Kerberos Event Decoder

Paste a raw Windows Security Event XML from Event Viewer and get a human-readable breakdown of every field — ticket options flags, encryption types, result codes, pre-authentication types, and security warnings.

Event XML

Decode Clear Copy Link Ctrl+Enter to decode

Examples: 4768 TGT Success 4768 TGT Failure 4769 TGS Success 4771 Pre-auth Failure 4770 Renewal

Copy Details

---

Supported Events

These four events cover the Kerberos authentication lifecycle on domain controllers. Enable Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations in Advanced Audit Policy to capture them.

Event	Name	Generated When
4768	TGT Request (AS-REQ)	Client requests an initial TGT from the KDC
4769	Service Ticket (TGS-REQ)	Client uses a TGT to request a service ticket
4770	Ticket Renewed	An existing service ticket is renewed
4771	Pre-auth Failed	AS-REQ fails pre-authentication (wrong password, locked account, etc.)

How to Export Event XML

Event Viewer GUI — Right-click an event → Copy → Copy details as XML.

PowerShell (single event):

Get-WinEvent -FilterHashtable @{LogName='Security';Id=4768} -MaxEvents 1 |
  ForEach-Object { $_.ToXml() }

PowerShell (export failures):

Get-WinEvent -FilterHashtable @{LogName='Security';Id=4768} -MaxEvents 100 |
  Where-Object { $_.ToXml() -match 'Status.*0x[1-9a-fA-F]' } |
  ForEach-Object { $_.ToXml() }

wevtutil (command line):

wevtutil qe Security "/q:*[System[EventID=4768]]" /c:1 /f:xml

See Also

• Encryption Type Calculator — decode msDS-SupportedEncryptionTypes bitmask values
• Etype Negotiation — how the KDC selects encryption types
• Registry Settings — registry paths that control Kerberos encryption
• Group Policy — GPO settings for encryption type filtering