ESENT (Extensible Storage Engine) — Windows Application log provider

36 events across 1 channel

Event | Title | Channel
102 | Event ID 102 | Application
103 | Event ID 103 | Application
105 | Event ID 105 | Application
204 | Event ID 204 | Application
205 | Event ID 205 | Application
210 | Event ID 210 | Application
213 | Event ID 213 | Application
216 | Event ID 216 | Application
220 | Event ID 220 | Application
221 | Event ID 221 | Application
223 | Event ID 223 | Application
224 | Event ID 224 | Application
225 | Event ID 225 | Application
300 | Event ID 300 | Application
301 | Event ID 301 | Application
302 | Event ID 302 | Application
325 | Event ID 325 | Application
326 | Event ID 326 | Application
327 | Event ID 327 | Application
412 | Event ID 412 | Application
413 | Event ID 413 | Application
455 | Event ID 455 | Application
471 | Event ID 471 | Application
490 | Event ID 490 | Application
492 | Event ID 492 | Application
508 | Event ID 508 | Application
533 | Event ID 533 | Application
609 | Event ID 609 | Application
612 | Event ID 612 | Application
636 | Event ID 636 | Application
637 | Event ID 637 | Application
640 | Event ID 640 | Application
700 | Event ID 700 | Application
701 | Event ID 701 | Application
2005 | certsrv (13200,G,0) Shadow copy instance 1 starting. | Application
2006 | certsrv (13200,G,0) Shadow copy instance 1 completed successfully. | Application

Event ID 102:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.5564171+00:00",
    "event_record_id": 738,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,P,98",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "0",
    "Data_4": "10",
    "Data_5": "00",
    "Data_6": "20348",
    "Data_7": "0000"
  },
  "message": "svchost (1540,P,98) DS_Token_DB: The database engine (10.00.20348.0000) is starting a new instance (0)."
}

Event ID 103:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T06:33:21.4302230+00:00",
    "event_record_id": 666,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "DFSRs",
    "Data_1": "3760,T,97",
    "Data_2": "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
    "Data_3": "0",
    "Data_4": "\n[1] 0.000004 +J(0)\n[2] 0.000012 +J(0)\n[3] 0.000018 +J(0)\n[4] 0.000002 +J(0)\n[5] 0.009739 -0.001981 (7) WT +J(0) +M(C:-8K, Fs:5, WS:-4K # 0K, PF:-8K # 0K, P:-8K)\n[6] 0.000009 +J(0)\n[7] 0.000007 +J(0)\n[8] 0.011066 -0.002733 (13) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3060/2) +M(C:0K, Fs:7, WS:-28K # 0K, PF:-28K # 0K, P:-28K)\n[9] 0.001829 -0.000283 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:1, WS:4K # 0K, PF:20K # 0K, P:20K)\n[10] 0.000201 +J(0)\n[11] 0.002495 -0.001032 (2) WT +J(0)\n[12] 0.000017 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000183 +J(0) +M(C:0K, Fs:0, WS:-216K # 0K, PF:-228K # 0K, P:-228K)\n[14] 0.000036 +J(0) +M(C:0K, Fs:0, WS:-72K # 0K, PF:-92K # 0K, P:-92K)\n[15] 0.000004 +J(0).",
    "Data_5": "0"
  },
  "message": "DFSRs (3760,T,97) \\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: The database engine stopped the instance (0). \r\n \r\nDirty Shutdown: 0 \r\n \r\nInternal Timing Sequence: \n[1] 0.000004 +J(0)\n[2] 0.000012 +J(0)\n[3] 0.000018 +J(0)\n[4] 0.000002 +J(0)\n[5] 0.009739 -0.001981 (7) WT +J(0) +M(C:-8K, Fs:5, WS:-4K # 0K, PF:-8K # 0K, P:-8K)\n[6] 0.000009 +J(0)\n[7] 0.000007 +J(0)\n[8] 0.011066 -0.002733 (13) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3060/2) +M(C:0K, Fs:7, WS:-28K # 0K, PF:-28K # 0K, P:-28K)\n[9] 0.001829 -0.000283 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:66/1) +M(C:0K, Fs:1, WS:4K # 0K, PF:20K # 0K, P:20K)\n[10] 0.000201 +J(0)\n[11] 0.002495 -0.001032 (2) WT +J(0)\n[12] 0.000017 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)\n[13] 0.000183 +J(0) +M(C:0K, Fs:0, WS:-216K # 0K, PF:-228K # 0K, P:-228K)\n[14] 0.000036 +J(0) +M(C:0K, Fs:0, WS:-72K # 0K, PF:-92K # 0K, P:-92K)\n[15] 0.000004 +J(0)."
}

Event ID 105:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.6501654+00:00",
    "event_record_id": 742,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,D,0",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "0",
    "Data_4": "0",
    "Data_5": "\n[1] 0.000863 +J(0) +M(C:0K, Fs:138, WS:532K # 532K, PF:2652K # 2652K, P:2652K)\n[2] 0.000483 +J(0) +M(C:8K, Fs:126, WS:496K # 496K, PF:1216K # 1216K, P:1216K)\n[3] 0.000025 +J(0) +M(C:0K, Fs:14, WS:52K # 52K, PF:72K # 72K, P:72K)\n[4] 0.000198 +J(0) +M(C:0K, Fs:74, WS:296K # 296K, PF:184K # 184K, P:184K)\n[5] 0.002430 +J(0) +M(C:0K, Fs:48, WS:192K # 192K, PF:28K # 28K, P:28K)\n[6] 0.005455 +J(0) +M(C:0K, Fs:68, WS:272K # 272K, PF:48K # 48K, P:48K)\n[7] 0.002805 -0.000622 (2) WT +J(0) +M(C:0K, Fs:33, WS:132K # 132K, PF:64K # 64K, P:64K)\n[8] 0.027728 -0.010559 (11) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:111, WS:300K # 304K, PF:212K # 216K, P:212K)\n[9] 0.000715 +J(0) +M(C:0K, Fs:5, WS:20K # 16K, PF:4K # 0K, P:4K)\n[10] 0.001094 -0.000385 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)\n[11] 0.000031 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[12] 0.004739 -0.002736 (1) WT +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.052292 -0.000596 (2) CM -0.023208 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:53, WS:88K # 104K, PF:228K # 236K, P:228K)\n[14] 0.000020 +J(0)\n[15] 0.000016 +J(0)\n[16] 0.000886 -0.000177 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K).",
    "Data_6": "lgposV2[] = 00000003:0001:0000 - 00000003:0004:0367 - 00000003:0005:0000 - 00000003:0005:0000 (00000000:0000:0000)\ncReInits = 2\n"
  },
  "message": "svchost (1540,D,0) DS_Token_DB: The database engine started a new instance (0). (Time=0 seconds) \r\n \r\nAdditional Data:\r\n lgposV2[] = 00000003:0001:0000 - 00000003:0004:0367 - 00000003:0005:0000 - 00000003:0005:0000 (00000000:0000:0000)\ncReInits = 2\n \r\n \r\nInternal Timing Sequence: \n[1] 0.000863 +J(0) +M(C:0K, Fs:138, WS:532K # 532K, PF:2652K # 2652K, P:2652K)\n[2] 0.000483 +J(0) +M(C:8K, Fs:126, WS:496K # 496K, PF:1216K # 1216K, P:1216K)\n[3] 0.000025 +J(0) +M(C:0K, Fs:14, WS:52K # 52K, PF:72K # 72K, P:72K)\n[4] 0.000198 +J(0) +M(C:0K, Fs:74, WS:296K # 296K, PF:184K # 184K, P:184K)\n[5] 0.002430 +J(0) +M(C:0K, Fs:48, WS:192K # 192K, PF:28K # 28K, P:28K)\n[6] 0.005455 +J(0) +M(C:0K, Fs:68, WS:272K # 272K, PF:48K # 48K, P:48K)\n[7] 0.002805 -0.000622 (2) WT +J(0) +M(C:0K, Fs:33, WS:132K # 132K, PF:64K # 64K, P:64K)\n[8] 0.027728 -0.010559 (11) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:111, WS:300K # 304K, PF:212K # 216K, P:212K)\n[9] 0.000715 +J(0) +M(C:0K, Fs:5, WS:20K # 16K, PF:4K # 0K, P:4K)\n[10] 0.001094 -0.000385 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)\n[11] 0.000031 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)\n[12] 0.004739 -0.002736 (1) WT +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[13] 0.052292 -0.000596 (2) CM -0.023208 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:53, WS:88K # 104K, PF:228K # 236K, P:228K)\n[14] 0.000020 +J(0)\n[15] 0.000016 +J(0)\n[16] 0.000886 -0.000177 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K)."
}

Event ID 204:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 204,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.380817+00:00",
    "event_record_id": 4241,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "C:\\Windows\\system32\\CertLog\\",
    "Data_4": "C:\\Windows\\system32\\CertLog\\",
    "Binary": ""
  },
  "message": ""
}

Event ID 205:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 205,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.486548+00:00",
    "event_record_id": 4247,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,U,98",
    "Data_2": "Restore0001: ",
    "Binary": ""
  },
  "message": ""
}

Event ID 210:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 210,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:22:59+00:00",
    "event_record_id": 94,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: "
    ]
  },
  "message": ""
}


Event ID 213:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 213,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:23:00+00:00",
    "event_record_id": 99,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: "
    ]
  },
  "message": ""
}


Event ID 216:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description | Rules
Data | — | 1

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 216,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2021-06-05T19:36:36.537144+00:00",
    "event_record_id": 442136,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "rootdc1.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "lsass",
      "548",
      "",
      "C:\\Windows\\NTDS\\ntds.dit",
      "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy5\\Windows\\NTDS\\ntds.dit"
    ]
  },
  "message": ""
}

Detection Patterns #

Credential Access: NTDS — 1 rule (Sigma; author: Nasreddine Bencherchali, Nextron Systems).

In the example above the Data array carries the process name ("lsass"), its PID ("548"), an empty instance name, the live path C:\Windows\NTDS\ntds.dit and a VSS shadow-copy path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit); the ntds.dit substring is what the indicator below matches. Note that system.execution.process_id is 0 and security.user_id is empty in this example, so the acting process must be taken from the Data values and correlated with process-creation telemetry before concluding that the directory database was copied out of a shadow copy.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. The rules predicate on a single Data field; pipelines that flatten ESENT event data into positional Data_0…Data_N fields (as several examples on this page do) must map the `Data contains` predicate across those fields or the rule will never match.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 1 rule | sigma
Provider_Name | eq | ESENT | 1 rule | sigma

Detection Rules #




Event ID 220:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 220,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:22:59+00:00",
    "event_record_id": 95,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: ",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore",
      "2 Mb"
    ]
  },
  "message": ""
}


Event ID 221:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 221,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:22:59+00:00",
    "event_record_id": 96,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: ",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore"
    ]
  },
  "message": ""
}


Event ID 223:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 223,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T16:23:00+00:00",
    "event_record_id": 97,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "WinMail",
      "280",
      "WindowsMail0: ",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log",
      "C:\\Users\\IEUser\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log"
    ]
  },
  "message": ""
}


Event ID 224:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 224,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:06:22.480449+00:00",
    "event_record_id": 4227,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "13036,D,81",
    "Data_2": "",
    "Data_3": "C:\\Windows\\system32\\CertLog\\edb00001.log",
    "Data_4": "C:\\Windows\\system32\\CertLog\\edb00001.log",
    "Binary": ""
  },
  "message": ""
}

Event ID 225:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 225,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T13:41:34.6041240+00:00",
    "event_record_id": 654,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "3664,U,98",
    "Data_2": "PeerDistPubCacheJetInstance: "
  },
  "message": "svchost (3664,U,98) PeerDistPubCacheJetInstance: No log files can be truncated. "
}

Event ID 300:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 300,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.5564171+00:00",
    "event_record_id": 739,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,R,98",
    "Data_2": "DS_Token_DB: "
  },
  "message": "svchost (1540,R,98) DS_Token_DB: The database engine is initiating recovery steps."
}

Event ID 301:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 301,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.5876674+00:00",
    "event_record_id": 740,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,R,98",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log",
    "Data_4": "\n[1] 0.019763 -0.009452 (8) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:85, WS:204K # 208K, PF:132K # 136K, P:132K).",
    "Data_5": "AttachDB ",
    "Data_6": "2"
  },
  "message": "svchost (1540,R,98) DS_Token_DB: The database engine has finished replaying logfile C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSS.log. \r\n \r\nProcessing Stats: \n[1] 0.019763 -0.009452 (8) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:16224/11) +M(C:0K, Fs:85, WS:204K # 208K, PF:132K # 136K, P:132K). \r\nLog record of type 'AttachDB ' was seen most frequently (2 times)"
}

Event ID 302:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.6345413+00:00",
    "event_record_id": 741,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,U,98",
    "Data_2": "DS_Token_DB: "
  },
  "message": "svchost (1540,U,98) DS_Token_DB: The database engine has successfully completed recovery steps."
}

Event ID 325:

#
Provider
ESENT
Channel
Application
Level
Informational
Collection Priority
Recommended (ASD)

Fields #

Name | Description | Rules
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data_8
Data | — | 8

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 325,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:38:30.9959300+00:00",
    "event_record_id": 734,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "DFSRs",
    "Data_1": "3832,D,35",
    "Data_2": "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
    "Data_3": "1",
    "Data_4": "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000175 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)\n[2] 0.002483 -0.000148 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[3] 0.017793 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000373 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.003502 -0.000716 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K, Fs:42, WS:160K # 0K, PF:244K # 0K, P:244K)\n[6] 0.007479 -0.000235 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447) +M(C:0K, Fs:75, WS:300K # 0K, PF:220K # 0K, P:220K)\n[7] 0.002184 -0.000263 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K, Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.000003 +J(0)\n[9] 0.006297 -0.004371 (4) WT +J(0) +M(C:-52K, Fs:10, WS:-20K # 0K, PF:-44K # 0K, P:-44K)\n[10] 0.009886 -0.000596 (5) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130) +M(C:12K, Fs:47, WS:180K # 0K, PF:96K # 0K, P:96K)\n[11] 0.000005 +J(0).",
    "Data_7": "0 0",
    "Data_8": "lgposCreate = 00000001:0001:0268,\ndbv = 1568.180.400 (9360)"
  },
  "message": "DFSRs (3832,D,35) \\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: The database engine created a new database (1, \\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db). (Time=0 seconds) \r\n \r\nAdditional Data: lgposCreate = 00000001:0001:0268,\ndbv = 1568.180.400 (9360) \r\n \r\nInternal Timing Sequence: \n[1] 0.000175 +J(0) +M(C:0K, Fs:5, WS:20K # 0K, PF:8K # 0K, P:8K)\n[2] 0.002483 -0.000148 (1) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:4, WS:16K # 0K, PF:0K # 0K, P:0K)\n[3] 0.017793 -0.000003 (3) WT +J(0) +M(C:0K, Fs:11, WS:36K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000373 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[5] 0.003502 -0.000716 (3) WT +J(CM:0, PgRf:3, Rd:0/0, Dy:3/6, Lg:122/4) +M(C:0K, Fs:42, WS:160K # 0K, PF:244K # 0K, P:244K)\n[6] 0.007479 -0.000235 (2) WT +J(CM:0, PgRf:209, Rd:0/0, Dy:12/408, Lg:24454/447) +M(C:0K, Fs:75, WS:300K # 0K, PF:220K # 0K, P:220K)\n[7] 0.002184 -0.000263 (3) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4096/3) +M(C:0K, Fs:4, WS:8K # 0K, PF:0K # 0K, P:0K)\n[8] 0.000003 +J(0)\n[9] 0.006297 -0.004371 (4) WT +J(0) +M(C:-52K, Fs:10, WS:-20K # 0K, PF:-44K # 0K, P:-44K)\n[10] 0.009886 -0.000596 (5) WT +J(CM:0, PgRf:348, Rd:0/0, Dy:7/93, Lg:12509/130) +M(C:12K, Fs:47, WS:180K # 0K, PF:96K # 0K, P:96K)\n[11] 0.000005 +J(0)."
}

Detection Patterns #

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. In the example above the path of the newly created database appears in Data_4 and again in the message text; the directory indicators below (\desktop\, \perflogs\, \users\public\) are matched against that location, so a pipeline that flattens event data into Data_0…Data_8 rather than a single Data field needs the rules' `Data contains` predicates mapped to those fields.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 2 rules | sigma
Provider_Name | eq | ESENT | 2 rules | sigma
Data | contains | \desktop\ | 1 rule | sigma
Data | contains | \perflogs\ | 1 rule | sigma
Data | contains | \users\public\ | 1 rule | sigma

