Microsoft-Windows-Kernel-Dump
12 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1 | AllowCrashDump policy. | Operational |
| 2 | AllowCrashDump policy value changed (AllowCrashDump = %1). | Operational |
| 3 | CrashDump disabled on boot by policy (AllowCrashDump = %1). | Operational |
| 4 | Crash dump disable failed. | Operational |
| 5 | Crash dump initialization failed. | Operational |
| 6 | Crash dump load driver failed. | Operational |
| 7 | Crash dump dump stack initialization failed. | Operational |
| 8 | Crash dump free dump stack failed. | Operational |
| 9 | Crash dump load dump stack failed. | Operational |
| 10 | Crash dump disabled. | Operational |
| 11 | Crash dump reconfigured. | Operational |
| 12 | Dump disabled forcefully (ForceDumpDisabled: %1). | Operational |
Event ID 1 — AllowCrashDump policy.
Message
AllowCrashDump policy.
Fields
| Name | Description |
|---|---|
| AllowCrashDump_policy | — |
| OperationType | — |
Event ID 2 — AllowCrashDump policy value changed (AllowCrashDump = %1).
Message
AllowCrashDump policy value changed (AllowCrashDump = %1).
Fields
| Name | Description |
|---|---|
| PolicyValue | — |
| NTStatus | — |
Event ID 3 — CrashDump disabled on boot by policy (AllowCrashDump = %1).
Message
CrashDump disabled on boot by policy (AllowCrashDump = %1).
Fields
| Name | Description |
|---|---|
| PolicyValue | — |
Event ID 4 — Crash dump disable failed.
Message
Crash dump disable failed. NT status.
Fields
| Name | Description |
|---|---|
| NTStatus | NT status code returned by the failed disable operation. |
Event ID 5 — Crash dump initialization failed.
Message
Crash dump initialization failed. NT status.
Fields
| Name | Description |
|---|---|
| NTStatus | NT status code returned by the failed initialization. |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Kernel-Dump
  guid: 17D2A329-4539-5F4D-3435-F510634CE3B9
  event_source_name: ''
  event_id: 5
  version: 0
  level: 3            # Warning
  task: 2
  opcode: 15
  keywords: 9223372036854775808
  time_created: '2023-10-26T04:16:27.309101+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 4     # the System process (kernel)
    thread_id: 8
  channel: Microsoft-Windows-Kernel-Dump/Operational
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  NTStatus: 3221225487   # 0xC000000F, STATUS_NO_SUCH_FILE
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6 — Crash dump load driver failed.
Message
Crash dump load driver failed. NT status.
Fields
| Name | Description |
|---|---|
| NTStatus | NT status code returned by the failed driver load. |
Event ID 7 — Crash dump dump stack initialization failed.
Message
Crash dump dump stack initialization failed.
Fields
| Name | Description |
|---|---|
| NTStatus | — |
Event ID 8 — Crash dump free dump stack failed.
Message
Crash dump free dump stack failed.
Fields
| Name | Description |
|---|---|
| NTStatus | — |
Event ID 9 — Crash dump load dump stack failed.
Message
Crash dump load dump stack failed.
Fields
| Name | Description |
|---|---|
| NTStatus | — |
Event ID 10 — Crash dump disabled.
Message
Crash dump disabled.
Example Event
```yaml
system:
  provider: Microsoft-Windows-Kernel-Dump
  guid: 17D2A329-4539-5F4D-3435-F510634CE3B9
  event_source_name: ''
  event_id: 10
  version: 0
  level: 4            # Information
  task: 2
  opcode: 20
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:25.603988+00:00'
  event_record_id: 11
  correlation: {}
  execution:
    process_id: 396
    thread_id: 408
  channel: Microsoft-Windows-Kernel-Dump/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11 — Crash dump reconfigured.
Message
Crash dump reconfigured. NT status.
Fields
| Name | Description |
|---|---|
| NTStatus | NT status code returned by the reconfiguration. |
Event ID 12 — Dump disabled forcefully (ForceDumpDisabled: %1).
Message
Dump disabled forcefully (ForceDumpDisabled: %1).
Fields
| Name | Description |
|---|---|
| ForceDumpDisabled | — |
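The events above fall into two groups a responder cares about: the ones that say crash dumps were switched off or their policy changed (IDs 2, 3, 10, 12; dumps being disabled is a common anti-forensics step and should be reconciled with change records), and the failures (IDs 4 to 9), which carry an NTStatus the Event Log renders as an unsigned decimal. The Python below is an added example, not code from this page, from the evtx-baseline project or from Microsoft: it decodes that NTStatus field (the 3221225487 in the Event ID 5 sample is 0xC000000F, STATUS_NO_SUCH_FILE) and triages a batch of records laid out like the page's YAML examples. The sample records, the small NTSTATUS name table, the severity labels and the finding format are this example's own assumptions.

```python
"""Triage of Microsoft-Windows-Kernel-Dump/Operational events.

Added example; not part of this page, the evtx-baseline project or any
Microsoft tooling. Event IDs and field names come from the event table on
this page; the sample records at the bottom are constructed, not captured.
"""

# Events that report crash dumps being turned off or their policy changing.
POLICY_EVENTS = {
    2: "AllowCrashDump policy value changed",
    3: "CrashDump disabled on boot by policy",
    10: "Crash dump disabled",
    12: "Dump disabled forcefully",
}
# Events that report a failure in crash-dump setup; all carry NTStatus.
FAILURE_EVENTS = {
    4: "Crash dump disable failed",
    5: "Crash dump initialization failed",
    6: "Crash dump load driver failed",
    7: "Crash dump dump stack initialization failed",
    8: "Crash dump free dump stack failed",
    9: "Crash dump load dump stack failed",
}
# Small lookup of well-known NTSTATUS values (ntstatus.h); extend as needed.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000000F: "STATUS_NO_SUCH_FILE",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000009A: "STATUS_INSUFFICIENT_RESOURCES",
}
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def decode_ntstatus(value):
    """Split an NTSTATUS into its fields.

    Event Log renders the field as an unsigned 32-bit decimal. Layout:
    bits 31-30 severity, bit 29 customer, bit 28 reserved,
    bits 27-16 facility, bits 15-0 code.
    """
    v = int(value) & 0xFFFFFFFF
    return {
        "hex": f"0x{v:08X}",
        "severity": SEVERITY[v >> 30],
        "facility": (v >> 16) & 0x0FFF,
        "code": v & 0xFFFF,
        "name": NTSTATUS_NAMES.get(v, "UNKNOWN"),
    }


def triage(events):
    """Return one finding per event of interest, in input order.

    Records use the page's YAML layout: a top-level event_id and an
    event_data mapping (Event ID 10 leaves it empty). Severity labels are
    this example's own convention: dumps actually off is 'high', a policy
    change or a setup failure is 'medium'.
    """
    findings = []
    for ev in events:
        eid = ev["event_id"]
        data = ev.get("event_data") or {}
        if eid in POLICY_EVENTS:
            findings.append({
                "record": ev.get("event_record_id"),
                "event_id": eid,
                "severity": "medium" if eid == 2 else "high",
                "summary": POLICY_EVENTS[eid],
                # Carry the policy/force value so the reviewer sees what was set.
                "detail": {k: data[k] for k in ("PolicyValue", "ForceDumpDisabled") if k in data},
            })
        elif eid in FAILURE_EVENTS:
            st = decode_ntstatus(data.get("NTStatus", 0))
            findings.append({
                "record": ev.get("event_record_id"),
                "event_id": eid,
                "severity": "medium",
                "summary": f"{FAILURE_EVENTS[eid]}: {st['name']} ({st['hex']})",
                "detail": st,
            })
    return findings


# Constructed sample records (field layout mirrors the page's examples;
# the NTStatus on record 2 is the value from the page's Event ID 5 sample).
SAMPLE_EVENTS = [
    {"event_id": 1, "event_record_id": 1, "event_data": {"AllowCrashDump_policy": 1, "OperationType": 0}},
    {"event_id": 5, "event_record_id": 2, "event_data": {"NTStatus": 3221225487}},
    {"event_id": 2, "event_record_id": 3, "event_data": {"PolicyValue": 0, "NTStatus": 0}},
    {"event_id": 10, "event_record_id": 4, "event_data": {}},
    {"event_id": 12, "event_record_id": 5, "event_data": {"ForceDumpDisabled": 1}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] record {f['record']} id {f['event_id']}: {f['summary']} {f['detail']}")
```

Event ID 1 is deliberately not flagged: it only reports the policy, and the page gives no semantics for its two fields. To run this against a live host, export the Microsoft-Windows-Kernel-Dump/Operational channel with a tool that emits the same YAML layout as the page's samples and feed the parsed records to `triage`.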