Microsoft-Windows-Kernel-General

24 events across 2 channels

Event ID	Title	Channel
1	The system time has changed to %1 from %2.	System
2	License policy-cache corruption detected.	System
3	License policy-cache corruption has been fixed.	System
4	License policy-cache has expired because it was not updated within expected …	System
5	{Registry Hive Recovered} Registry hive (file): '.	System
6	An I/O operation initiated by the Registry failed unrecoverably.	System
7	The system failed to open transaction log {LogFile} for hive {HivePath}.	System
11	TxR init phase for hive %2 (TM: %3, RM: %4) finished with result=%5 (Internal …	System
12	The operating system started at system time 1.3825413334687505e+09.	System
13	The operating system is shutting down at system time StopTime.	System
14		Operational
15	Hive %2 was reorganized with a starting size of %3 bytes and an ending size of …	System
16	The access history in hive %2 was cleared updating %3 keys and creating %4 …	System
17		Operational
18	The operating system is starting after soft restart.	System
19		Operational
20	The leap second configuration has been updated.	System
21	Failed to update leap second data from the registry.	System
22	The time zone bias has changed to %1 from %2.	System
23		Operational
24	The time zone information was refreshed with exit reason %1.	System
25	The system time was initialized to %1.	System
26		Operational
26	Token information was queried for TokenIsAppContainer.	System

Event ID 1 — The system time has changed to %1 from %2.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The system time has changed to %1 from %2.

Fields

Name	Description
`NewTime`	—
`OldTime`	—
`TimeDeltaInMs`	Time Delta.
`Reason`	Change Reason.
`ProcessName`	—
`ProcessID`	—
`CmosTime`	RTC time.
`TimeZoneBias`	Current time zone bias.
`RealTimeIsUniversal`	RTC time is in UTC.
`SystemInCmosMode`	System time was based on RTC time.

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 1
  version: 4
  level: 4
  task: 5
  opcode: 0
  keywords: 9223372036854775824
  time_created: '2023-11-05T22:32:22.236350+00:00'
  event_record_id: 1943
  correlation: {}
  execution:
    process_id: 3308
    thread_id: 3676
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  NewTime: '2023-11-05T22:32:22.232000Z'
  OldTime: '2023-11-05T22:32:20.942615Z'
  TimeDeltaInMs: 1289
  Reason: 1
  ProcessName: \Device\HarddiskVolume4\Program Files\VMware\VMware Tools\vmtoolsd.exe
  ProcessID: 3308
  CmosTime: '2023-11-05T14:32:22.232000Z'
  TimeZoneBias: 480
  RealTimeIsUniversal: false
  SystemInCmosMode: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — License policy-cache corruption detected.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

License policy-cache corruption detected.

Event ID 3 — License policy-cache corruption has been fixed.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

License policy-cache corruption has been fixed.

Event ID 4 — License policy-cache has expired because it was not updated within expected duration.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

License policy-cache has expired because it was not updated within expected duration.

Event ID 5 — {Registry Hive Recovered} Registry hive (file): '.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

{Registry Hive Recovered} Registry hive (file): '%3' was corrupted and it has been recovered. Some data might have been lost.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 6 — An I/O operation initiated by the Registry failed unrecoverably.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '%3'.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 7 — The system failed to open transaction log {LogFile} for hive {HivePath}.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

The system failed to open transaction log {LogFile} for hive {HivePath}. Some transactional consistency might have been lost. (Failure status {Status}; TM: {TmId}; RM: {RmId}; InternalCode: {InternalCode})

Fields

Name	Description
`LogFile`	—
`HivePath`	—
`Status`	—
`TmId`	—
`RmId`	—
`InternalCode`	—

Event ID 11 — TxR init phase for hive %2 (TM: %3, RM: %4) finished with result=%5 (Internal code=%6).

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

TxR init phase for hive %2 (TM: %3, RM: %4) finished with result=%5 (Internal code=%6).

Fields

Name	Description
`RM`	—
`ExtraStringLength`	—
`ExtraString`	—
`TmId`	—
`RmId`	—
`Status`	—
`InternalCode`	—

Event ID 12 — The operating system started at system time 1.3825413334687505e+09.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The operating system started at system time %7.

