Event ID 171 — The reader was created successfully for app package packageFullName.

Provider: Microsoft-Windows-AppxPackagingOM
Channel: Microsoft-Windows-AppxPackaging/Operational
Level: Informational (4)
Task: PackageReader (2)

Description

The reader was created successfully for app package packageFullName.

Message

The reader was created successfully for app package %1.

Fields

Name | Type
packageFullName | UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-AppxPackagingOM",
    "guid": "BA723D81-0D0C-4F1E-80C8-54740F508DDF",
    "event_source_name": "",
    "event_id": 171,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:19:35.789343+00:00",
    "event_record_id": 1752,
    "correlation": {},
    "execution": {
      "process_id": 2352,
      "thread_id": 11172
    },
    "channel": "Microsoft-Windows-AppxPackaging/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "packageFullName": "Microsoft.Winget.Source_2023.1105.1744.368_neutral__8wekyb3d8bbwe"
  },
  "message": ""
}

Detection Rules

Splunk

  • Windows MSIX Package Interaction source: This hunting query detects user interactions with MSIX packages by monitoring EventCode 171 in the Microsoft-Windows-AppXPackaging/Operational logs. These events are generated when a user clicks on or attempts to interact with an MSIX package, even if the package is not fully installed. This information can be valuable for security teams to identify what MSIX packages users are attempting to open in their environment, which may help detect malicious MSIX packages before they're fully installed. Monitoring these interactions can provide early warning of potential MSIX package abuse, which has been leveraged by threat actors such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113).
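The hunting idea in the rule above, worked through as an added example that is not part of this page or of the Splunk rule: read exported Event 171 records (the JSON-lines shape of the example event above), keep only those from the Microsoft-Windows-AppxPackagingOM provider, split packageFullName into its Name_Version_Architecture_ResourceId_PublisherId parts, and flag packages whose publisher ID is not on an allow list. The sample records are constructed; the first mirrors the example event on this page, the other two (the Contoso package and the unrelated provider) are invented for the demonstration. The allow list assumes only Microsoft's well-known publisher ID 8wekyb3d8bbwe and must be extended for each environment.

```python
"""Added hunting example: filter exported AppxPackagingOM Event 171 records and
flag package full names from publishers outside an allow list."""
import json
import re

PROVIDER = "Microsoft-Windows-AppxPackagingOM"
EVENT_ID = 171

# Windows package full name layout: Name_Version_Architecture_ResourceId_PublisherId.
# ResourceId is usually empty, which produces the double underscore seen in
# Microsoft.Winget.Source_2023.1105.1744.368_neutral__8wekyb3d8bbwe.
# The publisher ID is a 13-character base32 string derived from the signing certificate.
PFN_RE = re.compile(
    r"^(?P<name>[^_]+)_(?P<version>\d+\.\d+\.\d+\.\d+)_(?P<arch>[^_]*)_"
    r"(?P<resource>[^_]*)_(?P<publisher_id>[a-z0-9]{13})$"
)

# Assumption: 8wekyb3d8bbwe is Microsoft's well-known publisher ID. Add the
# publisher IDs of your own internal packaging pipeline here.
TRUSTED_PUBLISHER_IDS = {"8wekyb3d8bbwe"}

# Constructed sample export in JSON-lines form. The first record mirrors the
# example event on this page; the other two are made up for this demonstration
# (a hypothetical Contoso package and a record from an unrelated provider).
SAMPLE_EVENTS = r'''
{"system": {"provider": "Microsoft-Windows-AppxPackagingOM", "event_id": 171, "time_created": "2023-11-06T01:19:35.789343+00:00", "execution": {"process_id": 2352}, "security": {"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"}}, "event_data": {"packageFullName": "Microsoft.Winget.Source_2023.1105.1744.368_neutral__8wekyb3d8bbwe"}}
{"system": {"provider": "Microsoft-Windows-AppxPackagingOM", "event_id": 171, "time_created": "2023-11-06T01:22:10.000000+00:00", "execution": {"process_id": 4120}, "security": {"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"}}, "event_data": {"packageFullName": "Contoso.Updater_1.0.0.0_x64__abcdefghjkmnp"}}
{"system": {"provider": "Example-Unrelated-Provider", "event_id": 171, "time_created": "2023-11-06T01:23:00.000000+00:00", "execution": {"process_id": 500}, "security": {"user_id": "S-1-5-18"}}, "event_data": {"packageFullName": "ShouldBeIgnored_1.0.0.0_x64__abcdefghjkmnp"}}
'''


def load_events(jsonl):
    """Parse a JSON-lines export into a list of event dictionaries."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_package_reader_event(event):
    """True only for Event 171 from the AppxPackagingOM provider; the ID alone is not enough."""
    system = event.get("system", {})
    return system.get("provider") == PROVIDER and system.get("event_id") == EVENT_ID


def parse_package_full_name(pfn):
    """Split a package full name into its components, or return None if it is malformed."""
    match = PFN_RE.match(pfn)
    return match.groupdict() if match else None


def hunt(events, trusted=TRUSTED_PUBLISHER_IDS):
    """Return one finding per Event 171 whose package is malformed or from an untrusted publisher."""
    findings = []
    for event in events:
        if not is_package_reader_event(event):
            continue
        pfn = event.get("event_data", {}).get("packageFullName", "")
        parsed = parse_package_full_name(pfn)
        if parsed is None:
            reason = "malformed packageFullName"
        elif parsed["publisher_id"] not in trusted:
            reason = "publisher %s not in allow list" % parsed["publisher_id"]
        else:
            continue  # trusted publisher, nothing to report
        system = event.get("system", {})
        findings.append({
            "time": system.get("time_created"),
            "user": system.get("security", {}).get("user_id"),
            "pid": system.get("execution", {}).get("process_id"),
            "package": pfn,
            "parsed": parsed,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(load_events(SAMPLE_EVENTS)):
        print("%(time)s user=%(user)s pid=%(pid)s %(package)s: %(reason)s" % finding)
```

The provider check matters because other providers reuse the numeric ID 171; the rule's hunt is specific to the AppxPackaging/Operational channel. Treating a malformed packageFullName as a finding is deliberate: a package name that does not fit the documented layout is worth a look rather than a silent skip.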

References