Detection Rules #




Event ID 326:

#
Provider
ESENT
Channel
Application
Level
Informational
Collection Priority
Recommended (ASD)

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data_8
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 326,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T23:42:56.6657933+00:00",
    "event_record_id": 743,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "1540,D,50",
    "Data_2": "DS_Token_DB: ",
    "Data_3": "1",
    "Data_4": "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000003 +J(0)\n[2] 0.001071 -0.000515 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 4K, PF:4K # 0K, P:4K)\n[3] 0.011507 -0.003172 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:7, WS:24K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000893 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001077 -0.000873 (2) CM -0.000753 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:54/1) +M(C:8K, Fs:3, WS:12K # 0K, PF:28K # 0K, P:28K)\n[9] 0.002592 -0.002210 (3) CM -0.002046 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:8K, Fs:32, WS:128K # 100K, PF:208K # 192K, P:208K)\n[10] 0.000526 -0.000397 (1) CM -0.000348 (1) WT +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:64K # 64K, P:64K)\n[11] 0.000016 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K)\n[12] 0.000040 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:5, WS:20K # 20K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000005 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).",
    "Data_7": "1 0",
    "Data_8": "lgposAttach = 00000003:0007:0268,\ndbv = 1568.180.400 (9360)"
  },
  "message": "svchost (1540,D,50) DS_Token_DB: The database engine attached a database (1, C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\DataSharing\\Storage\\DSTokenDB2.dat). (Time=0 seconds) \r\n \r\nSaved Cache: 1 0 \r\nAdditional Data: lgposAttach = 00000003:0007:0268,\ndbv = 1568.180.400 (9360) \r\n \r\nInternal Timing Sequence: \n[1] 0.000003 +J(0)\n[2] 0.001071 -0.000515 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 4K, PF:4K # 0K, P:4K)\n[3] 0.011507 -0.003172 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:7, WS:24K # 0K, PF:20K # 0K, P:20K)\n[4] 0.000893 +J(0)\n[5] -\n[6] -\n[7] -\n[8] 0.001077 -0.000873 (2) CM -0.000753 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:54/1) +M(C:8K, Fs:3, WS:12K # 0K, PF:28K # 0K, P:28K)\n[9] 0.002592 -0.002210 (3) CM -0.002046 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:8K, Fs:32, WS:128K # 100K, PF:208K # 192K, P:208K)\n[10] 0.000526 -0.000397 (1) CM -0.000348 (1) WT +J(CM:1, PgRf:40, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:4, WS:16K # 16K, PF:64K # 64K, P:64K)\n[11] 0.000016 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:3, WS:12K # 12K, PF:0K # 0K, P:0K)\n[12] 0.000040 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:5, WS:20K # 20K, PF:0K # 0K, P:0K)\n[13] 0.0 +J(0)\n[14] 0.0 +J(0)\n[15] 0.000005 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0)."
}

Detection Patterns #

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 1 rule | sigma
Provider_Name | eq | ESENT | 1 rule | sigma

Detection Rules #



Event ID 327:

#
Provider
ESENT
Channel
Application
Level
Informational
Collection Priority
Recommended (ASD)

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data_7
Data_8
Data

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 327,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T13:41:33.8541525+00:00",
    "event_record_id": 640,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "3908,D,51",
    "Data_2": "",
    "Data_3": "1",
    "Data_4": "C:\\Windows\\System32\\LServer\\TLSLic.edb",
    "Data_5": "0",
    "Data_6": "\n[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000001 +J(0)\n[3] 0.000019 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[4] 0.000001 +J(0)\n[5] 0.000001 +J(0)\n[6] 0.003213 -0.000382 (1) WT +J(0) +M(C:0K, Fs:3, WS:12K # 0K, PF:0K # 0K, P:0K)\n[7] 0.000012 +J(0)\n[8] 0.001508 -0.000165 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4042/2)\n[9] 0.004767 -0.000426 (5) WT +J(0) +M(C:0K, Fs:1, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.001581 +J(0)\n[11] 0.000031 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K).",
    "Data_7": "0 0",
    "Data_8": "lgposDetach = 00000001:0002:0036"
  },
  "message": "svchost (3908,D,51) The database engine detached a database (1, C:\\Windows\\System32\\LServer\\TLSLic.edb). (Time=0 seconds) \r\n \r\nRevived Cache: 0 0 \r\nAdditional Data: lgposDetach = 00000001:0002:0036 \r\n \r\nInternal Timing Sequence: \n[1] 0.000005 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[2] 0.000001 +J(0)\n[3] 0.000019 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)\n[4] 0.000001 +J(0)\n[5] 0.000001 +J(0)\n[6] 0.003213 -0.000382 (1) WT +J(0) +M(C:0K, Fs:3, WS:12K # 0K, PF:0K # 0K, P:0K)\n[7] 0.000012 +J(0)\n[8] 0.001508 -0.000165 (2) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:4042/2)\n[9] 0.004767 -0.000426 (5) WT +J(0) +M(C:0K, Fs:1, WS:-20K # 0K, PF:-20K # 0K, P:-20K)\n[10] 0.001581 +J(0)\n[11] 0.000031 +J(0) +M(C:0K, Fs:0, WS:-4K # 0K, PF:-4K # 0K, P:-4K)."
}

Detection Patterns #

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Credential Access: NTDS

2 rules

Sigma

Nasreddine Bencherchali (Nextron Systems)

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Data | contains | ntds.dit | 1 rule | sigma
Provider_Name | eq | ESENT | 1 rule | sigma

Detection Rules #



Event ID 412:

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 412,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-12T03:05:00.384288+00:00",
    "event_record_id": 49444,
    "correlation": {},
    "execution": {
      "process_id": 3544,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "3544,R,98",
    "Data_2": "SRUJet: ",
    "Data_3": "C:\\Windows\\system32\\SRU\\SRU.log",
    "Data_4": "-501",
    "Binary": ""
  },
  "message": ""
}

Event ID 413:

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 413,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T03:42:00.148167+00:00",
    "event_record_id": 37478,
    "correlation": {},
    "execution": {
      "process_id": 4016,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "4016,D,0",
    "Data_2": "SRUJet: ",
    "Data_3": "-1032",
    "Binary": ""
  },
  "message": ""
}

Event ID 455:

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 455,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:03:01.690404+00:00",
    "event_record_id": 4186,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certutil.exe",
    "Data_1": "1736,R,98",
    "Data_2": "",
    "Data_3": "C:\\Windows\\system32\\CertLog\\edb.log",
    "Data_4": "-1032 (0xfffffbf8)",
    "Binary": ""
  },
  "message": ""
}

Event ID 471:

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 471,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T03:42:00.150050+00:00",
    "event_record_id": 37480,
    "correlation": {},
    "execution": {
      "process_id": 4016,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "4016,D,43",
    "Data_2": "SRUJet: ",
    "Data_3": "1525",
    "Data_4": "C:\\Windows\\system32\\sru\\SRUDB.dat",
    "Data_5": "-510",
    "Binary": ""
  },
  "message": ""
}

Event ID 490:

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 490,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:03:01.689833+00:00",
    "event_record_id": 4185,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certutil.exe",
    "Data_1": "1736,R,98",
    "Data_2": "",
    "Data_3": "C:\\Windows\\system32\\CertLog\\edb.log",
    "Data_4": "-1032 (0xfffffbf8)",
    "Data_5": "32 (0x00000020)",
    "Data_6": "The process cannot access the file because it is being used by another process. ",
    "Binary": ""
  },
  "message": ""
}

Event ID 492:

#
Provider
ESENT
Channel
Application
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 492,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T03:42:00.149257+00:00",
    "event_record_id": 37479,
    "correlation": {},
    "execution": {
      "process_id": 4016,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "4016,D,0",
    "Data_2": "SRUJet: ",
    "Data_3": "C:\\Windows\\system32\\SRU\\",
    "Binary": ""
  },
  "message": ""
}

Event ID 508:

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 508,
    "version": 0,
    "level": 3,
    "task": 7,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T06:00:45.9773498+00:00",
    "event_record_id": 643,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "2656,D,0",
    "Data_2": "SoftwareUsageMetrics-Svc: ",
    "Data_3": "C:\\Windows\\system32\\LogFiles\\Sum\\Svc.log",
    "Data_4": "49152 (0x000000000000c000)",
    "Data_5": "4096 (0x00001000)",
    "Data_6": "15"
  },
  "message": "svchost (2656,D,0) SoftwareUsageMetrics-Svc: A request to write to the file \"C:\\Windows\\system32\\LogFiles\\Sum\\Svc.log\" at offset 49152 (0x000000000000c000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (15 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem."
}

