A: The event ID numbering scheme changed for Windows 7, Server 2008, and Windows Vista. You might need to figure out the corresponding IDs so that you can use them with your monitoring software.

To find the Server 2008 event ID that corresponds to a given Server 2003 event ID, use the following simple rule:

Server 2003 event ID + 4096 = Windows Server 2008 Event ID.

Exceptions to this rule are the Windows logon events:

  • The successful logon events (event IDs 528 and 540) have been merged into a single event, 4624 (this is 528 + 4096).
  • The failure logon events (event IDs 529 through 537 and 539) have been merged into a single event, 4625 (this is 529 + 4096).

Related Reading: