Application Popup
1 event across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 26 | Application popup: Caption : Message. | System |
Event ID 26 — Application popup: Caption : Message.
Description
Application popup: Caption : Message.
Message
Fields
| Name | Description |
|---|---|
| Caption (UnicodeString) | Application popup. |
| Message (UnicodeString) | — |
Example Event
```json
{
  "system": {
    "provider": "Application Popup",
    "guid": "47BFA2B7-BD54-4FAC-B70B-29021084CA8F",
    "event_source_name": "",
    "event_id": 26,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:30:59.302635+00:00",
    "event_record_id": 1847,
    "correlation": {},
    "execution": {
      "process_id": 656,
      "thread_id": 1476
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Caption": "VMware Tools Setup",
    "Message": "Setup needs to reboot the system in order to complete the install. Do you want to reboot now? The system will be rebooted shortly unless you cancel the reboot by answering 'No'."
  },
  "message": ""
}
```
Detection Rules
Sigma
- Sysmon Application Crashed (level: high): Detects application popup reporting a failure of the Sysmon service
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline