What event ID captures badlogon events in Windows 2. Thanks Miles. I went by the above documentation and searched for event 4. BUT they contain no account name, no domain name, they dont contain much useful info. In fact for username it listed as NULL SID. Basically those events didnt. I listed one of these belowSo then I tried filtering by Audit failures, and found some event IDs that looked to provide what Im looking for users who could not login. The event ID that picks up this info is 4. I have a Windows DC that is freezing every day and has to be rebooted VM in order to even login. Going through the System logs I see several errors with the. Sample report Custom viewsfilters Servers list, organized in groups Integration with EventID. Net Consolidated view for all logs Free for subscribers. Credential Validation. These events lists the. Wanna hear more about the Windows 7 KB971033 Update Installed Windows 7 SP1 and need to activate You have come to the right place Scroll down below for additional. But the way MS has documented it, you would never know this is the event that captures login failure. I wonder if there are other such events that I should also look for. Time Generated     Time Written       Type               Audit Failure. User Name         Category           1. Category String   Event Code         Event Identifier   Type Event         Insertion Strings Log File           Message           An account failed to log on. Subject                        Security ID        S 1 0 0                        Account Name                                Account Domain                                Logon ID        0x. Logon Type            3                    Account For Which Logon Failed                        Security ID        S 1 0 0                        Account Name                        Account Domain                    Failure Information                        Failure Reason        An Error occured during Logon. Status            0xc. Sub Status        0xc. Process Information                        Caller Process ID    0x. Forums/getfile/905449' alt='Windows Update Event Id 16' title='Windows Update Event Id 16' />Caller Process Name                        Network Information                        Workstation Name                            Source Network Address    1. Source Port        3. Detailed Authentication Information                        Logon Process        Kerberos                        Authentication Package    Kerberos                        Transited Services                            Package Name NTLM only                            Key Length        0                    This event is generated when a logon request fails. It is g                    enerated on the computer where access was attempted. The Subject fields indicate the account on the local system                     which requested the logon. This is most commonly a service                     such as the Server service, or a local process such as Win                    logon. How To Install An Over The Range Microwave Electrical Requirements there. Services. exe.                     The Logon Type field indicates the kind of logon that was r                    equested. The most common types are 2 interactive and 3                     network. The Process Information fields indicate which account and p                    rocess on the system requested the logon. The Network Information fields indicate where a remote logo                    n request originated. Workstation name is not always availa                    ble and may be left blank in some cases. The authentication information fields provide detailed info                    rmation about this specific logon request. Transited services indicate which intermediate servic                    es have participated in this logon request. Package name indicates which sub protocol was used am                    ong the NTLM protocols. Key length indicates the length of the generated sess                    ion key. This will be 0 if no session key was requested. Frequent Event ID 3. Windows Schannel errors in the Event Viewer. Ok I got the problem solved on my system at least running Windows 8 Consumer preview  I stumbled into this solution while trouble shooting a different DCOM error message that I kept getting In Group Policy Editor run gpedit. Computer Configuration Administrative Templates System Distributed COM Application Compatibility and enabled allow local activation security check exemptionsNo more Schannel or DCOM errors now Of course, im not suggesting this as a cure all from what Ive read on other forums, these schannel errors are quite common and are probably generated as a result of many possible different conflicts this is just what worked for me. But if. DCOM errors along with the schannel errors, its worth a try.