Microsoft-Windows-Crypto-RNG

10 events across 1 channel

Event ID 1 — An entropy source was registered.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator
Opcode
Start

Description

An entropy source was registered.

Message

An entropy source was registered.
	Source	%1
	Name	%2
	Type	%3

Fields

Name Description
SourceNumber UInt64
SourceName UnicodeString
SourceType UInt32

Event ID 2 — Entropy source SourceNumber (SourceName) was unregistered.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator
Opcode
Stop

Description

Entropy source SourceNumber (SourceName) was unregistered.

Message

Entropy source %1 (%2) was unregistered.

Fields

Name Description
SourceNumber UInt64
SourceName UnicodeString

Event ID 3 — Entropy source SourceNumber provided BytesProvided bytes with EntropyEstimate millibits of entropy.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator

Description

Entropy source SourceNumber provided BytesProvided bytes with EntropyEstimate millibits of entropy.

Message

Entropy source %1 provided %2 bytes with %3 millibits of entropy
Data	%5

Fields

Name Description
SourceNumber UInt64
BytesProvided UInt32
EntropyEstimate Int32
nData UInt32
Data Binary
Counter HexInt64

Event ID 4 — Callback to source SourceNumber returned status ResultStatus, taking time TimeTaken.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator

Description

Callback to source SourceNumber returned status ResultStatus, taking time TimeTaken.

Message

Callback to source %1 returned status %2, taking time %3

Fields

Name Description
SourceNumber UInt64
ResultStatus HexInt32
TimeTaken UInt64

Event ID 16 — Boot entropy result.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator

Description

Boot entropy result.

Message

Boot entropy result:
	Source	%1
	Policy	%2
	Code	%3
	Status	%4
	Time	%5
	BytesProvided	%6
	Bytes	%8

Fields

Name Description
Source UInt32
Policy UInt32
ResultCode UInt32
ResultStatus HexInt32
Time UInt64
BytesProvided UInt32
nData UInt32
Data Binary

Event ID 32 — Pool reseed: Count PoolReseedCount Type ReseedType Data Data.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator

Description

Pool reseed.

Message

Pool reseed:
	Count	%1
	Type	%2
	Data	%4

Fields

Name Description
PoolReseedCount UInt64
ReseedType UInt32
nData UInt32
Data Binary
Counter HexInt64

Event ID 33 — Pool add: Pool PoolNo Data Data.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Gatherentropyforthesystemrandomnumbergenerator

Message

Pool add:
	Pool	%1
	Data	%3

Fields

Name Description
PoolNo UInt32
nData UInt32
Data Binary
Counter HexInt64

Event ID 48 — Prng (re)seed: Addr PrngAddress Data Data.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Prng

Description

Prng (re)seed.

Message

Prng (re)seed:
Addr	%1
Data	%3

Fields

Name Description
PrngAddress HexInt64
nData UInt32
Data Binary
UserMode Boolean
Counter HexInt64

Event ID 49 — Prng output: Addr PrngAddress Bytes BytesProduced Data Data.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Prng

Description

Prng output.

Message

Prng output:
	Addr	%1
	Bytes	%2
	Data	%4

Fields

Name Description
PrngAddress HexInt64
BytesProduced UInt64
nData UInt32
Data Binary
UserMode Boolean
Counter HexInt64

Event ID 50 — New process created.

Provider
Microsoft-Windows-Crypto-RNG
Channel
Analytic
Task
Prng

Description

New process created. Old Prng states under this proces ID are no longer valid.

Message

New process created. Old Prng states under this proces ID are no longer valid

Fields

Name Description
UserMode Boolean