Microsoft-Windows-Eventlog
41 events across 4 channels
Event ID 20 — The event logging service encountered an error ErrorCode while obtaining or processing configuration for channel Path.
Event ID 21 — The event logging service encountered a configuration-related error (res=ErrorCode) for channel ChannelPath.
Description
The event logging service encountered a configuration-related error (res=ErrorCode) for channel ChannelPath. The error was encountered while processing the ConfigProperty configuration property.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| ChannelPath | UnicodeString | — |
| ConfigProperty | UnicodeString | — |
Event ID 22 — The event logging service encountered an error while initializing publishing resources for channel Path.
Event ID 23 — The event logging service encountered an error (res=ErrorCode) while initializing logging resources for channel Path.
Event ID 25 — The event logging service encountered a corrupt log file for channel ChannelPath.
Event ID 26 — The event logging service encountered a log file for channel ChannelPath which is an unsupported version.
Event ID 27 — The event logging service encountered an error (res=ErrorCode) while opening log file for channel ChannelPath.
Description
The event logging service encountered an error (res=ErrorCode) while opening log file for channel ChannelPath. Trying again using default log file path FailedLogFilePath.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| ChannelPath | UnicodeString | — |
| FailedLogFilePath | UnicodeString | — |
| NewLogFilePath | UnicodeString | — |
Event ID 28 — The event logging service encountered an error (res=ErrorCode) while parsing filter for channel ChannelPath.
Event ID 29 — The event logging service encountered a fatal error (res=ErrorCode) when applying settings to the ChannelPath channel.
Event ID 30 — The event logging service encountered an error (InitChannelPublisherEnableFailure.ErrorCode) while enabling publisher InitChannelPublisherEnableFailure.PublisherGuid to channel InitChannelPublisher...
Fields
| Name | Type | Description |
|---|---|---|
| InitChannelPublisherEnableFailure.ErrorCode | UInt32 | — |
| InitChannelPublisherEnableFailure.ChannelPath | UnicodeString | — |
| InitChannelPublisherEnableFailure.PublisherGuid | GUID | — |
| ErrorCode | UInt32 | — |
| ChannelPath | UnicodeString | — |
| PublisherGuid | GUID | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148",
    "event_source_name": "",
    "event_id": 30,
    "version": 0,
    "level": 2,
    "task": 100,
    "opcode": 0,
    "keywords": 9223372036854906880,
    "time_created": "2026-03-13T19:59:15.259008+00:00",
    "event_record_id": 11634,
    "correlation": {},
    "execution": {
      "process_id": 1844,
      "thread_id": 8176
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "InitChannelPublisherEnableFailure": {
      "ErrorCode": 5,
      "ChannelPath": "Microsoft-Windows-WinINet-Capture/Analytic",
      "PublisherGuid": "A70FF94F-570B-4979-BA5C-E59C9FEAB61B"
    }
  },
  "message": ""
}
```
Event ID 31 — The event logging service encountered an error (res=ErrorCode) while opening configuration for primary channel ChannelPath.
Event ID 40 — The event logging service encountered an error when attempting to apply one or more policy settings.
Event ID 100 — The event logging service encountered an error while processing an incoming event published from PubID.
Event ID 102 — The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.
Event ID 103 — Events have been dropped by the transport.
Event ID 104 — The LogFileCleared.Channel log file was cleared.
Description
The LogFileCleared.Channel log file was cleared.
Fields
| Name | Description |
|---|---|
| LogFileCleared.SubjectUserName | — |
| LogFileCleared.SubjectDomainName | — |
| LogFileCleared.Channel | — |
| LogFileCleared.BackupPath | — |
| LogFileCleared.ClientProcessId | — |
| LogFileCleared.ClientProcessStartKey | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 104,
    "version": 1,
    "level": 4,
    "task": 104,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:53:10.300656+00:00",
    "event_record_id": 1453,
    "correlation": {},
    "execution": {
      "process_id": 1796,
      "thread_id": 2028
    },
    "channel": "System",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "user_data": {
    "LogFileCleared": {
      "SubjectUserName": "Administrator",
      "SubjectDomainName": "WINDEVEVAL",
      "Channel": "Application",
      "BackupPath": null,
      "ClientProcessId": 4544,
      "ClientProcessStartKey": 2533274790396090
    }
  },
  "message": ""
}
```
Detection Patterns
Defense Evasion: Clear Windows Event Logs
Community Notes
This will show System, Application, and other non-Security logs being cleared. Review the event to identify which one.
Detection Rules
Sigma
- Eventlog Cleared (level: medium): One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution.
- Important Windows Eventlog Cleared (level: high): Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 105 — Event log automatic backup.
Description
Event log automatic backup.
Fields
| Name | Type | Description |
|---|---|---|
| Log | UnicodeString | — |
| File | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 105,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2012-03-26T05:50:08.470644Z",
    "event_record_id": 13049,
    "correlation": {},
    "execution": {
      "process_id": 772,
      "thread_id": 4256
    },
    "channel": "System",
    "computer": "WKS-WIN764BITB.shieldbase.local",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "AutoBackup": {
      "xmlns:auto-ns3": "http://schemas.microsoft.com/win/2004/08/events",
      "Channel": "Application",
      "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Application-2012-03-26-05-50-01-755.evtx"
    }
  }
}
```
Event ID 106 — Corruption was detected in the log for the Channel channel and some data was erased.
Event ID 107 — The event logging service encountered an error ErrorCode while going through publisher configuration.
Event ID 108 — The previous system shutdown was unexpected.
Description
The previous system shutdown was unexpected.
Fields
| Name | Type | Description |
|---|---|---|
| ShutdownTime | SYSTEMTIME | — |
| ActualMaxInterval | UInt32 | — |
| DiskPmDisabledMaxInterval | UInt32 | — |
| DiskPmEnabledFlag | UInt32 | — |
| DiskPmEnabledMaxInterval | UInt32 | — |
| TimestampForced | UInt32 | — |
| DiskPmPolicy | UInt32 | — |
| BiasValid | UInt32 | — |
| StartBias | UInt32 | — |
Event ID 109 — The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.
Description
The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| EventID | UInt16 | — |
| PublisherName | UnicodeString | — |
| PublisherGuid | GUID | — |
| ProcessID | UInt32 | — |
| EventName | UnicodeString | — |
Event ID 110 — Loading metadata for publisher PublisherName (PublisherGuid) and trying to process the metadata for it.
Event ID 111 — Finished loading metadata for publisher PublisherName (PublisherGuid), with EventMetaDataCount event metadatas processed.
Event ID 112 — Failed to load metadata for publisher PublisherName (PublisherGuid).
Event ID 200 — Channel ChannelName (ChannelType) was enabled (Enabled) programmatically.
Event ID 201 — A push subscription was created for ChannelName.
Event ID 202 — A pull subscription was created for ChannelName.
Event ID 203 — OpenEventLog legacy API was used to open ModuleName.
Event ID 204 — RegisterEventSource legacy API was used to register ModuleName.
Description
RegisterEventSource legacy API was used to register ModuleName.
Fields
| Name | Type | Description |
|---|---|---|
| ModuleNameLen | UInt8 | — |
| ModuleName | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": "204",
    "version": "0",
    "level": "5",
    "task": "109",
    "opcode": "0",
    "keywords": 576460752304472064,
    "time_created": "2026-03-15T04:33:36.389555800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00102311-0000-0000-0000-0000bebcad59}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "8064"
    },
    "channel": "Microsoft-Windows-EventLog/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ModuleNameLen": "10",
    "ModuleName": "PowerShell"
  },
  "message": ""
}
```
Event ID 205 — ReportEvent legacy API was used to write an event to ModuleName.
Description
ReportEvent legacy API was used to write an event to ModuleName.
Fields
| Name | Type | Description |
|---|---|---|
| ModuleNameLen | UInt8 | — |
| ModuleName | AnsiString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": "205",
    "version": "1",
    "level": "5",
    "task": "109",
    "opcode": "0",
    "keywords": 576460752304472064,
    "time_created": "2026-03-15T04:33:36.390335800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00102311-0000-0000-0000-0000bebcad59}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "8064"
    },
    "channel": "Microsoft-Windows-EventLog/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ModuleNameLen": "10",
    "ModuleName": "PowerShell"
  },
  "message": ""
}
```
Event ID 517 — The audit log was cleared (legacy Windows 2000/XP/2003 event; superseded by 1102).
Description
Legacy security-log clear event from Windows 2000/XP/2003. Superseded by EventID 1102 in Vista+.
Detection Patterns
Defense Evasion: Clear Windows Event Logs
Event ID 1100 — The event logging service has shut down.
Description
The event logging service has shut down.
Fields
| Name | Description |
|---|---|
| ServiceShutdown | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1100,
    "version": 0,
    "level": 4,
    "task": 103,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2023-11-05T22:31:36.994928+00:00",
    "event_record_id": 3371,
    "correlation": {},
    "execution": {
      "process_id": 1816,
      "thread_id": 1352
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "ServiceShutdown": {}
  },
  "message": ""
}
```
Detection Rules
Splunk
- Windows Event Logging Service Has Shutdown: The following analytic detects the shutdown of the Windows Event Log service by leveraging Windows Event ID 1100. This event is logged every time the service stops, including during normal system shutdowns. Monitoring this activity is crucial as it can indicate attempts to cover tracks or disable logging. If confirmed malicious, an attacker could hide their activities, making it difficult to trace their actions and investigate further incidents. Analysts should verify if the shutdown was planned and review other alerts and data sources for additional suspicious behavior.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
Event ID 1101 — Audit events have been dropped by the transport.
Description
Audit events have been dropped by the transport. AuditEventsDropped.Reason.
Fields
| Name | Type | Description |
|---|---|---|
| AuditEventsDropped.Reason | UInt8 | — |
| Reason | UInt8 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1101,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2026-03-06T19:18:41.161306+00:00",
    "event_record_id": 13453892,
    "correlation": {},
    "execution": {
      "process_id": 1788,
      "thread_id": 2828
    },
    "channel": "Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "AuditEventsDropped": {
      "Reason": 0
    }
  },
  "message": ""
}
```
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101
Event ID 1102 — The audit log was cleared.
Description
The audit log was cleared.
Fields
| Name | Description |
|---|---|
| LogFileCleared.SubjectUserSid | [Subject] Security ID. |
| LogFileCleared.SubjectUserName | [Subject] Account Name. |
| LogFileCleared.SubjectDomainName | [Subject] Domain Name. |
| LogFileCleared.SubjectLogonId | [Subject] Logon ID. |
| LogFileCleared.ClientProcessId | — |
| LogFileCleared.ClientProcessStartKey | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1102,
    "version": 1,
    "level": 4,
    "task": 104,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2023-10-25T22:53:10.300656+00:00",
    "event_record_id": 2625,
    "correlation": {},
    "execution": {
      "process_id": 1796,
      "thread_id": 2028
    },
    "channel": "Security",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "LogFileCleared": {
      "SubjectUserSid": "S-1-5-21-2533829718-189860685-2477588761-500",
      "SubjectUserName": "Administrator",
      "SubjectDomainName": "WINDEVEVAL",
      "SubjectLogonId": "0x42eea",
      "ClientProcessId": 4544,
      "ClientProcessStartKey": 2533274790396090
    }
  },
  "message": ""
}
```
Detection Patterns
Defense Evasion: Clear Windows Event Logs
Detection Rules
Kusto Query Language
- Security Event log cleared (level: medium): Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.
- NRT Security Event log cleared (level: medium): Checks for event id 1102 which indicates the security event log was cleared. It uses Event Source Name "Microsoft-Windows-Eventlog" to avoid generating false positives from other sources, like AD FS servers for instance.
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- NSA/CISA - Best Practices for Event Logging https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
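The Sigma rules listed under Event ID 104, the Splunk analytic under Event ID 1100 and the KQL rules above all reduce to the same three checks: the record must come from the real Microsoft-Windows-Eventlog provider (so that other sources reusing ID 1102, such as AD FS, do not fire the rule), ID 1102 means the Security log was cleared, ID 104 names the cleared channel in LogFileCleared.Channel, and ID 1100 marks a logging-service stop that also occurs on every normal shutdown. The following Python is an added example, not code from this page or from the Sigma, Splunk or Sentinel rule authors; it applies those checks to constructed records shaped like the JSON examples on this page. The "core channel" set used to grade ID 104, the severity labels, and the "AD FS Auditing" provider name in the sample data are this example's own assumptions.

```python
# Added example (not the page's or any rule author's code): a small classifier
# that applies the detection logic described on this page to event records
# shaped like the JSON examples above.
from typing import Optional

PROVIDER = "Microsoft-Windows-Eventlog"

# Channels treated as "core" logs for severity purposes. This set is an
# assumption of this example, not the exact list used by the Sigma rule.
CORE_CHANNELS = {"Security", "System", "Application"}


def classify(evt: dict) -> Optional[dict]:
    """Return an alert for log-clear / logging-shutdown events, or None."""
    system = evt.get("system", {})
    # Event IDs appear both as integers (1102) and strings ("204") on this page.
    try:
        event_id = int(system.get("event_id"))
    except (TypeError, ValueError):
        return None
    # Only the real event logging service is of interest; the KQL rule notes
    # that other sources (e.g. AD FS) reuse ID 1102 and would cause false positives.
    if system.get("provider") != PROVIDER:
        return None
    cleared = evt.get("user_data", {}).get("LogFileCleared", {})
    subject = f"{cleared.get('SubjectDomainName')}\\{cleared.get('SubjectUserName')}"

    if event_id == 1102:  # Security log cleared
        return {"rule": "Security Event log cleared", "level": "high",
                "channel": "Security", "subject": subject,
                "client_pid": cleared.get("ClientProcessId")}
    if event_id == 104:  # any non-Security channel cleared; payload names it
        channel = cleared.get("Channel")
        return {"rule": "Eventlog cleared",
                "level": "high" if channel in CORE_CHANNELS else "medium",
                "channel": channel, "subject": subject,
                "client_pid": cleared.get("ClientProcessId")}
    if event_id == 1100:  # logging service stopped; also fires on normal shutdown
        return {"rule": "Event logging service has shut down", "level": "low",
                "channel": system.get("channel"), "subject": None, "client_pid": None}
    return None


def scan(events) -> list:
    """Run classify() over a sequence of records and keep the hits, in order."""
    return [alert for alert in map(classify, events) if alert is not None]


def _rec(event_id, provider=PROVIDER, channel="Security", user_data=None) -> dict:
    """Build a minimal record in the page's layout (constructed sample data)."""
    return {"system": {"provider": provider, "event_id": event_id, "channel": channel},
            "user_data": user_data or {}}


CLEAR = {"SubjectUserName": "Administrator", "SubjectDomainName": "WINDEVEVAL",
         "ClientProcessId": 4544}

# Constructed sample records; the "AD FS Auditing" provider name is made up
# to stand in for a non-Eventlog source that also emits ID 1102.
SAMPLE_EVENTS = [
    _rec(1102, user_data={"LogFileCleared": CLEAR}),
    _rec(104, channel="System",
         user_data={"LogFileCleared": {**CLEAR, "Channel": "Application"}}),
    _rec(104, channel="System",
         user_data={"LogFileCleared": {**CLEAR, "Channel": "Microsoft-Windows-WinINet-Capture/Analytic"}}),
    _rec(1102, provider="AD FS Auditing", user_data={"LogFileCleared": CLEAR}),
    _rec(1100, user_data={"ServiceShutdown": {}}),
    _rec("4688"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints four alerts: the Security-log clear, the Application-log clear at high, the Analytic-channel clear at medium, and the low-severity service shutdown; the 1102 from the non-Eventlog provider and the unrelated 4688 produce nothing. ClientProcessId is carried through so an analyst can pivot to the process that issued the clear.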
Event ID 1103 — The security log is now PercentFull percent full.
Event ID 1104 — The security log is now full.
Event ID 1105 — Event log automatic backup.
Event ID 1106 — Events have been dropped by the event logging service.
Event ID 1107 — The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.
Description
The event logging service encountered an error while processing an incoming event from publisher PublisherName and trying to process the metadata for it.
Fields
| Name | Type | Description |
|---|---|---|
| ErrorCode | UInt32 | — |
| EventID | UInt16 | — |
| PublisherName | UnicodeString | — |
| PublisherGuid | GUID | — |
| ProcessID | UInt32 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1107,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2016-08-18T16:53:04.313375Z",
    "event_record_id": 5538,
    "correlation": {},
    "execution": {
      "process_id": 716,
      "thread_id": 1128
    },
    "channel": "Security",
    "computer": "IE10Win7",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "EventPublisherMetaDataFailure": {
      "#attributes": {
        "xmlns:auto-ns3": "http://schemas.microsoft.com/win/2004/08/events",
        "xmlns": "http://manifests.microsoft.com/win/2004/08/windows/eventlog"
      },
      "Error": {
        "#attributes": {
          "Code": 15002
        }
      },
      "EventID": 0,
      "PublisherName": null,
      "PublisherGuid": "54849625-5478-4994-A5BA-3E3B0328C30D",
      "ProcessID": 0
    }
  }
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1108 — The event logging service encountered an error while processing an incoming event published from EventProcessingFailure.PublisherID.
Description
The event logging service encountered an error while processing an incoming event published from EventProcessingFailure.PublisherID.
Fields
| Name | Type | Description |
|---|---|---|
| EventProcessingFailure.ErrorCode | UInt32 | — |
| EventProcessingFailure.EventID | UInt16 | — |
| EventProcessingFailure.PublisherID | — | — |
| ErrorCode | UInt32 | — |
| EventID | UInt16 | — |
| PubID | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Eventlog",
    "guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
    "event_source_name": "",
    "event_id": 1108,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4620693217682128896,
    "time_created": "2026-03-12T03:08:47.632904+00:00",
    "event_record_id": 2761579,
    "correlation": {},
    "execution": {
      "process_id": 1916,
      "thread_id": 2348
    },
    "channel": "Security",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": ""
    }
  },
  "user_data": {
    "EventProcessingFailure": {
      "ErrorCode": 15003,
      "EventID": 4688,
      "PublisherID": "Microsoft-Windows-Security-Auditing"
    }
  },
  "message": ""
}
```