Microsoft-Windows-Privacy-Auditing-CPSS

12 events across 1 channel

Event ID	Title	Channel
1000	The System Setting {(%9) (%10) (%11)} owned by %8 was changed from %4 to %5 by …	Operational
1001	%2 failed to change the System Setting {(%9) (%10) (%11)} owned by %8.	Operational
1002	The User Setting {(%9) (%10) (%11)} for user %6 owned by %8 was changed from %4 …	Operational
1003	%2 failed to change the User Setting {(%9) (%10) (%11)} for user %6 owned by %8.	Operational
1004	The System Setting {(%8) (%9) (%10)} owned by %7 was successfully created as %4 …	Operational
1005	%2 failed to create the System Setting {(%8) (%9) (%10)} owned by %7.	Operational
1006	The User Setting {(%8) (%9) (%10)} owned by %7 for user %5 was successfully …	Operational
1007	%2 failed to create the User Setting {(%8) (%9) (%10)} owned by %7 for user %5.	Operational
1008	The User Setting {(%7) (%8) (%9)} owned by %6 for user %5 was successfully …	Operational
1009	%2 failed to remove the User Setting {(%7) (%8) (%9)} owned by %6 for user %5.	Operational
1010	The System Setting {(%7) (%8) (%9)} owned by %6 was successfully removed by %2.	Operational
1011	%2 failed to remove the System Setting {(%7) (%8) (%9)} owned by %6.	Operational

Event ID 1000 — The System Setting {(%9) (%10) (%11)} owned by %8 was changed from %4 to %5 by %2.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational
Level: 4
Samples: 1

Message

The System Setting {(%9) (%10) (%11)} owned by %8 was changed from %4 to %5 by %2. Justification: %12.

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`OldSettingValue`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	2. Justification.
`TestCode`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing-CPSS
  guid: 15F4CD44-CA53-5422-DB17-4E76821B5A69
  event_source_name: ''
  event_id: 1000
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 9223372036854775809
  time_created: '2023-10-26T04:17:21.725904+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 2748
    thread_id: 2976
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  ProcessUserSid: S-1-5-18
  ProcessName: svchost.exe
  ProcessAppPackageFullName: ''
  OldSettingValue: 'NULL'
  NewSettingValue: 'false'
  TargetUserSid: ''
  HResult: '0x0'
  Component: TailoredExperiencesWithDiagnosticDataEnabled
  Area: Area
  SubArea: SubArea
  ID: ID
  Justification: Projection overrode CPSS value
  TestCode: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1001 — %2 failed to change the System Setting {(%9) (%10) (%11)} owned by %8.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

%2 failed to change the System Setting {(%9) (%10) (%11)} owned by %8. Justification: %12.

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`OldSettingValue`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	—
`TestCode`	—

Event ID 1002 — The User Setting {(%9) (%10) (%11)} for user %6 owned by %8 was changed from %4 to %5 by %2.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational
Level: 4
Samples: 1

Message

The User Setting {(%9) (%10) (%11)} for user %6 owned by %8 was changed from %4 to %5 by %2. Justification: %12.

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`OldSettingValue`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	2. Justification.
`TestCode`	—

Example Event

system:
  provider: Microsoft-Windows-Privacy-Auditing-CPSS
  guid: 15F4CD44-CA53-5422-DB17-4E76821B5A69
  event_source_name: ''
  event_id: 1002
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2023-11-05T22:28:55.211293+00:00'
  event_record_id: 98
  correlation: {}
  execution:
    process_id: 2748
    thread_id: 2616
  channel: Microsoft-Windows-Privacy-Auditing/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ProcessUserSid: S-1-5-18
  ProcessName: svchost.exe
  ProcessAppPackageFullName: ''
  OldSettingValue: 'NULL'
  NewSettingValue: '2'
  TargetUserSid: S-1-5-21-1992711665-1655669231-58201500-1000
  HResult: '0x0'
  Component: TailoredExperiencesWithDiagnosticDataEnabled
  Area: Area
  SubArea: SubArea
  ID: ID
  Justification: Projection overrode CPSS value
  TestCode: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1003 — %2 failed to change the User Setting {(%9) (%10) (%11)} for user %6 owned by %8.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

%2 failed to change the User Setting {(%9) (%10) (%11)} for user %6 owned by %8. Justification: %12.

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`OldSettingValue`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	—
`TestCode`	—

Event ID 1004 — The System Setting {(%8) (%9) (%10)} owned by %7 was successfully created as %4 by %2.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

The System Setting {(%8) (%9) (%10)} owned by %7 was successfully created as %4 by %2. Source: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Source`	—

Event ID 1005 — %2 failed to create the System Setting {(%8) (%9) (%10)} owned by %7.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

%2 failed to create the System Setting {(%8) (%9) (%10)} owned by %7. Source: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Source`	—

Event ID 1006 — The User Setting {(%8) (%9) (%10)} owned by %7 for user %5 was successfully created as %4 by %2.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

The User Setting {(%8) (%9) (%10)} owned by %7 for user %5 was successfully created as %4 by %2. Source: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Source`	—

Event ID 1007 — %2 failed to create the User Setting {(%8) (%9) (%10)} owned by %7 for user %5.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

%2 failed to create the User Setting {(%8) (%9) (%10)} owned by %7 for user %5. Source: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`NewSettingValue`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Source`	—

Event ID 1008 — The User Setting {(%7) (%8) (%9)} owned by %6 for user %5 was successfully removed by %2.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

The User Setting {(%7) (%8) (%9)} owned by %6 for user %5 was successfully removed by %2. Justification: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	—
`TestCode`	—

Event ID 1009 — %2 failed to remove the User Setting {(%7) (%8) (%9)} owned by %6 for user %5.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

%2 failed to remove the User Setting {(%7) (%8) (%9)} owned by %6 for user %5. Justification: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	—
`TestCode`	—

Event ID 1010 — The System Setting {(%7) (%8) (%9)} owned by %6 was successfully removed by %2.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

The System Setting {(%7) (%8) (%9)} owned by %6 was successfully removed by %2. Justification: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	—
`TestCode`	—

Event ID 1011 — %2 failed to remove the System Setting {(%7) (%8) (%9)} owned by %6.

Provider: Microsoft-Windows-Privacy-Auditing-CPSS
Channel: Operational

Message

%2 failed to remove the System Setting {(%7) (%8) (%9)} owned by %6. Justification: %11

Fields

Name	Description
`ProcessUserSid`	—
`ProcessName`	—
`ProcessAppPackageFullName`	—
`TargetUserSid`	—
`HResult`	—
`Component`	—
`Area`	—
`SubArea`	—
`ID`	—
`Justification`	—
`TestCode`	—