Application Error

2 events across 1 channel

Event ID 1000 — Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.

Provider: Application Error
Channel: Application
Level: Error
Collection Priority: Recommended (Microsoft-WEF, others)
Task: ApplicationCrashingEvents

Message

Faulting application name: %1, version: %2, time stamp: 0x%3
Faulting module name: %4, version: %5, time stamp: 0x%6
Exception code: 0x%7
Fault offset: 0x%8
Faulting process id: %9
Faulting application start time: %10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15

Fields

Name    Description
Faulting_application_name
version
Faulting_module_name
version
Faulting_application_path
Faulting_module_path
Report_Id
Faulting_package_full_name
Faulting_packagerelative_application_ID

Example Event

{
  "system": {
    "provider": "Application Error",
    "guid": "",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 2,
    "task": 100,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2016-08-18T20:11:24.000000Z",
    "event_record_id": 1590,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE10Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

Event ID 1005 — Windows cannot access the file File for one of the following reasons: there is a problem with the network connection, the disk that the file is store...

Provider: Application Error
Channel: Application
Task: ApplicationCrashingEvents

Message

Windows cannot access the file %1 for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program %2 because of this error.

Program: %2
File: %1

The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
	- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
	- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: %3
Disk type: %4

Fields

Name    Description
File
Program
Error_value
Disk_type
FilePath UnicodeString
AppName UnicodeString
StatusCode HexInt32
MediumType HexInt32