object was requested
Windows	4692	Backup of data protection master key was attempted
Windows	4693	Recovery of data protection master key was attempted
Windows	4694	Protection of auditable protected data was attempted
Windows	4695	Unprotection of auditable protected data was attempted
Windows	4696	A primary token was assigned to process
Windows	4697	A service was installed in the system
Windows	4698	A scheduled task was created
Windows	4699	A scheduled task was deleted
Windows	4700	A scheduled task was enabled
Windows	4701	A scheduled task was disabled
Windows	4702	A scheduled task was updated
Windows	4703	A token right was adjusted
Windows	4704	A user right was assigned
Windows	4705	A user right was removed
Windows	4706	A new trust was created to a domain
Windows	4707	A trust to a domain was removed
Windows	4709	IPsec Services was started
Windows	4710	IPsec Services was disabled
Windows	4711	PAStore Engine (1%)
Windows	4712	IPsec Services encountered a potentially serious failure
Windows	4713	Kerberos policy was changed
Windows	4714	Encrypted data recovery policy was changed
Windows	4715	The audit policy (SACL) on an object was changed
Windows	4716	Trusted domain information was modified
Windows	4717	System security access was granted to an account
Windows	4718	System security access was removed from an account
Windows	4719	System audit policy was changed
Windows	4720	A user account was created
Windows	4722	A user account was enabled
Windows	4723	An attempt was made to change an account’s password
Windows	4724	An attempt was made to reset an accounts password
Windows	4725	A user account was disabled
Windows	4726	A user account was deleted
Windows	4727	A security-enabled global group was created
Windows	4728	A member was added to a security-enabled global group
Windows	4729	A member was removed from a security-enabled global group
Windows	4730	A security-enabled global group was deleted
Windows	4731	A security-enabled local group was created
Windows	4732	A member was added to a security-enabled local group
Windows	4733	A member was removed from a security-enabled local group
Windows	4734	A security-enabled local group was deleted
Windows	4735	A security-enabled local group was changed
Windows	4737	A security-enabled global group was changed
Windows	4738	A user account was changed
Windows	4739	Domain Policy was changed
Windows	4740	A user account was locked out
Windows	4741	A computer account was created
Windows	4742	A computer account was changed
Windows	4743	A computer account was deleted
Windows	4744	A security-disabled local group was created
Windows	4745	A security-disabled local group was changed
Windows	4746	A member was added to a security-disabled local group
Windows	4747	A member was removed from a security-disabled local group
Windows	4748	A security-disabled local group was deleted
Windows	4749	A security-disabled global group was created
Windows	4750	A security-disabled global group was changed
Windows	4751	A member was added to a security-disabled global group
Windows	4752	A member was removed from a security-disabled global group
Windows	4753	A security-disabled global group was deleted
Windows	4754	A security-enabled universal group was created
Windows	4755	A security-enabled universal group was changed
Windows	4756	A member was added to a security-enabled universal group
Windows	4757	A member was removed from a security-enabled universal group
Windows	4758	A security-enabled universal group was deleted
Windows	4759	A security-disabled universal group was created
Windows	4760	A security-disabled universal group was changed
Windows	4761	A member was added to a security-disabled universal group
Windows	4762	A member was removed from a security-disabled universal group
Windows	4763	A security-disabled universal group was deleted
Windows	4764	A groups type was changed
Windows	4765	SID History was added to an account
Windows	4766	An attempt to add SID History to an account failed
Windows	4767	A user account was unlocked
Windows	4768	A Kerberos authentication ticket (TGT) was requested
Windows	4769	A Kerberos service ticket was requested
Windows	4770	A Kerberos service ticket was renewed
Windows	4771	Kerberos pre-authentication failed
Windows	4772	A Kerberos authentication ticket request failed
Windows	4773	A Kerberos service ticket request failed
Windows	4774	An account was mapped for logon
Windows	4775	An account could not be mapped for logon
Windows	4776	The domain controller attempted to validate the credentials for an account
Windows	4777	The domain controller failed to validate the credentials for an account
Windows	4778	A session was reconnected to a Window Station
Windows	4779	A session was disconnected from a Window Station
Windows	4780	The ACL was set on accounts which are members of administrators groups
Windows	4781	The name of an account was changed
Windows	4782	The password hash an account was accessed
Windows	4783	A basic application group was created
Windows	4784	A basic application group was changed
Windows	4785	A member was added to a basic application group
Windows	4786	A member was removed from a basic application group
Windows	4787	A non-member was added to a basic application group
Windows	4788	A non-member was removed from a basic application group..
Windows	4789	A basic application group was deleted
Windows	4790	An LDAP query group was created
Windows	4791	A basic application group was changed
Windows	4792	An LDAP query group was deleted
Windows	4793	The Password Policy Checking API was called
Windows	4794	An attempt was made to set the Directory Services Restore Mode administrator password
Windows	4797	An attempt was made to query the existence of a blank password for an account
Windows	4798	A user’s local group membership was enumerated.
Windows	4799	A security-enabled local group membership was enumerated
Windows	4800	The workstation was locked
Windows	4801	The workstation was unlocked
Windows	4802	The screen saver was invoked
Windows	4803	The screen saver was dismissed
Windows	4816	RPC detected an integrity violation while decrypting an incoming message
Windows	4817	Auditing settings on object were changed.
Windows	4818	Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Windows	4819	Central Access Policies on the machine have been changed
Windows	4820	A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions
Windows	4821	A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions
Windows	4822	NTLM authentication failed because the account was a member of the Protected User group
Windows	4823	NTLM authentication failed because access control restrictions are required
Windows	4824	Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group
Windows	4825	A user was denied the access to Remote Desktop. By default, users are allowed to connect only if they are members of the Remote Desktop Users group or Administrators group
Windows	4826	Boot Configuration Data loaded
Windows	4830	SID History was removed from an account
Windows	4864	A namespace collision was detected
Windows	4865	A trusted forest information entry was added
Windows	4866	A trusted forest information entry was removed
Windows	4867	A trusted forest information entry was modified
Windows	4868	The certificate manager denied a pending certificate request
Windows	4869	Certificate Services received a resubmitted certificate request
Windows	4870	Certificate Services revoked a certificate
Windows	4871	Certificate Services received a request to publish the certificate revocation list (CRL)
Windows	4872	Certificate Services published the certificate revocation list (CRL)
Windows	4873	A certificate request extension changed
Windows	4874	One or more certificate request attributes changed.
Windows	4875	Certificate Services received a request to shut down
Windows	4876	Certificate Services backup started
Windows	4877	Certificate Services backup completed
Windows	4878	Certificate Services restore started
Windows	4879	Certificate Services restore completed
Windows	4880	Certificate Services started
Windows	4881	Certificate Services stopped
Windows	4882	The security permissions for Certificate Services changed
Windows	4883	Certificate Services retrieved an archived key
Windows	4884	Certificate Services imported a certificate into its database
Windows	4885	The audit filter for Certificate Services changed
Windows	4886	Certificate Services received a certificate request
Windows	4887	Certificate Services approved a certificate request and issued a certificate
Windows	4888	Certificate Services denied a certificate request
Windows	4889	Certificate Services set the status of a certificate request to pending
Windows	4890	The certificate manager settings for Certificate Services changed.
Windows	4891	A configuration entry changed in Certificate Services
Windows	4892	A property of Certificate Services changed
Windows	4893	Certificate Services archived a key
Windows	4894	Certificate Services imported and archived a key
Windows	4895	Certificate Services published the CA certificate to Active Directory Domain Services
Windows	4896	One or more rows have been deleted from the certificate database
Windows	4897	Role separation enabled
Windows	4898	Certificate Services loaded a template
Windows	4899	A Certificate Services template was updated
Windows	4900	Certificate Services template security was updated
Windows	4902	The Per-user audit policy table was created
Windows	4904	An attempt was made to register a security event source
Windows	4905	An attempt was made to unregister a security event source
Windows	4906	The CrashOnAuditFail value has changed
Windows	4907	Auditing settings on object were changed
Windows	4908	Special Groups Logon table modified
Windows	4909	The local policy settings for the TBS were changed
Windows	4910	The group policy settings for the TBS were changed
Windows	4911	Resource attributes of the object were changed
Windows	4912	Per User Audit Policy was changed
Windows	4913	Central Access Policy on the object was changed
Windows	4928	An Active Directory replica source naming context was established
Windows	4929	An Active Directory replica source naming context was removed
Windows	4930	An Active Directory replica source naming context was modified
Windows	4931	An Active Directory replica destination naming context was modified
Windows	4932	Synchronization of a replica of an Active Directory naming context has begun
Windows	4933	Synchronization of a replica of an Active Directory naming context has ended
Windows	4934	Attributes of an Active Directory object were replicated
Windows	4935	Replication failure begins
Windows	4936	Replication failure ends
Windows	4937	A lingering object was removed from a replica
Windows	4944	The following policy was active when the Windows Firewall started
Windows	4945	A rule was listed when the Windows Firewall started
Windows	4946	A change has been made to Windows Firewall exception list. A rule was added
Windows	4947	A change has been made to Windows Firewall exception list. A rule was modified
Windows	4948	A change has been made to Windows Firewall exception list. A rule was deleted
Windows	4949	Windows Firewall settings were restored to the default values
Windows	4950	A Windows Firewall setting has changed
Windows	4951	A rule has been ignored because its major version number was not recognized by Windows Firewall
Windows	4952	Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall
Windows	4953	A rule has been ignored by Windows Firewall because it could not parse the rule
Windows	4954	Windows Firewall Group Policy settings has changed. The new settings have been applied
Windows	4956	Windows Firewall has changed the active profile
Windows	4957	Windows Firewall did not apply the following rule
Windows	4958	Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
Windows	4960	IPsec dropped an inbound packet that failed an integrity check
Windows	4961	IPsec dropped an inbound packet that failed a replay check
Windows	4962	IPsec dropped an inbound packet that failed a replay check
Windows	4963	IPsec dropped an inbound clear text packet that should have been secured
Windows	4964	Special groups have been assigned to a new logon
Windows	4965	IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).
Windows	4976	During Main Mode negotiation, IPsec received an invalid negotiation packet.
Windows	4977	During Quick Mode negotiation, IPsec received an invalid negotiation packet.
Windows	4978	During Extended Mode negotiation, IPsec received an invalid negotiation packet.
Windows	4979	IPsec Main Mode and Extended Mode security associations were established.
Windows	4980	IPsec Main Mode and Extended Mode security associations were established
Windows	4981	IPsec Main Mode and Extended Mode security associations were established
Windows	4982	IPsec Main Mode and Extended Mode security associations were established
Windows	4983	An IPsec Extended Mode negotiation failed
Windows	4984	An IPsec Extended Mode negotiation failed
Windows	4985	The state of a transaction has changed
Windows	5024	The Windows Firewall Service has started successfully
Windows	5025	The Windows Firewall Service has been stopped
Windows	5027	The Windows Firewall Service was unable to retrieve the security policy from the local storage
Windows	5028	The Windows Firewall Service was unable to parse the new security policy.
Windows	5029	The Windows Firewall Service failed to initialize the driver
Windows	5030	The Windows Firewall Service failed to start
Windows	5031	The Windows Firewall Service blocked an application from accepting incoming connections on the network.
Windows	5032	Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
Windows	5033	The Windows Firewall Driver has started successfully
Windows	5034	The Windows Firewall Driver has been stopped
Windows	5035	The Windows Firewall Driver failed to start
Windows	5037	The Windows Firewall Driver detected critical runtime error. Terminating
Windows	5038	Code integrity determined that the image hash of a file is not valid
Windows	5039	A registry key was virtualized.
Windows	5040	A change has been made to IPsec settings. An Authentication Set was added.
Windows	5041	A change has been made to IPsec settings. An Authentication Set was modified
Windows	5042	A change has been made to IPsec settings. An Authentication Set was deleted
Windows	5043	A change has been made to IPsec settings. A Connection Security Rule was added
Windows	5044	A change has been made to IPsec settings. A Connection Security Rule was modified
Windows	5045	A change has been made to IPsec settings. A Connection Security Rule was deleted
Windows	5046	A change has been made to IPsec settings. A Crypto Set was added
Windows	5047	A change has been made to IPsec settings. A Crypto Set was modified
Windows	5048	A change has been made to IPsec settings. A Crypto Set was deleted
Windows	5049	An IPsec Security Association was deleted
Windows	5050	An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE
Windows	5051	A file was virtualized
Windows	5056	A cryptographic self test was performed
Windows	5057	A cryptographic primitive operation failed
Windows	5058	Key file operation
Windows	5059	Key migration operation
Windows	5060	Verification operation failed
Windows	5061	Cryptographic operation
Windows	5062	A kernel-mode cryptographic self test was performed
Windows	5063	A cryptographic provider operation was attempted
Windows	5064	A cryptographic context operation was attempted
Windows	5065	A cryptographic context modification was attempted
Windows	5066	A cryptographic function operation was attempted
Windows	5067	A cryptographic function modification was attempted
Windows	5068	A cryptographic function provider operation was attempted
Windows	5069	A cryptographic function property operation was attempted
Windows	5070	A cryptographic function property operation was attempted
Windows	5071	Key access denied by Microsoft key distribution service
Windows	5120	OCSP Responder Service Started
Windows	5121	OCSP Responder Service Stopped
Windows	5122	A Configuration entry changed in the OCSP Responder Service
Windows	5123	A configuration entry changed in the OCSP Responder Service
Windows	5124	A security setting was updated on OCSP Responder Service
Windows	5125	A request was submitted to OCSP Responder Service
Windows	5126	Signing Certificate was automatically updated by the OCSP Responder Service
Windows	5127	The OCSP Revocation Provider successfully updated the revocation information
Windows	5136	A directory service object was modified
Windows	5137	A directory service object was created
Windows	5138	A directory service object was undeleted
Windows	5139	A directory service object was moved
Windows	5140	A network share object was accessed
Windows	5141	A directory service object was deleted
Windows	5142	A network share object was added.
Windows	5143	A network share object was modified
Windows	5144	A network share object was deleted.
Windows	5145	A network share object was checked to see whether client can be granted desired access
Windows	5146	The Windows Filtering Platform has blocked a packet
Windows	5147	A more restrictive Windows Filtering Platform filter has blocked a packet
Windows	5148	The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
Windows	5149	The DoS attack has subsided and normal processing is being resumed.
Windows	5150	The Windows Filtering Platform has blocked a packet.
Windows	5151	A more restrictive Windows Filtering Platform filter has blocked a packet.
Windows	5152	The Windows Filtering Platform blocked a packet
Windows	5153	A more restrictive Windows Filtering Platform filter has blocked a packet
Windows	5154	The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
Windows	5155	The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
Windows	5156	The Windows Filtering Platform has allowed a connection
Windows	5157	The Windows Filtering Platform has blocked a connection
Windows	5158	The Windows Filtering Platform has permitted a bind to a local port
Windows	5159	The Windows Filtering Platform has blocked a bind to a local port
Windows	5168	Spn check for SMB/SMB2 fails.
Windows	5169	A directory service object was modified
Windows	5170	A directory service object was modified during a background cleanup task
Windows	5376	Credential Manager credentials were backed up
