Microsoft-Windows-ProcessExitMonitor
4 events across 2 channels
| Event ID | Title | Channel |
|---|---|---|
| 3000 | The process '. | Application |
| 3001 | The process '. | Application |
| 1073744824 | The process '. | Operational |
| 1073744825 | The process '. | Operational |
Event ID 3000 — The process '.
Message
Fields
| Name | Description |
|---|---|
| param1 | — |
| param2 | — |
| param3 | — |
| ExitingProcessId | — |
Event ID 3001 — The process '.
Message
Fields
| Name | Description |
|---|---|
| param1 | — |
| param2 | — |
| param3 | — |
| param4 | — |
| ExitingProcessId | — |
| InitiatingProcessId | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-ProcessExitMonitor
  guid: '{FD771D53-8492-4057-8E35-8C02813AF49B}'
  event_source_name: Process Exit Monitor
  event_id: 3001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2021-06-09T04:58:49.287418Z'
  event_record_id: 32887
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-21-3461203602-4096304019-2269080069-1000
event_data:
  param1: C:\Windows\System32\lsass.exe
  param2: C:\Users\IEUser\Desktop\LsassSilentProcessExit.exe
  param3: '0'
  param4: 01d75d3714c3280e
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1073744824 — The process '.
Message
Fields
| Name | Description |
|---|---|
| param1 | — |
| param2 | — |
| param3 | — |
| ExitingProcessId | — |
Event ID 1073744825 — The process '.
Message
Fields
| Name | Description |
|---|---|
| param1 | — |
| param2 | — |
| param3 | — |
| param4 | — |
| ExitingProcessId | — |
| InitiatingProcessId | — |