Microsoft-Windows-Kernel-Dump
12 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1 | AllowCrashDump policy: AllowCrashDump_policy. | Operational |
| 2 | AllowCrashDump policy value changed (AllowCrashDump = PolicyValue). | Operational |
| 3 | CrashDump disabled on boot by policy (AllowCrashDump = PolicyValue). | Operational |
| 4 | Crash dump disable failed. | Operational |
| 5 | Crash dump initialization failed. | Operational |
| 6 | Crash dump load driver failed. | Operational |
| 7 | Crash dump dump stack initialization failed. | Operational |
| 8 | Crash dump free dump stack failed. | Operational |
| 9 | Crash dump load dump stack failed. | Operational |
| 10 | Crash dump disabled. | Operational |
| 11 | Crash dump reconfigured. | Operational |
| 12 | Dump disabled forcefully (ForceDumpDisabled: … | Operational |
Event ID 1 — AllowCrashDump policy: AllowCrashDump_policy.
Description
AllowCrashDump policy: AllowCrashDump_policy.
Message #
Fields #
| Name | Description |
|---|---|
AllowCrashDump_policy AnsiString | — |
OperationType AnsiString | — Known values
|
Event ID 2 — AllowCrashDump policy value changed (AllowCrashDump = PolicyValue).
Event ID 3 — CrashDump disabled on boot by policy (AllowCrashDump = PolicyValue).
Event ID 4 — Crash dump disable failed.
Event ID 5 — Crash dump initialization failed.
#Description
Crash dump initialization failed. NT status: NTStatus.
Message #
Fields #
| Name | Description |
|---|---|
NTStatus UInt32 | Crash dump initialization failed. NT status. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-Dump",
"guid": "17D2A329-4539-5F4D-3435-F510634CE3B9",
"event_source_name": "",
"event_id": 5,
"version": 0,
"level": 3,
"task": 2,
"opcode": 15,
"keywords": 9223372036854775808,
"time_created": "2023-10-26T04:16:27.309101+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8
},
"channel": "Microsoft-Windows-Kernel-Dump/Operational",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NTStatus": 3221225487
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6 — Crash dump load driver failed.
Event ID 7 — Crash dump dump stack initialization failed.
Event ID 8 — Crash dump free dump stack failed.
Event ID 9 — Crash dump load dump stack failed.
Event ID 10 — Crash dump disabled.
#Description
Crash dump disabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-Dump",
"guid": "17D2A329-4539-5F4D-3435-F510634CE3B9",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 2,
"opcode": 20,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:25.603988+00:00",
"event_record_id": 11,
"correlation": {},
"execution": {
"process_id": 396,
"thread_id": 408
},
"channel": "Microsoft-Windows-Kernel-Dump/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline