Microsoft-Windows-Winlogon
151 events across 4 channels
Event ID 1: Authentication started.
Description
Authentication started.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": 4611721202799542272,
"time_created": "2026-05-29T16:33:48.0082811+00:00",
"event_record_id": 533,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 1104
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "Authentication started."
}
Event ID 2: Authentication stopped.
Description
Authentication stopped. Result Win32Status.
Fields
| Name | Description |
|---|---|
| Win32Status UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": 4611721202799542272,
"time_created": "2026-05-29T16:33:48.1550444+00:00",
"event_record_id": 534,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 1104
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Win32Status": "0"
},
"message": "Authentication stopped. Result 0"
}
Event ID 5: CheckWindowsLicenseStatusStart
Event ID 6: CheckWindowsLicenseStatusStop
Event ID 7: RestoringNetConnectionsStart
Event ID 8: RestoringNetConnectionsStop
Event ID 10: ExecuteShellCommandListStop
Event ID 11: ThemesOnLogonPreStart
Event ID 12: ThemesOnLogonPreStop
Event ID 13: ThemesOnLogonPostStart
Event ID 14: ThemesOnLogonPostStop
Event ID 51: ThemesOnLogoffStart
Event ID 52: ThemesOnLogoffStop
Event ID 61: DwmpCreateSessionProcessStart
Event ID 62: DwmpCreateSessionProcessStop
Event ID 64: DwmpTerminateSessionProcessStart
Event ID 65: DwmpTerminateSessionProcessStop
Event ID 67: DwmpNotifyUserLogonStart
Event ID 68: DwmpNotifyUserLogonStop
Event ID 70: ThemesOnEarlyCreateSessionStart
Event ID 71: ThemesOnEarlyCreateSessionStop
Event ID 72: DwmpNotifyUserLogoffStart
Event ID 73: DwmpNotifyUserLogoffStop
Event ID 101: CreatePrimaryTerminalStart
Event ID 102: CreatePrimaryTerminalStop
Event ID 103: StartLogonUIStart
Event ID 104: StartLogonUIStop
Event ID 105: RunStateMachineStart
Event ID 106: RunStateMachineStop
Event ID 107: WaitForLSMStart
Event ID 108: WaitForLSMStop
Event ID 201: DisplayWelcomeScreenStart
Event ID 202: DisplayWelcomeScreenStop
Event ID 203: RequestCredentialsStart
Event ID 204: RequestCredentialsStop
Event ID 205: ThemesOnCreateSessionStart
Event ID 206: ThemesOnCreateSessionStop
Event ID 207: ThemesOnTerminateSessionStart
Event ID 208: ThemesOnTerminateSessionStop
Event ID 501: WluiServerStartupStart
Event ID 502: WluiServerStartupStop
Event ID 503: WluiServerShutdownStart
Event ID 504: WluiServerShutdownStop
Event ID 505: WluiServerStartup
Event ID 807: NotifySubscriberNotificationPended
Fields
| Name | Description |
|---|---|
| Event UInt32 | |
| SubscriberName UnicodeString | |
| Message UnicodeString | |
Event ID 808: NotifySubscriberNotificationFailed
Fields
| Name | Description |
|---|---|
| Event UInt32 | |
| SubscriberName UnicodeString | |
| Message UnicodeString | |
Event ID 811: The winlogon notification subscriber <SubscriberName> began handling the notification event (Event).
Description
The winlogon notification subscriber <SubscriberName> began handling the notification event (Event).
Fields
| Name | Description |
|---|---|
| Event UInt32 | |
| SubscriberName UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 811,
"version": 0,
"level": 4,
"task": 811,
"opcode": 1,
"keywords": 4611686018427453440,
"time_created": "2026-05-29T16:33:57.4787633+00:00",
"event_record_id": 553,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 1104
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Event": "12",
"SubscriberName": "TermSrv"
},
"message": "The winlogon notification subscriber <TermSrv> began handling the notification event (12)."
}
Event ID 812: The winlogon notification subscriber <SubscriberName> finished handling the notification event (Event).
Description
The winlogon notification subscriber <SubscriberName> finished handling the notification event (Event).
Fields
| Name | Description |
|---|---|
| Event UInt32 | |
| SubscriberName UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 812,
"version": 0,
"level": 4,
"task": 811,
"opcode": 2,
"keywords": 4611686018427453440,
"time_created": "2026-05-29T16:33:57.4792609+00:00",
"event_record_id": 554,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 1104
},
"channel": "Microsoft-Windows-Winlogon/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Event": "12",
"SubscriberName": "TermSrv"
},
"message": "The winlogon notification subscriber <TermSrv> finished handling the notification event (12)."
}
Event ID 1001: Logon hours expiration warning.
Event ID 1002: The shell stopped unexpectedly and Data_0 was restarted
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 1002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T23:53:34.619082+00:00",
"event_record_id": 1811,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "explorer.exe",
"Binary": ""
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1002: The shell stopped unexpectedly and %1 was restarted
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"event_id": 1002,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-03-15T03:00:56.5858172+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 1101: The computer will be locked because the user has exceeded the maximum number of failed logon attempts allowed on this computer.
Event ID 1102: The computer will be rebooted because the user has exceeded the maximum number of failed logon attempts allowed on this computer.
Event ID 1103: The user is approaching the threshold for maximum number of failed logon attempts.
Event ID 1104: Encryption Provider initialization failed.
Event ID 4002: The logon hours restriction policy is applied to the logged on user
Event ID 4003: The Windows logon process has failed to switch the desktop
Event ID 4004: The Windows logon process has failed to terminate the currently logged on user's processes
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2016-08-21T21:00:34.000000Z",
"event_record_id": 1596,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4004: The Windows logon process has failed to terminate the currently logged on user's processes
Event ID 4005: The Windows logon process has unexpectedly terminated
Event ID 4006: The Windows logon process has failed to spawn a user application
Event ID 4007: The Windows logon process has failed to disconnect the user session
Event ID 4008: The Windows logon process has failed to connect the user session
Event ID 4101: Windows license validated.
Fields
| Name | Description |
|---|---|
| Data | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4101,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T17:51:18+00:00",
"event_record_id": 232,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"0x00000000",
"0x00000001"
]
},
"message": "Windows license validated."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 4101: Windows license validated
Event ID 4102: Windows license is invalid
Event ID 4103: Windows license activation failed
Event ID 4104: Accessing Windows in Notification period
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4104,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-21T23:44:00.000000Z",
"event_record_id": 812,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4104: Accessing Windows in Notification period
Event ID 4105: Windows is in Notification period
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Winlogon",
"event_id": 4105,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-21T23:43:09.000000Z",
"event_record_id": 811,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4105: Windows is in Notification period
Event ID 5002: UserBootStop
Event ID 5005: UserShellLaunch
Event ID 5007: SystemBootStop_V2
Fields
| Name | Description |
|---|---|
| SessionId UInt32 | |
| ReadyBootTrainingCountSinceLastServicing UInt32 | |
| SyncPrefetchErrorCode UInt32 | |
| SyncPrefetchDurationMs UInt32 | |
Event ID 6000: The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:32:22.560419+00:00",
"event_record_id": 1545,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"SessionEnv"
],
"Binary": "2QYAAA=="
},
"message": "The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event."
}
Event ID 6000: The winlogon notification subscriber <Data_0> was unavailable to handle a notification event
Fields
| Name | Description |
|---|---|
| Data_0 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 6000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T05:22:33.7521344+00:00",
"event_record_id": 1011,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "WSearch"
},
"message": "The winlogon notification subscriber <WSearch> was unavailable to handle a notification event."
}
Event ID 6001: The winlogon notification subscriber <SessionEnv> failed a notification event.
Fields
| Name | Description |
|---|---|
| Flags | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6001,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 21:09:30.700144+00:00",
"event_record_id": 146,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "EX-SUBCA",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>SessionEnv</string>\n",
"Binary": "2QYAAA=="
},
"message": "The winlogon notification subscriber <SessionEnv> failed a notification event."
}
Event ID 6001: The winlogon notification subscriber <Flags> failed a notification event
Fields
| Name | Description |
|---|---|
| Flags UInt32 | |
Event ID 6002: The winlogon notification subscriber registration database cannot be loaded
Event ID 6003: The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6003,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:32:20.495672+00:00",
"event_record_id": 1542,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"SessionEnv"
],
"Binary": "2QYAAA=="
},
"message": "The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event."
}
Event ID 6003: The winlogon notification subscriber <Data_0> was unavailable to handle a critical notification event
Fields
| Name | Description |
|---|---|
| Data_0 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 6003,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-04-18T00:27:34.0707520+00:00",
"event_record_id": 20,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "SessionEnv"
},
"message": "The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event."
}
Event ID 6004: The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6004,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T17:32:12+00:00",
"event_record_id": 181,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"TrustedInstaller"
],
"Binary": "aQYAAA=="
},
"message": "The winlogon notification subscriber <TrustedInstaller> failed a critical notification event."
}
Event ID 6004: The winlogon notification subscriber <Data_0> failed a critical notification event
Fields
| Name | Description |
|---|---|
| Data_0 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 6004,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T13:42:47.3224679+00:00",
"event_record_id": 5090,
"correlation": {},
"execution": {
"process_id": 860,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-W11-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "TrustedInstaller"
},
"message": "The winlogon notification subscriber <TrustedInstaller> failed a critical notification event."
}
Event ID 6005: The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6005,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:16:03.529427+00:00",
"event_record_id": 116,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"GPClient",
"CreateSession"
],
"Binary": "SNCCJg=="
},
"message": "The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession)."
}
Event ID 6005: The winlogon notification subscriber <Data_0> is taking long time to handle the notification event (Data_1)
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 6005,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-28T22:42:48.5496626+00:00",
"event_record_id": 619,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "GPClient",
"Data_1": "CreateSession"
},
"message": "The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession)."
}
Event ID 6006: The winlogon notification subscriber <GPClient> took 119 second(s) to handle the notification event (CreateSession).
Fields
| Name | Description |
|---|---|
| Data | |
| Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "Wlclntfy",
"event_id": 6006,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2022-04-07T08:17:03.466560+00:00",
"event_record_id": 120,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"GPClient",
"119",
"CreateSession"
],
"Binary": "AAAAAA=="
},
"message": "The winlogon notification subscriber <GPClient> took 119 second(s) to handle the notification event (CreateSession)."
}
Event ID 6006: The winlogon notification subscriber <Data_0> took Data_1 second(s) to handle the notification event (Data_2)
Fields
| Name | Description |
|---|---|
| Data_0 | |
| Data_1 | |
| Data_2 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 6006,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-28T22:42:49.3308868+00:00",
"event_record_id": 620,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "GPClient",
"Data_1": "60",
"Data_2": "CreateSession"
},
"message": "The winlogon notification subscriber <GPClient> took 60 second(s) to handle the notification event (CreateSession)."
}
Event ID 6105: UnlockStart
Event ID 6106: UnlockStop
Event ID 6107: UnlockStop6107
Fields
| Name | Description |
|---|---|
| Status UInt32 | NTSTATUS reference |
Event ID 6108: LogonStart
Event ID 6109: LogonStop
Fields
| Name | Description |
|---|---|
| Status UInt32 | NTSTATUS reference |
Event ID 6110: LogonStop6110
Event ID 6111: LogonStop6111
Event ID 6112: LogonStop6112
Event ID 6113: LockStart
Event ID 6114: LockStop
Event ID 6115: LockStop6115
Event ID 6117: DelayLockDisplayLockScreen
Event ID 6118: KillingScreenSaverToLockWorkStation
Event ID 6119: AutomaticRestartSignOn
Event ID 6120: HotKeyLockDesktopInvoked
Event ID 6121: PINResetLogon
Event ID 6122: PINResetUnlock
Event ID 6123: AssignedAccessLogon
Event ID 6124: AssignedAccessUnlock
Event ID 7001: User Logon Notification for Customer Experience Improvement Program
Description
User Logon Notification for Customer Experience Improvement Program.
Fields
| Name | Description |
|---|---|
| TSId UInt32 | |
| UserSid SID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 7001,
"version": 0,
"level": 4,
"task": 1101,
"opcode": 0,
"keywords": 2305878193585782784,
"time_created": "2026-05-29T16:33:48.1843872+00:00",
"event_record_id": 6808,
"correlation": {},
"execution": {
"process_id": 760,
"thread_id": 1104
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TSId": "1",
"UserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105"
},
"message": "User Logon Notification for Customer Experience Improvement Program"
}
Event ID 7002: User Logoff Notification for Customer Experience Improvement Program
Description
User Logoff Notification for Customer Experience Improvement Program.
Fields
| Name | Description |
|---|---|
| TSId UInt32 | |
| UserSid SID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"guid": "{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}",
"event_source_name": "",
"event_id": 7002,
"version": 0,
"level": 4,
"task": 1102,
"opcode": 0,
"keywords": 2305878193585782784,
"time_created": "2026-06-13T05:22:33.8971346+00:00",
"event_record_id": 7354,
"correlation": {},
"execution": {
"process_id": 756,
"thread_id": 1120
},
"channel": "System",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TSId": "1",
"UserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105"
},
"message": "User Logoff Notification for Customer Experience Improvement Program"
}
Event ID 1073742826: The shell stopped unexpectedly and %1 was restarted.
Description
The shell stopped unexpectedly and was restarted.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"event_id": 1002,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-03-15T03:00:56.5858172+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 1073745826: The logon hours restriction policy is applied to the logged on user.
Description
The logon hours restriction policy is applied to the logged on user. The user's session has been locked, disconnected or logged off depending on the policy setting. User Name: Domain Name.
Event ID 1073745928: Accessing Windows in Notification period.
Description
Accessing Windows in Notification period.
Event ID 2147487654: The Windows logon process has failed to spawn a user application.
Description
The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: .
Event ID 2147487655: The Windows logon process has failed to disconnect the user session.
Description
The Windows logon process has failed to disconnect the user session.
Event ID 2147487656: The Windows logon process has failed to connect the user session.
Description
The Windows logon process has failed to connect the user session.
Event ID 2147487753: Windows is in Notification period.
Description
Windows is in Notification period.
Event ID 2147489648: The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> was unavailable to handle a notification event.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"event_id": 6000,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-03-14T21:57:32.6042462+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 2147489649: The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> failed a notification event.
Event ID 2147489650: The winlogon notification subscriber registration database cannot be loaded.
Description
The winlogon notification subscriber registration database cannot be loaded. Reason: <>.
Event ID 2147489651: The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> was unavailable to handle a critical notification event.
Event ID 2147489652: The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> failed a critical notification event.
Event ID 2147489653: The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> is taking long time to handle the notification event ().
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"event_id": 6005,
"level": 3,
"task": 0,
"opcode": 0,
"time_created": "2026-03-13T19:09:59.4874940+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 2147489654: The winlogon notification subscriber <.
Description
The winlogon notification subscriber <> took second(s) to handle the notification event ().
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winlogon",
"event_id": 6006,
"level": 3,
"task": 0,
"opcode": 0,
"time_created": "2026-03-13T19:10:07.8783185+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 3221229475: The Windows logon process has failed to switch the desktop.
Description
The Windows logon process has failed to switch the desktop.
Event ID 3221229476: The Windows logon process has failed to terminate the currently logged on user's processes.
Description
The Windows logon process has failed to terminate the currently logged on user's processes.
Event ID 3221229477: The Windows logon process has unexpectedly terminated.
Description
The Windows logon process has unexpectedly terminated.
Event ID 3221229574: Windows license is invalid.
Description
Windows license is invalid. Error . Policy Value .
Event ID 3221229575: Windows license activation failed.
Description
Windows license activation failed. Error .
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID dbe9b383-7cf3-4331-91cc-a3cb16a3b538
Defined in winlogon.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02