Microsoft-Windows-RestartManager
11 events across 2 channels
| Event ID | Title | Channel |
|---|---|---|
| 10000 | Starting session 0 - 1. | Application |
| 10001 | Ending session 0 started 1. | Application |
| 10002 | Shutting down application or service 'VMware Snapshot Provider'. | Application |
| 10003 | Restarting application or service '. | Application |
| 10004 | Registering %2 file(s), %3 process(es), %4 service(s). | Operational |
| 10005 | Machine restart is required. | Application |
| 10006 | Application or service '. | Application |
| 10007 | Application or service '. | Application |
| 10008 | Restart Manager encountered an internal error. | Application |
| 10009 | Service tagging failed to find target service in process %2. | Application |
| 10010 | Application 'C:\Program Files\WindowsApps\MicrosoftWindows. | Application |
Event ID 10000 — Starting session 0 - 1.
Message
Fields
| Name | Description |
|---|---|
| RmSessionEvent.RmSessionId | — |
| RmSessionEvent.UTCStartTime | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-RestartManager
  guid: 0888E5EF-9B98-4695-979D-E92CE4247224
  event_source_name: ''
  event_id: 10000
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:15:57.318722+00:00'
  event_record_id: 1727
  correlation: {}
  execution:
    process_id: 4436
    thread_id: 7344
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
user_data:
  RmSessionEvent:
    RmSessionId: 0
    UTCStartTime: 1699226157.3092785
message: Starting session 0 - 1.6992261573092785e+09.
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 10001 — Ending session 0 started 1.
Message
Fields
| Name | Description |
|---|---|
| RmSessionEvent.RmSessionId | — |
| RmSessionEvent.UTCStartTime | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-RestartManager
  guid: 0888E5EF-9B98-4695-979D-E92CE4247224
  event_source_name: ''
  event_id: 10001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:15:56.333139+00:00'
  event_record_id: 1726
  correlation: {}
  execution:
    process_id: 4436
    thread_id: 6676
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
user_data:
  RmSessionEvent:
    RmSessionId: 0
    UTCStartTime: 1699226123.2852097
message: Ending session 0 started 1.6992261232852097e+09.
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 10002 — Shutting down application or service 'VMware Snapshot Provider'.
Message
Fields
| Name | Description |
|---|---|
| RmApplicationEvent.RmSessionId | — |
| RmApplicationEvent.FullPath | — |
| RmApplicationEvent.DisplayName | — |
| RmApplicationEvent.AppVersion | — |
| RmApplicationEvent.AppType | — |
| RmApplicationEvent.TSSessionId | — |
| RmApplicationEvent.Status | — |
| RmApplicationEvent.Pid | — |
| RmApplicationEvent.nFiles | — |
| RmApplicationEvent.Files | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-RestartManager
  guid: 0888E5EF-9B98-4695-979D-E92CE4247224
  event_source_name: ''
  event_id: 10002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:27:35.029379+00:00'
  event_record_id: 1464
  correlation: {}
  execution:
    process_id: 1520
    thread_id: 5908
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  RmApplicationEvent:
    RmSessionId: 0
    FullPath: C:\Windows\System32\dllhost.exe
    DisplayName: VMware Snapshot Provider
    AppVersion: 0
    AppType: 3
    TSSessionId: 0
    Status: 262146
    Pid: 4400
    nFiles: 0
    Files:
      File:
      - ''
message: Shutting down application or service 'VMware Snapshot Provider'.
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10003 — Restarting application or service '.
Message
Fields
| Name | Description |
|---|---|
| RmSessionId | — |
| FullPath | — |
| DisplayName | — |
| AppVersion | — |
| AppType | — |
| TSSessionId | — |
| Status | — |
| Pid | — |
| nFiles | — |
| File | — |
Event ID 10004 — Registering %2 file(s), %3 process(es), %4 service(s).
Message
Fields
| Name | Description |
|---|---|
| RmSessionId | — |
| nFiles | — |
| nRegProcs | — |
| nRegServices | — |
| Files | — |
| RegProcs | — |
| RegServices | — |
Event ID 10005 — Machine restart is required.
Message
Fields
| Name | Description |
|---|---|
| RmRestartEvent.RmSessionId | — |
| RmRestartEvent.nApplications | — |
| RmRestartEvent.Applications | — |
| RmRestartEvent.RebootReasons | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-RestartManager
  guid: 0888E5EF-9B98-4695-979D-E92CE4247224
  event_source_name: ''
  event_id: 10005
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:52:15.682048+00:00'
  event_record_id: 1604
  correlation: {}
  execution:
    process_id: 6576
    thread_id: 7344
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  RmRestartEvent:
    RmSessionId: 0
    nApplications: 1
    Applications:
      Application:
      - Widgets
    RebootReasons: 2
message: Machine restart is required.
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 10006 — Application or service '.
Message
Fields
| Name | Description |
|---|---|
| RmSessionId | — |
| FullPath | — |
| DisplayName | — |
| AppVersion | — |
| AppType | — |
| TSSessionId | — |
| Status | — |
| Pid | — |
| nFiles | — |
| File | — |
Event ID 10007 — Application or service '.
Message
Fields
| Name | Description |
|---|---|
| RmSessionId | — |
| FullPath | — |
| DisplayName | — |
| AppVersion | — |
| AppType | — |
| TSSessionId | — |
| Status | — |
| Pid | — |
| nFiles | — |
| File | — |
Event ID 10008 — Restart Manager encountered an internal error.
Message
Fields
| Name | Description |
|---|---|
| RmSessionId | — |
| cbSize | — |
| pbBinary | — |
Event ID 10009 — Service tagging failed to find target service in process %2.
Message
Fields
| Name | Description |
|---|---|
| RmSessionId | — |
| SvcHostPid | — |
| nFiles | — |
| nServices | — |
| FileName | — |
| Service | — |
Event ID 10010 — Application 'C:\Program Files\WindowsApps\MicrosoftWindows.
Message
Fields
| Name | Description |
|---|---|
| RmUnsupportedRestartEvent.RmSessionId | — |
| RmUnsupportedRestartEvent.Pid | — |
| RmUnsupportedRestartEvent.FullPath | — |
| RmUnsupportedRestartEvent.DisplayName | — |
| RmUnsupportedRestartEvent.AppVersion | — |
| RmUnsupportedRestartEvent.AppType | — |
| RmUnsupportedRestartEvent.TSSessionId | — |
| RmUnsupportedRestartEvent.Status | — |
| RmUnsupportedRestartEvent.Reason | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-RestartManager
  guid: 0888E5EF-9B98-4695-979D-E92CE4247224
  event_source_name: ''
  event_id: 10010
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:52:15.648333+00:00'
  event_record_id: 1603
  correlation: {}
  execution:
    process_id: 6576
    thread_id: 7344
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  RmUnsupportedRestartEvent:
    RmSessionId: 0
    Pid: 6212
    FullPath: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe
    DisplayName: Widgets
    AppVersion: 0
    AppType: 0
    TSSessionId: 1
    Status: 67108865
    Reason: 1
message: Application 'C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe' (pid 6212) cannot be restarted - 1.
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline