Microsoft-Windows-AppModel-Runtime
131 events across 6 channels
Event ID 1 — Process ProcessID started at time CreateTime by parent ParentProcessID running as package PackageFullName with executable ImageName is application PackageRelativeApplicationId.
Description
Process ProcessID started at time CreateTime by parent ParentProcessID running as package PackageFullName with executable ImageName is application PackageRelativeApplicationId.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| CreateTime | FILETIME | — |
| ParentProcessID | UInt32 | — |
| PackageFullName | UnicodeString | — |
| ImageName | UnicodeString | — |
| PackageRelativeApplicationId | UnicodeString | — |
Event ID 2 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered.
Event ID 3 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while querying the fast cache.
Event ID 4 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while preparing the App credentials.
Event ID 5 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while checking the user-level package status.
Event ID 6 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while checking the machine-level package status.
Event ID 7 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while verifying the App credentials.
Event ID 8 — App PackageFullName was terminated with error ErrorCode because of an issue with application binary FailedBinary.
Event ID 9 — App PackageFullName was terminated with error ErrorCode because of an issue with Windows binary FailedBinary.
Event ID 11 — App PackageFullName prevented the load of generated binary FailedBinary due to error ErrorCode.
Description
App PackageFullName prevented the load of generated binary FailedBinary due to error ErrorCode. This could be because the binary is unsigned, contains an untrusted signature, or has been corrupted or tampered with.
Fields
| Name | Type | Description |
|---|---|---|
| PackageFullName | UnicodeString | — |
| ErrorCode | UInt32 | — |
| FailedBinary | UnicodeString | — |
Event ID 12 — An app prevented the load of a binary due to error ErrorCode.
Event ID 14 — ErrorCode: Package runtime information FileName is corrupted (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is corrupted (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | — |
| ErrorCode | Int32 | — |
| Size | UInt64 | — |
| Offset | UInt32 | — |
| HeaderAddr | Pointer | — |
| Section | UnicodeString | — |
| ProcessId | UInt32 | — |
Event ID 15 — ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | — |
| ErrorCode | Int32 | — |
| Size | UInt64 | — |
| HeaderAddr | Pointer | — |
| Section | UnicodeString | — |
| ProcessId | UInt32 | — |
Event ID 16 — ErrorCode: Package runtime information FileName contains conflicting data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName contains conflicting data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | — |
| ErrorCode | Int32 | — |
| Size | UInt64 | — |
| Offset | UInt32 | — |
| HeaderAddr | Pointer | — |
| Section | UnicodeString | — |
| ProcessId | UInt32 | — |
Event ID 17 — ErrorCode: Package runtime information FileName contains unexpected data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName contains unexpected data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | — |
| ErrorCode | Int32 | — |
| Size | UInt64 | — |
| Offset | UInt32 | — |
| HeaderAddr | Pointer | — |
| Section | UnicodeString | — |
| ProcessId | UInt32 | — |
Event ID 18 — ErrorCode: Package runtime information FileName failed to load (processid=ProcessId).
Event ID 19 — Package runtime information FileName failed to load because exception ExceptionCode occurred.
Event ID 20 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while loading the runtime information.
Event ID 21 — CreateAppContainerProfile failed for AppContainer Context with error ErrorCode.
Description
CreateAppContainerProfile failed for AppContainer Context with error ErrorCode.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| Context | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 21,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 2305913377957871618,
"time_created": "2022-04-07T16:44:41.304110+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 500,
"thread_id": 556
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": 2147942410,
"Context": "onecore\\ds\\security\\gina\\profile\\profext\\appcontainer.cpp Line:1862 Usermode Font Driver Host microsoft.windows.fontdrvhost"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 22 — DeleteAppContainerProfile failed for AppContainer Context with error ErrorCode.
Event ID 23 — UpdateAppContainerProfile failed for AppContainer Context with error ErrorCode.
Event ID 24 — CreateAppContainerProfile failed with error ErrorCode because it was unable to create registry key Context.
Event ID 25 — CreateAppContainerProfile failed with error ErrorCode because it was unable to set security on registry key Context.
