Microsoft-Windows-RestartManager
11 events across 2 channels
| Event ID | Title | Channel |
|---|---|---|
| 10000 | Starting session RmSessionId - UTCStartTime. | Application |
| 10001 | Ending session RmSessionId started UTCStartTime. | Application |
| 10002 | Shutting down application or service 'DisplayName'. | Application |
| 10003 | Restarting application or service 'DisplayName'. | Application |
| 10004 | Registering nFiles file(s), nRegProcs process(es), nRegServices service(s). | Operational |
| 10005 | Machine restart is required. | Application |
| 10006 | Application or service 'DisplayName' could not be shut down. | Application |
| 10007 | Application or service 'DisplayName' could not be restarted. | Application |
| 10008 | Restart Manager encountered an internal error. | Application |
| 10009 | Service tagging failed to find target service in process SvcHostPid. | Application |
| 10010 | Application 'FullPath' (pid Pid) cannot be restarted - Reason. | Application |
Event ID 10000 — Starting session RmSessionId - UTCStartTime.
Description
Logged when a process opens a Restart Manager session. RmSessionId is a small per-process session index (0 for the first session a process opens; every example on this page shows 0), so it does not identify a session on its own: pair it with the logging process (system.execution.process_id) and with UTCStartTime. UTCStartTime is the session start as seconds since the Unix epoch; 1699226157.309 in the example is 2023-11-05 23:15:57 UTC, which matches the event's time_created. Any process may open a session: MSI installers and Windows Update do so routinely, and some ransomware families call the same API to release file locks before encrypting, so the calling process ID and user_id are the fields worth keeping.
Message
Starting session {RmSessionId} - {UTCStartTime}.
Fields
| Name | Description |
|---|---|
| RmSessionEvent.RmSessionId | Per-process Restart Manager session index; not unique across processes. |
| RmSessionEvent.UTCStartTime | Session start time as Unix epoch seconds (float); the same value is repeated in the matching 10001 event. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RestartManager",
"guid": "0888E5EF-9B98-4695-979D-E92CE4247224",
"event_source_name": "",
"event_id": 10000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T23:15:57.318722+00:00",
"event_record_id": 1727,
"correlation": {},
"execution": {
"process_id": 4436,
"thread_id": 7344
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"user_data": {
"RmSessionEvent": {
"RmSessionId": 0,
"UTCStartTime": 1699226157.3092785
}
},
"message": "Starting session 0 - 1.6992261573092785e+09."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 10001 — Ending session RmSessionId started UTCStartTime.
Description
Logged when the session is closed. The event repeats the session's UTCStartTime rather than carrying an end time, so the session lifetime is time_created minus UTCStartTime: in the example the session started at 1699226123.285 (23:15:23 UTC) and the end event was written at 23:15:56.333, about 33 seconds later. This example and the 10000 example above are not the same session even though both come from process 4436 with RmSessionId 0: their UTCStartTime values differ.
Message
Ending session {RmSessionId} started {UTCStartTime}.
Fields
| Name | Description |
|---|---|
| RmSessionEvent.RmSessionId | Per-process Restart Manager session index of the session being closed. |
| RmSessionEvent.UTCStartTime | Start time of the session being closed, Unix epoch seconds; use it together with computer, process_id and RmSessionId to pair this event with its 10000. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RestartManager",
"guid": "0888E5EF-9B98-4695-979D-E92CE4247224",
"event_source_name": "",
"event_id": 10001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T23:15:56.333139+00:00",
"event_record_id": 1726,
"correlation": {},
"execution": {
"process_id": 4436,
"thread_id": 6676
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"user_data": {
"RmSessionEvent": {
"RmSessionId": 0,
"UTCStartTime": 1699226123.2852097
}
},
"message": "Ending session 0 started 1.6992261232852097e+09."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
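Pairing the 10000 and 10001 events into sessions, as an added example that is not code from this page or from the tools it cites. It assumes records in the JSON layout shown on this page (only the fields it reads are populated); the first two sample records are the page's own examples, and process 9001 with its six short sessions is constructed to show the burst pattern worth reviewing.

```python
"""Pair Restart Manager 10000/10001 events into sessions and flag bursts."""
from collections import defaultdict
from datetime import datetime, timezone


def _iso(epoch):
    """Epoch seconds -> ISO 8601 with offset, the time_created form on this page."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def _record(event_id, record_id, pid, rm_session_id, utc_start, time_created,
            user="S-1-5-21-1992711665-1655669231-58201500-1000"):
    """Minimal RmSessionEvent record in the page's JSON layout."""
    return {
        "system": {
            "provider": "Microsoft-Windows-RestartManager", "event_id": event_id,
            "time_created": time_created, "event_record_id": record_id,
            "execution": {"process_id": pid}, "channel": "Application",
            "computer": "WinDev2310Eval", "security": {"user_id": user},
        },
        "user_data": {"RmSessionEvent": {"RmSessionId": rm_session_id,
                                         "UTCStartTime": utc_start}},
    }


# The first two records are the page's own examples (record IDs 1726 and 1727).
# The rest are constructed: one hypothetical process (pid 9001) opening six
# one-second sessions two seconds apart.
SAMPLE = [
    _record(10001, 1726, 4436, 0, 1699226123.2852097, "2023-11-05T23:15:56.333139+00:00"),
    _record(10000, 1727, 4436, 0, 1699226157.3092785, "2023-11-05T23:15:57.318722+00:00"),
]
for _i in range(6):
    _start = 1699226200.0 + 2 * _i
    SAMPLE.append(_record(10000, 2000 + 2 * _i, 9001, _i, _start, _iso(_start)))
    SAMPLE.append(_record(10001, 2001 + 2 * _i, 9001, _i, _start, _iso(_start + 1)))


def pair_sessions(records):
    """Group 10000/10001 events into sessions.

    RmSessionId is a per-process index (0 for a process's first session), so the
    key also needs the computer, the logging process and the start time, which
    the end event repeats.
    """
    sessions = {}
    for r in records:
        sysd = r["system"]
        if sysd["event_id"] not in (10000, 10001):
            continue
        ev = r["user_data"]["RmSessionEvent"]
        key = (sysd["computer"], sysd["execution"]["process_id"],
               ev["RmSessionId"], ev["UTCStartTime"])
        s = sessions.setdefault(key, {
            "computer": sysd["computer"], "pid": sysd["execution"]["process_id"],
            "rm_session_id": ev["RmSessionId"], "user": sysd["security"]["user_id"],
            "start": datetime.fromtimestamp(ev["UTCStartTime"], tz=timezone.utc),
            "end": None, "saw_start": False, "saw_end": False, "duration_s": None,
        })
        if sysd["event_id"] == 10000:
            s["saw_start"] = True
        else:
            s["saw_end"] = True
            s["end"] = datetime.fromisoformat(sysd["time_created"])
            s["duration_s"] = (s["end"] - s["start"]).total_seconds()
    return sorted(sessions.values(), key=lambda s: s["start"])


def burst_pids(sessions, window_s=60, threshold=5):
    """(computer, pid) pairs that opened at least `threshold` sessions within any
    `window_s`-second span. An installer opens one session; many in a row is the
    pattern to review."""
    starts_by = defaultdict(list)
    for s in sessions:
        starts_by[(s["computer"], s["pid"])].append(s["start"])
    hits = []
    for key, starts in starts_by.items():
        starts.sort()
        for i, t0 in enumerate(starts):
            n = sum(1 for t in starts[i:] if (t - t0).total_seconds() <= window_s)
            if n >= threshold:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    for s in pair_sessions(SAMPLE):
        print(s["pid"], s["rm_session_id"], s["start"].isoformat(), s["duration_s"])
    print("burst:", burst_pids(pair_sessions(SAMPLE)))
```

Run against the page's two records alone, the script yields two incomplete sessions (one with only its end, one with only its start) rather than one pair, which is the point of keying on UTCStartTime.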
Event ID 10002 — Shutting down application or service 'DisplayName'.
Description
Logged when the session shuts down a process that holds one of the registered resources. In the example the caller (process 1520, running as SYSTEM) stopped the 'VMware Snapshot Provider' service hosted in dllhost.exe (pid 4400); AppType 3 is RmService and Status 262146 (0x40002) carries the RmStatusStopped bit (0x2). The Pid field is the target process, not the process that wrote the event.
Message
Shutting down application or service '{DisplayName}'.
Fields
| Name | Description |
|---|---|
| RmApplicationEvent.RmSessionId | Per-process Restart Manager session index of the caller. |
| RmApplicationEvent.FullPath | Image path of the target process. |
| RmApplicationEvent.DisplayName | Service display name for services, main window title for GUI applications. |
| RmApplicationEvent.AppVersion | Application version as recorded by Restart Manager (0 in every example on this page). |
| RmApplicationEvent.AppType | RM_APP_TYPE value: 0 unknown, 1 main window, 2 other window, 3 service, 4 Explorer, 5 console, 1000 critical. |
| RmApplicationEvent.TSSessionId | Terminal Services (logon) session of the target process; 0 is the services session. |
| RmApplicationEvent.Status | RM_APP_STATUS bit flags: 0x1 running, 0x2 stopped, 0x4 stopped by another action, 0x8 restarted, 0x10 error on stop, 0x20 error on restart, 0x40 shutdown masked, 0x80 restart masked. Not an NTSTATUS. The examples also carry high bits (0x40000, 0x4000000) that the public header does not define. |
| RmApplicationEvent.Pid | Process ID of the target. |
| RmApplicationEvent.nFiles | Number of registered files the target was using. |
| RmApplicationEvent.Files | List of those files (a single empty entry in the example). |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RestartManager",
"guid": "0888E5EF-9B98-4695-979D-E92CE4247224",
"event_source_name": "",
"event_id": 10002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:27:35.029379+00:00",
"event_record_id": 1464,
"correlation": {},
"execution": {
"process_id": 1520,
"thread_id": 5908
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"RmApplicationEvent": {
"RmSessionId": 0,
"FullPath": "C:\\Windows\\System32\\dllhost.exe",
"DisplayName": "VMware Snapshot Provider",
"AppVersion": 0,
"AppType": 3,
"TSSessionId": 0,
"Status": 262146,
"Pid": 4400,
"nFiles": 0,
"Files": {
"File": [
""
]
}
}
},
"message": "Shutting down application or service 'VMware Snapshot Provider'."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10003 — Restarting application or service 'DisplayName'.
Description
Logged when the session restarts an application or service it shut down earlier (the counterpart of 10002). No example event is available on this page.
Message
Restarting application or service '{DisplayName}'.
Fields
| Name | Type | Description |
|---|---|---|
| RmSessionId | UInt32 | Per-process Restart Manager session index of the caller. |
| FullPath | UnicodeString | Image path of the target process. |
| DisplayName | UnicodeString | Service display name or main window title of the target. |
| AppVersion | UInt32 | Application version as recorded by Restart Manager. |
| AppType | UInt32 | RM_APP_TYPE value (see event 10002). |
| TSSessionId | UInt32 | Terminal Services session of the target process. |
| Status | UInt32 | RM_APP_STATUS bit flags (see event 10002); not an NTSTATUS code. |
| Pid | UInt32 | Process ID of the target. |
| nFiles | UInt32 | Number of registered files the target was using. |
| File | UnicodeString | Those files, one entry per file. |
Event ID 10004 — Registering nFiles file(s), nRegProcs process(es), nRegServices service(s).
Event ID 10005 — Machine restart is required.
Description
Logged when the session could not shut down or restart every application holding a registered resource, so the caller has to ask for a reboot. Applications lists the offenders and RebootReasons says why. In the example the caller (process 6576, running as SYSTEM, which normally means session 0) could not restart 'Widgets' and RebootReasons is 2, RmRebootReasonSessionMismatch: the 10010 event written 34 ms earlier by the same process shows Widgets.exe running in Terminal Services session 1.
Message
Machine restart is required.
Fields
| Name | Description |
|---|---|
| RmRestartEvent.RmSessionId | Per-process Restart Manager session index of the caller. |
| RmRestartEvent.nApplications | Number of applications that forced the reboot. |
| RmRestartEvent.Applications | Display names of those applications. |
| RmRestartEvent.RebootReasons | RM_REBOOT_REASON bit flags: 0x1 permission denied, 0x2 session mismatch, 0x4 critical process, 0x8 critical service, 0x10 Restart Manager found itself among the affected processes. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RestartManager",
"guid": "0888E5EF-9B98-4695-979D-E92CE4247224",
"event_source_name": "",
"event_id": 10005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:52:15.682048+00:00",
"event_record_id": 1604,
"correlation": {},
"execution": {
"process_id": 6576,
"thread_id": 7344
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"RmRestartEvent": {
"RmSessionId": 0,
"nApplications": 1,
"Applications": {
"Application": [
"Widgets"
]
},
"RebootReasons": 2
}
},
"message": "Machine restart is required."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 10006 — Application or service 'DisplayName' could not be shut down.
Description
Logged when the session's shutdown of a process holding a registered resource fails; check the Status field for the RmStatusErrorOnStop bit (0x10). No example event is available on this page.
Message
Application or service '{DisplayName}' could not be shut down.
Fields
| Name | Type | Description |
|---|---|---|
| RmSessionId | UInt32 | Per-process Restart Manager session index of the caller. |
| FullPath | UnicodeString | Image path of the target process. |
| DisplayName | UnicodeString | Service display name or main window title of the target. |
| AppVersion | UInt32 | Application version as recorded by Restart Manager. |
| AppType | UInt32 | RM_APP_TYPE value (see event 10002). |
| TSSessionId | UInt32 | Terminal Services session of the target process. |
| Status | UInt32 | RM_APP_STATUS bit flags (see event 10002); not an NTSTATUS code. |
| Pid | UInt32 | Process ID of the target. |
| nFiles | UInt32 | Number of registered files the target was using. |
| File | UnicodeString | Those files, one entry per file. |
Event ID 10007 — Application or service 'DisplayName' could not be restarted.
Description
Logged when the session shut an application down but could not restart it; check the Status field for the RmStatusErrorOnRestart bit (0x20). No example event is available on this page.
Message
Application or service '{DisplayName}' could not be restarted.
Fields
| Name | Type | Description |
|---|---|---|
| RmSessionId | UInt32 | Per-process Restart Manager session index of the caller. |
| FullPath | UnicodeString | Image path of the target process. |
| DisplayName | UnicodeString | Service display name or main window title of the target. |
| AppVersion | UInt32 | Application version as recorded by Restart Manager. |
| AppType | UInt32 | RM_APP_TYPE value (see event 10002). |
| TSSessionId | UInt32 | Terminal Services session of the target process. |
| Status | UInt32 | RM_APP_STATUS bit flags (see event 10002); not an NTSTATUS code. |
| Pid | UInt32 | Process ID of the target. |
| nFiles | UInt32 | Number of registered files the target was using. |
| File | UnicodeString | Those files, one entry per file. |
Event ID 10008 — Restart Manager encountered an internal error.
Event ID 10009 — Service tagging failed to find target service in process SvcHostPid.
Event ID 10010 — Application 'FullPath' (pid Pid) cannot be restarted - Reason.
Description
Logged at warning level (level 3, where the other events on this page are informational) when the session finds an application it cannot restart. In the example Widgets.exe (pid 6212, Status 67108865 = 0x4000001, RmStatusRunning plus an undefined high bit) runs in Terminal Services session 1 while the caller runs as SYSTEM, and a 10005 with RebootReasons 2 (session mismatch) follows 34 ms later from the same process. The reason code appended to the message is 1 in the example; this page does not document its values.
Message
Application '{FullPath}' (pid {Pid}) cannot be restarted - {Reason}.
Fields
| Name | Description |
|---|---|
| RmUnsupportedRestartEvent.RmSessionId | Per-process Restart Manager session index of the caller. |
| RmUnsupportedRestartEvent.Pid | Process ID of the target. |
| RmUnsupportedRestartEvent.FullPath | Image path of the target process. |
| RmUnsupportedRestartEvent.DisplayName | Service display name or main window title of the target. |
| RmUnsupportedRestartEvent.AppVersion | Application version as recorded by Restart Manager. |
| RmUnsupportedRestartEvent.AppType | RM_APP_TYPE value (see event 10002); 0 is unknown. |
| RmUnsupportedRestartEvent.TSSessionId | Terminal Services session of the target process. |
| RmUnsupportedRestartEvent.Status | RM_APP_STATUS bit flags (see event 10002); not an NTSTATUS code. |
| RmUnsupportedRestartEvent.Reason | Reason code shown at the end of the message; values not documented here. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RestartManager",
"guid": "0888E5EF-9B98-4695-979D-E92CE4247224",
"event_source_name": "",
"event_id": 10010,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:52:15.648333+00:00",
"event_record_id": 1603,
"correlation": {},
"execution": {
"process_id": 6576,
"thread_id": 7344
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"RmUnsupportedRestartEvent": {
"RmSessionId": 0,
"Pid": 6212,
"FullPath": "C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\\Dashboard\\Widgets.exe",
"DisplayName": "Widgets",
"AppVersion": 0,
"AppType": 0,
"TSSessionId": 1,
"Status": 67108865,
"Reason": 1
}
},
"message": "Application 'C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\\Dashboard\\Widgets.exe' (pid 6212) cannot be restarted - 1."
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
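Decoding the application and restart events (10002, 10003, 10006, 10007, 10010, 10005) from raw numbers into names, and tying a 10005 back to the application event that caused it, as an added example that is not code from this page or from the tools it cites. The enum and flag values are the public RM_APP_TYPE, RM_APP_STATUS and RM_REBOOT_REASON definitions from RestartManager.h; the sample records are the page's own three example events reduced to the fields the script reads, and bits the header does not define are reported as residue rather than named.

```python
"""Decode Restart Manager application/restart events and explain a reboot."""

APP_TYPE = {0: "RmUnknownApp", 1: "RmMainWindow", 2: "RmOtherWindow", 3: "RmService",
            4: "RmExplorer", 5: "RmConsole", 1000: "RmCritical"}
APP_STATUS = {0x1: "RmStatusRunning", 0x2: "RmStatusStopped", 0x4: "RmStatusStoppedOther",
              0x8: "RmStatusRestarted", 0x10: "RmStatusErrorOnStop",
              0x20: "RmStatusErrorOnRestart", 0x40: "RmStatusShutdownMasked",
              0x80: "RmStatusRestartMasked"}
REBOOT_REASON = {0x1: "RmRebootReasonPermissionDenied", 0x2: "RmRebootReasonSessionMismatch",
                 0x4: "RmRebootReasonCriticalProcess", 0x8: "RmRebootReasonCriticalService",
                 0x10: "RmRebootReasonDetectedSelf"}
APP_EVENT_KIND = {10002: "shutdown", 10003: "restart", 10006: "shutdown-failed",
                  10007: "restart-failed", 10010: "restart-unsupported"}


def decode_flags(value, table):
    """Split a flag word into the names of known bits and the residue of bits the
    public header does not define (the page's examples carry such bits)."""
    names = [name for bit, name in table.items() if value & bit]
    residue = value & ~sum(table.keys())
    return names, residue


def describe_app_event(record):
    """Turn a 10002/10003/10006/10007/10010 record into names; None for other IDs."""
    eid = record["system"]["event_id"]
    if eid not in APP_EVENT_KIND:
        return None
    ud = record["user_data"]
    app = ud.get("RmApplicationEvent") or ud["RmUnsupportedRestartEvent"]
    status, residue = decode_flags(app["Status"], APP_STATUS)
    return {
        "kind": APP_EVENT_KIND[eid],
        "caller_pid": record["system"]["execution"]["process_id"],  # process that logged it
        "caller_user": record["system"]["security"]["user_id"],
        "rm_session_id": app["RmSessionId"],
        "target": app["DisplayName"], "target_pid": app["Pid"], "path": app["FullPath"],
        "app_type": APP_TYPE.get(app["AppType"], "undefined(%d)" % app["AppType"]),
        "ts_session": app["TSSessionId"],
        "status": status, "status_residue": residue,
    }


def reboot_verdicts(records):
    """For each 10005, name the RebootReasons bits and attach the application
    events from the same caller process and RM session that name the same apps."""
    described = [d for d in map(describe_app_event, records) if d]
    out = []
    for r in records:
        if r["system"]["event_id"] != 10005:
            continue
        ev = r["user_data"]["RmRestartEvent"]
        apps = ev["Applications"]["Application"]
        reasons, residue = decode_flags(ev["RebootReasons"], REBOOT_REASON)
        caller = (r["system"]["execution"]["process_id"], ev["RmSessionId"])
        culprits = [d for d in described
                    if (d["caller_pid"], d["rm_session_id"]) == caller and d["target"] in apps]
        out.append({"apps": apps, "reasons": reasons, "undefined_bits": residue,
                    "culprits": culprits})
    return out


def _sys(event_id, pid, user, time_created):
    """System block in the page's JSON layout, limited to the fields read above."""
    return {"provider": "Microsoft-Windows-RestartManager", "event_id": event_id,
            "time_created": time_created, "execution": {"process_id": pid},
            "channel": "Application", "computer": "WinDev2310Eval",
            "security": {"user_id": user}}


# The page's three example events, values verbatim.
SAMPLE = [
    {"system": _sys(10002, 1520, "S-1-5-18", "2023-11-05T22:27:35.029379+00:00"),
     "user_data": {"RmApplicationEvent": {
         "RmSessionId": 0, "FullPath": r"C:\Windows\System32\dllhost.exe",
         "DisplayName": "VMware Snapshot Provider", "AppVersion": 0, "AppType": 3,
         "TSSessionId": 0, "Status": 262146, "Pid": 4400, "nFiles": 0}}},
    {"system": _sys(10010, 6576, "S-1-5-18", "2023-11-05T22:52:15.648333+00:00"),
     "user_data": {"RmUnsupportedRestartEvent": {
         "RmSessionId": 0, "Pid": 6212,
         "FullPath": r"C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe",
         "DisplayName": "Widgets", "AppVersion": 0, "AppType": 0, "TSSessionId": 1,
         "Status": 67108865, "Reason": 1}}},
    {"system": _sys(10005, 6576, "S-1-5-18", "2023-11-05T22:52:15.682048+00:00"),
     "user_data": {"RmRestartEvent": {
         "RmSessionId": 0, "nApplications": 1,
         "Applications": {"Application": ["Widgets"]}, "RebootReasons": 2}}},
]


if __name__ == "__main__":
    for d in filter(None, map(describe_app_event, SAMPLE)):
        print(d["kind"], d["target"], d["app_type"], d["status"], hex(d["status_residue"]),
              "ts_session", d["ts_session"])
    for v in reboot_verdicts(SAMPLE):
        print("reboot for", v["apps"], "because", v["reasons"],
              "culprit ts_session", [c["ts_session"] for c in v["culprits"]])
```

On the page's records this reports the VMware provider as an RmService in RmStatusStopped state with residue 0x40000, and explains the reboot as a session mismatch caused by a running Widgets.exe in session 1. Joining on (caller process_id, RmSessionId) matters because RmSessionId alone is 0 for all three records.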