Description

Allow access to SettingName on this device setting has successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

Allow access to %12 on this device setting has successfully changed from %4 to %5 by %2.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 9223372036854775809,
    "time_created": "2025-12-31T19:32:58.262536+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 3728,
      "thread_id": 3820
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerUserSid": "S-1-5-18",
    "CallerProcessName": "msoobe.exe",
    "CallerAppPackageFamilyName": "",
    "OldConsentValue": "Undefined",
    "NewConsentValue": "Deny",
    "SetByHigherAuthority": false,
    "EffectiveConsentValue": "Deny",
    "TargetUserSid": "NULL",
    "ConsentID": "NULL",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "location"
  },
  "message": ""
}

Description

Allow access to SettingName on this device setting has failed to change by CallerProcessName.

Message #

Allow access to %12 on this device setting has failed to change by %2.

Fields #

Description

Allow apps to access your SettingName setting for user TargetUserSid successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

Allow apps to access your %12 setting for user %8 successfully changed from %4 to %5 by %2.

Fields #

Description

Allow apps to access your SettingName setting for user TargetUserSid failed to change by CallerProcessName.

Message #

Allow apps to access your %12 setting for user %8 failed to change by %2.

Fields #

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

User %8 setting for allow app %10 access to %12 successfully changed from %4 to %5 by %2.

Fields #

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName failed to change by CallerProcessName.

Message #

User %8 setting for allow app %10 access to %12 failed to change by %2.

Fields #

Description

Allow access to SettingName on this device default setting successfully created as NewConsentValue.

Message #

Allow access to %6 on this device default setting successfully created as %1.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T21:24:02.614760+00:00",
    "event_record_id": 42,
    "correlation": {},
    "execution": {
      "process_id": 2376,
      "thread_id": 6016
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "NULL",
    "ConsentID": "NULL",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "wiFiDirect",
    "Migrated": false,
    "Suppressed": false
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Allow access to SettingName on this device default setting failed creation.

Message #

Allow access to %6 on this device default setting failed creation.

Fields #

Description

Allow apps to access your SettingName setting default for user TargetUserSid successfully created as NewConsentValue.

Message #

Allow apps to access your %6 setting default for user %2 successfully created as %1.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1008,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775810,
    "time_created": "2023-11-05T22:37:47.009514+00:00",
    "event_record_id": 160,
    "correlation": {},
    "execution": {
      "process_id": 5264,
      "thread_id": 4196
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "ConsentID": "",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "microphone",
    "Migrated": false,
    "Suppressed": false
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Allow apps to access your SettingName setting default for user TargetUserSid failed creation.

Message #

Allow apps to access your %6 setting default for user %2 failed creation.

Fields #

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default successfully created as NewConsentValue.

Message #

User %2 setting for allow app %4 access to %6 default successfully created as %1.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1010,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2023-11-05T22:37:51.451442+00:00",
    "event_record_id": 161,
    "correlation": {},
    "execution": {
      "process_id": 5264,
      "thread_id": 5356
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "ConsentID": "",
    "AppPackageFamilyName": "MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy",
    "HResult": "0x0",
    "SettingName": "location",
    "Migrated": false,
    "Suppressed": false
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default failed creation.

Message #

User %2 setting for allow app %4 access to %6 default failed creation.

Fields #

Description

During app AppPackageFamilyName installation setting SettingName default set for user TargetUserSid as NewConsentValue.

Message #

During app %3 installation setting %5 default set for user %2 as %1.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1012,
    "version": 0,
    "level": 4,
    "task": 30,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2023-11-05T22:33:54.035083+00:00",
    "event_record_id": 159,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-5D8E-DBE43710DA01"
    },
    "execution": {
      "process_id": 5264,
      "thread_id": 5356
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "AppPackageFamilyName": "Microsoft.549981C3F5F10_8wekyb3d8bbwe",
    "HResult": "0x0",
    "SettingName": "microphone",
    "Migrated": false
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

During app AppPackageFamilyName installation setting SettingName default failed to be set.

Message #

During app %3 installation setting %5 default failed to be set.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1013,
    "version": 0,
    "level": 2,
    "task": 30,
    "opcode": 0,
    "keywords": 9223372036854775876,
    "time_created": "2022-04-07T16:48:29.235595+00:00",
    "event_record_id": 35,
    "correlation": {
      "ActivityID": "DD7B0B6A-4A9E-0001-6F24-7BDD9E4AD801"
    },
    "execution": {
      "process_id": 3104,
      "thread_id": 1276
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "S-1-5-21-2121334350-1110938707-2888912545-500",
    "AppPackageFamilyName": "Microsoft.Windows.Search_cw5n1h2txyewy",
    "HResult": "0x8000ffff",
    "SettingName": "wifiData",
    "Migrated": false
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

User TargetUserSid answered prompt successfully for capability SettingName and app AppID. Response was NewConsentValue.

