Microsoft-Windows-Kernel-Audit-API-Calls

8 events across 1 channel

Event ID	Title	Channel
1		Operational
2		Operational
3		Operational
4		Operational
5		Operational
6		Operational
7		Operational
8		Operational

Event ID 1 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`NotifyRoutineAddress` Pointer	—
`ReturnCode` UInt32	—

Event ID 2 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`TargetProcessId` UInt32	—
`ReturnCode` UInt32	—
`TargetProcessStartKey` UInt64	—
`TargetProcessCreationTime` FILETIME	—

Event ID 3 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`LinkSourceName` UnicodeString	—
`LinkTargetName` UnicodeString	—
`DesiredAccess` UInt32	— Process access rights reference
`ReturnCode` UInt32	—

Event ID 4 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`ReturnCode` UInt32	—

Event ID 5 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`TargetProcessId` UInt32	—
`DesiredAccess` UInt32	— Process access rights reference
`ReturnCode` UInt32	—

Event ID 6 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`TargetProcessId` UInt32	—
`TargetThreatId` UInt32	—
`DesiredAccess` UInt32	— Process access rights reference
`ReturnCode` UInt32	—

Event ID 7 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DriverName` UnicodeString	—
`ReturnCode` UInt32	—

Event ID 8 —

Provider: Microsoft-Windows-Kernel-Audit-API-Calls
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DriverName` UnicodeString	—
`ReturnCode` UInt32	—