Event ID 603 — Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh.
Description
Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh. See http://go.microsoft.com/fwlink/?LinkId=235160 for help diagnosing app deployment issues.
Fields
| Name | Type | Description |
|---|---|---|
| DeploymentOperation | UInt32 | — |
| Path | UnicodeString | — |
| Flags | UInt32 | — |
| FlagsHigh | UInt32 | — |
| CallingProcess | UnicodeString | — |
| ExternalLocation | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-AppXDeployment-Server",
    "guid": "3F471139-ACB7-4A01-B7A7-FF5DA4BA2D43",
    "event_source_name": "",
    "event_id": 603,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2023-11-06T06:22:35.420135+00:00",
    "event_record_id": 5855,
    "correlation": {
      "ActivityID": "626F7C94-1079-0003-2383-6F627910DA01"
    },
    "execution": {
      "process_id": 1532,
      "thread_id": 1840
    },
    "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeploymentOperation": 10,
    "Path": "MicrosoftWindows.UndockedDevKit_10.0.22621.1_neutral_neutral_cw5n1h2txyewy",
    "Flags": 0,
    "FlagsHigh": 0,
    "CallingProcess": "svchost.exe,AppXSvc",
    "ExternalLocation": ""
  },
  "message": ""
}
```
Detection Rules
Sigma
- Windows AppX Deployment Unsigned Package Installation (medium): Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline