Microsoft-Windows-Kernel-General
24 events across 2 channels
Event ID 1 — The system time has changed to NewTime from OldTime.
Description #
The system time has changed to NewTime from OldTime.
Fields #
| Name | Type | Description |
|---|---|---|
| NewTime | FILETIME | — |
| OldTime | FILETIME | — |
| TimeDeltaInMs | Int64 | Time delta. |
| Reason | UInt32 | Change reason. |
| ProcessName | UnicodeString | — |
| ProcessID | UInt32 | — |
| CmosTime | FILETIME | RTC time. |
| TimeZoneBias | Int32 | Current time zone bias. |
| RealTimeIsUniversal | Boolean | RTC time is in UTC. |
| SystemInCmosMode | Boolean | System time was based on RTC time. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 1,
    "version": 4,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-05T22:32:22.236350+00:00",
    "event_record_id": 1943,
    "correlation": {},
    "execution": {
      "process_id": 3308,
      "thread_id": 3676
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewTime": "2023-11-05T22:32:22.232000Z",
    "OldTime": "2023-11-05T22:32:20.942615Z",
    "TimeDeltaInMs": 1289,
    "Reason": 1,
    "ProcessName": "\\Device\\HarddiskVolume4\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
    "ProcessID": 3308,
    "CmosTime": "2023-11-05T14:32:22.232000Z",
    "TimeZoneBias": 480,
    "RealTimeIsUniversal": false,
    "SystemInCmosMode": false
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2 — License policy-cache corruption detected.
Description #
License policy-cache corruption detected.
Event ID 3 — License policy-cache corruption has been fixed.
Description #
License policy-cache corruption has been fixed.
Event ID 4 — License policy-cache has expired because it was not updated within expected duration.
Description #
License policy-cache has expired because it was not updated within expected duration.
Event ID 5 — {Registry Hive Recovered} Registry hive (file): 'ExtraString' was corrupted and it has been recovered.
Event ID 6 — An I/O operation initiated by the Registry failed unrecoverably.
Event ID 7 — The system failed to open transaction log {LogFile} for hive {HivePath}.
Fields #
| Name | Type | Description |
|---|---|---|
| LogFile | — | — |
| HivePath | — | — |
| Status | — | See NTSTATUS reference. |
| TmId | — | — |
| RmId | — | — |
| InternalCode | — | — |
Event ID 11 — TxR init phase for hive ExtraString (TM: TmId, RM: RmId) finished with result=Status (Internal code=InternalCode).
Description #
TxR init phase for hive ExtraString (TM: TmId, RM: RmId) finished with result=Status (Internal code=InternalCode).
Fields #
| Name | Type | Description |
|---|---|---|
| ExtraStringLength | UInt16 | — |
| ExtraString | UnicodeString | — |
| TmId | GUID | — |
| RmId | GUID | — |
| Status | HexInt32 | See NTSTATUS reference. |
| InternalCode | UInt32 | — |
| RM | — | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T02:31:13.021540+00:00",
    "event_record_id": 2588,
    "correlation": {},
    "execution": {
      "process_id": 4888,
      "thread_id": 1608
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExtraStringLength": 79,
    "ExtraString": "\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\\config\\DRIVERS",
    "TmId": "465845D7-1B56-11F1-9FBF-C6B26F270F0B",
    "RmId": "465845D6-1B56-11F1-9FBF-C6B26F270F0B",
    "Status": "0xc00000a2",
    "InternalCode": 7
  },
  "message": ""
}
```
Event ID 12 — The operating system started at system time StartTime.
Description #
The operating system started at system time StartTime.
Fields #
| Name | Type | Description |
|---|---|---|
| MajorVersion | UInt32 | — |
| MinorVersion | UInt32 | — |
| BuildVersion | UInt32 | — |
| QfeVersion | UInt32 | — |
| ServiceVersion | UInt16 | — |
| BootMode | UInt32 | — |
| StartTime | FILETIME | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775936,
    "time_created": "2023-11-06T06:24:56.248018+00:00",
    "event_record_id": 1624,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MajorVersion": 10,
    "MinorVersion": 0,
    "BuildVersion": 22621,
    "QfeVersion": 2428,
    "ServiceVersion": 0,
    "BootMode": 0,
    "StartTime": "2023-11-06T06:24:49.500000Z"
  },
  "message": ""
}
```
Event ID 13 — The operating system is shutting down at system time StopTime.
