| Event ID | Explanation |
|---|---|
| Event ID 624 | User Account Created |
| Event ID 626 | User Account enabled |
| Event ID 627 | password change attempted |
| Event ID 628 | user account password set |
| Event ID 629 | user account disabled |
| Event ID 630 | user account deleted |
| Event ID 631 | security enabled global group created |
| Event ID 632 | security enabled global group member added |
| Event ID 633 | security enabled global group member removed |
| Event ID 634 | security enabled global group deleted |
| Event ID 635 | security enabled local group created |
| Event ID 636 | security enabled local group member added |
| Event ID 637 | security enabled local group member removed |
| Event ID 638 | security enabled local group deleted |
| Event ID 639 | security enabled local group changed |
| Event ID 641 | security enabled global group changed |
| Event ID 642 | user account changed |
| Event ID 643 | domain policy changed |
| Event ID | Explanation |
|---|---|
| Event ID 512 | Windows is starting up |
| Event ID 513 | windows is shutting down |
| Event ID 516 | internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits |
| Event ID 517 | the security log was cleared |
| Event ID | Explanation |
|---|---|
| Event ID 608 | A user right was assigned |
| Event ID 609 | a user right was removed |
| Event ID 610 | a trust relationship with another domain was created |
| Event ID 611 | a trust relationship with another domain was removed |
| Event ID 612 | an audit policy was changed |
| Event ID 4864 | a collision was detected between a namespace element in one forest and a namespace element in another forest |
wevtutil qe Security /c:100 /rd:true /q:"*[System[(EventID=612)]]"
Security --> Log name you want to query
/c: --> count returned
/rd: --> reverse direction true|false
/q: --> your query