What Is an EVTX File and Why Event Log Forensics Matters in 2026

EVTX is the Windows event log file format that lives in C:\Windows\System32\winevt\Logs\. It records the audit trail of what happened on a Windows system: logon events, process creation, privilege use, credential access and configuration changes. Forensic examiners use EVTX files to reconstruct attacker activity. The Sherlock Forensics Universal Events Viewer Forensic Edition reads EVTX and the legacy EVT format across more than 4,000 event ID definitions.

TL;DR: EVTX is the Windows event log file format. It replaced the legacy EVT format in Windows Vista and Windows Server 2008. Each EVTX file is a structured binary log in which every event carries a timestamp, an event ID, a source identifier and a payload. Investigators read EVTX to reconstruct what happened during an incident.

What an EVTX File Actually Is

EVTX (Windows Event Log) is a structured binary file format that Windows uses to store audit events. The format replaced the legacy EVT format in Windows Vista and Windows Server 2008. EVTX files live in C:\Windows\System32\winevt\Logs\ on a default install. Each channel maps to its own file: Security.evtx holds the security audit log, System.evtx holds the operating system event log, Application.evtx holds the application event log, and custom channels (Sysmon, PowerShell operational, WindowsUpdateClient, etc.) each get their own file.

Internally an EVTX file is a sequence of chunks. Each chunk holds a header and a set of EventRecord structures. Each EventRecord stores its event XML as a binary template with structured field substitution. The on-disk representation is compact; the rendered XML view is what investigators see in Event Viewer or in forensic tooling like the Sherlock Universal Events Viewer Forensic Edition.
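To make the chunk/record layout concrete, here is an added example (not Sherlock's code) that walks the fixed headers of an EVTX image: the ElfFile header block, each 64 KiB ElfChnk chunk, and the record header (0x2a2a signature, size, record ID, FILETIME). It decodes only the fixed fields and returns the binary XML payload raw; the image it parses is constructed in the block, not a real log.

```python
import struct
from datetime import datetime, timezone

FILE_MAGIC = b"ElfFile\x00"          # file header signature
CHUNK_MAGIC = b"ElfChnk\x00"         # chunk header signature
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # event record signature
HEADER_BLOCK = 4096                  # file header block size
CHUNK_SIZE = 65536                   # every chunk is 64 KiB
CHUNK_DATA_START = 512               # 128-byte chunk header + string/template offset tables


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return datetime.fromtimestamp(ft / 10_000_000 - 11_644_473_600, tz=timezone.utc)


def walk_records(data):
    """Yield (chunk_index, record_id, written_utc, raw_binxml) for every record in an EVTX image."""
    if data[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file")
    num_chunks = struct.unpack_from("<H", data, 42)[0]
    for ci in range(num_chunks):
        chunk = data[HEADER_BLOCK + ci * CHUNK_SIZE:HEADER_BLOCK + (ci + 1) * CHUNK_SIZE]
        if chunk[:8] != CHUNK_MAGIC:
            continue                       # unused or damaged chunk: skip it, do not abort
        free_space = struct.unpack_from("<I", chunk, 48)[0]   # offset of first free byte
        pos = CHUNK_DATA_START
        while pos + 28 <= free_space and chunk[pos:pos + 4] == RECORD_MAGIC:
            size, rec_id, ft = struct.unpack_from("<IQQ", chunk, pos + 4)
            yield ci, rec_id, filetime_to_utc(ft), chunk[pos + 24:pos + size - 4]
            pos += size                    # record ends with a trailing copy of size


def build_sample_evtx(records):
    """Assemble a one-chunk EVTX image from (record_id, filetime, payload) tuples (constructed test data)."""
    body = b"".join(RECORD_MAGIC + struct.pack("<IQQ", 28 + len(p), rid, ft) + p
                    + struct.pack("<I", 28 + len(p)) for rid, ft, p in records)
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = CHUNK_MAGIC
    struct.pack_into("<I", chunk, 40, 128)                          # chunk header size
    struct.pack_into("<I", chunk, 48, CHUNK_DATA_START + len(body))  # free space offset
    chunk[CHUNK_DATA_START:CHUNK_DATA_START + len(body)] = body
    header = bytearray(HEADER_BLOCK)
    header[:8] = FILE_MAGIC
    struct.pack_into("<IHHHH", header, 32, 128, 1, 3, HEADER_BLOCK, 1)  # size, minor, major, block, chunks
    return bytes(header) + bytes(chunk)


# Constructed sample: two records written 60 s apart on 2026-01-01, with opaque payload bytes.
SAMPLE = build_sample_evtx([(1, 134116992000000000, b"\x0f\x01\x01\x00"),
                            (2, 134116992600000000, b"\x0f\x01\x01\x00\x00")])
```

Checksums and the string/template offset tables are left zero here; a real parser would verify the CRC32 fields before trusting a chunk that a tampering tool may have rewritten.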

The Event IDs That Matter Most

Windows logs thousands of distinct event types. Forensic examiners focus on a small subset that carries the bulk of incident-relevant information.

  • Event ID 4624 (Successful Logon). Records that an account successfully authenticated to the system. The Logon Type field distinguishes interactive (Type 2), network (Type 3), service (Type 5) and remote desktop (Type 10) logons. A cluster of 4624 events for the same account name across multiple endpoints is the lateral movement signature.
  • Event ID 4625 (Failed Logon). Records a failed authentication attempt. A burst of 4625 events from the same source workstation against different account names is the brute-force or password-spray signature.
  • Event ID 4672 (Special Privileges Assigned to New Logon). Records that a privileged account logged on. Frequent 4672 events for non-service accounts at odd hours are an indicator of credential dumping or admin-account compromise.
  • Event ID 4648 (Logon Attempted With Explicit Credentials). Records that an account was used in a runas-equivalent operation. The Subject and Target fields together show which account ran which command as which other account.
  • Event ID 4768/4769/4770/4771 (Kerberos Ticket Events). Record Kerberos authentication ticket activity. Golden Ticket and Silver Ticket attacks produce anomalous patterns in these events.
  • Event ID 1102 (Security Log Cleared). Records that the Security event log was cleared. This event is almost always either an authorized administrative action or an attacker covering their tracks. There is no benign third option.
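The three signatures the list describes (a 4625 burst from one workstation against many accounts, one account's 4624 network/RDP logons across many hosts, and any 1102) as detection logic over rendered events. This is an added example, not Sherlock's detection rules; the event records and field names are constructed to resemble what a viewer renders from Security.evtx, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, computer, account, **extra):
    """One event as a viewer renders it from the Security channel (constructed shape)."""
    return {"ts": datetime.fromisoformat(ts), "id": event_id,
            "computer": computer, "account": account, **extra}


EVENTS = [  # constructed sample data, not a real capture
    ev("2026-01-05T02:01:00", 4625, "WS01", "alice", workstation="ATTACK-PC"),
    ev("2026-01-05T02:01:20", 4625, "WS01", "bob", workstation="ATTACK-PC"),
    ev("2026-01-05T02:01:45", 4625, "WS01", "carol", workstation="ATTACK-PC"),
    ev("2026-01-05T09:00:00", 4625, "WS02", "dave", workstation="DAVE-PC"),  # one typo, benign
    ev("2026-01-05T02:10:00", 4624, "WS01", "svc_backup", logon_type=3),
    ev("2026-01-05T02:12:00", 4624, "WS02", "svc_backup", logon_type=3),
    ev("2026-01-05T02:15:00", 4624, "FS01", "svc_backup", logon_type=10),
    ev("2026-01-05T08:30:00", 4624, "WS03", "erin", logon_type=2),          # console logon
    ev("2026-01-05T02:40:00", 1102, "WS01", "svc_backup"),
]


def find_password_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Workstations whose 4625s hit >= min_accounts distinct accounts inside one window."""
    by_ws = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_ws[e["workstation"]].append((e["ts"], e["account"]))
    hits = {}
    for ws, attempts in by_ws.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):           # slide the window over sorted attempts
            names = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(names) >= min_accounts:
                hits[ws] = sorted(names)
                break
    return hits


def find_lateral_movement(events, min_hosts=3):
    """Accounts with network (3) or RDP (10) 4624 logons on >= min_hosts distinct computers."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") in (3, 10):
            hosts[e["account"]].add(e["computer"])
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


def find_log_clears(events):
    """Every 1102 is reportable: either an authorized clear or track covering, never noise."""
    return [(e["ts"], e["computer"], e["account"]) for e in events if e["id"] == 1102]
```

Run against real exports, the thresholds need tuning per environment: backup and scanner accounts legitimately touch many hosts, so an allow-list on the lateral-movement rule is usually the first refinement.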

Why Event Log Forensics Matters in 2026

The Windows event log is the closest thing to an authoritative audit trail that a Windows endpoint produces. Other artifacts (Prefetch, ShimCache, Amcache, MFT) tell parts of the story; EVTX is the only artifact set that combines who-did-what-when at a per-event grain. Modern attacker methodology routinely includes log tampering as part of post-exploitation: clearing the Security log, disabling auditing and using LOLBins (living-off-the-land binaries) that produce minimal log events. Tamper detection is therefore part of the standard forensic methodology.

The Sherlock Universal Events Viewer Forensic Edition at $97 USD reads EVTX files and the legacy EVT format. It carries built-in detection rules for credential dumping (Event ID 4672 anomalies), lateral movement (4624 + 4648 chain) and Kerberos ticket abuse (4768 + 4769 + 4770 + 4771 anomalies). The Forensic Edition output is the structured forensic record an incident response engagement needs to defend against an in-court challenge that the evidence was modified after acquisition.

Practical Takeaway

If you operate a Windows fleet and you do not yet collect EVTX logs centrally, or you do not have a forensic analyst on retainer who knows what to do with them, you have a known gap. The first step is logging configuration: confirm your audit policy is logging at least Logon, Logoff, Account Logon, Privilege Use and Process Creation. The second step is forwarding: send the EVTX channels to a central SIEM or log store. The third step is regular review: even a weekly grep across the prior week's 4625, 4672 and 1102 events catches more incidents than no review at all.

If you are responding to an incident now and need to read EVTX files from a workstation that has been pulled for forensic imaging, the Universal Events Viewer Forensic Edition is the tool. It reads the EVTX without a running Windows instance, surfaces the high-signal event IDs above and produces a court-ready PDF report you can attach to the incident response engagement record.