Description #
The operating system is shutting down at system time StopTime.
Fields #
| Name | Type | Description |
|---|---|---|
| StopTime | FILETIME | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775936,
    "time_created": "2023-11-06T06:23:42.448179+00:00",
    "event_record_id": 1623,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 388
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "StopTime": "2023-11-06T06:23:42.448171Z"
  },
  "message": ""
}
```
Event ID 14 —
Fields #
| Name | Type | Description |
|---|---|---|
| Mode | UnicodeString | — |
| ObjectType | UnicodeString | — |
| ObjectName | UnicodeString | — |
| ProcessName | UnicodeString | — |
| ObjectCreatorProcessName | UnicodeString | — |
| AccessMask | HexInt32 | See access mask reference. |
| TokenType | UInt32 | — |
| ImpersonationLevel | UInt32 | See known values. |
| SessionId | UInt32 | — |
| LowBoxNumber | UInt32 | — |
| TokenGroupsCount | UInt32 | — |
| TokenGroups | 28 | — |
| TokenPackageCount | UInt32 | — |
| TokenPackage | 30 | — |
| TokenCapabilityCount | UInt32 | — |
| TokenCapabilities | 31 | — |
| TokenTrustLevelCount | UInt32 | — |
| TokenTrustLevel | 33 | — |
| SecurityDescriptorRevision | UInt8 | — |
| SecurityDescriptorControl | UInt16 | — |
| SecurityDescriptorOwner | SID | — |
| SecurityDescriptorGroup | SID | — |
| DaclRevision | UInt8 | — |
| DaclAceCount | UInt16 | — |
| DaclAce | 34 | — |
| SaclRevision | UInt8 | — |
| SaclAceCount | UInt16 | — |
| SaclAce | 38 | — |
Event ID 15 — Hive HiveName was reorganized with a starting size of OriginalSize bytes and an ending size of NewSize bytes.
Description #
Hive HiveName was reorganized with a starting size of OriginalSize bytes and an ending size of NewSize bytes.
Fields #
| Name | Type | Description |
|---|---|---|
| HiveNameLength | UInt16 | — |
| HiveName | UnicodeString | — |
| OriginalSize | UInt32 | — |
| NewSize | UInt32 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:23:38.372509+00:00",
    "event_record_id": 1618,
    "correlation": {},
    "execution": {
      "process_id": 1416,
      "thread_id": 1420
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HiveNameLength": 52,
    "HiveName": "\\??\\C:\\Windows\\System32\\SMI\\Store\\Machine\\SCHEMA.DAT",
    "OriginalSize": 11767808,
    "NewSize": 10665984
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16 — The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.
Description #
The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.
Fields #
| Name | Type | Description |
|---|---|---|
| HiveNameLength | UInt16 | — |
| HiveName | UnicodeString | — |
| KeysUpdated | UInt32 | — |
| DirtyPages | UInt32 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:49.389450+00:00",
    "event_record_id": 1705,
    "correlation": {},
    "execution": {
      "process_id": 3584,
      "thread_id": 3588
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HiveNameLength": 85,
    "HiveName": "\\??\\C:\\ProgramData\\Microsoft\\Provisioning\\Microsoft-Desktop-Provisioning-Sequence.dat",
    "KeysUpdated": 0,
    "DirtyPages": 0
  },
  "message": ""
}
```
Detection Rules #
Sigma #
- Critical Hive In Suspicious Location Access Bits Cleared (level: high): Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 17 —
Fields #
| Name | Type | Description |
|---|---|---|
| ActionName | UnicodeString | — |
| ProcessName | UnicodeString | — |
| AccountName | UnicodeString | — |
| AuthorityName | UnicodeString | — |
| TokenId | HexInt64 | — |
| AuthenticationId | HexInt64 | — |
| TokenType | UInt32 | — |
| ImpersonationLevel | UInt32 | See known values. |
| TokenFlags | HexInt32 | — |
| SidValuesReferenceCount | Int64 | — |
| SidValuesCount | UInt32 | — |
| SidValues | GUID | — |
| SharedSidValuesReferenceCount | Int64 | — |
| SharedSidValuesCount | UInt32 | — |
| SharedSidValues | Pointer | — |
Event ID 18 — The operating system is starting after soft restart.
Event ID 19 —
Fields #
| Name | Type | Description |
|---|---|---|
| MmPhase0Start | UInt64 | — |
| MmPhase0Stop | UInt64 | — |
| Phase1Start | UInt64 | — |
| KsrExtensionStart | UInt64 | — |
| KsrExtensionStop | UInt64 | — |
| StartProcessorsStart | UInt64 | — |
| StartProcessorsStop | UInt64 | — |
| AutoLoggerInitStart | UInt64 | — |
| AutoLoggerInitStop | UInt64 | — |
| MmPhase1Start | UInt64 | — |
| MmPhase1Stop | UInt64 | — |
| HalPhase0StartCycleTime | UInt64 | — |
| HalPhase0StopCycleTime | UInt64 | — |
| MmMark | UInt64 | — |
Event ID 20 — The leap second configuration has been updated.
Description #
The leap second configuration has been updated.
Fields #
| Name | Type | Description |
|---|---|---|
| UpdateReason | UInt32 | Reason. |
| EnabledNew | Boolean | Leap seconds enabled. |
| CountNew | UInt32 | New leap second count. |
| CountOld | UInt32 | Old leap second count. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 20,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-06T06:24:56.378127+00:00",
    "event_record_id": 1634,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UpdateReason": 0,
    "EnabledNew": true,
    "CountNew": 0,
    "CountOld": 0
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 21 — Failed to update leap second data from the registry.
Event ID 22 — The time zone bias has changed to NewBias from OldBias.
Description #
The time zone bias has changed to NewBias from OldBias.
Fields #
| Name | Type | Description |
|---|---|---|
| NewBias | Int32 | — |
| OldBias | Int32 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 22,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": 9223372036854775824,
    "time_created": "2022-04-04T07:40:07.884201+00:00",
    "event_record_id": 719,
    "correlation": {},
    "execution": {
      "process_id": 1080,
      "thread_id": 1208
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewBias": 420,
    "OldBias": 480
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 23 —
Fields #
| Name | Type | Description |
|---|---|---|
| VsmCleanupTime | UInt64 | — |
| Mark0 | UInt64 | — |
| Mark1 | UInt64 | — |
| Mark2 | UInt64 | — |
| Mark3 | UInt64 | — |
| Mark4 | UInt64 | — |
| Mark5 | UInt64 | — |
| Mark6 | UInt64 | — |
| Mark7 | UInt64 | — |
| VsmCleanupTimeFrequency | UInt64 | — |
Event ID 24 — The time zone information was refreshed with exit reason ExitReason.
Description #
The time zone information was refreshed with exit reason ExitReason. Current time zone bias is CurrentBias.
Fields #
| Name | Type | Description |
|---|---|---|
| ExitReason | UInt32 | — |
| CurrentBias | Int32 | — |
| CurrentTimeZoneID | UInt32 | — |
| TimeZoneInfoCacheUpdated | UInt8 | — |
| FirstRefresh | UInt8 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 24,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-06T06:25:25.525777+00:00",
    "event_record_id": 1652,
    "correlation": {},
    "execution": {
      "process_id": 100,
      "thread_id": 520
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExitReason": 0,
    "CurrentBias": 480,
    "CurrentTimeZoneID": 1,
    "TimeZoneInfoCacheUpdated": 0,
    "FirstRefresh": 0
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 25 — The system time was initialized to SystemTime.
Event ID 26 —
Description #
Token information was queried for TokenIsAppContainer.
Fields #
| Name | Type | Description |
|---|---|---|
| ProcessName | UnicodeString | — |
| PackageSid | SID | — |