Windows	5377	Credential Manager credentials were restored from a backup
Windows	5378	The requested credentials delegation was disallowed by policy
Windows	5379	Credential Manager credentials were read
Windows	5380	Vault Find Credential
Windows	5381	Vault credentials were read
Windows	5382	Vault credentials were read
Windows	5440	The following callout was present when the Windows Filtering Platform Base Filtering Engine started
Windows	5441	The following filter was present when the Windows Filtering Platform Base Filtering Engine started
Windows	5442	The following provider was present when the Windows Filtering Platform Base Filtering Engine started
Windows	5443	The following provider context was present when the Windows Filtering Platform Base Filtering Engine started
Windows	5444	The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started
Windows	5446	A Windows Filtering Platform callout has been changed
Windows	5447	A Windows Filtering Platform filter has been changed
Windows	5448	A Windows Filtering Platform provider has been changed
Windows	5449	A Windows Filtering Platform provider context has been changed
Windows	5450	A Windows Filtering Platform sub-layer has been changed
Windows	5451	An IPsec Quick Mode security association was established
Windows	5452	An IPsec Quick Mode security association ended
Windows	5453	An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
Windows	5456	PAStore Engine applied Active Directory storage IPsec policy on the computer
Windows	5457	PAStore Engine failed to apply Active Directory storage IPsec policy on the computer
Windows	5458	PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer
Windows	5459	PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer
Windows	5460	PAStore Engine applied local registry storage IPsec policy on the computer
Windows	5461	PAStore Engine failed to apply local registry storage IPsec policy on the computer
Windows	5462	PAStore Engine failed to apply some rules of the active IPsec policy on the computer
Windows	5463	PAStore Engine polled for changes to the active IPsec policy and detected no changes
Windows	5464	PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services
Windows	5465	PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully
Windows	5466	PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead
Windows	5467	PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy
Windows	5468	PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes
Windows	5471	PAStore Engine loaded local storage IPsec policy on the computer
Windows	5472	PAStore Engine failed to load local storage IPsec policy on the computer
Windows	5473	PAStore Engine loaded directory storage IPsec policy on the computer
Windows	5474	PAStore Engine failed to load directory storage IPsec policy on the computer
Windows	5477	PAStore Engine failed to add quick mode filter
Windows	5478	IPsec Services has started successfully
Windows	5479	IPsec Services has been shut down successfully
Windows	5480	IPsec Services failed to get the complete list of network interfaces on the computer
Windows	5483	IPsec Services failed to initialize RPC server. IPsec Services could not be started
Windows	5484	IPsec Services has experienced a critical failure and has been shut down
Windows	5485	IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
Windows	5632	A request was made to authenticate to a wireless network
Windows	5633	A request was made to authenticate to a wired network
Windows	5712	A Remote Procedure Call (RPC) was attempted
Windows	5888	An object in the COM+ Catalog was modified
Windows	5889	An object was deleted from the COM+ Catalog
Windows	5890	An object was added to the COM+ Catalog
Windows	6144	Security policy in the group policy objects has been applied successfully
Windows	6145	One or more errors occured while processing security policy in the group policy objects
Windows	6272	Network Policy Server granted access to a user
Windows	6273	Network Policy Server denied access to a user
Windows	6274	Network Policy Server discarded the request for a user
Windows	6275	Network Policy Server discarded the accounting request for a user
Windows	6276	Network Policy Server quarantined a user
Windows	6277	Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
Windows	6278	Network Policy Server granted full access to a user because the host met the defined health policy
Windows	6279	Network Policy Server locked the user account due to repeated failed authentication attempts
Windows	6280	Network Policy Server unlocked the user account
Windows	6281	Code Integrity determined that the page hashes of an image file are not valid…
Windows	6400	BranchCache: Received an incorrectly formatted response while discovering availability of content.
Windows	6401	BranchCache: Received invalid data from a peer. Data discarded.
Windows	6402	BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
Windows	6403	BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.
Windows	6404	BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
Windows	6405	BranchCache: %2 instance(s) of event id %1 occurred.
Windows	6406	%1 registered to Windows Firewall to control filtering for the following:
Windows	6407	%1
Windows	6408	Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
Windows	6409	BranchCache: A service connection point object could not be parsed
Windows	6410	Code integrity determined that a file does not meet the security requirements to load into a process. This could be due to the use of shared sections or other issues
Windows	6416	A new external device was recognized by the system.
Windows	6417	The FIPS mode crypto selftests succeeded
Windows	6418	The FIPS mode crypto selftests failed
Windows	6419	A request was made to disable a device
Windows	6420	A device was disabled
Windows	6421	A request was made to enable a device
Windows	6422	A device was enabled
Windows	6423	The installation of this device is forbidden by system policy
Windows	6424	The installation of this device was allowed, after having previously been forbidden by policy
Windows	8191	Highest System-Defined Audit Message Value

