Event ID 16 — The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.
Description
The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.
Message
Fields
| Name | Type | Description |
|---|---|---|
| HiveNameLength | UInt16 | — |
| HiveName | UnicodeString | — |
| KeysUpdated | UInt32 | — |
| DirtyPages | UInt32 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:49.389450+00:00",
    "event_record_id": 1705,
    "correlation": {},
    "execution": {
      "process_id": 3584,
      "thread_id": 3588
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HiveNameLength": 85,
    "HiveName": "\\??\\C:\\ProgramData\\Microsoft\\Provisioning\\Microsoft-Desktop-Provisioning-Sequence.dat",
    "KeysUpdated": 0,
    "DirtyPages": 0
  },
  "message": ""
}
```
Detection Rules
Sigma
- Critical Hive In Suspicious Location Access Bits Cleared (level: high): Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in a temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
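The triage logic described by that rule, as an added example that is not part of the original page or of the Sigma rule itself: it filters Event ID 16 records for a system-like hive name under a temp path, and also sanity-checks that HiveNameLength matches the character count of HiveName (true for the page's example event). The lists of hive names and temp-path markers are assumptions, not the rule's exact selection.

```python
# Assumed lists (not taken from the Sigma rule): hive base names that look like
# system hives, and path fragments that indicate a temp directory.
SYSTEM_LIKE_HIVES = {"sam", "security", "system", "software", "default", "ntuser.dat"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def hive_name_consistent(event: dict) -> bool:
    """HiveNameLength should equal the number of characters in HiveName."""
    data = event.get("event_data", {})
    return data.get("HiveNameLength") == len(data.get("HiveName", ""))


def is_suspicious_hive_event(event: dict) -> bool:
    """True for a Kernel-General Event ID 16 naming a system-like hive in a temp path."""
    system = event.get("system", {})
    if system.get("provider") != "Microsoft-Windows-Kernel-General" or system.get("event_id") != 16:
        return False
    path = event.get("event_data", {}).get("HiveName", "").lower().replace("/", "\\")
    base_name = path.rsplit("\\", 1)[-1]           # last path component, e.g. "sam"
    in_temp = any(marker in path for marker in TEMP_MARKERS)
    return in_temp and base_name in SYSTEM_LIKE_HIVES


def triage(events: list) -> list:
    """Return the HiveName of every event that matches the suspicious pattern."""
    return [e["event_data"]["HiveName"] for e in events if is_suspicious_hive_event(e)]


def _event(hive_name: str) -> dict:
    """Build a minimal constructed Event ID 16 record around a hive path."""
    return {
        "system": {"provider": "Microsoft-Windows-Kernel-General", "event_id": 16},
        "event_data": {"HiveNameLength": len(hive_name), "HiveName": hive_name,
                       "KeysUpdated": 0, "DirtyPages": 0},
    }


# Constructed sample events: the page's own benign example, plus two hypothetical ones.
SAMPLE_EVENTS = [
    _event("\\??\\C:\\ProgramData\\Microsoft\\Provisioning\\Microsoft-Desktop-Provisioning-Sequence.dat"),
    _event("\\??\\C:\\Windows\\Temp\\SAM"),                       # system-like name in temp: flag
    _event("\\??\\C:\\Users\\u\\AppData\\Local\\Temp\\cache.dat"),  # temp, but not a system-like name
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```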
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline