Microsoft-Windows-CertificateServicesClient-Lifecycle-System
10 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1001 | A certificate has been replaced. | Operational |
| 1002 | A certificate has expired. | Operational |
| 1003 | A certificate is about to expire. | Operational |
| 1004 | A certificate has been deleted. | Operational |
| 1005 | A certificate has been archived. | Operational |
| 1006 | A new certificate has been installed. | Operational |
| 1007 | A certificate has been exported. | Operational |
| 1008 | A certificate has been associated with its private key. | Operational |
| 1009 | A certificate could not be associated with its private key. | Operational |
| 1010 | A certificate has been deleted from Active Directory. | Operational |
Event ID 1001 — A certificate has been replaced.
Description
A certificate has been replaced. Please refer to the "Details" section for more information.
Fields

| Name | Description |
|---|---|
| CertNotificationData.ProcessName | — |
| CertNotificationData.AccountName | — |
| CertNotificationData.Context | — |
| CertNotificationData.Action | — |
| CertNotificationData.OldCertificateDetails | — |
| CertNotificationData.NewCertificateDetails | — |
| EventWriteData UnicodeString | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "guid": "{bc0669e1-a10d-4a78-834e-1ca3c806c93b}",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:08:39.437859+00:00",
    "event_record_id": 8,
    "correlation": {},
    "execution": {
      "process_id": 7080,
      "thread_id": 1724
    },
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "CertNotificationData": {
      "ProcessName": "taskhostw.exe",
      "AccountName": "ludus\\LAB-DC01$",
      "Context": "Machine",
      "Action": "Renew",
      "OldCertificateDetails": {
        "Thumbprint": "db0fea9b641f3814fc5168ae83ef7839af1bb012",
        "Template": {
          "Name": "DomainController"
        },
        "SubjectNames": {
          "SubjectName": "CN=LAB-DC01.ludus.domain",
          "SubjectName_1": "997a085b-5e01-4f75-9c22-ed3af23d348a",
          "SubjectName_2": "LAB-DC01.ludus.domain"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2027-03-13T20:07:39Z"
      },
      "NewCertificateDetails": {
        "Thumbprint": "1a202ed21d19f873e0a448f967dfe428f278fccd",
        "Template": {
          "Name": "DomainController"
        },
        "SubjectNames": {
          "SubjectName": "CN=LAB-DC01.ludus.domain",
          "SubjectName_1": "997a085b-5e01-4f75-9c22-ed3af23d348a",
          "SubjectName_2": "LAB-DC01.ludus.domain"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2027-03-13T22:58:39Z"
      }
    }
  },
  "message": ""
}
```
Event ID 1002 — A certificate has expired.
Event ID 1003 — A certificate is about to expire.
Event ID 1004 — A certificate has been deleted.
Description
A certificate has been deleted. Please refer to the "Details" section for more information.
Fields

| Name | Description |
|---|---|
| CertNotificationData.ProcessName | — |
| CertNotificationData.AccountName | — |
| CertNotificationData.Context | — |
| CertNotificationData.CertificateDetails | — |
| EventWriteData UnicodeString | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "guid": "{bc0669e1-a10d-4a78-834e-1ca3c806c93b}",
    "event_source_name": "",
    "event_id": 1004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:16:33.121721+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-000D-10CD-838B21B3DC01"
    },
    "execution": {
      "process_id": 8232,
      "thread_id": 2328
    },
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "user_data": {
    "CertNotificationData": {
      "ProcessName": "powershell.exe",
      "AccountName": "ludus\\domainadmin",
      "Context": "Machine",
      "CertificateDetails": {
        "Thumbprint": "bd0fed7feaded6142a26dac68454f5e58bec0eaf",
        "SubjectNames": {
          "SubjectName": "CN=evtgen.local",
          "SubjectName_1": "evtgen.local"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2027-03-13T20:26:26Z"
      }
    }
  },
  "message": ""
}
```
Event ID 1005 — A certificate has been archived.
Description
A certificate has been archived. Please refer to the "Details" section for more information.
Fields

| Name | Description |
|---|---|
| CertNotificationData.ProcessName | — |
| CertNotificationData.AccountName | — |
| CertNotificationData.Context | — |
| CertNotificationData.CertificateDetails | — |
| EventWriteData UnicodeString | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "guid": "{bc0669e1-a10d-4a78-834e-1ca3c806c93b}",
    "event_source_name": "",
    "event_id": 1005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:08:39.464773+00:00",
    "event_record_id": 9,
    "correlation": {},
    "execution": {
      "process_id": 7080,
      "thread_id": 1724
    },
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "CertNotificationData": {
      "ProcessName": "taskhostw.exe",
      "AccountName": "ludus\\LAB-DC01$",
      "Context": "Machine",
      "CertificateDetails": {
        "Thumbprint": "db0fea9b641f3814fc5168ae83ef7839af1bb012",
        "Template": {
          "Name": "DomainController"
        },
        "SubjectNames": {
          "SubjectName": "CN=LAB-DC01.ludus.domain",
          "SubjectName_1": "997a085b-5e01-4f75-9c22-ed3af23d348a",
          "SubjectName_2": "LAB-DC01.ludus.domain"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2027-03-13T20:07:39Z"
      }
    }
  },
  "message": ""
}
```
Event ID 1006 — A new certificate has been installed.
Description
A new certificate has been installed. Please refer to the "Details" section for more information.
Fields

| Name | Description |
|---|---|
| CertNotificationData.ProcessName | — |
| CertNotificationData.AccountName | — |
| CertNotificationData.Context | — |
| CertNotificationData.Action | — |
| CertNotificationData.CertificateDetails | — |
| EventWriteData UnicodeString | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "guid": "{bc0669e1-a10d-4a78-834e-1ca3c806c93b}",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:17:39.800243+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 4972,
      "thread_id": 4200
    },
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "CertNotificationData": {
      "ProcessName": "taskhostw.exe",
      "AccountName": "ludus\\LAB-DC01$",
      "Context": "Machine",
      "Action": "Enroll",
      "CertificateDetails": {
        "Thumbprint": "db0fea9b641f3814fc5168ae83ef7839af1bb012",
        "Template": {
          "Name": "DomainController"
        },
        "SubjectNames": {
          "SubjectName": "CN=LAB-DC01.ludus.domain",
          "SubjectName_1": "997a085b-5e01-4f75-9c22-ed3af23d348a",
          "SubjectName_2": "LAB-DC01.ludus.domain"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2027-03-13T20:07:39Z"
      }
    }
  },
  "message": ""
}
```
Event ID 1007 — A certificate has been exported.
Description
A certificate has been exported. Please refer to the "Details" section for more information.
Fields

| Name | Description |
|---|---|
| CertNotificationData.ProcessName | — |
| CertNotificationData.AccountName | — |
| CertNotificationData.Context | — |
| CertNotificationData.CertificateDetails | — |
| EventWriteData UnicodeString | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System",
    "guid": "{bc0669e1-a10d-4a78-834e-1ca3c806c93b}",
    "event_source_name": "",
    "event_id": 1007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:18:01.045510+00:00",
    "event_record_id": 15,
    "correlation": {
      "ActivityID": "0D26E79C-B333-0002-70D1-280D33B3DC01"
    },
    "execution": {
      "process_id": 12036,
      "thread_id": 13520
    },
    "channel": "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "user_data": {
    "CertNotificationData": {
      "ProcessName": "powershell.exe",
      "AccountName": "ludus\\domainadmin",
      "Context": "Machine",
      "CertificateDetails": {
        "Thumbprint": "f3c772f22d13c2ce651009a42dfef27f1b371f59",
        "SubjectNames": {
          "SubjectName": "CN=selftest.ludus.domain",
          "SubjectName_1": "selftest.ludus.domain"
        },
        "EKUs": {
          "EKU": {
            "Name": "Client Authentication",
            "OID": "1.3.6.1.5.5.7.3.2"
          },
          "EKU_1": {
            "Name": "Server Authentication",
            "OID": "1.3.6.1.5.5.7.3.1"
          }
        },
        "NotValidAfter": "2026-04-12T23:18:01Z"
      }
    }
  },
  "message": ""
}
```
Detection Rules

Sigma

- Certificate Exported From Local Certificate Store (level: medium): Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Splunk

- Windows Export Certificate: The following analytic detects the export of a certificate from the Windows Certificate Store. It leverages the Certificates Lifecycle log channel, specifically event ID 1007, to identify this activity. Monitoring certificate exports is crucial because certificates can be used for authentication to VPNs or private resources. If malicious actors export certificates, they could potentially gain unauthorized access to sensitive systems or data, leading to significant security breaches.