Fields

Name	Description
`MajorVersion`	—
`MinorVersion`	—
`BuildVersion`	—
`QfeVersion`	—
`ServiceVersion`	—
`BootMode`	—
`StartTime`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 12
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 9223372036854775936
  time_created: '2023-11-06T06:24:56.248018+00:00'
  event_record_id: 1624
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  MajorVersion: 10
  MinorVersion: 0
  BuildVersion: 22621
  QfeVersion: 2428
  ServiceVersion: 0
  BootMode: 0
  StartTime: '2023-11-06T06:24:49.500000Z'
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 13 — The operating system is shutting down at system time StopTime.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The operating system is shutting down at system time %1.

Fields

Name	Description
`StopTime`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 13
  version: 0
  level: 4
  task: 2
  opcode: 0
  keywords: 9223372036854775936
  time_created: '2023-11-06T06:23:42.448179+00:00'
  event_record_id: 1623
  correlation: {}
  execution:
    process_id: 4
    thread_id: 388
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  StopTime: '2023-11-06T06:23:42.448171Z'
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 14 —

Provider: Microsoft-Windows-Kernel-General
Channel: Operational

Fields

Name	Description
`Mode`	—
`ObjectType`	—
`ObjectName`	—
`ProcessName`	—
`ObjectCreatorProcessName`	—
`AccessMask`	—
`TokenType`	—
`ImpersonationLevel`	—
`SessionId`	—
`LowBoxNumber`	—
`TokenGroupsCount`	—
`TokenGroups`	—
`TokenPackageCount`	—
`TokenPackage`	—
`TokenCapabilityCount`	—
`TokenCapabilities`	—
`TokenTrustLevelCount`	—
`TokenTrustLevel`	—
`SecurityDescriptorRevision`	—
`SecurityDescriptorControl`	—
`SecurityDescriptorOwner`	—
`SecurityDescriptorGroup`	—
`DaclRevision`	—
`DaclAceCount`	—
`DaclAce`	—
`SaclRevision`	—
`SaclAceCount`	—
`SaclAce`	—

Event ID 15 — Hive %2 was reorganized with a starting size of %3 bytes and an ending size of %4 bytes.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

Hive %2 was reorganized with a starting size of %3 bytes and an ending size of %4 bytes.

Fields

Name	Description
`HiveNameLength`	—
`HiveName`	—
`OriginalSize`	—
`NewSize`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 15
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:23:38.372509+00:00'
  event_record_id: 1618
  correlation: {}
  execution:
    process_id: 1416
    thread_id: 1420
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  HiveNameLength: 52
  HiveName: \??\C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
  OriginalSize: 11767808
  NewSize: 10665984
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 16 — The access history in hive %2 was cleared updating %3 keys and creating %4 modified pages.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The access history in hive %2 was cleared updating %3 keys and creating %4 modified pages.

Fields

Name	Description
`HiveNameLength`	—
`HiveName`	—
`KeysUpdated`	—
`DirtyPages`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 16
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:49.389450+00:00'
  event_record_id: 1705
  correlation: {}
  execution:
    process_id: 3584
    thread_id: 3588
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  HiveNameLength: 85
  HiveName: \??\C:\ProgramData\Microsoft\Provisioning\Microsoft-Desktop-Provisioning-Sequence.dat
  KeysUpdated: 0
  DirtyPages: 0
message: ''

Sigma Rules

Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 17 —

Provider: Microsoft-Windows-Kernel-General
Channel: Operational

Fields

Name	Description
`ActionName`	—
`ProcessName`	—
`AccountName`	—
`AuthorityName`	—
`TokenId`	—
`AuthenticationId`	—
`TokenType`	—
`ImpersonationLevel`	—
`TokenFlags`	—
`SidValuesReferenceCount`	—
`SidValuesCount`	—
`SidValues`	—
`SharedSidValuesReferenceCount`	—
`SharedSidValuesCount`	—
`SharedSidValues`	—

Event ID 18 — The operating system is starting after soft restart.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

The operating system is starting after soft restart.