Event ID 26 — AppContainer profile failed with error ErrorCode because it was unable to delete registry key Context.
Event ID 27 — CreateAppContainerProfile failed with error ErrorCode because it was unable to create folder Context.
Event ID 28 — CreateAppContainerProfile failed with error ErrorCode because it was unable to set attributes on folder Context.
Event ID 29 — CreateAppContainerProfile failed with error ErrorCode because it was unable to verify the existence of registry key Context.
Event ID 30 — CreateAppContainerProfile failed with error ErrorCode because it was unable to verify the existence of folder Context.
Event ID 31 — CreateAppContainerProfile failed with error ErrorCode because it was unable to find the users local app data folder.
Event ID 32 — AppContainer profile failed with error ErrorCode because it was unable to delete folder Context or its contents.
Event ID 33 — AppContainer profile failed with error ErrorCode because it was unable to look up the AppContainer name.
Event ID 34 — AppContainer profile failed with error ErrorCode because it was unable to look up the AppContainer display name.
Event ID 35 — CreateAppContainerProfile failed with error ErrorCode because it was unable to register with the firewall.
Event ID 36 — DeleteAppContainerProfile failed with error because it was unable to unregister with the firewall.
Description
DeleteAppContainerProfile failed with error because it was unable to unregister with the firewall.
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 36,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693954,
"time_created": "2023-10-26T04:16:53.639661+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 684,
"thread_id": 748
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": {
"Name": "ErrorCode",
"Value": 2147944122
}
},
"message": "End"
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 37 — App Container profile failed with error ErrorCode because it was unable to register the AppContainer SID.
Event ID 38 — DeleteAppContainerProfile failed with error ErrorCode because it was unable to unregister the AppContainer SID.
Event ID 39 — Successfully created AppContainer Data.
Description
Successfully created AppContainer Data.
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 39,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693954,
"time_created": "2023-11-05T22:33:20.087771+00:00",
"event_record_id": 251,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-F76B-DBE43710DA01"
},
"execution": {
"process_id": 4660,
"thread_id": 5424
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"Data": {
"Name": "AppContainerName",
"Value": "Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy"
}
},
"message": "The Scenario Event Mapper is configured with more than the maximum number of context providers for the scenario with provider AppContainerName (event ID Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy). The scenario will be ignored."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 40 — AppContainer Data was not created because it already exists.
Description
AppContainer Data was not created because it already exists.
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 40,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693954,
"time_created": "2023-11-06T06:25:28.239888+00:00",
"event_record_id": 202,
"correlation": {},
"execution": {
"process_id": 736,
"thread_id": 776
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": {
"Name": "AppContainerName",
"Value": "onecore\\ds\\security\\gina\\profile\\profext\\appcontainer.cpp Line:1850 Usermode Font Driver Host microsoft.windows.fontdrvhost"
}
},
"message": "The Scenario Event Mapper is configured with more than the maximum number of end events for the scenario with provider AppContainerName (event ID onecore\\ds\\security\\gina\\profile\\profext\\appcontainer.cpp Line:1850 Usermode Font Driver Host microsoft.windows.fontdrvhost). The scenario will be ignored."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 41 — Successfully deleted AppContainer Data.
Description
Successfully deleted AppContainer Data.
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693954,
"time_created": "2023-10-26T04:18:43.498634+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 2888,
"thread_id": 3124
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": {
"Name": "AppContainerName",
"Value": "MPENG_9430677C-98FB-4F60-AE90-7960774C825F"
}
},
"message": "The Scenario Event Mapper is configured with more than the maximum number of providers. The provider AppContainerName will be ignored."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 42 — Successfully updated AppContainer Data.
Description
Successfully updated AppContainer Data.
