Microsoft-Windows-Kernel-ShimEngine
21 events across 3 channels (Debug, Operational, Diagnostic)
| Event ID | Title | Channel |
|---|---|---|
| 1 | | Debug |
| 2 | | Debug |
| 3 | ShimCount shim(s) were applied to driver [DriverName]. | Operational |
| 4 | Flags [Flags] were applied to device [DeviceName] - class [DeviceClass]. | Operational |
| 5 | | Operational |
| 6 | | Operational |
| 10 | | Diagnostic |
| 11 | | Diagnostic |
| 12 | | Diagnostic |
| 13 | | Diagnostic |
| 14 | | Diagnostic |
| 15 | | Diagnostic |
| 16 | | Diagnostic |
| 17 | | Diagnostic |
| 18 | | Diagnostic |
| 19 | | Diagnostic |
| 20 | | Diagnostic |
| 21 | | Diagnostic |
| 22 | | Diagnostic |
| 23 | | Diagnostic |
| 24 | | Diagnostic |
Event ID 1
Fields
| Name | Type | Description |
|---|---|---|
| EventId | UInt32 | — |
| DebugMessage | AnsiString | — |
Event ID 2
Fields
| Name | Type | Description |
|---|---|---|
| EventId | UInt32 | — |
| DebugMessage | AnsiString | — |
Event ID 3 — ShimCount shim(s) were applied to driver [DriverName].
Description
ShimCount shim(s) were applied to driver [DriverName].
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| ShimSource | UInt32 | Shim(s) source. |
| ShimCount | UInt32 | — |
| AppliedGuids | UnicodeString | Shim GUID(s). |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-ShimEngine",
    "guid": "0BF2FB94-7B60-4B4D-9766-E82F658DF540",
    "event_source_name": "",
    "event_id": 3,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:20:55.625365+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-ShimEngine/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DriverName": "storahci.sys",
    "ShimSource": 0,
    "ShimCount": 1,
    "AppliedGuids": "{434abafd-08fa-4c3d-a88d-d09a88e2ab17}"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4 — Flags [Flags] were applied to device [DeviceName] - class [DeviceClass].
Description
Flags [Flags] were applied to device [DeviceName] - class [DeviceClass].
Fields
| Name | Type | Description |
|---|---|---|
| DeviceName | UnicodeString | — |
| DeviceClass | UnicodeString | — |
| FlagSource | UInt32 | Flags source. |
| Flags | UInt64 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-ShimEngine",
    "guid": "0BF2FB94-7B60-4B4D-9766-E82F658DF540",
    "event_source_name": "",
    "event_id": 4,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:19.963498+00:00",
    "event_record_id": 27,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 224
    },
    "channel": "Microsoft-Windows-Kernel-ShimEngine/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceName": "NDIS:PCI\\VEN_8086&DEV_100F",
    "DeviceClass": "NdisMp",
    "FlagSource": 1,
    "Flags": 1
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| DriverBase | Pointer | — |
| DriverSize | UInt32 | — |
| DriverTimeStamp | UInt32 | — |
| DriverCheckSum | UInt32 | — |
Event ID 6
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| DriverBase | Pointer | — |
Event ID 10
Fields
| Name | Type | Description |
|---|---|---|
| DriverName | UnicodeString | — |
| DriverBase | Pointer | — |
| DriverSize | UInt32 | — |
| DriverTimeStamp | UInt32 | — |
| DriverCheckSum | UInt32 | — |
Event ID 11
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| DriverBase | Pointer | — |
Event ID 12
Fields
| Name | Type | Description |
|---|---|---|
| DriverBase | Pointer | — |
| DriverSize | UInt32 | — |
| DriverObject | Pointer | — |
| Pdo | Pointer | — |
| Status | UInt32 | NTSTATUS reference |
| ServiceName | UnicodeString | — |
| HardwareId | UnicodeString | — |
Event ID 13
Fields
| Name | Type | Description |
|---|---|---|
| Address | Pointer | — |
| Caller | Pointer | — |
| Type | UInt32 | — |
| Size | Pointer | — |
| Tag | UInt32 | — |
Event ID 14
Fields
| Name | Type | Description |
|---|---|---|
| Address | Pointer | — |
| Caller | Pointer | — |
| Tag | UInt32 | — |
Event ID 15
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
Event ID 16
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| DeviceType | UInt32 | — |
| DeviceCharacteristics | UInt32 | — |
| Exclusive | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 17
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| MajorCode | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 18
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| MinorCode | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 19
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 20
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 21
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| MinorCode | UInt32 | — |
| PowerType | UInt32 | — |
| PowerState | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 22
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| MinorCode | UInt32 | — |
| PowerType | UInt32 | — |
| PowerState | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 23
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| MinorCode | UInt32 | — |
| PowerState | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 24
Fields
| Name | Type | Description |
|---|---|---|
| DriverObject | Pointer | — |
| Fdo | Pointer | — |
| Irp | Pointer | — |
| Status | UInt32 | NTSTATUS reference |