Event ID 533:

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 533,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-15T04:09:57.608199+00:00",
    "event_record_id": 5739,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "svchost",
    "Data_1": "7392,T,0",
    "Data_2": "SRUJet: ",
    "Data_3": "C:\\Windows\\system32\\SRU\\SRU.chk",
    "Data_4": "0 (0x0000000000000000)",
    "Data_5": "4096 (0x00001000)",
    "Data_6": "36",
    "Binary": ""
  },
  "message": ""
}

Event ID 609:

#
Provider
ESENT
Channel
Application
Level
Informational

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 609,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T19:25:31.000000Z",
    "event_record_id": 521,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

References #

Event ID 612:

#
Provider
ESENT
Channel
Application
Level
Informational

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 612,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2013-10-23T19:25:31.000000Z",
    "event_record_id": 522,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "IE8Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {}
}

References #

Event ID 636:

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 636,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.391784+00:00",
    "event_record_id": 4243,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
    "Data_4": "ReadHdrFailed",
    "Binary": ""
  },
  "message": ""
}

Event ID 637:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 637,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.393005+00:00",
    "event_record_id": 4244,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
    "Binary": ""
  },
  "message": ""
}

Event ID 640:

#
Provider
ESENT
Channel
Application
Level
Warning

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 640,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:07:16.370498+00:00",
    "event_record_id": 4240,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv.exe",
    "Data_1": "14016,P,98",
    "Data_2": "Restore0001: ",
    "Data_3": "-1919",
    "Data_4": "C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm",
    "Data_5": "[SignDbHdrFromDb:Create time:03/13/2026 23:06:22.503 Rand:3655758382 Computer:] [SignFmHdrFromDb:Create time:03/13/2026 23:06:22.385 Rand:413456288 Computer:] [SignDbHdrFromFm:Create time:03/13/2026 23:06:22.931 Rand:2864051150 Computer:] [SignFmHdrFromFm:Create time:03/13/2026 23:06:22.945 Rand:3852748920 Computer:]",
    "Binary": ""
  },
  "message": ""
}

Event ID 700:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 700,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-28T22:56:52.420762+00:00",
    "event_record_id": 2450,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "DFSRs",
      "4004,D,0",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db"
    ],
    "Binary": ""
  },
  "message": ""
}

Event ID 701:

#
Provider
ESENT
Channel
Application
Level
Informational

Fields #

Name | Description
Data
Binary

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 701,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-28T22:56:52.420762+00:00",
    "event_record_id": 2451,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "DFSRs",
      "4004,D,0",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db: ",
      "\\\\.\\C:\\System Volume Information\\DFSR\\database_901C_C49A_1CC4_7CAA\\dfsr.db",
      "0",
      "2/28/2026",
      "0",
      "1",
      "1",
      "5"
    ],
    "Binary": ""
  },
  "message": ""
}

Event ID 2005: certsrv (13200,G,0) Shadow copy instance 1 starting.

#
Provider
ESENT
Channel
Application
Level
4 (Informational)

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 2005,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-30T02:25:24.5358691+00:00",
    "event_record_id": 253625,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv",
    "Data_1": "13200,G,0",
    "Data_2": "",
    "Data_3": "1"
  },
  "message": "certsrv (13200,G,0) Shadow copy instance 1 starting. This will be a Full shadow copy."
}

Event ID 2006: certsrv (13200,G,0) Shadow copy instance 1 completed successfully.

#
Provider
ESENT
Channel
Application
Level
4 (Informational)

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3

Example Event #

{
  "system": {
    "provider": "ESENT",
    "guid": "",
    "event_source_name": "",
    "event_id": 2006,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-30T02:25:27.7561355+00:00",
    "event_record_id": 253646,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "certsrv",
    "Data_1": "13200,G,0",
    "Data_2": "",
    "Data_3": "1"
  },
  "message": "certsrv (13200,G,0) Shadow copy instance 1 completed successfully."
}