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 42,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693954,
"time_created": "2023-11-05T22:29:23.081725+00:00",
"event_record_id": 227,
"correlation": {
"ActivityID": "59A0D65F-1037-0001-20F2-A0593710DA01"
},
"execution": {
"process_id": 5296,
"thread_id": 5800
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"Data": {
"Name": "AppContainerName",
"Value": "Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe"
}
},
"message": "The Scenario Event Mapper is configured with an unsupported scenario. The scenario for provider AppContainerName (event ID Microsoft.VCLibs.140.00.UWPDesktop_8wekyb3d8bbwe) encountered error code %3 and will be ignored."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 43 — ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=ApplicationUserModelId, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=ApplicationUserModelId, processid=ProcessId). Reinstall the package to fix this issue.
Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | — |
| ErrorCode | Int32 | — |
| Size | UInt64 | — |
| HeaderAddr | Pointer | — |
| ApplicationUserModelId | UnicodeString | — |
| ProcessId | UInt32 | — |
Event ID 44 — ErrorCode: Application identity not accessible while loading package runtime information FileName (address=HeaderAddr, size=Size, processid=ProcessId).
Event ID 45 — Failed with ErrorCode while retrieving AppContainer Context information during interaction with Restricted AppContainer.
Event ID 46 — Failed with ErrorCode while retrieving AppContainer information during interaction with Restricted AppContainer.
Event ID 47 — Failed with ErrorCode while retrieving AppContainer information.
Event ID 48 — Failed to create shared context object for Restricted AppContainer Context with ErrorCode.
Event ID 49 — Failed to activate Restricted AppContainer Context with ErrorCode.
Event ID 50 — Creation of Restricted AppContainer Context failed with ErrorCode because an invalid capability was specified.
Event ID 51 — Opening existing Restricted AppContainer Context failed with ErrorCode because the capabilities storage value could not be read.
Event ID 52 — Failed to create the capabilities storage value for Restricted AppContainer Context with ErrorCode.
Event ID 53 — The package PackageFullName requires validation.
Event ID 54 — Modification was detected in package PackageFullName.
Event ID 55 — Failed to terminate app with package PackageFullName.
Event ID 56 — Validation of app with package PackageFullName was successful.
Event ID 57 — Failed with ErrorCode to retrieve the trust state of the package PackageFullName folder.
Event ID 58 — App Integrity check failed with ErrorCode while checking PackageFullName.
Event ID 59 — App Integrity terminated an application.
Event ID 60 — App Integrity check for PackageFullName timed out.
Event ID 61 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while performing the integrity check.
Event ID 62 — Deployment server integrity check of package ErrorCode failed with PackageFullName.
Event ID 63 — Failed with ErrorCode retrieving AppModel Runtime group policy values.
Event ID 64 — Failed with ErrorCode validating AppModel Runtime group policy values.
Event ID 65 — Failed with ErrorCode retrieving AppModel Runtime status for package PackageFullName.
Event ID 66 — Failed with ErrorCode retrieving AppModel Runtime status for package PackageFullName for user User.
Description
Failed with ErrorCode retrieving AppModel Runtime status for package PackageFullName for user User.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| PackageFullName | UnicodeString | — |
| User | SID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 66,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693953,
"time_created": "2022-04-07T16:53:25.460837+00:00",
"event_record_id": 56,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 5340
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"ErrorCode": 87,
"PackageFullName": "Windows",
"User": "S-1-5-21-2121334350-1110938707-2888912545-500"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 67 — Failed with ErrorCode modifying AppModel Runtime status for package PackageFullName (current status = CurrentStatus, desired status = DesiredStatus).
Event ID 68 — AppModel Runtime status for package PackageFullName successfully updated to DesiredStatus (previous status = CurrentStatus).
Description
AppModel Runtime status for package PackageFullName successfully updated to DesiredStatus (previous status = CurrentStatus).
Fields
| Name | Type | Description |
|---|---|---|
| PackageFullName | UnicodeString | — |
| DesiredStatus | UInt32 | — |
| CurrentStatus | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 68,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693953,
"time_created": "2026-03-11T07:23:17.083333+00:00",
"event_record_id": 759,
"correlation": {
"ActivityID": "164E10E5-B120-0001-EE6E-4F1620B1DC01"
},
"execution": {
"process_id": 4624,
"thread_id": 3408
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PackageFullName": "Microsoft.WinDbg_1.2601.12001.0_x64__8wekyb3d8bbwe",
"DesiredStatus": 131072,
"CurrentStatus": 0
},
"message": ""
}
Event ID 69 — Failed with ErrorCode modifying AppModel Runtime status for package PackageFullName for user User (clear=DesiredStatus, set=CurrentStatus).
