Microsoft-Windows-Audit
6 events across 1 channel
| Event | Title | Channel |
|---|---|---|
| 1001 | Audit. | Analytic |
| 1002 | Audit. | Analytic |
| 2001 | Executing unattend settings pass "Pass". | Analytic |
| 2002 | Finished executing unattend pass with status ErrorCode. | Analytic |
| 2003 | Failed to execute unattend pass with status ErrorCode. | Analytic |
| 2004 | Using unattend file "FilePath" for pass "Pass". | Analytic |
Event ID 1001: Audit.
#Event ID 1002: Audit.
#Event ID 2001: Executing unattend settings pass "Pass".
#Event ID 2002: Finished executing unattend pass with status ErrorCode.
#Event ID 2003: Failed to execute unattend pass with status ErrorCode.
#Event ID 2004: Using unattend file "FilePath" for pass "Pass".
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 75ebc33e-0936-4a55-9d26-5f298f3180bf
Defined in audit.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.1 · captured 2026-06-02
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.1 · captured 2026-06-02
Downloads
- Microsoft-Windows-Audit registered manifest XML (WS2022-20348.4893) manifest-xml
- Microsoft-Windows-Audit registered manifest XML (Win11-26200.6584) manifest-xml