Message #

User %2 answered prompt successfully for capability %6 and app %4. Response was %1.

Fields #

Description

User TargetUserSid could not be prompted for capability SettingName and app AppID.

Message #

User %2 could not be prompted for capability %6 and app %4.

Fields #

Description

During app AppPackageFamilyName installation for user TargetUserSid, secondary setup for capability Capability with initial value NewConsentValue was successfully completed.

Message #

During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 was successfully completed.

Fields #

Description

During app AppPackageFamilyName installation for user TargetUserSid, secondary setup for capability Capability with initial value NewConsentValue failed with error code HResult.

Message #

During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 failed with error code %4.

Fields #

Description

Compliance database successfully created at version DatabaseVersion. Creation took Duration UTC (unit 100NS).

Message #

Compliance database successfully created at version %1. Creation took %2 UTC (unit 100NS)

Fields #

Description

Compliance database could not be created at version DatabaseVersion. Result code: HResult.

Message #

Compliance database could not be created at version %1. Result code: %3

Fields #

Description

Database schema was successfully migrated in Duration UTC (unit 100NS). Old Version: OldDatabaseVersion. New Version NewDatabaseVersion.

Message #

Database schema was successfully migrated in %3 UTC (unit 100NS). Old Version: %1. New Version %2

Fields #

Description

Database could not be migrated. Old Version: OldDatabaseVersion. New Version: NewDatabaseVersion. Result code: HResult.

Message #

Database could not be migrated. Old Version: %1. New Version: %2. Result code: %4

Fields #

Description

Database was successfully recovered in Duration UTC (unit 100NS) - old data was lost. Old database version: DatabaseVersion. Runtime version: RuntimeVersion. Justification string: Justification.

Message #

Database was successfully recovered in %4 UTC (unit 100NS) - old data was lost. Old database version: %1. Runtime version: %2. Justification string: %3

Fields #

Description

Database recovery could not be completed, database is in an unhealthy state. Database version: DatabaseVersion. Runtime version: RuntimeVersion. Justification string: Justification. Result code: HResult.

Message #

Database recovery could not be completed, database is in an unhealthy state. Database version: %1. Runtime version: %2. Justification string: %3. Result code: %5

Fields #

Description

Package AppPackageFamilyName for user UserSid successfully deprovisioned.

Message #

Package %2 for user %1 successfully deprovisioned

Fields #

Description

Consent for Package AppPackageFamilyName and User UserSid has been deemed invalid for capability Capability. Removing consent. Justification: Justification.

Message #

Consent for Package %2 and User %1 has been deemed invalid for capability %3. Removing consent. Justification: %4

Fields #

Description

Settings Database was successfully recovered - ALL SETTINGS DATA was lost. Runtime version: RuntimeVersion. Context string: ContextString.

Message #

Settings Database was successfully recovered - ALL SETTINGS DATA was lost. Runtime version: %1. Context string: %2

Fields #

Description

Settings Database recovery could not be completed, database is in an unhealthy state. Runtime version: RuntimeVersion. Context string: ContextString. Result code: HResult.

Message #

Settings Database recovery could not be completed, database is in an unhealthy state. Runtime version: %1. Context string: %2. Result code: %3

Fields #

Description

Settings Database is in a corrupt state due to major version mismatch. Runtime expects major version: RuntimeMajorVersion, database major version: DatabaseMajorVersion.

Message #

Settings Database is in a corrupt state due to major version mismatch. Runtime expects major version: %1, database major version: %2

Fields #

Description

Settings database successfully created at version DatabaseVersion.

Message #

Settings database successfully created at version %1

Fields #

Description

Settings database could not be created at version DatabaseVersion. Result code: HResult.

Message #

Settings database could not be created at version %1. Result code: %2

Fields #

Description

Settings Database schema was successfully migrated. Old Version: OldDatabaseVersion. New Version NewDatabaseVersion.

Message #

Settings Database schema was successfully migrated. Old Version: %1. New Version %2

Fields #

Description

Settings Database could not be migrated. Old Version: OldDatabaseVersion. New Version: NewDatabaseVersion. Result code: HResult.

Message #

Settings Database could not be migrated. Old Version: %1. New Version: %2. Result code: %3

Fields #