New Audit Events added to the Windows 10 & Server 2016 security auditing

With ever-emerging threats across all layers of computer systems, it is becoming difficult to keep security up all the time. But, the Windows Team has included new audit events to Windows Server 2016, which will help in early detection of the malicious activities in the users’ data center.  These new even additions are listed into Windows 10 and Windows Server 2016 security auditing and monitoring reference guide, which can be downloaded from Microsoft’s Download Center.


Windows 10 & Server 2016 Security Auditing & Monitoring


Windows 10 & Security Auditing & Monitoring

To make the security of data centers easier and more efficient, Windows’ team has included several events in the Windows Server 2016 security auditing. Some of these events are highlighted that are easy to configure and build the foundation for better threats detection. These events in the Windows Server 2016 security auditing belong to different categories such as detailed tracking activity, account management, audit security group management, logon and logoff and audit system integrity. The events in each of these categories of Windows Server 2016 security auditing are as follows:

  • Detailed Tracking\Audit PNP Activity:
    • Event 6416 can be used to detect when new devices are attached to the server
  • Account Management\Audit User Account Management:
    • Event 4724 can be used to detect when an account password is reset by another account
    • Event 4798: A user’s local group membership was enumerated
  • Account Management\Audit Security Group Management:
    • Event 4799: A security-enabled local group membership (BUILTIN\Administrators) was enumerated
  • Login and Logoff\Audit Account Lockout
    • Event 4625: Account failed to log on when the account was already locked out.
  • Audit system integrity:
    • Event 4816: RPC detected an integrity violation while decrypting an incoming message (We recommend monitoring this event especially on High-Value Asset [HVA] computers because it can be a sign of malicious activity.)
    • Event 5038: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
    • Event 6281: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could also indicate a disk device error.
    • Event 6410: Code integrity determined that a file does not meet the security requirements to load into a process. Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. For example, when a driver tries to modify memory pages, the system will log this event.

You can download the complete list of events in the Windows 10 & Server 2016 security auditing & monitoring reference guide from here.

Posted by with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.

Leave a Reply

Your email address will not be published. Required fields are marked *

9 + 6 =