Description
Failed with ErrorCode modifying AppModel Runtime status for package PackageFullName for user User (clear=DesiredStatus, set=CurrentStatus).
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| PackageFullName | UnicodeString | — |
| User | SID | — |
| DesiredStatus | UInt32 | — |
| CurrentStatus | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 69,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693953,
"time_created": "2022-04-07T17:04:34.316467+00:00",
"event_record_id": 69,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-314A-7BDD9E4AD801"
},
"execution": {
"process_id": 5972,
"thread_id": 2672
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": 1168,
"PackageFullName": "Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe",
"User": "S-1-5-21-2121334350-1110938707-2888912545-500",
"DesiredStatus": 32,
"CurrentStatus": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 70 — Successfully updated AppModel Runtime status for package PackageFullName for user User (clear=DesiredStatus, set=CurrentStatus).
Description
Successfully updated AppModel Runtime status for package PackageFullName for user User (clear=DesiredStatus, set=CurrentStatus).
Fields
| Name | Type | Description |
|---|---|---|
| PackageFullName | UnicodeString | — |
| User | SID | — |
| DesiredStatus | UInt32 | — |
| CurrentStatus | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 70,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693953,
"time_created": "2022-04-07T17:04:43.551444+00:00",
"event_record_id": 139,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-7475-7BDD9E4AD801"
},
"execution": {
"process_id": 5972,
"thread_id": 904
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PackageFullName": "MicrosoftWindows.UndockedDevKit_10.0.20348.1_neutral_neutral_cw5n1h2txyewy",
"User": "S-1-5-21-2121334350-1110938707-2888912545-500",
"DesiredStatus": 0,
"CurrentStatus": 2048
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 71 — Failed with ErrorCode modifying AppModel Runtime status version (context = Context).
Event ID 72 — AppModel Runtime status version successfully updated.
Description
AppModel Runtime status version successfully updated.
Event ID 73 — ErrorCode: Cannot create the process for package PackageFullName because an error was encountered while performing the app data creation.
Event ID 74 — Package runtime information FileName failed to refresh because the following error ErrorCode occurred in operation type Type.
Event ID 75 — error ErrorCode: Cannot register the PackageFullName package because the following error was encountered while opening the HKEY_USERS registry key.
Event ID 76 — error ErrorCode: Cannot register the PackageFullName package because the following error was encountered while enumerating to remove the Key\Subkey package family registry key.
Description
error ErrorCode: Cannot register the PackageFullName package because the following error was encountered while enumerating to remove the Key\Subkey package family registry key.
Fields
| Name | Type | Description |
|---|---|---|
| PackageFullName | UnicodeString | — |
| Key | UnicodeString | — |
| Subkey | UnicodeString | — |
| ErrorCode | HexInt32 | — |
Event ID 77 — error ErrorCode: Cannot register the PackageFullName package because the following error was encountered while creating the Key\Subkey package family registry key.
Event ID 78 — error ErrorCode: Cannot register the PackageFullName package because the following error was encountered while removing the Key\Subkey package family registry key.
Event ID 79 — ErrorCode: Package family PackageFamilyName runtime information is corrupted.
Event ID 80 — ErrorCode: Package family PackageFamilyName runtime information is corrupted but we cannot repair it at this time.
Event ID 81 — Failed with ErrorCode to get IsPackageStageInPlace info from State Repository cache for package PackageFullName.
Event ID 101 — Creating AppContainer AppContainerName.
Event ID 102 — Finished creating AppContainer Context with ErrorCode.
Event ID 103 — Deleting AppContainer AppContainerName.
Event ID 104 — Finished deleting AppContainer Context with ErrorCode.
Event ID 105 — Updating AppContainer AppContainerName.
Event ID 106 — Finished updating AppContainer Context with ErrorCode.
Event ID 107 — Creating firewall rules for AppContainer AppContainerName.
Event ID 108 — Finished creating firewall rules for AppContainer Context with ErrorCode.
Event ID 109 — Deleting firewall rules for AppContainer AppContainerName.
Event ID 110 — Finished deleting firewall rules for AppContainer Context with ErrorCode.
Event ID 111 — Creating Restricted AppContainer AppContainerName.
Event ID 112 — Finished creating Restricted AppContainer Context with ErrorCode.
Event ID 113 — Deleting Restricted AppContainer AppContainerName.
Event ID 114 — Finished deleting Restricted AppContainer Context with ErrorCode.
Event ID 115 — Opening Restricted AppContainer AppContainerName.
Event ID 116 — Finished opening Restricted AppContainer Context with ErrorCode.
Event ID 117 — Enumerating all Restricted AppContainers for AppContainerName.
Event ID 118 — Finished enumerating all Restricted AppContainers for AppContainer Context with ErrorCode.
Event ID 119 — Launching process in Restricted AppContainer AppContainerName.
Event ID 120 — Finished launching process in Restricted AppContainer Context with ErrorCode.
Event ID 121 — Terminating all processes in Restricted AppContainer AppContainerName.
Event ID 122 — Finished terminating all processes in Restricted AppContainer Context with ErrorCode.
Event ID 123 — Checking package graph for PackageFullName.
Event ID 124 — Package graph check for PackageFullName finished with ErrorCode.
Event ID 125 — Performing app integrity check for package PackageFullName.
Event ID 126 — App integrity check for package PackageFullName finished with ErrorCode.
Event ID 127 — Performing runtime app integrity check for package PackageFullName.
Event ID 128 — Runtime app integrity check for package PackageFullName finished with ErrorCode.
Event ID 129 — Firewall Service not running.
Event ID 130 — Updating Restricted AppContainer Capabilities AppContainerName.
Event ID 131 — Finished Updating Restricted AppContainer Capabilities Context with ErrorCode.
Event ID 201 — Created process ProcessID for application ApplicationName in package PackageName.
Description
Created process ProcessID for application ApplicationName in package PackageName. Message.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| PackageName | UnicodeString | — |
| ImageName | UnicodeString | — |
| ApplicationName | UnicodeString | — |
| Message | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 201,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693956,
"time_created": "2023-11-06T01:55:56.247720+00:00",
"event_record_id": 466,
"correlation": {},
"execution": {
"process_id": 5324,
"thread_id": 18660
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ProcessID": 21588,
"PackageName": "Microsoft.WindowsNotepad_11.2307.27.0_x64__8wekyb3d8bbwe",
"ImageName": "Notepad.exe",
"ApplicationName": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App",
"Message": "[FinishPackageActivation]"
},
"message": ""
}
Detection Rules
Sigma
- Sysinternals Tools AppX Versions Execution (source, low): Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 202 — ErrorCode: Cannot create the process for package PackageName because an error was encountered.
Event ID 203 — ErrorCode: Cannot create the process for package PackageName because an error was encountered while preparing for activation.
Event ID 204 — ErrorCode: Cannot create the process for package PackageName because an error was encountered while elevating the token.
Event ID 205 — ErrorCode: Cannot create the process for package PackageName because UI Access is not supported for Desktop AppX processes.
Event ID 206 — ErrorCode: Cannot create the process for package PackageName because an error was encountered while adjusting the token.
Event ID 207 — ErrorCode: Cannot create the process for package PackageName because an error was encountered while launching.
Event ID 208 — ErrorCode: Cannot create the process for package PackageName because an error was encountered while configuring runtime.
Event ID 209 — ErrorCode: Cannot create the process for package PackageName because an error was encountered while resuming the thread.
Event ID 210 — Created Desktop AppX container for package PackageName.
Description
Created Desktop AppX container for package PackageName.
