detection.wiki

Microsoft-Windows-GroupPolicy › Event 4005

Event ID 4005 — Starting manual processing of policy for user PrincipalSamName.

Provider
Microsoft-Windows-GroupPolicy
Channel
Operational
Level
Informational
Opcode
Start

Description

Starting manual processing of policy for user PrincipalSamName.

Message #

Starting manual processing of policy for user %2. 
Activity id: %1

Fields #

NameDescription
PolicyActivityId GUIDActivity id.
PrincipalSamName UnicodeStringSAM name of the user account for which GPO processing was started
IsMachine UInt32
IsDomainJoined Boolean
IsBackgroundProcessing Boolean
IsAsyncProcessing Boolean
IsServiceRestart Boolean
ReasonForSyncProcessing UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 4005,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T17:34:37.483672+00:00",
    "event_record_id": 835,
    "correlation": {
      "ActivityID": "DCA9073D-A053-4D86-A71A-A22443FB751F"
    },
    "execution": {
      "process_id": 1352,
      "thread_id": 1684
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "DCA9073D-A053-4D86-A71A-A22443FB751F",
    "PrincipalSamName": "SIGMA\\Administrator",
    "IsMachine": 0,
    "IsDomainJoined": true,
    "IsBackgroundProcessing": true,
    "IsAsyncProcessing": false,
    "IsServiceRestart": false,
    "ReasonForSyncProcessing": 0
  },
  "message": ""
}

References #