detection.wiki

Microsoft-Windows-LoadPerf › Event 1001

Event ID 1001 — Performance counters for the WmiApRpl!

Provider
Microsoft-Windows-LoadPerf
Channel
Application
Level
Informational

Description

Performance counters for the () service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Message #

Performance counters for the %1 (%2) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Fields #

NameDescription
EventXML.param1
EventXML.param2
EventXML.binaryDataSize
EventXML.binaryData

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-LoadPerf",
    "guid": "122EE297-BB47-41AE-B265-1CA8D1886D40",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:59:10.681381+00:00",
    "event_record_id": 206,
    "correlation": {},
    "execution": {
      "process_id": 4204,
      "thread_id": 4208
    },
    "channel": "Application",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "param1": "WmiApRpl",
      "param2": "WmiApRpl",
      "binaryDataSize": 12,
      "binaryData": "7CgAAO0oAADSBQAA"
    }
  },
  "message": "Performance counters for the WmiApRpl!s! (WmiApRpl!s!) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries."
}

References #