Источник

Сообщение (сортировано по названию)
Код

Код
Сообщение (сортировано по коду)

WM_ACTIVATE
0x0006

0x0000
WM_NULL

WM_ACTIVATEAPP
0x001C

0x0001
WM_CREATE

WM_AFXFIRST
0x0360

0x0002
WM_DESTROY

WM_AFXLAST
0x037F

0x0003
WM_MOVE

WM_APP
0x8000

0x0005
WM_SIZE

WM_APPCOMMAND
0x0319

0x0006
WM_ACTIVATE

WM_ASKCBFORMATNAME
0x030C

0x0007
WM_SETFOCUS

WM_CANCELJOURNAL
0x004B

0x0008
WM_KILLFOCUS

WM_CANCELMODE
0x001F

0x000A
WM_ENABLE

WM_CAPTURECHANGED
0x0215

0x000B
WM_SETREDRAW

WM_CHANGECBCHAIN
0x030D

0x000C
WM_SETTEXT

WM_CHANGEUISTATE
0x0127

0x000D
WM_GETTEXT

WM_CHAR
0x0102

0x000E
WM_GETTEXTLENGTH

WM_CHARTOITEM
0x002F

0x000F
WM_PAINT

WM_CHILDACTIVATE
0x0022

0x0010
WM_CLOSE

WM_CLEAR
0x0303

0x0011
WM_QUERYENDSESSION

WM_CLOSE
0x0010

0x0013
WM_QUERYOPEN

WM_COMMAND
0x0111

0x0016
WM_ENDSESSION

WM_COMMNOTIFY
0x0044

0x0012
WM_QUIT

WM_COMPACTING
0x0041

0x0014
WM_ERASEBKGND

WM_COMPAREITEM
0x0039

0x0015
WM_SYSCOLORCHANGE

WM_CONTEXTMENU
0x007B

0x0018
WM_SHOWWINDOW

WM_COPY
0x0301

0x001A
WM_WININICHANGE

WM_COPYDATA
0x004A

0x001A
WM_SETTINGCHANGE

WM_CREATE
0x0001

0x001B
WM_DEVMODECHANGE

WM_CTLCOLORBTN
0x0135

0x001C
WM_ACTIVATEAPP

WM_CTLCOLORDLG
0x0136

0x001D
WM_FONTCHANGE

WM_CTLCOLOREDIT
0x0133

0x001E
WM_TIMECHANGE

WM_CTLCOLORLISTBOX
0x0134

0x001F
WM_CANCELMODE

WM_CTLCOLORMSGBOX
0x0132

0x0020
WM_SETCURSOR

WM_CTLCOLORSCROLLBAR
0x0137

0x0021
WM_MOUSEACTIVATE

WM_CTLCOLORSTATIC
0x0138

0x0022
WM_CHILDACTIVATE

WM_CUT
0x0300

0x0023
WM_QUEUESYNC

WM_DEADCHAR
0x0103

0x0024
WM_GETMINMAXINFO

WM_DELETEITEM
0x002D

0x0026
WM_PAINTICON

WM_DESTROY
0x0002

0x0027
WM_ICONERASEBKGND

WM_DESTROYCLIPBOARD
0x0307

0x0028
WM_NEXTDLGCTL

WM_DEVICECHANGE
0x0219

0x002A
WM_SPOOLERSTATUS

WM_DEVMODECHANGE
0x001B

0x002B
WM_DRAWITEM

WM_DISPLAYCHANGE
0x007E

0x002C
WM_MEASUREITEM

WM_DRAWCLIPBOARD
0x0308

0x002D
WM_DELETEITEM

WM_DRAWITEM
0x002B

0x002E
WM_VKEYTOITEM

WM_DROPFILES
0x0233

0x002F
WM_CHARTOITEM

WM_ENABLE
0x000A

0x0030
WM_SETFONT

WM_ENDSESSION
0x0016

0x0031
WM_GETFONT

WM_ENTERIDLE
0x0121

0x0032
WM_SETHOTKEY

WM_ENTERMENULOOP
0x0211

0x0033
WM_GETHOTKEY

WM_ENTERSIZEMOVE
0x0231

0x0037
WM_QUERYDRAGICON

WM_ERASEBKGND
0x0014

0x0039
WM_COMPAREITEM

WM_EXITMENULOOP
0x0212

0x003D
WM_GETOBJECT

WM_EXITSIZEMOVE
0x0232

0x0041
WM_COMPACTING

WM_FONTCHANGE
0x001D

0x0044
WM_COMMNOTIFY

WM_GETDLGCODE
0x0087

0x0046
WM_WINDOWPOSCHANGING

WM_GETFONT
0x0031

0x0047
WM_WINDOWPOSCHANGED

WM_GETHOTKEY
0x0033

0x0048
WM_POWER

WM_GETICON
0x007F

0x004A
WM_COPYDATA

WM_GETMINMAXINFO
0x0024

0x004B
WM_CANCELJOURNAL

WM_GETOBJECT
0x003D

0x004E
WM_NOTIFY

WM_GETTEXT
0x000D

0x0050
WM_INPUTLANGCHANGEREQUEST

WM_GETTEXTLENGTH
0x000E

0x0051
WM_INPUTLANGCHANGE

WM_HANDHELDFIRST
0x0358

0x0052
WM_TCARD

WM_HANDHELDLAST
0x035F

0x0053
WM_HELP

WM_HELP
0x0053

0x0054
WM_USERCHANGED

WM_HOTKEY
0x0312

0x0055
WM_NOTIFYFORMAT

WM_HSCROLL
0x0114

0x007B
WM_CONTEXTMENU

WM_HSCROLLCLIPBOARD
0x030E

0x007C
WM_STYLECHANGING

WM_ICONERASEBKGND
0x0027

0x007D
WM_STYLECHANGED

WM_IME_CHAR
0x0286

0x007E
WM_DISPLAYCHANGE

WM_IME_COMPOSITION
0x010F

0x007F
WM_GETICON

WM_IME_COMPOSITIONFULL
0x0284

0x0080
WM_SETICON

WM_IME_CONTROL
0x0283

0x0081
WM_NCCREATE

WM_IME_ENDCOMPOSITION
0x010E

0x0082
WM_NCDESTROY

WM_IME_KEYDOWN
0x0290

0x0083
WM_NCCALCSIZE

WM_IME_KEYLAST
0x010F

0x0084
WM_NCHITTEST

WM_IME_KEYUP
0x0291

0x0085
WM_NCPAINT

WM_IME_NOTIFY
0x0282

0x0086
WM_NCACTIVATE

WM_IME_REQUEST
0x0288

0x0087
WM_GETDLGCODE

WM_IME_SELECT
0x0285

0x0088
WM_SYNCPAINT

WM_IME_SETCONTEXT
0x0281

0x00A0
WM_NCMOUSEMOVE

WM_IME_STARTCOMPOSITION
0x010D

0x00A1
WM_NCLBUTTONDOWN

WM_INITDIALOG
0x0110

0x00A2
WM_NCLBUTTONUP

WM_INITMENU
0x0116

0x00A3
WM_NCLBUTTONDBLCLK

WM_INITMENUPOPUP
0x0117

0x00A4
WM_NCRBUTTONDOWN

WM_INPUT
0x00FF

0x00A5
WM_NCRBUTTONUP

WM_INPUTLANGCHANGE
0x0051

0x00A6
WM_NCRBUTTONDBLCLK

WM_INPUTLANGCHANGEREQUEST
0x0050

0x00A7
WM_NCMBUTTONDOWN

WM_KEYDOWN
0x0100

0x00A8
WM_NCMBUTTONUP

WM_KEYFIRST
0x0100

0x00A9
WM_NCMBUTTONDBLCLK

WM_KEYLAST (Windows 2000)
0x0108

0x00AB
WM_NCXBUTTONDOWN

WM_KEYLAST
0x0109

0x00AC
WM_NCXBUTTONUP

WM_KEYUP
0x0101

0x00AD
WM_NCXBUTTONDBLCLK

WM_KILLFOCUS
0x0008

0x00FF
WM_INPUT

WM_LBUTTONDBLCLK
0x0203

0x0100
WM_KEYFIRST

WM_LBUTTONDOWN
0x0201

0x0100
WM_KEYDOWN

WM_LBUTTONUP
0x0202

0x0101
WM_KEYUP

WM_MBUTTONDBLCLK
0x0209

0x0102
WM_CHAR

WM_MBUTTONDOWN
0x0207

0x0103
WM_DEADCHAR

WM_MBUTTONUP
0x0208

0x0104
WM_SYSKEYDOWN

WM_MDIACTIVATE
0x0222

0x0105
WM_SYSKEYUP

WM_MDICASCADE
0x0227

0x0106
WM_SYSCHAR

WM_MDICREATE
0x0220

0x0107
WM_SYSDEADCHAR

WM_MDIDESTROY
0x0221

0x0108
WM_KEYLAST (Windows 2000)

