detection.wiki

Microsoft-Windows-LiveId › Event 2024

Event ID 2024 — Operation: Operation.

Provider
Microsoft-Windows-LiveId
Channel
Operational
Level
Informational
Task
WLIDServiceOperation

Description

Operation: Operation.

Message #

Operation: %1
Details: %2
Status: %3

Fields #

NameDescription
Operation UnicodeString
Known values
%%2456
Open key file.
%%2457
Delete key file.
%%2458
Read persisted key from file.
%%2459
Write persisted key to file.
%%2464
Export of persistent cryptographic key.
%%2465
Import of persistent cryptographic key.
%%2480
Open Key.
%%2481
Create Key.
%%2482
Delete Key.
%%2483
Encrypt.
%%2484
Decrypt.
%%2485
Sign hash.
%%2486
Secret agreement.
%%2487
Domain settings.
%%2488
Local settings.
%%2489
Add provider.
%%2490
Remove provider.
%%2491
Add context.
%%2492
Remove context.
%%2493
Add function.
%%2494
Remove function.
%%2495
Add function provider.
%%2496
Remove function provider.
%%2497
Add function property.
%%2498
Remove function property.
%%2499
Machine key.
%%2500
User key.
%%2501
Key Derivation.
%%2502
Claim Creation.
%%2503
Claim Verification.
Details UnicodeString
Status HexInt32NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-LiveId",
    "guid": "05F02597-FE85-4E67-8542-69567AB8FD4F",
    "event_source_name": "",
    "event_id": 2024,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 0,
    "keywords": 4611686018427387920,
    "time_created": "2023-11-06T06:25:38.920252+00:00",
    "event_record_id": 264,
    "correlation": {},
    "execution": {
      "process_id": 1612,
      "thread_id": 1804
    },
    "channel": "Microsoft-Windows-LiveId/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Operation": "Service started",
    "Details": "The service will auto stop if no requests received for some period of time.",
    "Status": "0x0"
  },
  "message": ""
}

References #