Event ID 29 — Changes to 'Configuration' at 'ConfigPath' have successfully been committed.
Description
Changes to 'Configuration' at 'ConfigPath' have successfully been committed.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PhysicalPath | UnicodeString | — |
| ConfigPath | UnicodeString | — |
| EffectiveLocationPath | UnicodeString | — |
| Configuration | UnicodeString | — |
| EditOperationType | UInt32 | — |
| OldValue | UnicodeString | — |
| NewValue | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "guid": "DC0B8E51-4863-407A-BC3C-1B479B2978AC",
    "event_source_name": "",
    "event_id": 29,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:06:38.758372+00:00",
    "event_record_id": 2219,
    "correlation": {},
    "execution": {
      "process_id": 2732,
      "thread_id": 1444
    },
    "channel": "Microsoft-IIS-Configuration/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PhysicalPath": "\\\\?\\C:\\Windows\\system32\\inetsrv\\config\\applicationHost.config",
    "ConfigPath": "MACHINE/WEBROOT/APPHOST",
    "EffectiveLocationPath": "",
    "Configuration": "/system.webServer/handlers/add[@name=\"HttpRemotingHandlerFactory-rem-Integrated-4.0\"]/@type",
    "EditOperationType": 1,
    "OldValue": "",
    "NewValue": "System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  },
  "message": ""
}
```
Detection Rules
Sigma
- ETW Logging/Processing Option Disabled On IIS Server (medium): Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.
- HTTP Logging Disabled On IIS Server (high): Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
- New Module Module Added To IIS Server (medium): Detects the addition of a new module to an IIS server.
- Previously Installed IIS Module Was Removed (low): Detects the removal of a previously installed IIS module.