Message

Process %1 started at time %2 by parent %3 running as package %4 with executable %5 is application %6.

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered. %3

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while querying the fast cache. %3

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while preparing the App credentials. %3

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while checking the user-level package status. %3

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while checking the machine-level package status. %3

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while verifying the App credentials. %3

Fields

Message

App %1 was terminated with error %2 because of an issue with application binary %3. This could be because the binary is unsigned, contains an untrusted signature, or has been corrupted or tampered with. Reinstall the application to fix this issue.

Fields

Message

App %1 was terminated with error %2 because of an issue with Windows binary %3. This could be because the binary is unsigned, contains an untrusted signature, or has been corrupted or tampered with. Refresh your PC to fix this issue.

Fields

Message

App %1 prevented the load of generated binary %3 due to error %2. This could be because the binary is unsigned, contains an untrusted signature, or has been corrupted or tampered with.

Fields

Message

An app prevented the load of a binary due to error %1. This could be because the binary is unsigned, contains an untrusted signature, or has been corrupted or tampered with.

Fields

Message

%2: Package runtime information %1 is corrupted (address=%5, size=%3, offset=%4, section=%6, processid=%7). Reinstall the package to fix this issue.

Fields

Message

%2: Package runtime information %1 is missing expected data (address=%4, size=%3, section=%5, processid=%6). Reinstall the package to fix this issue.

Fields

Message

%2: Package runtime information %1 contains conflicting data (address=%5, size=%3, offset=%4, section=%6, processid=%7). Reinstall the package to fix this issue.

Fields

Message

%2: Package runtime information %1 contains unexpected data (address=%5, size=%3, offset=%4, section=%6, processid=%7). Reinstall the package to fix this issue.

Fields

Message

%2: Package runtime information %1 failed to load (processid=%3).

Fields

Message

Package runtime information %1 failed to load because exception %2 occurred.

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while loading the runtime information. %3

Fields

Message

CreateAppContainerProfile failed for AppContainer %2 with error %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 21
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 2305913377957871618
  time_created: '2022-04-07T16:44:41.304110+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 500
    thread_id: 556
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  ErrorCode: 2147942410
  Context: onecore\ds\security\gina\profile\profext\appcontainer.cpp Line:1862 Usermode
    Font Driver Host microsoft.windows.fontdrvhost
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

DeleteAppContainerProfile failed for AppContainer %2 with error %1.

Fields

Message

UpdateAppContainerProfile failed for AppContainer %2 with error %1.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to create registry key %2.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to set security on registry key %2.

Fields

Message

AppContainer profile failed with error %1 because it was unable to delete registry key %2.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to create folder %2.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to set attributes on folder %2.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to verify the existence of registry key %2.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to verify the existence of folder %2.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to find the users local app data folder.

Fields

Message

AppContainer profile failed with error %1 because it was unable to delete folder %2 or its contents.

Fields

Message

AppContainer profile failed with error %1 because it was unable to look up the AppContainer name.

Fields

Message

AppContainer profile failed with error %1 because it was unable to look up the AppContainer display name.

Fields

Message

CreateAppContainerProfile failed with error %1 because it was unable to register with the firewall.

Fields

Message

DeleteAppContainerProfile failed with error %1 because it was unable to unregister with the firewall.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 36
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 2305843009213693954
  time_created: '2023-10-26T04:16:53.639661+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 684
    thread_id: 748
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  Data:
    Name: ErrorCode
    Value: 2147944122
message: End

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

App Container profile failed with error %1 because it was unable to register the AppContainer SID.

Fields

Message

DeleteAppContainerProfile failed with error %1 because it was unable to unregister the AppContainer SID.

Fields

Message

Successfully created AppContainer %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 39
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693954
  time_created: '2023-11-05T22:33:20.087771+00:00'
  event_record_id: 251
  correlation:
    ActivityID: E4DB489E-1037-0002-F76B-DBE43710DA01
  execution:
    process_id: 4660
    thread_id: 5424
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Data:
    Name: AppContainerName
    Value: Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy
message: The Scenario Event Mapper is configured with more than the maximum number
  of context providers for the scenario with provider AppContainerName (event ID Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy).  The
  scenario will be ignored.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

AppContainer %1 was not created because it already exists.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 40
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693954
  time_created: '2023-11-06T06:25:28.239888+00:00'
  event_record_id: 202
  correlation: {}
  execution:
    process_id: 736
    thread_id: 776
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Data:
    Name: AppContainerName
    Value: onecore\ds\security\gina\profile\profext\appcontainer.cpp Line:1850 Usermode
      Font Driver Host microsoft.windows.fontdrvhost
message: The Scenario Event Mapper is configured with more than the maximum number
  of end events for the scenario with provider AppContainerName (event ID onecore\ds\security\gina\profile\profext\appcontainer.cpp
  Line:1850 Usermode Font Driver Host microsoft.windows.fontdrvhost).  The scenario
  will be ignored.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Successfully deleted AppContainer %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 41
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693954
  time_created: '2023-10-26T04:18:43.498634+00:00'
  event_record_id: 5
  correlation: {}
  execution:
    process_id: 2888
    thread_id: 3124
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  Data:
    Name: AppContainerName
    Value: MPENG_9430677C-98FB-4F60-AE90-7960774C825F
message: The Scenario Event Mapper is configured with more than the maximum number
  of providers.  The provider AppContainerName will be ignored.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Successfully updated AppContainer %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 42
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693954
  time_created: '2023-11-05T22:29:23.081725+00:00'
  event_record_id: 227
  correlation:
    ActivityID: 59A0D65F-1037-0001-20F2-A0593710DA01
  execution:
    process_id: 5296
    thread_id: 5800
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Data:
    Name: AppContainerName
    Value: Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe
message: The Scenario Event Mapper is configured with an unsupported scenario. The
  scenario for provider AppContainerName (event ID Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe)
  encountered error code %3 and will be ignored.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%2: Package runtime information %1 is missing expected data (address=%4, size=%3, section=%5, processid=%6). Reinstall the package to fix this issue.

Fields

Message

%2: Application identity not accessible while loading package runtime information %1 (address=%4, size=%3, processid=%5).

Fields

Message

Failed with %1 while retrieving AppContainer %2 information during interaction with Restricted AppContainer.

Fields

Message

Failed with %1 while retrieving AppContainer information during interaction with Restricted AppContainer.

Fields

Message

Failed with %1 while retrieving AppContainer information. Call invalid from this process type.

Fields

Message

Failed to create shared context object for Restricted AppContainer %2 with %1.

Fields

Message

Failed to activate Restricted AppContainer %2 with %1.

Fields

Message

Creation of Restricted AppContainer %2 failed with %1 because an invalid capability was specified.

Fields

Message

Opening existing Restricted AppContainer %2 failed with %1 because the capabilities storage value could not be read.

Fields

Message

Failed to create the capabilities storage value for Restricted AppContainer %2 with %1.

Fields

Message

The package %1 requires validation.

Fields

Message

Modification was detected in package %1.

Fields

Message

Failed to terminate app with package %1.

Fields

Message

Validation of app with package %1 was successful.

Fields

Message

Failed with %1 to retrieve the trust state of the package %2 folder.

Fields

Message

App Integrity check failed with %1 while checking %2.

Fields

Message

App Integrity terminated an application. Integrity check for %2 returned %1.

Fields

Message

App Integrity check for %1 timed out.

Fields

Message

%2: Cannot create the process for package %1 because an error was encountered while performing the integrity check. %3

Fields

Message

Deployment server integrity check of package %1 failed with %2.

Fields

Message

Failed with %1 retrieving AppModel Runtime group policy values.

Fields

Message

Failed with %1 validating AppModel Runtime group policy values.

Fields

Message

Failed with %1 retrieving AppModel Runtime status for package %2.

Fields

Message

Failed with %1 retrieving AppModel Runtime status for package %2 for user %3.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 66
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 2305843009213693953
  time_created: '2022-04-07T16:53:25.460837+00:00'
  event_record_id: 56
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 5340
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  ErrorCode: 87
  PackageFullName: Windows
  User: S-1-5-21-2121334350-1110938707-2888912545-500
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Failed with %1 modifying AppModel Runtime status for package %2 (current status = %4, desired status = %3).

Fields

Message

AppModel Runtime status for package %1 successfully updated to %2 (previous status = %3).

Fields

Message

Failed with %1 modifying AppModel Runtime status for package %2 for user %3 (clear=%4, set=%5).

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 69
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693953
  time_created: '2022-04-07T17:04:34.316467+00:00'
  event_record_id: 69
  correlation:
    ActivityID: DD7B0B6A-4A9E-0001-314A-7BDD9E4AD801
  execution:
    process_id: 5972
    thread_id: 2672
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  ErrorCode: 1168
  PackageFullName: Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe
  User: S-1-5-21-2121334350-1110938707-2888912545-500
  DesiredStatus: 32
  CurrentStatus: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Successfully updated AppModel Runtime status for package %1 for user %2 (clear=%3, set=%4).

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 70
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693953
  time_created: '2022-04-07T17:04:43.551444+00:00'
  event_record_id: 139
  correlation:
    ActivityID: DD7B0B6A-4A9E-0001-7475-7BDD9E4AD801
  execution:
    process_id: 5972
    thread_id: 904
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  PackageFullName: MicrosoftWindows.UndockedDevKit_10.0.20348.1_neutral_neutral_cw5n1h2txyewy
  User: S-1-5-21-2121334350-1110938707-2888912545-500
  DesiredStatus: 0
  CurrentStatus: 2048
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Failed with %1 modifying AppModel Runtime status version (context = %2).

Fields

Message

AppModel Runtime status version successfully updated.

Message

%2: Cannot create the process for package %1 because an error was encountered while performing the app data creation. %3

Fields

Message

Package runtime information %1 failed to refresh because the following error %2 occurred in operation type %3.

Fields

Message

error %2: Cannot register the %1 package because the following error was encountered while opening the HKEY_USERS registry key

Fields

Message

error %4: Cannot register the %1 package because the following error was encountered while enumerating to remove the %2\%3 package family registry key

Fields

Message

error %4 : Cannot register the %1 package because the following error was encountered while creating the %2\%3 package family registry key

Fields

Message

error %4: Cannot register the %1 package because the following error was encountered while removing the %2\%3 package family registry key

Fields

Message

%2: Package family %1 runtime information is corrupted. Attempting to correct the issue.

Fields

Message

%2: Package family %1 runtime information is corrupted but we cannot repair it at this time.

Fields

Message

Failed with %1 to get IsPackageStageInPlace info from State Repository cache for package %2. The app will by default require integrity check.

Fields

Message

Creating AppContainer %1.

Fields

Message

Finished creating AppContainer %2 with %1.

Fields

Message

Deleting AppContainer %1.

Fields

Message

Finished deleting AppContainer %2 with %1.

Fields

Message

Updating AppContainer %1.

Fields

Message

Finished updating AppContainer %2 with %1.

Fields

Message

Creating firewall rules for AppContainer %1.

Fields

Message

Finished creating firewall rules for AppContainer %2 with %1.

Fields

Message

Deleting firewall rules for AppContainer %1.

Fields

Message

Finished deleting firewall rules for AppContainer %2 with %1.

Fields

Message

Creating Restricted AppContainer %1.

Fields

Message

Finished creating Restricted AppContainer %2 with %1.

Fields

Message

Deleting Restricted AppContainer %1.

Fields

Message

Finished deleting Restricted AppContainer %2 with %1.

Fields

Message

Opening Restricted AppContainer %1.

Fields

Message

Finished opening Restricted AppContainer %2 with %1.

Fields

Message

Enumerating all Restricted AppContainers for %1.

Fields

Message

Finished enumerating all Restricted AppContainers for AppContainer %2 with %1.

Fields

Message

Launching process in Restricted AppContainer %1.

Fields

Message

Finished launching process in Restricted AppContainer %2 with %1.

Fields

Message

Terminating all processes in Restricted AppContainer %1.

Fields

Message

Finished terminating all processes in Restricted AppContainer %2 with %1.

Fields

Message

Checking package graph for %1.

Fields

Message

Package graph check for %2 finished with %1.

Fields

Message

Performing app integrity check for package %1.

Fields

Message

App integrity check for package %2 finished with %1.

Fields

Message

Performing runtime app integrity check for package %1.

Fields

Message

Runtime app integrity check for package %2 finished with %1.

Fields

Message

Firewall Service not running. Skipping creation of firewall rules for AppContainer %1.

Fields

Message

Updating Restricted AppContainer Capabilities %1.

Fields

Message

Finished Updating Restricted AppContainer Capabilities %2 with %1.

Fields

Message

Created process %1 for application %4 in package %2. %5

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 201
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693956
  time_created: '2023-11-06T01:55:56.247720+00:00'
  event_record_id: 466
  correlation: {}
  execution:
    process_id: 5324
    thread_id: 18660
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ProcessID: 21588
  PackageName: Microsoft.WindowsNotepad_11.2307.27.0_x64__8wekyb3d8bbwe
  ImageName: Notepad.exe
  ApplicationName: Microsoft.WindowsNotepad_8wekyb3d8bbwe!App
  Message: '[FinishPackageActivation]'
message: ''

Sigma Rules

• Sysinternals Tools AppX Versions Execution
  Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%4: Cannot create the process for package %1 because an error was encountered. %5

Fields

Message

%4: Cannot create the process for package %1 because an error was encountered while preparing for activation. %5

Fields

Message

%4: Cannot create the process for package %1 because an error was encountered while elevating the token. %5

Fields

Message

%4: Cannot create the process for package %1 because UI Access is not supported for Desktop AppX processes. %5

Fields

Message

%4: Cannot create the process for package %1 because an error was encountered while adjusting the token. %5

Fields

Message

%4: Cannot create the process for package %1 because an error was encountered while launching. %5

Fields

Message

%4: Cannot create the process for package %1 because an error was encountered while configuring runtime. %5

Fields

Message

%4: Cannot create the process for package %1 because an error was encountered while resuming the thread. %5

Fields

Message

Created Desktop AppX container %3 for package %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 210
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2023-11-05T22:32:34.540536+00:00'
  event_record_id: 239
  correlation:
    ActivityID: E4DB489E-1037-0003-2157-DBE43710DA01
  execution:
    process_id: 920
    thread_id: 472
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  PackageName: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy
  ContainerName: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy-S-1-5-21-1992711665-1655669231-58201500-1000
  ContainerId: '{22A04431-7C2B-11EE-936C-000C293379BA}'
message: 'Intel TXT SENTER time: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy
  ms.'

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Added process %1 to Desktop AppX container %3 for package %2.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 211
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2023-11-05T22:32:34.540594+00:00'
  event_record_id: 240
  correlation:
    ActivityID: E4DB489E-1037-0003-2157-DBE43710DA01
  execution:
    process_id: 920
    thread_id: 472
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ProcessID: 6212
  PackageName: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy
  ContainerId: '{22A04431-7C2B-11EE-936C-000C293379BA}'
message: Added process 6212 to Desktop AppX container {22A04431-7C2B-11EE-936C-000C293379BA}
  for package MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy.

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%1: Cannot add process %2 to Desktop AppX container %4 for package %3 because an error was encountered.

Fields

Message

%1: Cannot create the Desktop AppX container for package %2 because an error was encountered creating the job.

Fields

Message

%1: Cannot create the Desktop AppX container for package %2 because an error was encountered creating the description.

Fields

Message

%1: Cannot create the Desktop AppX container for package %2 because an error was encountered converting the job.

Fields

Message

%1: Cannot create the Desktop AppX container for package %2 because an error was encountered configuring the runtime.

Fields

Message

Destroyed Desktop AppX container %2 for package %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: F1EF270A-0D32-4352-BA52-DBAB41E1D859
  event_source_name: ''
  event_id: 217
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2023-11-05T22:31:32.531960+00:00'
  event_record_id: 236
  correlation:
    ActivityID: 59A0D65F-1037-0002-A9F7-A0593710DA01
  execution:
    process_id: 928
    thread_id: 6576
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  PackageName: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy
  ContainerId: '{975E2192-7C2A-11EE-936B-000C293379BA}'
message: 'Soft reboot complete prepare finished: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy.'

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Cannot destroy Desktop AppX container %2 for package %1.

Fields

Message

PSMFlags for Desktop AppX process %1 with applicationID %2 is %3.

Fields

Example Event

system:
  provider: Microsoft-Windows-AppModel-Runtime
  guid: '{f1ef270a-0d32-4352-ba52-dbab41e1d859}'
  event_source_name: ''
  event_id: 219
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693956
  time_created: '2023-11-06T01:55:55.914607+00:00'
  event_record_id: 463
  correlation: {}
  execution:
    process_id: 5324
    thread_id: 18660
  channel: Microsoft-Windows-AppModel-Runtime/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline