Microsoft-Windows-AppXDeployment
93 events across 2 channels
Event ID 301 — The calling process is {FileName}.
Event ID 302 — Failed to start system service: ServiceName with error: ErrorCode.
#Description
Failed to start system service: ServiceName with error: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString | Failed to start system service. |
ErrorCode HexInt32 | with error. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "8127F6D4-59F9-4ABF-8952-3E3A02073D5F",
"event_source_name": "",
"event_id": 302,
"version": 0,
"level": 2,
"task": 4,
"opcode": 0,
"keywords": 4611756387171631104,
"time_created": "2022-04-07T16:45:08.860422+00:00",
"event_record_id": 2,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-538F-DCC19E4AD801"
},
"execution": {
"process_id": 3864,
"thread_id": 3868
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServiceName": "appxsvc",
"ErrorCode": "0x8007045b"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 303 — Failed to start system service: ServiceName with error: ErrorCode.
Event ID 304 — Starting recovery of package repository during a RecoveryType.
Event ID 305 — Finished recovery of package repository with result code ErrorCode.
Event ID 306 — Skipping recovery of package PackageFullName because it is already installed.
Event ID 307 — Recovery has completed for package PackageFullName with result code ErrorCode.
Event ID 308 — Starting staged package recovery.
Description
Starting staged package recovery.
Message #
Event ID 309 — Finished staged package recovery with result code ErrorCode.
Event ID 310 — Skipping recovery of package PackageFullName because of error ErrorCode.
Event ID 311 — Failed to bind to the APPXSVC RPC server with error: ErrorCode.
Event ID 312 — ErrorCode: Package runtime information FileName is corrupted (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is corrupted (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message #
Fields #
| Name | Description |
|---|---|
FileName UnicodeString | — |
ErrorCode HexInt32 | — |
Size UInt64 | — |
Offset UInt32 | — |
HeaderAddr Pointer | — |
Section UnicodeString | — |
ProcessId UInt32 | — |
Event ID 313 — ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message #
Fields #
| Name | Description |
|---|---|
FileName UnicodeString | — |
ErrorCode HexInt32 | — |
Size UInt64 | — |
HeaderAddr Pointer | — |
Section UnicodeString | — |
ProcessId UInt32 | — |
Event ID 314 — ErrorCode: Package runtime information FileName contains conflicting data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName contains conflicting data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message #
Fields #
| Name | Description |
|---|---|
FileName UnicodeString | — |
ErrorCode HexInt32 | — |
Size UInt64 | — |
Offset UInt32 | — |
HeaderAddr Pointer | — |
Section UnicodeString | — |
ProcessId UInt32 | — |
Event ID 315 — ErrorCode: Package runtime information FileName contains unexpected data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName contains unexpected data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message #
Fields #
| Name | Description |
|---|---|
FileName UnicodeString | — |
ErrorCode HexInt32 | — |
Size UInt64 | — |
Offset UInt32 | — |
HeaderAddr Pointer | — |
Section UnicodeString | — |
ProcessId UInt32 | — |
Event ID 316 — ErrorCode: Package runtime information FileName failed to load (processid=ProcessId).
Event ID 317 — Package runtime information FileName failed to load because exception ExceptionCode occurred.
Event ID 318 — ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=ApplicationUserModelId, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=ApplicationUserModelId, processid=ProcessId). Reinstall the package to fix this issue.
Message #
Fields #
| Name | Description |
|---|---|
FileName UnicodeString | — |
ErrorCode Int32 | — |
Size UInt64 | — |
HeaderAddr Pointer | — |
ApplicationUserModelId UnicodeString | — |
ProcessId UInt32 | — |
Event ID 319 — ErrorCode: Application identity not accessible while loading package runtime information FileName (address=HeaderAddr, size=Size, processid=ProcessId).
Event ID 320 — Failed to queue removal of package PackageName for user UserSid with error: ErrorCode.
Event ID 321 — Failed to remove the package files of package PackageName with error: ErrorCode.
Event ID 322 — Failed to set the package status of package PackageName with error: ErrorCode.
Event ID 323 — Failed to remove {PackageName} for the user ({UserSid}) with error: {ErrorCode}.
Event ID 324 — Package runtime information FileName failed to refresh because the following error ErrorCode occurred in operation type Type.
Event ID 325 — PackageFamilyName is registered in good state, skip re-registering it.
Event ID 326 — Determining packages to be installed during logon for user: UserSid.
#Description
Determining packages to be installed during logon for user: UserSid.
Message #
Fields #
| Name | Description |
|---|---|
UserSid UnicodeString | Determining packages to be installed during logon for user. |
IsSpecialUserProfile Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "8127F6D4-59F9-4ABF-8952-3E3A02073D5F",
"event_source_name": "",
"event_id": 326,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2023-11-06T06:25:42.557627+00:00",
"event_record_id": 21,
"correlation": {},
"execution": {
"process_id": 1864,
"thread_id": 3472
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UserSid": "",
"IsSpecialUserProfile": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 327 — The following packages will be installed: InstallPackageList.
#Description
The following packages will be installed: InstallPackageList. The following packages will be removed: RemovePackageList.
Message #
Fields #
| Name | Description |
|---|---|
InstallPackageList UnicodeString | The following packages will be installed. |
RemovePackageList UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "8127F6D4-59F9-4ABF-8952-3E3A02073D5F",
"event_source_name": "",
"event_id": 327,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2023-11-06T06:25:51.768104+00:00",
"event_record_id": 22,
"correlation": {},
"execution": {
"process_id": 1864,
"thread_id": 3472
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"InstallPackageList": "Microsoft.Windows.CloudExperienceHost_10.0.22621.2361_neutral_neutral_cw5n1h2txyewy Microsoft.BioEnrollment_10.0.19587.1000_neutral_neutral_cw5n1h2txyewy Microsoft.AAD.BrokerPlugin_1000.19580.1000.0_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.OOBENetworkConnectionFlow_10.0.21302.1000_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.OOBENetworkCaptivePortal_10.0.21302.1000_neutral_neutral_cw5n1h2txyewy MicrosoftWindows.UndockedDevKit_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.UI.Xaml.CBS_8.2305.16002.0_neutral_neutral_8wekyb3d8bbwe MicrosoftWindows.Client.Core_1000.22643.1000.0_x64__cw5n1h2txyewy MicrosoftWindows.Client.CBS_1000.22674.1000.0_x64__cw5n1h2txyewy Microsoft.Windows.StartMenuExperienceHost_10.0.22621.2215_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.ShellExperienceHost_10.0.22621.2215_neutral_neutral_cw5n1h2txyewy windows.immersivecontrolpanel_10.0.6.1000_neutral_neutral_cw5n1h2txyewy Microsoft.549981C3F5F10_3.2204.14815.0_neutral_~_8wekyb3d8bbwe CanonicalGroupLimited.UbuntuonWindows_2004.2022.1.0_neutral_~_79rhkp1fndgsc Clipchamp.Clipchamp_2.2.8.0_neutral_~_yxz26nhyzhsrt Microsoft.DesktopAppInstaller_2023.1005.18.0_neutral_~_8wekyb3d8bbwe Microsoft.GamingApp_2021.427.138.0_neutral_~_8wekyb3d8bbwe Microsoft.GetHelp_10.2201.421.0_neutral_~_8wekyb3d8bbwe Microsoft.Getstarted_2021.2204.1.0_neutral_~_8wekyb3d8bbwe Microsoft.HEIFImageExtension_1.0.43012.0_x64__8wekyb3d8bbwe Microsoft.HEVCVideoExtension_1.0.50361.0_x64__8wekyb3d8bbwe Microsoft.MicrosoftEdge.Stable_118.0.2088.61_neutral__8wekyb3d8bbwe Microsoft.MicrosoftStickyNotes_4.2.2.0_neutral_~_8wekyb3d8bbwe Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x86__8wekyb3d8bbwe Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__8wekyb3d8bbwe Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x86__8wekyb3d8bbwe Microsoft.Paint_11.2308.30.0_neutral_~_8wekyb3d8bbwe Microsoft.PowerAutomateDesktop_10.0.3735.0_neutral_~_8wekyb3d8bbwe Microsoft.RawImageExtension_2.1.30391.0_neutral_~_8wekyb3d8bbwe Microsoft.ScreenSketch_2022.2201.12.0_neutral_~_8wekyb3d8bbwe Microsoft.SecHealthUI_1000.25873.9001.0_x64__8wekyb3d8bbwe Microsoft.StorePurchaseApp_12008.1001.113.0_neutral_~_8wekyb3d8bbwe Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe Microsoft.UI.Xaml.2.7_7.2208.15002.0_x64__8wekyb3d8bbwe Microsoft.UI.Xaml.2.7_7.2208.15002.0_x86__8wekyb3d8bbwe Microsoft.UI.Xaml.2.8_8.2306.22001.0_x64__8wekyb3d8bbwe Microsoft.UI.Xaml.2.8_8.2306.22001.0_x86__8wekyb3d8bbwe Microsoft.VCLibs.140.00.UWPDesktop_14.0.32530.0_x64__8wekyb3d8bbwe Microsoft.VCLibs.140.00.UWPDesktop_14.0.32530.0_x86__8wekyb3d8bbwe Microsoft.VCLibs.140.00_14.0.32530.0_x64__8wekyb3d8bbwe Microsoft.VCLibs.140.00_14.0.32530.0_x86__8wekyb3d8bbwe Microsoft.VP9VideoExtensions_1.0.50901.0_x64__8wekyb3d8bbwe Microsoft.WebMediaExtensions_1.0.42192.0_neutral_~_8wekyb3d8bbwe Microsoft.WebpImageExtension_1.0.42351.0_x64__8wekyb3d8bbwe Microsoft.Windows.Photos_21.21030.25003.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsAlarms_2022.2202.24.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsCalculator_2021.2307.4.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsCamera_2022.2201.4.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsFeedbackHub_2023.504.1552.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsNotepad_11.2307.27.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsSoundRecorder_2021.2103.28.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsStore_22309.1401.2.0_neutral_~_8wekyb3d8bbwe Microsoft.WindowsTerminal_3001.18.2822.0_neutral_~_8wekyb3d8bbwe Microsoft.Xbox.TCUI_1.23.28004.0_neutral_~_8wekyb3d8bbwe Microsoft.XboxGameOverlay_1.47.2385.0_neutral_~_8wekyb3d8bbwe Microsoft.XboxGamingOverlay_2.622.3232.0_neutral_~_8wekyb3d8bbwe Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe MicrosoftCorporationII.QuickAssist_2022.414.1758.0_neutral_~_8wekyb3d8bbwe MicrosoftWindows.Client.WebExperience_423.23500.0.0_neutral_~_cw5n1h2txyewy 1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19640.1000_neutral_neutral_cw5n1h2txyewy c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.22621.1_neutral_neutral_cw5n1h2txyewy E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19640.1000_neutral_neutral_cw5n1h2txyewy F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.AccountsControl_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.AsyncTextService_10.0.22621.1_neutral_neutral_8wekyb3d8bbwe Microsoft.CredDialogHost_10.0.19595.1001_neutral_neutral_cw5n1h2txyewy Microsoft.ECApp_10.0.22621.1_neutral_neutral_8wekyb3d8bbwe Microsoft.LockApp_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.MicrosoftEdgeDevToolsClient_10.0.22621.1_neutral__8wekyb3d8bbwe Microsoft.Win32WebViewHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.AppRep.ChxApp_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.AssignedAccessLockApp_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.CallingShellApp_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.CapturePicker_10.0.19580.1000_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.ContentDeliveryManager_10.0.22621.2361_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.NarratorQuickStart_10.0.22621.1_neutral_neutral_8wekyb3d8bbwe Microsoft.Windows.ParentalControls_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.PeopleExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.PinningConfirmationDialog_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.PrintQueueActionCenter_1.0.1.0_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.SecureAssessmentBrowser_10.0.22621.900_neutral_neutral_cw5n1h2txyewy Microsoft.Windows.XGpuEjectDialog_10.0.22621.1_neutral_neutral_cw5n1h2txyewy Microsoft.WindowsAppRuntime.CBS_4000.1000.1727.0_x64__8wekyb3d8bbwe Microsoft.XboxGameCallableUI_10.0.22621.1_neutral_neutral_cw5n1h2txyewy MicrosoftWindows.Client.FileExp_1000.22651.1000.0_x64__cw5n1h2txyewy NcsiUwpApp_10.0.22621.1_neutral_neutral_8wekyb3d8bbwe Windows.CBSPreview_10.0.19580.1000_neutral_neutral_cw5n1h2txyewy Windows.PrintDialog_6.2.2.0_neutral_neutral_cw5n1h2txyewy ",
"RemovePackageList": "NULL"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 328 — Unable to determine packages to be installed during logon with error: ErrorCode.
#Description
Unable to determine packages to be installed during logon with error: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode HexInt32 | Unable to determine packages to be installed during logon with error. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "8127F6D4-59F9-4ABF-8952-3E3A02073D5F",
"event_source_name": "",
"event_id": 328,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2023-10-25T22:52:41.304385+00:00",
"event_record_id": 18,
"correlation": {
"ActivityID": "61A55000-55E5-1017-0000-000000000000"
},
"execution": {
"process_id": 536,
"thread_id": 796
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": "0x800401f0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 329 — User Profile created for UserSid with path ProfilePath and type ProfileType.
Event ID 330 — User Profile deleted for UserSid with path ProfilePath and type ProfileType.
Event ID 331 — Outdated packages registered to user UserSid: OutdatedPackages.
Event ID 332 — Deployment operation deploymentOperation on mainParam with options deploymentOptions and calling process callerProcess with callstack callstack.
Description
Deployment operation deploymentOperation on mainParam with options deploymentOptions and calling process callerProcess with callstack callstack.
Message #
Fields #
| Name | Description |
|---|---|
mainParam UnicodeString | — |
deploymentOperation UInt32 | — |
deploymentOptions HexInt64 | — |
callerProcess UnicodeString | — |
callstack UnicodeString | — |
Event ID 1001 —
Event ID 1002 —
Event ID 1003 —
Event ID 1004 —
Event ID 1005 —
Event ID 1006 —
Event ID 1007 —
Event ID 1008 —
Event ID 1009 —
Event ID 1010 —
Event ID 1011 —
Event ID 1012 —
Event ID 1013 —
Event ID 1014 —
Event ID 1015 —
Event ID 1016 —
Event ID 1017 —
Event ID 1018 —
Event ID 1019 —
Event ID 1020 —
Event ID 1021 —
Event ID 1022 —
Event ID 1023 —
Event ID 1024 —
Event ID 1025 —
Event ID 1026 —
Event ID 1027 —
Event ID 1028 —
Event ID 1029 —
Event ID 1030 —
Event ID 1031 —
Event ID 1032 —
Event ID 1033 —
Fields #
| Name | Description |
|---|---|
ErrorCode HexInt32 | — |