Microsoft-Windows-Diagnosis-Scripted
25 events across 4 channels
Event ID 1
Message
The scripted diagnostic engine executed a diagnostic package located at %1 with ID %2.
Fields
| Name | Description |
|---|---|
| PackagePath | Path of the diagnostic package that was executed (%1 in the message) |
| PackageId | Identifier of the diagnostic package (%2 in the message) |
Example Event
system:
  provider: Microsoft-Windows-Diagnosis-Scripted
  guid: E1DD7E52-621D-44E3-A1AD-0370C2B25946
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372054034644992
  time_created: '2022-04-04T07:40:10.131934+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 4124
    thread_id: 4192
  channel: Microsoft-Windows-Diagnosis-Scripted/Admin
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PackagePath: C:\Windows\diagnostics\scheduled\Maintenance
  PackageId: MaintenanceDiagnostic
message: ''
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 101
Message
The scripted diagnostic engine started initializing a diagnostic package located at %1.
Fields
| Name | Description |
|---|---|
| PackagePath | Path of the diagnostic package whose initialization started (%1 in the message) |
Example Event
system:
  provider: Microsoft-Windows-Diagnosis-Scripted
  guid: E1DD7E52-621D-44E3-A1AD-0370C2B25946
  event_source_name: ''
  event_id: 101
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686052787126272
  time_created: '2022-04-04T07:40:09.755421+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 4124
    thread_id: 4192
  channel: Microsoft-Windows-Diagnosis-Scripted/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PackagePath: C:\Windows\diagnostics\scheduled\Maintenance
message: ''
Sigma Rules
- Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability. The rule sits on Event ID 101 because it is the earliest record written for a package: in the example above it precedes Event ID 102 and the Admin-channel Event ID 1 by a few hundred milliseconds, so a remote PackagePath is visible even if initialization never completes. The same PackagePath is repeated on Event IDs 102 and 1, which can serve as a fallback if 101 is missing from an export. Built-in packages load from under C:\Windows\diagnostics\, as in the example; a PackagePath that begins with \\ (a UNC share) or with a URL scheme is the condition to alert on.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
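The following is an added example, not code from the page or from the evtx-baseline project: it applies the remote-path check described by the Sigma rule above to Diagnosis-Scripted records, and rebuilds the per-process package lifecycle from the Event ID 1/101-108/201/301/401/402 sequence documented on this page. The sample records are constructed: the first five mirror the page's MaintenanceDiagnostic run (same process id, timestamps and path), while the last two (process id 5120, the share `\\fileshare.example.test`, and the Status value) are hypothetical and only illustrate a remote load that ends in an engine error. The function and stage names are this example's own.

```python
r"""Added example (not from the page or the evtx-baseline project): flag
Diagnosis-Scripted events whose PackagePath is not a local drive path, and
rebuild the per-process package lifecycle from the 1/101-108/201/301/401/402 events."""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample records, one flat dict per event.  The first five mirror the
# page's MaintenanceDiagnostic run; the last two are hypothetical (pid 5120, the
# share name and the Status value are made up for the example).
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 101, "process_id": 4124, "time_created": "2022-04-04T07:40:09.755421+00:00",
     "event_data": {"PackagePath": r"C:\Windows\diagnostics\scheduled\Maintenance"}},
    {"event_id": 102, "process_id": 4124, "time_created": "2022-04-04T07:40:10.131933+00:00",
     "event_data": {"PackagePath": r"C:\Windows\diagnostics\scheduled\Maintenance"}},
    {"event_id": 1, "process_id": 4124, "time_created": "2022-04-04T07:40:10.131934+00:00",
     "event_data": {"PackagePath": r"C:\Windows\diagnostics\scheduled\Maintenance",
                    "PackageId": "MaintenanceDiagnostic"}},
    {"event_id": 103, "process_id": 4124, "time_created": "2022-04-04T07:40:10.133706+00:00",
     "event_data": {"PackageId": "MaintenanceDiagnostic"}},
    {"event_id": 104, "process_id": 4124, "time_created": "2022-04-04T07:40:22.886890+00:00",
     "event_data": {"PackageId": "MaintenanceDiagnostic"}},
    {"event_id": 101, "process_id": 5120, "time_created": "2022-04-04T09:12:01.000000+00:00",
     "event_data": {"PackagePath": r"\\fileshare.example.test\public\invoice.diagcab"}},
    {"event_id": 201, "process_id": 5120, "time_created": "2022-04-04T09:12:01.250000+00:00",
     "event_data": {"Status": "HYPOTHETICAL-STATUS"}},
]

# Stage labels for this example, keyed by the event ids documented on the page.
STAGES = {101: "init-start", 102: "init-done", 1: "executed", 103: "diag-start",
          104: "diag-done", 105: "resolve-start", 106: "resolve-done",
          107: "verify-start", 108: "verify-done", 201: "engine-error",
          301: "script-error", 401: "rootcause-detected", 402: "rootcause-resolved"}

# "scheme:\\host" after forward slashes have been folded to backslashes.
_URL_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):\\\\", re.IGNORECASE)


def is_remote_package_path(path: str) -> bool:
    r"""True when PackagePath is a UNC path or a URL rather than a local drive path.
    Forward slashes are folded to backslashes first, so http://host/x and
    file://server/share are caught as well as \\server\share and \\?\UNC\server\share.
    The extended-length local form \\?\C:\... stays local."""
    p = path.strip().strip('"').replace("/", "\\")
    m = _URL_SCHEME.match(p)
    if m and len(m.group(1)) > 1:          # a single letter before ':' is a drive, not a scheme
        return True
    if p.startswith(("\\\\?\\", "\\\\.\\")):  # extended-length / device prefix
        return p[4:].upper().startswith("UNC\\")
    return p.startswith("\\\\")             # plain UNC, loopback shares included


def find_remote_loads(events) -> List[Dict]:
    """Every event carrying a remote PackagePath.  Event IDs 101, 102 and 1 all
    carry the field, so the load is still seen if one of them is missing."""
    hits = []
    for ev in events:
        path = ev.get("event_data", {}).get("PackagePath")
        if path and is_remote_package_path(path):
            hits.append({"event_id": ev["event_id"], "process_id": ev["process_id"],
                         "time_created": ev["time_created"], "package_path": path})
    return hits


def reconstruct_sessions(events) -> List[Dict]:
    """Group events by process id, starting a new session at each 101 (init-start),
    and record which lifecycle stages were reached.  A session that never reaches
    104 (diag-done) ended early; for a remote package that is the interesting case."""
    ordered = sorted(events, key=lambda e: (e["process_id"],
                                            datetime.fromisoformat(e["time_created"])))
    sessions, current = [], {}
    for ev in ordered:
        pid, data = ev["process_id"], ev.get("event_data", {})
        if ev["event_id"] == 101 or pid not in current:
            current[pid] = {"process_id": pid, "package_path": None, "package_id": None,
                            "remote": False, "stages": [], "errors": []}
            sessions.append(current[pid])
        s = current[pid]
        s["stages"].append(STAGES.get(ev["event_id"], f"event-{ev['event_id']}"))
        if "PackagePath" in data:
            s["package_path"] = data["PackagePath"]
            s["remote"] = is_remote_package_path(data["PackagePath"])
        if "PackageId" in data:
            s["package_id"] = data["PackageId"]
        if ev["event_id"] in (201, 301):
            s["errors"].append(dict(data))
    for s in sessions:
        s["completed"] = "diag-done" in s["stages"]
    return sessions


if __name__ == "__main__":
    for s in reconstruct_sessions(SAMPLE_EVENTS):
        flag = "REMOTE " if s["remote"] else ""
        print(f"pid {s['process_id']}: {flag}{s['package_path']} ({s['package_id']}) "
              f"stages={','.join(s['stages'])} completed={s['completed']} "
              f"errors={len(s['errors'])}")
```

The path check deliberately treats loopback UNC paths (\\localhost\c$\...) and any URL scheme as remote, since both are ways of pointing msdt.exe at a package that did not come from C:\Windows\diagnostics\; a sessions-based view is what you want when triaging, because a remote 101 followed by a 201 and no 104 tells you the package was opened but the engine bailed out, which is a different conversation from a package that ran its resolutions to completion.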
Event ID 102
Message
The scripted diagnostic engine completed initializing a diagnostic package located at %1.
Fields
| Name | Description |
|---|---|
| PackagePath | Path of the diagnostic package whose initialization completed (%1 in the message) |
Example Event
system:
  provider: Microsoft-Windows-Diagnosis-Scripted
  guid: E1DD7E52-621D-44E3-A1AD-0370C2B25946
  event_source_name: ''
  event_id: 102
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686052787126272
  time_created: '2022-04-04T07:40:10.131933+00:00'
  event_record_id: 2
  correlation: {}
  execution:
    process_id: 4124
    thread_id: 4192
  channel: Microsoft-Windows-Diagnosis-Scripted/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PackagePath: C:\Windows\diagnostics\scheduled\Maintenance
message: ''
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 103
Message
The scripted diagnostic engine started diagnosing the diagnostic package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package being diagnosed (%1 in the message) |
Example Event
system:
  provider: Microsoft-Windows-Diagnosis-Scripted
  guid: E1DD7E52-621D-44E3-A1AD-0370C2B25946
  event_source_name: ''
  event_id: 103
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686052787126272
  time_created: '2022-04-04T07:40:10.133706+00:00'
  event_record_id: 3
  correlation: {}
  execution:
    process_id: 4124
    thread_id: 4192
  channel: Microsoft-Windows-Diagnosis-Scripted/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PackageId: MaintenanceDiagnostic
message: ''
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 104
Message
The scripted diagnostic engine completed diagnosing the diagnostic package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package whose diagnosis completed (%1 in the message) |
Example Event
system:
  provider: Microsoft-Windows-Diagnosis-Scripted
  guid: E1DD7E52-621D-44E3-A1AD-0370C2B25946
  event_source_name: ''
  event_id: 104
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686052787126272
  time_created: '2022-04-04T07:40:22.886890+00:00'
  event_record_id: 4
  correlation: {}
  execution:
    process_id: 4124
    thread_id: 4192
  channel: Microsoft-Windows-Diagnosis-Scripted/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PackageId: MaintenanceDiagnostic
message: ''
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 105
Message
The scripted diagnostic engine started running the resolution %2 in the diagnostic package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package (%1 in the message) |
| ResolutionId | Identifier of the resolution that started running (%2 in the message) |
Event ID 106
Message
The scripted diagnostic engine completed running the resolution %2 in the diagnostic package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package (%1 in the message) |
| ResolutionId | Identifier of the resolution that finished running (%2 in the message) |
Event ID 107
Message
The scripted diagnostic engine started verifying the diagnostic package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package being verified (%1 in the message) |
Event ID 108
Message
The scripted diagnostic engine completed verifying the diagnostic package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package whose verification completed (%1 in the message) |
Event ID 201
Message
The scripted diagnostic engine has encountered an error %1.
Fields
| Name | Description |
|---|---|
| Status | Error status reported by the engine (%1 in the message) |
Event ID 301
Message
The scripted diagnostic engine has encountered an error in function %1, line %2: %3.
Fields
| Name | Description |
|---|---|
| FunctionName | Name of the script function in which the error occurred (%1 in the message) |
| LineNumber | Line within that function at which the error occurred (%2 in the message) |
| ErrorCode | Error code reported for the failure (%3 in the message) |
Event ID 401
Message
Rootcause %2 was detected in package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package (%1 in the message) |
| RootCauseId | Identifier of the root cause that was detected (%2 in the message) |
Event ID 402
Message
Rootcause %2 was resolved in package %1.
Fields
| Name | Description |
|---|---|
| PackageId | Identifier of the diagnostic package (%1 in the message) |
| RootCauseId | Identifier of the root cause that was resolved (%2 in the message) |