Microsoft-Windows-Privacy-Auditing

33 events across 1 channel

Event ID	Title	Channel
1000	Allow access to %12 on this device setting has successfully changed from %4 to …	Operational
1001	Allow access to %12 on this device setting has failed to change by %2.	Operational
1002	Allow apps to access your %12 setting for user %8 successfully changed from %4 …	Operational
1003	Allow apps to access your %12 setting for user %8 failed to change by %2.	Operational
1004	User %8 setting for allow app %10 access to %12 successfully changed from %4 to …	Operational
1005	User %8 setting for allow app %10 access to %12 failed to change by %2.	Operational
1006	Allow access to %6 on this device default setting successfully created as %1.	Operational
1007	Allow access to %6 on this device default setting failed creation.	Operational
1008	Allow apps to access your %6 setting default for user %2 successfully created as …	Operational
1009	Allow apps to access your %6 setting default for user %2 failed creation.	Operational
1010	User %2 setting for allow app %4 access to %6 default successfully created as …	Operational
1011	User %2 setting for allow app %4 access to %6 default failed creation.	Operational
1012	During app %3 installation setting %5 default set for user %2 as %1.	Operational
1013	During app %3 installation setting %5 default failed to be set.	Operational
1014	User %2 answered prompt successfully for capability %6 and app %4.	Operational
1015	User %2 could not be prompted for capability %6 and app %4.	Operational
1016	During app %3 installation for user %2, secondary setup for capability %5 with …	Operational
1017	During app %3 installation for user %2, secondary setup for capability %5 with …	Operational
1018	Compliance database successfully created at version %1.	Operational
1019	Compliance database could not be created at version %1.	Operational
1020	Database schema was successfully migrated in %3 UTC (unit 100NS).	Operational
1021	Database could not be migrated.	Operational
1022	Database was successfully recovered in %4 UTC (unit 100NS) - old data was lost.	Operational
1023	Database recovery could not be completed, database is in an unhealthy state.	Operational
1024	Package %2 for user %1 successfully deprovisioned.	Operational
1025	Consent for Package %2 and User %1 has been deemed invalid for capability %3.	Operational
1026	Settings Database was successfully recovered - ALL SETTINGS DATA was lost.	Operational
1027	Settings Database recovery could not be completed, database is in an unhealthy …	Operational
1028	Settings Database is in a corrupt state due to major version mismatch.	Operational
1029	Settings database successfully created at version %1.	Operational
1030	Settings database could not be created at version %1.	Operational
1031	Settings Database schema was successfully migrated.	Operational
1032	Settings Database could not be migrated.	Operational

Event ID 1000 — Allow access to %12 on this device setting has successfully changed from %4 to %5 by %2.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Allow access to %12 on this device setting has successfully changed from %4 to %5 by %2.

Fields

Name	Description
`CallerUserSid`	—
`CallerProcessName`	—
`CallerAppPackageFamilyName`	—
`OldConsentValue`	—
`NewConsentValue`	—
`SetByHigherAuthority`	—
`EffectiveConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—

Event ID 1001 — Allow access to %12 on this device setting has failed to change by %2.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Allow access to %12 on this device setting has failed to change by %2.

Fields

Name	Description
`CallerUserSid`	—
`CallerProcessName`	—
`CallerAppPackageFamilyName`	—
`OldConsentValue`	—
`NewConsentValue`	—
`SetByHigherAuthority`	—
`EffectiveConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—

Event ID 1002 — Allow apps to access your %12 setting for user %8 successfully changed from %4 to %5 by %2.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Allow apps to access your %12 setting for user %8 successfully changed from %4 to %5 by %2.

Fields

Name	Description
`CallerUserSid`	—
`CallerProcessName`	—
`CallerAppPackageFamilyName`	—
`OldConsentValue`	—
`NewConsentValue`	—
`SetByHigherAuthority`	—
`EffectiveConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—

Event ID 1003 — Allow apps to access your %12 setting for user %8 failed to change by %2.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Allow apps to access your %12 setting for user %8 failed to change by %2.

Fields

Name	Description
`CallerUserSid`	—
`CallerProcessName`	—
`CallerAppPackageFamilyName`	—
`OldConsentValue`	—
`NewConsentValue`	—
`SetByHigherAuthority`	—
`EffectiveConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—

Event ID 1004 — User %8 setting for allow app %10 access to %12 successfully changed from %4 to %5 by %2.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

User %8 setting for allow app %10 access to %12 successfully changed from %4 to %5 by %2.

Fields

Name	Description
`CallerUserSid`	—
`CallerProcessName`	—
`CallerAppPackageFamilyName`	—
`OldConsentValue`	—
`NewConsentValue`	—
`SetByHigherAuthority`	—
`EffectiveConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—

Event ID 1005 — User %8 setting for allow app %10 access to %12 failed to change by %2.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

User %8 setting for allow app %10 access to %12 failed to change by %2.

Fields

Name	Description
`CallerUserSid`	—
`CallerProcessName`	—
`CallerAppPackageFamilyName`	—
`OldConsentValue`	—
`NewConsentValue`	—
`SetByHigherAuthority`	—
`EffectiveConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—

Event ID 1006 — Allow access to %6 on this device default setting successfully created as %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: 4
Samples: 1

Message

Allow access to %6 on this device default setting successfully created as %1.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—
`Suppressed`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing
  guid: D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62
  event_source_name: ''
  event_id: 1006
  version: 0
  level: 4
  task: 20
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-10-25T21:24:02.614760+00:00'
  event_record_id: 42
  correlation: {}
  execution:
    process_id: 2376
    thread_id: 6016
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  NewConsentValue: Allow
  TargetUserSid: 'NULL'
  ConsentID: 'NULL'
  AppPackageFamilyName: 'NULL'
  HResult: '0x0'
  SettingName: wiFiDirect
  Migrated: false
  Suppressed: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1007 — Allow access to %6 on this device default setting failed creation.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Allow access to %6 on this device default setting failed creation.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—
`Suppressed`	—

Event ID 1008 — Allow apps to access your %6 setting default for user %2 successfully created as %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: 4
Samples: 1

Message

Allow apps to access your %6 setting default for user %2 successfully created as %1.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—
`Suppressed`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing
  guid: D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62
  event_source_name: ''
  event_id: 1008
  version: 0
  level: 4
  task: 20
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2023-11-05T22:37:47.009514+00:00'
  event_record_id: 160
  correlation: {}
  execution:
    process_id: 5264
    thread_id: 4196
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  NewConsentValue: Allow
  TargetUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
  ConsentID: ''
  AppPackageFamilyName: 'NULL'
  HResult: '0x0'
  SettingName: microphone
  Migrated: false
  Suppressed: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1009 — Allow apps to access your %6 setting default for user %2 failed creation.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Allow apps to access your %6 setting default for user %2 failed creation.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—
`Suppressed`	—

Event ID 1010 — User %2 setting for allow app %4 access to %6 default successfully created as %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: 4
Samples: 1

Message

User %2 setting for allow app %4 access to %6 default successfully created as %1.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—
`Suppressed`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing
  guid: D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62
  event_source_name: ''
  event_id: 1010
  version: 0
  level: 4
  task: 20
  opcode: 0
  keywords: 9223372036854775812
  time_created: '2023-11-05T22:37:51.451442+00:00'
  event_record_id: 161
  correlation: {}
  execution:
    process_id: 5264
    thread_id: 5356
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  NewConsentValue: Allow
  TargetUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
  ConsentID: ''
  AppPackageFamilyName: MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy
  HResult: '0x0'
  SettingName: location
  Migrated: false
  Suppressed: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1011 — User %2 setting for allow app %4 access to %6 default failed creation.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

User %2 setting for allow app %4 access to %6 default failed creation.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—
`Suppressed`	—

Event ID 1012 — During app %3 installation setting %5 default set for user %2 as %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: 4
Samples: 1

Message

During app %3 installation setting %5 default set for user %2 as %1.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing
  guid: D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62
  event_source_name: ''
  event_id: 1012
  version: 0
  level: 4
  task: 30
  opcode: 0
  keywords: 9223372036854775812
  time_created: '2023-11-05T22:33:54.035083+00:00'
  event_record_id: 159
  correlation:
    ActivityID: E4DB489E-1037-0000-5D8E-DBE43710DA01
  execution:
    process_id: 5264
    thread_id: 5356
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  NewConsentValue: Allow
  TargetUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
  AppPackageFamilyName: Microsoft.549981C3F5F10_8wekyb3d8bbwe
  HResult: '0x0'
  SettingName: microphone
  Migrated: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1013 — During app %3 installation setting %5 default failed to be set.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: 2
Samples: 1

Message

During app %3 installation setting %5 default failed to be set.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`AppPackageFamilyName`	—
`HResult`	—
`SettingName`	—
`Migrated`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing
  guid: D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62
  event_source_name: ''
  event_id: 1013
  version: 0
  level: 2
  task: 30
  opcode: 0
  keywords: 9223372036854775876
  time_created: '2022-04-07T16:48:29.235595+00:00'
  event_record_id: 35
  correlation:
    ActivityID: DD7B0B6A-4A9E-0001-6F24-7BDD9E4AD801
  execution:
    process_id: 3104
    thread_id: 1276
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  NewConsentValue: Allow
  TargetUserSid: S-1-5-21-2121334350-1110938707-2888912545-500
  AppPackageFamilyName: Microsoft.Windows.Search_cw5n1h2txyewy
  HResult: '0x8000ffff'
  SettingName: wifiData
  Migrated: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1014 — User %2 answered prompt successfully for capability %6 and app %4.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

User %2 answered prompt successfully for capability %6 and app %4. Response was %1.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppID`	—
`HResult`	—
`SettingName`	—
`AutoAccepted`	—
`FileID`	—
`ProgramID`	—

Event ID 1015 — User %2 could not be prompted for capability %6 and app %4.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

User %2 could not be prompted for capability %6 and app %4.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`ConsentID`	—
`AppID`	—
`HResult`	—
`SettingName`	—
`AutoAccepted`	—
`FileID`	—
`ProgramID`	—

Event ID 1016 — During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 was successfully completed.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 was successfully completed.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`AppPackageFamilyName`	—
`HResult`	—
`Capability`	—

Event ID 1017 — During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 failed with error code %4.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 failed with error code %4.

