Message #

%1

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-EventSystem",
    "guid": "{899daace-4868-4295-afcd-9eb8fb497561}",
    "event_source_name": "EventSystem",
    "event_id": 4625,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2023-11-06T06:25:40.864290+00:00",
    "event_record_id": 1434,
    "correlation": {},
    "execution": {
      "process_id": 2696,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "86400",
    "param2": "SuppressDuplicateDuration",
    "param3": "Software\\Microsoft\\EventSystem\\EventLog"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Fields #

Fields #

Fields #

Fields #

Fields #

Message #

The EventSystem sub system is suppressing duplicate event log entries for a duration of %1 seconds.  The suppression timeout can be controlled by a REG_DWORD value named %2 under the following registry key: HKLM\%3.

Fields #

Message #

The COM+ Event System fired the %2 method on event class %3 for publisher %4 and subscriber %5 but the subscriber returned an error. The display name of the subscription is "%6". The subscriber returned HRESULT %1.

Fields #

Description

The COM+ Event System failed to fire the param2 method on event class param3 for publisher param4 and subscriber param5. The display name of the subscription is "param6". The HRESULT was param1.

Message #

The COM+ Event System failed to fire the %2 method on event class %3 for publisher %4 and subscriber %5. The display name of the subscription is "%6". The HRESULT was %1.

Fields #

Description

The COM+ Event System could not determine the name of the current user. A call to param3 returned error code param1: "param2".

Message #

The COM+ Event System could not determine the name of the current user.  A call to %3 returned error code %1: "%2"

Fields #

Description

The COM+ Event System failed to create an instance of the subscriber param2. param3 returned HRESULT param1.

Message #

The COM+ Event System failed to create an instance of the subscriber %2.  %3 returned HRESULT %1.

Fields #

Message #

The COM+ Event System could not fire an EventObjectChange event to subscription %2 because the query criteria string "%3" contained an error.  The approximate location of the error in the criteria string is at character index %4; the criteria sub-text at this location is "%5".  The HRESULT was %1.

Fields #

Description

The COM+ Event System could not fire an EventObjectChange event to subscription param2 because a bad HRESULT was detected during filtering. The HRESULT was param1.

Message #

The COM+ Event System could not fire an EventObjectChange event to subscription %2 because a bad HRESULT was detected during filtering.  The HRESULT was %1.

Fields #

Description

The type library "param2" specified in EventClass param3 ("param4") could not be loaded, or is not correct for this EventClass. The HRESULT was param1.

Message #

The type library "%2" specified in EventClass %3 ("%4") could not be loaded, or is not correct for this EventClass.  The HRESULT was %1.

Fields #

Description

The COM+ Event System detected a corrupt IEventClass object. The COM+ Event System has removed object ID . The publisher will no longer be able to create an instance of the class. The HRESULT was .

Message #

The COM+ Event System detected a corrupt IEventClass object.  The COM+ Event System has removed object ID %2.  The publisher will no longer be able to create an instance of the class.  The HRESULT was %1.

Fields #

Description

The COM+ Event System detected a corrupt IEventSubscription object. The COM+ Event System has removed object ID param1. The subscriber will no longer be notified when the event occurs.

Message #

The COM+ Event System detected a corrupt IEventSubscription object.  The COM+ Event System has removed object ID %1.  The subscriber will no longer be notified when the event occurs.

Fields #

Message #

The COM+ Event System detected a bad return code during its internal processing.  HRESULT was %3 from line %2 of %1.  This warning may be expected if the computer is low on resources.  If the computer is not low on resources, and these warnings persist, it may indicate a problem in the COM+ Event System.

Fields #

Message #

The COM+ Event System detected an unexpected null pointer during its internal processing, at line %2 of %1.  This warning may be expected if the computer is low on resources.  If the computer is not low on resources, and these warnings persist, it may indicate a problem in the COM+ Event System.

Fields #

Message #

The COM+ Event System detected an unexpected error from a Win32 API call at line %2 of %1.  A call to %3 failed with error code %5: "%4"  This warning may be expected if the computer is low on resources.  If the computer is not low on resources, and these warnings persist, it may indicate a problem in the COM+ Event System.

Fields #

Message #

The COM+ Event System detected an inconsistency in its internal state.  The assertion "%3" failed at line %2 of %1.  This warning may be expected if the computer is low on resources.  If the computer is not low on resources, and these warnings persist, it may indicate a problem in the COM+ Event System.

Fields #

Message #

The COM+ Event System timed out attempting to fire the %2 method on event class %3 for publisher %4 and subscriber %5.  The subscriber failed to respond within %7 seconds. The display name of the subscription is "%6". The HRESULT was %1.

Fields #

Description

The COM+ Event System service blocked the creation of a subscription to the event class with CLSID.

Message #

The COM+ Event System service blocked the creation of a subscription to the event class with CLSID

Fields #

Description

The COM+ Event System did not fire the.

Message #

The COM+ Event System did not fire the

Fields #

Message #

The COM+ Event System detected a bad return code during its internal processing.  HRESULT was {param3} from line {param2} of {param1}.  Please contact Microsoft Product Support Services to report this error.

Fields #

Message #

The COM+ Event System detected a bad return code during its internal processing.  HRESULT was %3 from line %2 of %1.  This may indicate that the COM+ Event System is not properly installed.  Please try reinstalling the COM+ Event System.

Fields #

Description

The COM+ Event System detected an unexpected null pointer during its internal processing; at line {param2} of {param1}. Please contact Microsoft Product Support Services to report this error.

Message #

The COM+ Event System detected an unexpected null pointer during its internal processing; at line {param2} of {param1}.  Please contact Microsoft Product Support Services to report this error.

Fields #

Description

The COM+ Event System ran out of memory during its internal processing, at line param2 of param1.

Message #

The COM+ Event System ran out of memory during its internal processing, at line %2 of %1.

Fields #

Message #

The COM+ Event System detected an unexpected error from a Win32 API call at line {param2} of {param1}.  A call to {param3} failed with error code {param5}: '{param4}'  Please contact Microsoft Product Support Services to report this error.

Fields #

Message #

The COM+ Event System detected an inconsistency in its internal state.  The assertion '{param3}' failed at line {param2} of {param1}.  Please contact Microsoft Product Support Services to report this error.

Fields #

Description

The COM+ Event System caught an exception param1 at address param2 within method param3 of interface param4.param5.

Message #

The COM+ Event System caught an exception %1 at address %2 within method %3 of interface %4.%5

Fields #

Description

The COM+ Event System caught an access violation at address param1 within method param3 of interface param4. The method attempted to access address param2.param5.

Message #

The COM+ Event System caught an access violation at address %1 within method %3 of interface %4.  The method attempted to access address %2.%5

Fields #

Description

The COM+ Event System raised an unexpected exception {param1} at address {param2}. Please contact Microsoft Product Support Services to report this error.{param3}.

Message #

The COM+ Event System raised an unexpected exception {param1} at address {param2}.  Please contact Microsoft Product Support Services to report this error.{param3}

Fields #

Description

The COM+ Event System raised an unexpected access violation at address {param1}; attempting to access address {param2}. Please contact Microsoft Product Support Services to report this error.{param3}.

Message #

The COM+ Event System raised an unexpected access violation at address {param1}; attempting to access address {param2}.  Please contact Microsoft Product Support Services to report this error.{param3}

Fields #

Description

The COM+ Event System could not store the per-user subscription param2 because the registry key HKEY_USERS\param3 could not be opened. The HRESULT was param1.

Message #

The COM+ Event System could not store the per-user subscription %2 because the registry key HKEY_USERS\%3 could not be opened.  The HRESULT was %1.

Fields #

Message #

The COM+ Event System detected an error trying to query an %1 object because the criteria string "%2" contained an error.  The approximate location of the error is at character index %3; the criteria sub-text at this location is "%4".

Fields #

Description

The COM+ Event System could not remove the param2 object param3.

Message #

The COM+ Event System could not remove the %2 object %3.
Object name: %4
Object description: %5
The HRESULT was %1.

Fields #

Description

The COM+ Event System could not marshal the subscriber for subscription param2. The HRESULT was param1.

Message #

The COM+ Event System could not marshal the subscriber for subscription %2.  The HRESULT was %1.

Fields #

Description

The COM+ Event System failed to create an instance of the MultiInterfacePublisherFilter param2 defined in event class param3. param4 returned HRESULT param1.

Message #

The COM+ Event System failed to create an instance of the MultiInterfacePublisherFilter %2 defined in event class %3.  %4 returned HRESULT %1.

Fields #

Message #

The COM+ Event System could not apply the filter criteria to subscription %2 with display name "%6" because the criteria string "%3" contained an error.  The approximate location of the error is at character index %4; the criteria sub-text at this location is "%5".  The HRESULT was %1.

Fields #