Enter eventvwr.msc during operation to open the event log.
| Login type | Description |
| 2 | Interaction (keyboard and screen login system) |
| 3 | Network (that is, connect to the shared folder from other places (Internet on this computer) |
| 4 | Batch processing (i.e. scheduled tasks) |
| 5 | Service (service start) |
| 7 | Unlock password protection screen saver Program (i.e. unnattended workstation) |
| 8 | NetworkCleartext (login credentials are sent in plain text. It usually means the same as “basic Authentication” to log in to IIS) |
| 9 | NewCredentials such as RunAs or mapped network drives to replace credentials. This login type does not appear to appear in any event |
| 10 | Terminal Services, Remote Desktop or Remote Assistance |
| 11 | Cachedinteractive (logging in to a laptop and other remote networks with cached domain login credentials |
Common Windows event ID description
In the information recorded in the Windows event log, the key elements include event level, recording time, event source description, involved users, Computer, operation code and task category, etc. The ID of the event is related to the version of the operating system. The operating system of the event ID listed below is the version after Vista/win7/win8/win10/server2008/server2012
| Event ID | Description |
| 1102 | |
| 4624 | The account is successfully logged in |
| 4625 | |
| 4768 | kerberos authentication (TGT Request) |
| 4769 | kerberos service ticket request |
| 4776 | NTLM authentication |
| 4720 | Create user |
| 4726 | Delete User |
| 4728 | Add members to a security-enabled global group |
| 4729 | Remove members from the safe entire crew |
| 4732 | Add members to the security-enabled local group |
| 4733 | Remove members from security-enabled local groups |
| 4756 | |
| 4757 | Remove members from security-enabled universal groups |
| 4719 | System audit policy modification |