Fields

Name	Description
`NewConsentValue`	—
`TargetUserSid`	—
`AppPackageFamilyName`	—
`HResult`	—
`Capability`	—

Event ID 1018 — Compliance database successfully created at version %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Compliance database successfully created at version %1. Creation took %2 UTC (unit 100NS)

Fields

Name	Description
`DatabaseVersion`	—
`Duration`	—
`HResult`	—

Event ID 1019 — Compliance database could not be created at version %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Compliance database could not be created at version %1. Result code: %3

Fields

Name	Description
`DatabaseVersion`	—
`Duration`	—
`HResult`	—

Event ID 1020 — Database schema was successfully migrated in %3 UTC (unit 100NS).

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Database schema was successfully migrated in %3 UTC (unit 100NS). Old Version: %1. New Version %2

Fields

Name	Description
`OldDatabaseVersion`	—
`NewDatabaseVersion`	—
`Duration`	—
`HResult`	—

Event ID 1021 — Database could not be migrated.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Database could not be migrated. Old Version: %1. New Version: %2. Result code: %4

Fields

Name	Description
`OldDatabaseVersion`	—
`NewDatabaseVersion`	—
`Duration`	—
`HResult`	—

Event ID 1022 — Database was successfully recovered in %4 UTC (unit 100NS) - old data was lost.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Database was successfully recovered in %4 UTC (unit 100NS) - old data was lost. Old database version: %1. Runtime version: %2. Justification string: %3

Fields

Name	Description
`DatabaseVersion`	—
`RuntimeVersion`	—
`Justification`	—
`Duration`	—
`HResult`	—

Event ID 1023 — Database recovery could not be completed, database is in an unhealthy state.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Database recovery could not be completed, database is in an unhealthy state. Database version: %1. Runtime version: %2. Justification string: %3. Result code: %5

Fields

Name	Description
`DatabaseVersion`	—
`RuntimeVersion`	—
`Justification`	—
`Duration`	—
`HResult`	—

Event ID 1024 — Package %2 for user %1 successfully deprovisioned.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Package %2 for user %1 successfully deprovisioned

Fields

Name	Description
`UserSid`	—
`AppPackageFamilyName`	—

Event ID 1025 — Consent for Package %2 and User %1 has been deemed invalid for capability %3.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Consent for Package %2 and User %1 has been deemed invalid for capability %3. Removing consent. Justification: %4

Fields

Name	Description
`UserSid`	—
`AppPackageFamilyName`	—
`Capability`	—
`Justification`	—

Event ID 1026 — Settings Database was successfully recovered - ALL SETTINGS DATA was lost.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings Database was successfully recovered - ALL SETTINGS DATA was lost. Runtime version: %1. Context string: %2

Fields

Name	Description
`RuntimeVersion`	—
`ContextString`	—
`HResult`	—

Event ID 1027 — Settings Database recovery could not be completed, database is in an unhealthy state.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings Database recovery could not be completed, database is in an unhealthy state. Runtime version: %1. Context string: %2. Result code: %3

Fields

Name	Description
`RuntimeVersion`	—
`ContextString`	—
`HResult`	—

Event ID 1028 — Settings Database is in a corrupt state due to major version mismatch.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings Database is in a corrupt state due to major version mismatch. Runtime expects major version: %1, database major version: %2

Fields

Name	Description
`RuntimeMajorVersion`	—
`DatabaseMajorVersion`	—

Event ID 1029 — Settings database successfully created at version %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings database successfully created at version %1

Fields

Name	Description
`DatabaseVersion`	—
`HResult`	—

Event ID 1030 — Settings database could not be created at version %1.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings database could not be created at version %1. Result code: %2

Fields

Name	Description
`DatabaseVersion`	—
`HResult`	—

Event ID 1031 — Settings Database schema was successfully migrated.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings Database schema was successfully migrated. Old Version: %1. New Version %2

Fields

Name	Description
`OldDatabaseVersion`	—
`NewDatabaseVersion`	—
`HResult`	—

Event ID 1032 — Settings Database could not be migrated.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational

Message

Settings Database could not be migrated. Old Version: %1. New Version: %2. Result code: %3

Fields

Name	Description
`OldDatabaseVersion`	—
`NewDatabaseVersion`	—
`HResult`	—