Application Error

2 events across 1 channel

Event ID	Title	Channel
1000	Faulting application name: %1, version: %2, time stamp: 0x%3 Faulting module …	Application
1005	Windows cannot access the file %1 for one of the following reasons: there is a …	Application

Event ID 1000 — Faulting application name: %1, version: %2, time stamp: 0x%3 Faulting module name: %4, version: %5, time stamp: 0x%6 Exception code: 0x%7 Fault off...

Provider: Application Error
Channel: Application
Level: 2
Samples: 1

Message

Faulting application name: %1, version: %2, time stamp: 0x%3
Faulting module name: %4, version: %5, time stamp: 0x%6
Exception code: 0x%7
Fault offset: 0x%8
Faulting process id: %9
Faulting application start time: %10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15

Fields

Name	Description
`Faulting_application_name`	—
`version`	—
`Faulting_module_name`	—
`version`	—
`Faulting_application_path`	—
`Faulting_module_path`	—
`Report_Id`	—
`Faulting_package_full_name`	—
`Faulting_packagerelative_application_ID`	—

Example Event

system:
  provider: Application Error
  guid: ''
  event_source_name: ''
  event_id: 1000
  version: 0
  level: 2
  task: 100
  opcode: 0
  keywords: 36028797018963968
  time_created: '2016-08-18T20:11:24.000000Z'
  event_record_id: 1590
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE10Win7
  security:
    user_id: ''
event_data: {}

Sigma Rules

LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
Microsoft Malware Protection Engine Crash
This rule detects a suspicious crash of the Microsoft Malware Protection Engine

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1005 — Windows cannot access the file %1 for one of the following reasons: there is a problem with the network connection, the disk that the file is store...

Provider: Application Error
Channel: Application

Message

Windows cannot access the file %1 for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program %2 because of this error.

Program: %2
File: %1

The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
	- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
	- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: %3
Disk type: %4

Fields

Name	Description
`File`	—
`Program`	—
`Error_value`	—
`Disk_type`	—
`FilePath`	—
`AppName`	—
`StatusCode`	—
`MediumType`	—