WM_MDIGETACTIVE
0x0229

0x0109
WM_KEYLAST

WM_MDIICONARRANGE
0x0228

0x0109
WM_UNICHAR

WM_MDIMAXIMIZE
0x0225

0x010D
WM_IME_STARTCOMPOSITION

WM_MDINEXT
0x0224

0x010E
WM_IME_ENDCOMPOSITION

WM_MDIREFRESHMENU
0x0234

0x010F
WM_IME_COMPOSITION

WM_MDIRESTORE
0x0223

0x010F
WM_IME_KEYLAST

WM_MDISETMENU
0x0230

0x0110
WM_INITDIALOG

WM_MDITILE
0x0226

0x0111
WM_COMMAND

WM_MEASUREITEM
0x002C

0x0112
WM_SYSCOMMAND

WM_MENUCHAR
0x0120

0x0113
WM_TIMER

WM_MENUCOMMAND
0x0126

0x0114
WM_HSCROLL

WM_MENUDRAG
0x0123

0x0115
WM_VSCROLL

WM_MENUGETOBJECT
0x0124

0x0116
WM_INITMENU

WM_MENURBUTTONUP
0x0122

0x0117
WM_INITMENUPOPUP

WM_MENUSELECT
0x011F

0x011F
WM_MENUSELECT

WM_MOUSEACTIVATE
0x0021

0x0120
WM_MENUCHAR

WM_MOUSEFIRST
0x0200

0x0121
WM_ENTERIDLE

WM_MOUSEHOVER
0x02A1

0x0122
WM_MENURBUTTONUP

WM_MOUSELAST(2K,XP,2k3)
0x020D

0x0123
WM_MENUDRAG

WM_MOUSELAST(95)
0x0209

0x0124
WM_MENUGETOBJECT

WM_MOUSELAST(NT4,98)
0x020A

0x0125
WM_UNINITMENUPOPUP

WM_MOUSELEAVE
0x02A3

0x0126
WM_MENUCOMMAND

WM_MOUSEMOVE
0x0200

0x0127
WM_CHANGEUISTATE

WM_MOUSEWHEEL
0x020A

0x0128
WM_UPDATEUISTATE

WM_MOVE
0x0003

0x0129
WM_QUERYUISTATE

WM_MOVING
0x0216

0x0132
WM_CTLCOLORMSGBOX

WM_NCACTIVATE
0x0086

0x0133
WM_CTLCOLOREDIT

WM_NCCALCSIZE
0x0083

0x0134
WM_CTLCOLORLISTBOX

WM_NCCREATE
0x0081

0x0135
WM_CTLCOLORBTN

WM_NCDESTROY
0x0082

0x0136
WM_CTLCOLORDLG

WM_NCHITTEST
0x0084

0x0137
WM_CTLCOLORSCROLLBAR

WM_NCLBUTTONDBLCLK
0x00A3

0x0138
WM_CTLCOLORSTATIC

WM_NCLBUTTONDOWN
0x00A1

0x0200
WM_MOUSEFIRST

WM_NCLBUTTONUP
0x00A2

0x0200
WM_MOUSEMOVE

WM_NCMBUTTONDBLCLK
0x00A9

0x0201
WM_LBUTTONDOWN

WM_NCMBUTTONDOWN
0x00A7

0x0202
WM_LBUTTONUP

WM_NCMBUTTONUP
0x00A8

0x0203
WM_LBUTTONDBLCLK

WM_NCMOUSEHOVER
0x02A0

0x0204
WM_RBUTTONDOWN

WM_NCMOUSELEAVE
0x02A2

0x0205
WM_RBUTTONUP

WM_NCMOUSEMOVE
0x00A0

0x0206
WM_RBUTTONDBLCLK

WM_NCPAINT
0x0085

0x0207
WM_MBUTTONDOWN

WM_NCRBUTTONDBLCLK
0x00A6

0x0208
WM_MBUTTONUP

WM_NCRBUTTONDOWN
0x00A4

0x0209
WM_MBUTTONDBLCLK

WM_NCRBUTTONUP
0x00A5

0x0209
WM_MOUSELAST(95)

WM_NCXBUTTONDBLCLK
0x00AD

0x020A
WM_MOUSEWHEEL

WM_NCXBUTTONDOWN
0x00AB

0x020A
WM_MOUSELAST(NT4,98)

WM_NCXBUTTONUP
0x00AC

0x020B
WM_XBUTTONDOWN

WM_NEXTDLGCTL
0x0028

0x020C
WM_XBUTTONUP

WM_NEXTMENU
0x0213

0x020D
WM_XBUTTONDBLCLK

WM_NOTIFY
0x004E

0x020D
WM_MOUSELAST(2K,XP,2k3)

WM_NOTIFYFORMAT
0x0055

0x0210
WM_PARENTNOTIFY

WM_NULL
0x0000

0x0211
WM_ENTERMENULOOP

WM_PAINT
0x000F

0x0212
WM_EXITMENULOOP

WM_PAINTCLIPBOARD
0x0309

0x0213
WM_NEXTMENU

WM_PAINTICON
0x0026

0x0214
WM_SIZING

WM_PALETTECHANGED
0x0311

0x0215
WM_CAPTURECHANGED

WM_PALETTEISCHANGING
0x0310

0x0216
WM_MOVING

WM_PARENTNOTIFY
0x0210

0x0218
WM_POWERBROADCAST

WM_PASTE
0x0302

0x0219
WM_DEVICECHANGE

WM_PENWINFIRST
0x0380

0x0220
WM_MDICREATE

WM_PENWINLAST
0x038F

0x0221
WM_MDIDESTROY

WM_POWER
0x0048

0x0222
WM_MDIACTIVATE

WM_POWERBROADCAST
0x0218

0x0223
WM_MDIRESTORE

WM_PRINT
0x0317

0x0224
WM_MDINEXT

WM_PRINTCLIENT
0x0318

0x0225
WM_MDIMAXIMIZE

WM_QUERYDRAGICON
0x0037

0x0226
WM_MDITILE

WM_QUERYENDSESSION
0x0011

0x0227
WM_MDICASCADE

WM_QUERYNEWPALETTE
0x030F

0x0228
WM_MDIICONARRANGE

WM_QUERYOPEN
0x0013

0x0229
WM_MDIGETACTIVE

WM_QUERYUISTATE
0x0129

0x0230
WM_MDISETMENU

WM_QUEUESYNC
0x0023

0x0231
WM_ENTERSIZEMOVE

WM_QUIT
0x0012

0x0232
WM_EXITSIZEMOVE

WM_RBUTTONDBLCLK
0x0206

0x0233
WM_DROPFILES

WM_RBUTTONDOWN
0x0204

0x0234
WM_MDIREFRESHMENU

WM_RBUTTONUP
0x0205

0x0281
WM_IME_SETCONTEXT

WM_RENDERALLFORMATS
0x0306

0x0282
WM_IME_NOTIFY

WM_RENDERFORMAT
0x0305

0x0283
WM_IME_CONTROL

WM_SETCURSOR
0x0020

0x0284
WM_IME_COMPOSITIONFULL

WM_SETFOCUS
0x0007

0x0285
WM_IME_SELECT

WM_SETFONT
0x0030

0x0286
WM_IME_CHAR

WM_SETHOTKEY
0x0032

0x0288
WM_IME_REQUEST

WM_SETICON
0x0080

0x0290
WM_IME_KEYDOWN

WM_SETREDRAW
0x000B

0x0291
WM_IME_KEYUP

WM_SETTEXT
0x000C

0x02A1
WM_MOUSEHOVER

WM_SETTINGCHANGE
0x001A

0x02A3
WM_MOUSELEAVE

WM_SHOWWINDOW
0x0018

0x02A0
WM_NCMOUSEHOVER

WM_SIZE
0x0005

0x02A2
WM_NCMOUSELEAVE

WM_SIZECLIPBOARD
0x030B

0x02B1
WM_WTSSESSION_CHANGE

WM_SIZING
0x0214

0x02C0
WM_TABLET_FIRST

WM_SPOOLERSTATUS
0x002A

0x02DF
WM_TABLET_LAST

WM_STYLECHANGED
0x007D

0x0300
WM_CUT

WM_STYLECHANGING
0x007C

0x0301
WM_COPY

WM_SYNCPAINT
0x0088

0x0302
WM_PASTE

WM_SYSCHAR
0x0106

0x0303
WM_CLEAR

WM_SYSCOLORCHANGE
0x0015

0x0304
WM_UNDO

WM_SYSCOMMAND
0x0112

0x0305
WM_RENDERFORMAT

WM_SYSDEADCHAR
0x0107

0x0306
WM_RENDERALLFORMATS

WM_SYSKEYDOWN
0x0104

0x0307
WM_DESTROYCLIPBOARD

WM_SYSKEYUP
0x0105

0x0308
WM_DRAWCLIPBOARD

WM_TABLET_FIRST
0x02C0

0x0309
WM_PAINTCLIPBOARD

WM_TABLET_LAST
0x02DF

0x030A
WM_VSCROLLCLIPBOARD

WM_TCARD
0x0052

0x030B
WM_SIZECLIPBOARD

WM_THEMECHANGED
0x031A

0x030C
WM_ASKCBFORMATNAME

WM_TIMECHANGE
0x001E

0x030D
WM_CHANGECBCHAIN

WM_TIMER
0x0113

0x030E
WM_HSCROLLCLIPBOARD

WM_UNDO
0x0304

0x030F
WM_QUERYNEWPALETTE

WM_UNICHAR
0x0109

0x0310
WM_PALETTEISCHANGING

WM_UNINITMENUPOPUP
0x0125

0x0311
WM_PALETTECHANGED

WM_UPDATEUISTATE
0x0128

0x0312
WM_HOTKEY

WM_USER
0x0400

0x0317
WM_PRINT

WM_USERCHANGED
0x0054

0x0318
WM_PRINTCLIENT

WM_VKEYTOITEM
0x002E

0x0319
WM_APPCOMMAND

WM_VSCROLL
0x0115

0x031A
WM_THEMECHANGED

WM_VSCROLLCLIPBOARD
0x030A

0x0358
WM_HANDHELDFIRST

WM_WINDOWPOSCHANGED
0x0047

0x035F
WM_HANDHELDLAST

WM_WINDOWPOSCHANGING
0x0046

0x0360
WM_AFXFIRST

WM_WININICHANGE
0x001A

0x037F
WM_AFXLAST

WM_WTSSESSION_CHANGE
0x02B1

0x0380
WM_PENWINFIRST

WM_XBUTTONDBLCLK
0x020D

0x038F
WM_PENWINLAST

WM_XBUTTONDOWN
0x020B

0x0400
WM_USER

WM_XBUTTONUP
0x020C

0x8000
WM_APP

Источник