# Windows Event Log

## Dump Logfile

Windows Event Log files can be dumped with `evtx_dump`, either as plain records or as JSON:

```sh
# default output: one XML record per event
evtx_dump "$EVENT_LOG" > event.log
# same records as JSON, easier to post-process with scripts
evtx_dump -o json "$EVENT_LOG" > event.log
```

## Event IDs

### Process

* **1**: Process Creation

### Files

* **11**: File opened

### Account Management

* **4719**: Attempt to change a policy
* **4720**: User account creation
* **4722**: User account enabled
* **4723**: Attempt to change an account password (a user changing their own password)
* **4724**: Attempt to reset an account password (a user resetting the password of another account)
* **4725**: Account disabled
* **4726**: Account removal
* **4728**: Attempt to add an account to a global security group
* **4729**: Attempt to remove an account from a global security group
* **4756**: Attempt to add an account to a universal security group
* **4757**: Attempt to remove an account from a universal security group

### Account Logon

* **4624**: Successful logon
* **4625**: Failed logon
* **4634** and **4647**: Logoff
* **4779**: Session disconnect

### Scheduled Tasks

* **4698**: Scheduled task creation
* **4702**: Scheduled task updated
* **4699**: Scheduled task deletion

### Security

* **1100**: Logging service disabled
* **1102**: Log deletion
* **1116**: Malware detection
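The following script is an added example, not part of the original page, that ties the dump section and the event ID lists together: it reads a JSON dump, counts events per ID using the descriptions above, and flags three patterns a responder would look for first (log clearing via 1100/1102, a burst of 4625 failed logons against one account, and a 4720 account creation followed within minutes by a 4728/4756 group addition of the same SID). Note that IDs 1 and 11 come from Sysmon's own log channel rather than the Security log, so they would be in a different `.evtx` file than the 4xxx events. All records are constructed; the record layout (`Event` → `System`/`EventData`, attributes under `#attributes`, one object per line, a possibly wrapped `EventID`) and the `EventData` field names (`TargetUserName`, `TargetSid`, `MemberSid`, `SubjectUserName`) are assumptions about evtx_dump's JSON output and the Security log's schema.

```python
"""Triage an evtx_dump JSON dump against the event IDs listed on this page.
Added example: the records below are constructed, and the field layout
(Event -> System/EventData, attributes under "#attributes") is an assumption
about evtx_dump's JSON output."""
import json
from collections import Counter
from datetime import datetime, timedelta

# Event IDs with the meanings given on this page.
EVENT_IDS = {
    1: "Process Creation", 11: "File opened",
    4719: "Attempt to change a policy", 4720: "User account creation",
    4722: "User account enabled", 4723: "Attempt to change an account password",
    4724: "Attempt to reset the account password", 4725: "Account disabled",
    4726: "Account removal",
    4728: "Attempt to add an account to a global security group",
    4729: "Attempt to remove an account from a global security group",
    4756: "Attempt to add an account to a universal security group",
    4757: "Attempt to remove an account from a universal security group",
    4624: "Successful logon", 4625: "Failed logon", 4634: "Logoff",
    4647: "Logoff", 4779: "Session disconnect",
    4698: "Scheduled task creation", 4702: "Scheduled task updated",
    4699: "Scheduled task deletion",
    1100: "Logging service disabled", 1102: "Log deletion", 1116: "Malware detection",
}
LOG_TAMPERING = {1100, 1102}
GROUP_ADD = {4728, 4756}


def event_id(record):
    """Numeric EventID. Some providers wrap it as {"#attributes": {...}, "#text": id}
    (assumed shape), so unwrap that form too."""
    raw = record["Event"]["System"]["EventID"]
    if isinstance(raw, dict):
        raw = raw["#text"]
    return int(raw)


def event_time(record):
    """TimeCreated/@SystemTime as an aware datetime (ISO 8601 with trailing Z)."""
    ts = record["Event"]["System"]["TimeCreated"]["#attributes"]["SystemTime"]
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_records(text):
    """One JSON object per line; non-JSON separator lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip().startswith("{")]


def summarize(records):
    """Count events per ID, labelled with the page's descriptions."""
    return Counter(f"{event_id(r)} {EVENT_IDS.get(event_id(r), 'unlisted')}" for r in records)


def triage(records, failed_logon_threshold=5, window=timedelta(minutes=10)):
    """Return (event_id, reason, subject) findings for three patterns: log tampering
    (1100/1102), a burst of failed logons (4625) against one account, and a freshly
    created account (4720) added to a security group (4728/4756) within `window`,
    correlated on the account SID (4720 TargetSid == 4728/4756 MemberSid)."""
    findings, failed, created = [], Counter(), {}
    for rec in sorted(records, key=event_time):
        eid = event_id(rec)
        data = rec["Event"].get("EventData") or {}
        if eid in LOG_TAMPERING:
            findings.append((eid, EVENT_IDS[eid], data.get("SubjectUserName", "?")))
        elif eid == 4625:
            failed[data.get("TargetUserName", "?")] += 1
        elif eid == 4720:  # TargetSid/TargetUserName describe the new account
            created[data.get("TargetSid")] = (data.get("TargetUserName"), event_time(rec))
        elif eid in GROUP_ADD and data.get("MemberSid") in created:
            name, t0 = created[data["MemberSid"]]
            if event_time(rec) - t0 <= window:  # in 47x8 TargetUserName is the group
                findings.append((eid, f"new account added to {data.get('TargetUserName', '?')}", name))
    for user, n in failed.items():
        if n >= failed_logon_threshold:
            findings.append((4625, f"{n} failed logons", user))
    return findings


def _rec(eid, time, **data):
    """Build one constructed record in the assumed evtx_dump layout."""
    return {"Event": {"System": {"EventID": eid,
                                 "TimeCreated": {"#attributes": {"SystemTime": time}}},
                      "EventData": data}}


SID = "S-1-5-21-1111111111-2222222222-3333333333-1107"  # constructed SID
SAMPLE_DUMP = "\n".join(
    ["Record 1", json.dumps(_rec(4624, "2024-03-01T08:55:00Z", TargetUserName="alice"))]
    + [json.dumps(_rec(4625, f"2024-03-01T08:56:{s:02d}Z", TargetUserName="svc-backup")) for s in range(6)]
    + [json.dumps(_rec(4720, "2024-03-01T09:00:00Z", TargetUserName="helpdesk2", TargetSid=SID)),
       json.dumps(_rec(4728, "2024-03-01T09:04:00Z", TargetUserName="Domain Admins", MemberSid=SID)),
       # wrapped EventID form, to exercise event_id()'s unwrapping branch
       json.dumps(_rec({"#attributes": {"Qualifiers": 0}, "#text": 1102},
                       "2024-03-01T09:10:00Z", SubjectUserName="admin"))])

if __name__ == "__main__":
    recs = load_records(SAMPLE_DUMP)
    for label, n in sorted(summarize(recs).items()):
        print(f"{n:4d}  {label}")
    for finding in triage(recs):
        print("FINDING", finding)
```

To run it against a real dump, replace `SAMPLE_DUMP` with the contents of the file produced by `evtx_dump -o json` (after checking that its records are one per line; if they are pretty-printed, join them first), and tune `failed_logon_threshold` and `window` to the environment's normal noise level.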