Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 1003
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:51.885710+00:00'
  event_record_id: 1450
  correlation: {}
  execution:
    process_id: 5004
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
    Name: ExtraInfo
    Value: '

      '
message: The Windows Search Service started.ExtraInfo

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 1004
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:51.187482+00:00'
  event_record_id: 1447
  correlation: {}
  execution:
    process_id: 5004
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  ExtraInfo: '

    '
  Reason: Full Index Reset
message: "The Windows Search service is creating the new search index {Reason: Full
  Index Reset}. \n"

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 1005
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:51.828936+00:00'
  event_record_id: 1449
  correlation: {}
  execution:
    process_id: 5004
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
    Name: ExtraInfo
    Value: '

      '
message: The Windows Search Service has successfully created the new search index.
  ExtraInfo

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Fields

Fields

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 1008
  version: 0
  level: 3
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:47.791114+00:00'
  event_record_id: 1444
  correlation: {}
  execution:
    process_id: 5004
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  ExtraInfo: '

    '
  Reason: Full Index Reset
message: "The Windows Search Service is starting up and attempting to remove the old
  search index {Reason: Full Index Reset}. \n"

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Fields

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 1010
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-06T06:25:47.798155+00:00'
  event_record_id: 1445
  correlation: {}
  execution:
    process_id: 5004
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
    Name: ExtraInfo
    Value: '

      '
message: The Windows Search Service has successfully removed the old search index.
  ExtraInfo

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Fields

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 1013
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-10-25T22:56:14.357450+00:00'
  event_record_id: 1432
  correlation: {}
  execution:
    process_id: 7916
    thread_id: 0
  channel: Application
  computer: WinDevEval
  security:
    user_id: ''
event_data:
  Data:
    Name: ExtraInfo
    Value: '

      '
message: Windows Search Service stopped normally.ExtraInfo

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 4121
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 36028797018963968
  time_created: '2014-11-26T23:22:14.000000Z'
  event_record_id: 1157
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE10Win7
  security:
    user_id: ''
event_data:
  ExtraInfo: '

    '
  CatalogName: SystemIndex

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-Search
  guid: '{CA4E628D-8567-4896-AB6B-835B221F373F}'
  event_source_name: Windows Search Service
  event_id: 10024
  version: 0
  level: 3
  task: 3
  opcode: 0
  keywords: 36028797018963968
  time_created: '2014-11-25T22:48:11.000000Z'
  event_record_id: 1044
  correlation: {}
  execution:
    process_id: 0
    thread_id: 0
  channel: Application
  computer: IE8Win7
  security:
    user_id: ''
event_data:
  ExtraInfo: '

    '
  FilterHostProcessID: '4008'

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Fields

Fields

Fields

Message

The Windows Search Service started.%1

Fields

Message

The Windows Search service is creating the new search index {Reason: %2}. %1

Fields

Message

The Windows Search Service has successfully created the new search index. %1

Fields

Message

The Windows Search Service has successfully removed the old search index. %1

Fields

Message

Windows Search Service stopped normally.%1

Fields

Message

The Windows Search Service successfully moved index files from %2 to %3. %1

Fields

Message

The index is being reset.%1

Fields

Message

The gatherer index resumed.%1

Fields

Message

The crawl was requested to be stopped.%1

Fields

Message

An update cannot begin because the content source <%2> is in use by another update already in progress. The update will start as soon as all its content sources are released by updates already in progress.%1

Fields

Message

The group %2\%3 contains %4 members. Groups over %5 members are not expanded. %1

Fields

Message

The local groups cache was flushed, because %2. %1

Fields

Message

%1A master merge has completed for catalog %2.

Fields

Message

%1A master merge has been paused for catalog %2 due to error %3. It will be rescheduled later.

Fields

Message

%1A master merge has restarted for catalog %2.

Fields

Message

An index corruption was detected in component %2 in catalog %3.%1

Fields

Message

%1A master merge has been paused for catalog %2 due to low disk space. The merge will be rescheduled later.  Please free some disk space for indexing to continue.

Fields

Message

%1Catalog: %2. A master merge was started due to an external request.

Fields

Message

%1Catalog: %2. A master merge was started because the catalog reached the maximum number of indexes on the last level (%3).

Fields

Message

%1Catalog: %2. A master merge was started because the expected number of documents in the catalog (%3) were indexed.

Fields

Message

%1Catalog: %2. The master merge was started because of internal reason number %3.

Fields

Message

The Windows Search Service is being stopped because there is a problem with the indexer: %2.%1

Fields

Message

The Windows Search Service is starting up and attempting to remove the old search index {Reason: %2}. %1

Fields

Message

The Windows Search Service has failed to create one or more path rules.  The service will continue creating the SystemIndex search index.  Debug information: <%2>. %1

Fields

Message

Event ID %2 for the Windows Search Service has been suppressed %3 time(s) since %4. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time.  See Event ID %2 for further details on this event.%1

Fields

Message

While rolling back the index, the Windows Search Service encountered the following error: <%4,%5>. Index files were not moved from %2 to %3. %1

Fields

Message

An error occurred in configuration file <%2>.%1

Fields

Message

The system exception %1 occurred, and will be handled.  If this causes problems, contact Microsoft Product Support Services and include the stack trace in the event. %2.

Fields

Message

The update cannot be started because all of the content sources were excluded by site path rules, or removed from the index configuration.%1

Fields

Message

The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.%1

Fields

Message

Crawl could not be completed on content source <%2>.%1

Fields

Message

Crawl could not be started on content source <%2>.%1

Fields

Message

The gatherer is unable to read the registry %2.%1

Fields

Message

A request to start the update has been ignored because the update is already in progress or is scheduled on one or more content sources.%1

Fields

Message

The index was paused.%1

Fields

Message

The automatic description length was adjusted from %2 to %3.%1

Fields

Message

The update for the index cannot be started because the specified content sources were not configured for updates. Add at least one content source.%1

Fields