Application Error
2 events across 1 channel
| Event | Title | Channel |
|---|---|---|
| 1000 | Faulting application name: Faulting_application_name, version: version, time … | Application |
| 1005 | Windows cannot access the file File for one of the following reasons: there is a … | Application |
Event ID 1000: Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Description #
Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
| Data_0 | | |
| Data_1 | | |
| Data_2 | | |
| Data_3 | | |
| Data_4 | | |
| Data_5 | | |
| Data_6 | | |
| Data_7 | | |
| Data_8 | | |
| Data_9 | | |
| Data_10 | | |
| Data_11 | | |
| Data_12 | | |
| Data_13 | | |
| Data_14 | | |
| AppName | | 3 |
| AppVersion | | 5 |
| AppTimeStamp | | |
| ModuleName | | 1 |
| ModuleVersion | | |
| ModuleTimeStamp | | |
| ExceptionCode | | 2 |
| FaultingOffset | | |
| ProcessId | | |
| ProcessCreationTime | | |
| AppPath | | |
| ModulePath | | |
| IntegratorReportId | | |
| PackageFullName | | |
| PackageRelativeAppId | | |
Example Event #
```json
{
  "system": {
    "provider": "Application Error",
    "guid": "",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 2,
    "task": 100,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-28T19:24:06.1832880+00:00",
    "event_record_id": 306,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "kape.exe",
    "Data_1": "1.3.0.2",
    "Data_2": "89883a17",
    "Data_3": "KERNELBASE.dll",
    "Data_4": "10.0.20348.558",
    "Data_5": "827f29ba",
    "Data_6": "e0434352",
    "Data_7": "000000000001ff6c",
    "Data_8": "17e0",
    "Data_9": "01dceed7707604fd",
    "Data_10": "C:\\Tools\\KAPE\\kape.exe",
    "Data_11": "C:\\Windows\\System32\\KERNELBASE.dll",
    "Data_12": "707434bb-9bd5-4bbf-b8d2-6327601feefc",
    "Data_13": "",
    "Data_14": ""
  },
  "message": "Faulting application name: kape.exe, version: 1.3.0.2, time stamp: 0x89883a17\r\nFaulting module name: KERNELBASE.dll, version: 10.0.20348.558, time stamp: 0x827f29ba\r\nException code: 0xe0434352\r\nFault offset: 0x000000000001ff6c\r\nFaulting process id: 0x17e0\r\nFaulting application start time: 0x01dceed7707604fd\r\nFaulting application path: C:\\Tools\\KAPE\\kape.exe\r\nFaulting module path: C:\\Windows\\System32\\KERNELBASE.dll\r\nReport Id: 707434bb-9bd5-4bbf-b8d2-6327601feefc\r\nFaulting package full name: \r\nFaulting package-relative application ID: "
}
```
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | Application Error | 5 rules | sigma |
| AppName | eq | lsass.exe | 2 rules | sigma |
| Data | contains | mpengine.dll | 1 rule | sigma |
| Data | contains | msmpeng.exe | 1 rule | sigma |
Detection Rules #
Sigma #
- LSASS Process Crashed - Application (level: high): Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
- Microsoft Malware Protection Engine Crash (level: high): This rule detects a suspicious crash of the Microsoft Malware Protection Engine.
- CVE-2023-40477 Potential Exploitation - WinRAR Application Crash (level: medium): Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477.
- CVE-2024-49113 Exploitation Attempt - LDAP Nightmare (level: high): Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
- LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 (level: high): Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409). This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability, which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
Splunk #
- Potential CVE-2024-49113 - LDAPNightmare (Windows Event Log): SafeBreach Labs revealed a PoC for CVE-2024-49113, codenamed LDAPNightmare. The PoC is designed to crash any unpatched Windows Server with no prerequisites except that the DNS server of the victim domain controller has internet…
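The Fields table and the rule descriptions above together give everything needed to turn a raw Event ID 1000 record into named fields and evaluate the documented crash predicates. The following is an added example, not code from this page or from any of the rule vendors; it assumes the Data_N keys map positionally onto AppName, AppVersion, ... PackageRelativeAppId in the order the Fields table lists them (inferred from the kape.exe example event), and `make_event` builds a constructed minimal record for testing.

```python
# Positional names for Data_0..Data_14 in the order the Fields table lists
# them (assumption, inferred from the page's kape.exe example event).
FIELD_NAMES = [
    "AppName", "AppVersion", "AppTimeStamp", "ModuleName", "ModuleVersion",
    "ModuleTimeStamp", "ExceptionCode", "FaultingOffset", "ProcessId",
    "ProcessCreationTime", "AppPath", "ModulePath", "IntegratorReportId",
    "PackageFullName", "PackageRelativeAppId",
]
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # exception code named in the Netlogon rule

def normalize(event):
    """Map the Data_N keys of an Event ID 1000 record to the named fields."""
    data = event["event_data"]
    return {n: data.get(f"Data_{i}", "") for i, n in enumerate(FIELD_NAMES)}

def version_tuple(v):
    """'6.22' -> (6, 22) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def make_event(app, app_ver, module, exc_code):
    """Constructed minimal Application Error 1000 record (sample, not real telemetry)."""
    data = [app, app_ver, "", module, "", "", exc_code] + [""] * 8
    return {"system": {"provider": "Application Error", "event_id": 1000},
            "event_data": {f"Data_{i}": v for i, v in enumerate(data)}}

def match_rules(event):
    """Return the names of the crash-based rules on this page whose predicates match."""
    sys_ = event["system"]
    if sys_.get("provider") != "Application Error" or sys_.get("event_id") != 1000:
        return []
    f = normalize(event)
    app, module = f["AppName"].lower(), f["ModuleName"].lower()
    code = int(f["ExceptionCode"], 16) if f["ExceptionCode"] else None
    hits = []
    if app == "lsass.exe":
        hits.append("LSASS Process Crashed")
        if module == "wldap32.dll":
            hits.append("CVE-2024-49113 Exploitation Attempt - LDAP Nightmare")
        if module == "netlogon.dll" and code == STATUS_STACK_BUFFER_OVERRUN:
            hits.append("LSASS Crash Via Netlogon Stack Buffer Overflow")
    if app == "winrar.exe" and version_tuple(f["AppVersion"]) < (6, 23):
        hits.append("CVE-2023-40477 Potential Exploitation - WinRAR Application Crash")
    # The page lists both values as indicators; the exact rule logic is approximated.
    if app == "msmpeng.exe" or module == "mpengine.dll":
        hits.append("Microsoft Malware Protection Engine Crash")
    return hits
```

The page's own kape.exe crash (KERNELBASE.dll, exception 0xe0434352, a .NET exception) matches none of the predicates, which is the expected outcome for a benign tool crash.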
Event ID 1005: Windows cannot access the file File for one of the following reasons: there is a problem with the network connection, the disk that the file is store...
Description #
Windows cannot access the file FilePath for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program AppName because of this error.

Program: AppName
File: FilePath

The error value is listed in the Additional Data section.

User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
   - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
   - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: StatusCode
Disk type: MediumType
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| FilePath | UnicodeString | |
| AppName | UnicodeString | |
| StatusCode | HexInt32 | NTSTATUS reference |
| MediumType | HexInt32 | |
Provenance #
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID a0e9b465-b939-57d7-b27d-95d8e925ff57
Defined in wer.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.5074 · captured 2026-06-02