Microsoft-Windows-AppID

8 events across 1 channel

Event ID	Title	Channel
4001	AppID failed to compute %2 process attributes.	Operational
4002	AppID Driver failed to start.	Operational
4003	AppID Service failed to start.	Operational
4004	AppID Service is called to verify %2 signature.	Operational
4005	AppID certificate store verification failed.	Operational
4006	AppID certificate store is verified.	Operational
4007	AppID encountered a failure from discache.	Operational
4008	Function call error.	Operational

Event ID 4001 — AppID failed to compute %2 process attributes.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

AppID failed to compute %2 process attributes. Status %3.

Fields

Name	Description
`FilePathLength`	—
`FilePathBuffer`	—
`Status`	—

Event ID 4002 — AppID Driver failed to start.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

AppID Driver failed to start. Status %1.

Fields

Name	Description
`Status`	—

Event ID 4003 — AppID Service failed to start.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

AppID Service failed to start. Status %1.

Fields

Name	Description
`Status`	—

Event ID 4004 — AppID Service is called to verify %2 signature.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

AppID Service is called to verify %2 signature. Status %5.

Fields

Name	Description
`FilePathLength`	—
`FilePathBuffer`	—
`PublisherNameLength`	—
`PublisherNameBuffer`	—
`Status`	—

Event ID 4005 — AppID certificate store verification failed.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

AppID certificate store verification failed. Status %1.

Fields

Name	Description
`Status`	—

Event ID 4006 — AppID certificate store is verified.

Provider: Microsoft-Windows-AppID
Channel: Operational
Level: 4
Samples: 1

Message

AppID certificate store is verified.

Example Event

system:
  provider: Microsoft-Windows-AppID
  guid: 3CB2A168-FE19-4A4E-BDAD-DCF422F13473
  event_source_name: ''
  event_id: 4006
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:45:55.746206+00:00'
  event_record_id: 50
  correlation: {}
  execution:
    process_id: 18240
    thread_id: 4544
  channel: Microsoft-Windows-AppID/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4007 — AppID encountered a failure from discache.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

AppID encountered a failure from discache.sys. Status %1.

Fields

Name	Description
`Status`	—

Event ID 4008 — Function call error.

Provider: Microsoft-Windows-AppID
Channel: Operational

Message

Function call error: %2 called %4 which returned unsuccessfully (Error code: %5).

Fields

Name	Description
`CallingFunctionNameLength`	—
`CallingFunctionName`	—
`FunctionCallNameLength`	—
`FunctionCallName`	—
`Status`	—