Microsoft-Windows-Kernel-ShimEngine

21 events across 3 channels

Event ID	Title	Channel
1		Debug
2		Debug
3	%3 shim(s) were applied to driver [%1].	Operational
4	Flags [.	Operational
5		Operational
6		Operational
10		Diagnostic
11		Diagnostic
12		Diagnostic
13		Diagnostic
14		Diagnostic
15		Diagnostic
16		Diagnostic
17		Diagnostic
18		Diagnostic
19		Diagnostic
20		Diagnostic
21		Diagnostic
22		Diagnostic
23		Diagnostic
24		Diagnostic

Event ID 1 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Debug

Fields

Name	Description
`EventId`	—
`DebugMessage`	—

Event ID 2 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Debug

Fields

Name	Description
`EventId`	—
`DebugMessage`	—

Event ID 3 — %3 shim(s) were applied to driver [%1].

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Operational
Level: 4
Samples: 1

Message

%3 shim(s) were applied to driver [%1].

Shim(s) source: %2.

Shim GUID(s): %4.

Fields

Name	Description
`DriverName`	—
`ShimSource`	Shim(s) source.
`ShimCount`	—
`AppliedGuids`	Shim GUID(s).

Example Event

system:
  provider: Microsoft-Windows-Kernel-ShimEngine
  guid: 0BF2FB94-7B60-4B4D-9766-E82F658DF540
  event_source_name: ''
  event_id: 3
  version: 1
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:20:55.625365+00:00'
  event_record_id: 23
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Kernel-ShimEngine/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DriverName: storahci.sys
  ShimSource: 0
  ShimCount: 1
  AppliedGuids: '{434abafd-08fa-4c3d-a88d-d09a88e2ab17}'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4 — Flags [.

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Operational
Level: 4
Samples: 1

Message

Flags [%4] were applied to device [%1] - class [%2].

Flags source: %3.

Fields

Name	Description
`DeviceName`	—
`DeviceClass`	—
`FlagSource`	Flags source.
`Flags`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-ShimEngine
  guid: 0BF2FB94-7B60-4B4D-9766-E82F658DF540
  event_source_name: ''
  event_id: 4
  version: 1
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:19.963498+00:00'
  event_record_id: 27
  correlation: {}
  execution:
    process_id: 4
    thread_id: 224
  channel: Microsoft-Windows-Kernel-ShimEngine/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DeviceName: NDIS:PCI\VEN_8086&DEV_100F
  DeviceClass: NdisMp
  FlagSource: 1
  Flags: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 5 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Operational

Fields

Name	Description
`DriverName`	—
`DriverBase`	—
`DriverSize`	—
`DriverTimeStamp`	—
`DriverCheckSum`	—

Event ID 6 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Operational

Fields

Name	Description
`DriverObject`	—
`DriverBase`	—

Event ID 10 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverName`	—
`DriverBase`	—
`DriverSize`	—
`DriverTimeStamp`	—
`DriverCheckSum`	—

Event ID 11 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`DriverBase`	—

Event ID 12 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverBase`	—
`DriverSize`	—
`DriverObject`	—
`Pdo`	—
`Status`	—
`ServiceName`	—
`HardwareId`	—

Event ID 13 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`Address`	—
`Caller`	—
`Type`	—
`Size`	—
`Tag`	—

Event ID 14 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`Address`	—
`Caller`	—
`Tag`	—

Event ID 15 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—

Event ID 16 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`DeviceType`	—
`DeviceCharacteristics`	—
`Exclusive`	—
`Status`	—

Event ID 17 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`MajorCode`	—
`Status`	—

Event ID 18 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`MinorCode`	—
`Status`	—

Event ID 19 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`Status`	—

Event ID 20 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`Status`	—

Event ID 21 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`MinorCode`	—
`PowerType`	—
`PowerState`	—
`Status`	—

Event ID 22 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`MinorCode`	—
`PowerType`	—
`PowerState`	—
`Status`	—

Event ID 23 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`MinorCode`	—
`PowerState`	—
`Status`	—

Event ID 24 —

Provider: Microsoft-Windows-Kernel-ShimEngine
Channel: Diagnostic

Fields

Name	Description
`DriverObject`	—
`Fdo`	—
`Irp`	—
`Status`	—