Fields

Name	Description
`TransitionStartTime`	—
`CurrentTime`	—
`SoftRestartCount`	—
`BugcheckRecovery`	—

Event ID 19 —

Provider: Microsoft-Windows-Kernel-General
Channel: Operational

Fields

Name	Description
`MmPhase0Start`	—
`MmPhase0Stop`	—
`Phase1Start`	—
`KsrExtensionStart`	—
`KsrExtensionStop`	—
`StartProcessorsStart`	—
`StartProcessorsStop`	—
`AutoLoggerInitStart`	—
`AutoLoggerInitStop`	—
`MmPhase1Start`	—
`MmPhase1Stop`	—
`HalPhase0StartCycleTime`	—
`HalPhase0StopCycleTime`	—
`MmMark`	—

Event ID 20 — The leap second configuration has been updated.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The leap second configuration has been updated.
Reason: %1
Leap seconds enabled: %2
New leap second count: %3
Old leap second count: %4

Fields

Name	Description
`UpdateReason`	Reason.
`EnabledNew`	Leap seconds enabled.
`CountNew`	New leap second count.
`CountOld`	Old leap second count.

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 20
  version: 0
  level: 4
  task: 6
  opcode: 0
  keywords: 9223372036854775824
  time_created: '2023-11-06T06:24:56.378127+00:00'
  event_record_id: 1634
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  UpdateReason: 0
  EnabledNew: true
  CountNew: 0
  CountOld: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 21 — Failed to update leap second data from the registry.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

Failed to update leap second data from the registry. Reason: %1

Fields

Name	Description
`FailureResult`	—

Event ID 22 — The time zone bias has changed to %1 from %2.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The time zone bias has changed to %1 from %2.

Fields

Name	Description
`NewBias`	—
`OldBias`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 22
  version: 0
  level: 4
  task: 8
  opcode: 0
  keywords: 9223372036854775824
  time_created: '2022-04-04T07:40:07.884201+00:00'
  event_record_id: 719
  correlation: {}
  execution:
    process_id: 1080
    thread_id: 1208
  channel: System
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-18
event_data:
  NewBias: 420
  OldBias: 480
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 23 —

Provider: Microsoft-Windows-Kernel-General
Channel: Operational

Fields

Name	Description
`VsmCleanupTime`	—
`Mark0`	—
`Mark1`	—
`Mark2`	—
`Mark3`	—
`Mark4`	—
`Mark5`	—
`Mark6`	—
`Mark7`	—
`VsmCleanupTimeFrequency`	—

Event ID 24 — The time zone information was refreshed with exit reason %1.

Provider: Microsoft-Windows-Kernel-General
Channel: System
Level: 4
Samples: 1

Message

The time zone information was refreshed with exit reason %1. Current time zone bias is %2.

Fields

Name	Description
`ExitReason`	—
`CurrentBias`	—
`CurrentTimeZoneID`	—
`TimeZoneInfoCacheUpdated`	—
`FirstRefresh`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-General
  guid: A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D
  event_source_name: ''
  event_id: 24
  version: 0
  level: 4
  task: 11
  opcode: 0
  keywords: 9223372036854775824
  time_created: '2023-11-06T06:25:25.525777+00:00'
  event_record_id: 1652
  correlation: {}
  execution:
    process_id: 100
    thread_id: 520
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ExitReason: 0
  CurrentBias: 480
  CurrentTimeZoneID: 1
  TimeZoneInfoCacheUpdated: 0
  FirstRefresh: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 25 — The system time was initialized to %1.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

The system time was initialized to %1. 

Loader time: %2
Internal boot flags: %3
HAL RTC error code: %4
RTC time is in UTC: %5
Soft boot: %6
Success: %7
Phase: %8

Fields

Name	Description
`SystemTime`	—
`LoaderTime`	—
`InternalBootFlags`	—
`HalRtcErrorCode`	—
`RealTimeIsUniversal`	—
`IsSoftBoot`	—
`Success`	—
`Phase`	—

Event ID 26 —

Provider: Microsoft-Windows-Kernel-General
Channel: Operational

Fields

Name	Description
`ProcessName`	—
`PackageSid`	—

Event ID 26 — Token information was queried for TokenIsAppContainer.

Provider: Microsoft-Windows-Kernel-General
Channel: System

Message

Token information was queried for TokenIsAppContainer.

Fields

Name	Description
`ProcessName`	—
`PackageSid`	—