Fields
| Name | Type | Description |
|---|---|---|
| PackageName | UnicodeString | — |
| ContainerName | UnicodeString | — |
| ContainerId | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 210,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2023-11-05T22:32:34.540536+00:00",
"event_record_id": 239,
"correlation": {
"ActivityID": "E4DB489E-1037-0003-2157-DBE43710DA01"
},
"execution": {
"process_id": 920,
"thread_id": 472
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PackageName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy",
"ContainerName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy-S-1-5-21-1992711665-1655669231-58201500-1000",
"ContainerId": "{22A04431-7C2B-11EE-936C-000C293379BA}"
},
"message": "Intel TXT SENTER time: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy ms."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 211 — Added process ProcessID to Desktop AppX container ContainerId for package PackageName.
Description
Added process ProcessID to Desktop AppX container ContainerId for package PackageName.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| PackageName | UnicodeString | — |
| ContainerId | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 211,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2023-11-05T22:32:34.540594+00:00",
"event_record_id": 240,
"correlation": {
"ActivityID": "E4DB489E-1037-0003-2157-DBE43710DA01"
},
"execution": {
"process_id": 920,
"thread_id": 472
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ProcessID": 6212,
"PackageName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy",
"ContainerId": "{22A04431-7C2B-11EE-936C-000C293379BA}"
},
"message": "Added process 6212 to Desktop AppX container {22A04431-7C2B-11EE-936C-000C293379BA} for package MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 212 — ErrorCode: Cannot add process ProcessID to Desktop AppX container ContainerId for package PackageName because an error was encountered.
Event ID 213 — ErrorCode: Cannot create the Desktop AppX container for package PackageName because an error was encountered creating the job.
Event ID 214 — ErrorCode: Cannot create the Desktop AppX container for package PackageName because an error was encountered creating the description.
Event ID 215 — ErrorCode: Cannot create the Desktop AppX container for package PackageName because an error was encountered converting the job.
Event ID 216 — ErrorCode: Cannot create the Desktop AppX container for package PackageName because an error was encountered configuring the runtime.
Event ID 217 — Destroyed Desktop AppX container for package PackageName.
Description
Destroyed Desktop AppX container for package PackageName.
Fields
| Name | Type | Description |
|---|---|---|
| PackageName | UnicodeString | — |
| ContainerId | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
"event_source_name": "",
"event_id": 217,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2023-11-05T22:31:32.531960+00:00",
"event_record_id": 236,
"correlation": {
"ActivityID": "59A0D65F-1037-0002-A9F7-A0593710DA01"
},
"execution": {
"process_id": 928,
"thread_id": 6576
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PackageName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy",
"ContainerId": "{975E2192-7C2A-11EE-936B-000C293379BA}"
},
"message": "Soft reboot complete prepare finished: MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 218 — Cannot destroy Desktop AppX container MakeTemporaryErrorCode for package CleanupContainerErrorCode.
Event ID 219 — PSMFlags for Desktop AppX process PackageFullName with applicationID ApplicationId is PsmFlags.
Description
PSMFlags for Desktop AppX process PackageFullName with applicationID ApplicationId is PsmFlags.
Fields
| Name | Type | Description |
|---|---|---|
| PackageFullName | UnicodeString | — |
| ApplicationId | UnicodeString | — |
| PsmFlags | UInt64 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppModel-Runtime",
"guid": "{f1ef270a-0d32-4352-ba52-dbab41e1d859}",
"event_source_name": "",
"event_id": 219,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693956,
"time_created": "2023-11-06T01:55:55.914607+00:00",
"event_record_id": 463,
"correlation": {},
"execution": {
"process_id": 5324,
"thread_id": 18660
},
"channel": "Microsoft-Windows-AppModel-Runtime/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 220 — Cannot start the process ImageName because the executable was not found the package PackageName.
Description
Cannot start the process ImageName because the executable was not found the package PackageName.
Fields
| Name | Type | Description |
|---|---|---|
| PackageName | UnicodeString | — |
| ImageName | UnicodeString | — |
| ApplicationName | UnicodeString | — |
| ErrorCode | UInt32 | — |
| Message | UnicodeString | — |