Microsoft-Windows-SEC

61 events across 1 channel

Event ID	Title	Channel
1		Operational
2		Operational
3		Operational
4		Operational
5		Operational
6		Operational
7		Operational
8		Operational
9		Operational
10		Operational
11		Operational
12		Operational
13		Operational
14		Operational
15		Operational
16		Operational
17		Operational
18		Operational
19		Operational
20		Operational
21		Operational
22		Operational
23		Operational
24		Operational
25		Operational
26		Operational
27		Operational
28		Operational
29		Operational
30		Operational
31		Operational
32		Operational
33		Operational
34		Operational
35		Operational
36		Operational
37		Operational
38		Operational
39		Operational
40		Operational
41		Operational
42		Operational
43		Operational
44		Operational
45		Operational
46		Operational
47		Operational
48		Operational
49		Operational
50		Operational
51		Operational
52		Operational
53		Operational
54		Operational
55		Operational
56		Operational
57		Operational
58		Operational
59		Operational
60		Operational
61		Operational

Event ID 1 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`CreatorProcessId` HexInt32	—
`CreatorProcessTime` Int64	—
`CreatorProcessName` UnicodeString	—
`ProcessName` UnicodeString	—
`CommandLine` UnicodeString	—
`ImageSHA256` Binary	—
`ImageSHA1` Binary	—
`ImageMD5` Binary	—
`PartialCRC1` HexInt32	—
`PartialCRC2` HexInt32	—
`PartialCRC3` HexInt32	—
`MotW` Boolean	—
`IntegrityLevel` HexInt32	—
`TokenElevationType` HexInt32	— Known values `%%1936` TokenElevationTypeDefault (1) `%%1937` TokenElevationTypeFull (2) `%%1938` TokenElevationTypeLimited (3) `1` TokenElevationTypeDefault `2` TokenElevationTypeFull `3` TokenElevationTypeLimited
`Elevated` Boolean	—
`Impersonation` Boolean	—
`SubjectLogonId` HexInt64	—
`ProcessStartKey` UInt64	—
`CreatorProcessStartKey` UInt64	—
`CommandLineTruncated` Boolean	—
`CommandLineSize` HexInt32	—
`ImageLSH` Binary	—
`MitigationPolicy` UInt64	—
`ProtectionLevel` UInt8	—
`EnterprisePolicy` HexInt32	—
`InferredParentProcessId` HexInt32	—
`InferredParentProcessTime` Int64	—
`InferredParentProcessName` UnicodeString	—
`InferredParentProcessStartKey` UInt64	—
`CiIsSigningChainValid` UInt32	—
`CiIsMicrosoftRoot` UInt32	—
`CiIsMicrosoftApplicationRoot` UInt32	—
`CiSigningLevel` UInt8	—
`ImageOriginalName` UnicodeString	—
`CreationAnomalies` UInt64	—
`InitialThreadId` HexInt32	—
`InitialThreadStartAddress` Pointer	—
`WindowFlags` HexInt32	—
`ShowWindowFlags` HexInt32	—
`StandardInputDeviceType` HexInt32	—
`StandardOutputDeviceType` HexInt32	—
`StandardErrorDeviceType` HexInt32	—
`DesktopInfo` UnicodeString	—

Event ID 2 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DriverUnloadTime` Int64	—

Event ID 3 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DriverLoadTime` Int64	—

Event ID 4 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`FileAttributes` HexInt32	—
`Dispositon` HexInt32	—
`ProcessStartKey` UInt64	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 5 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`NewFileName` UnicodeString	—
`FileAttributes` HexInt32	—
`ProcessStartKey` UInt64	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 6 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`FileAttributes` HexInt32	—
`ProcessStartKey` UInt64	—
`IsSensitive` Boolean	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 7 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`FileAttributes` HexInt32	—
`ProcessStartKey` UInt64	—
`IsSensitive` Boolean	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 8 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 9 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 10 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`NewKey` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 11 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`Hive` UnicodeString	—
`RestoreFlags` HexInt32	—
`ProcessStartKey` UInt64	—

Event ID 12 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`Hive` UnicodeString	—
`NewHive` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 13 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`Value` UnicodeString	—
`OldValueDataType` HexInt32	—
`OldValueDataSize` HexInt32	—
`OldValueCopiedSize` UInt32	—
`OldValueData` Binary	—
`NewValueDataType` HexInt32	—
`NewValueDataSize` HexInt32	—
`NewValueCopiedSize` UInt32	—
`NewValueData` Binary	—
`ProcessStartKey` UInt64	—

Event ID 14 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`VolumeName` UnicodeString	—
`VolReadOffset` HexInt64	—
`VolReadSize` HexInt64	—
`SystemVolume` Boolean	—
`ProcessStartKey` UInt64	—
`VolumeShadowCopy` Boolean	—

Event ID 15 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`VolumeName` UnicodeString	—
`AccessMask` HexInt32	— Access mask reference
`SystemVolume` Boolean	—
`ProcessStartKey` UInt64	—
`VolumeShadowCopy` Boolean	—

Event ID 16 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`Value` UnicodeString	—
`DataType` HexInt32	—
`ValueDataSize` HexInt32	—
`ValueCopiedSize` UInt32	—
`ValueData` Binary	—
`ProcessStartKey` UInt64	—

Event ID 17 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`PipeName` UnicodeString	—
`RemoteClientsAccess` UInt32	—
`NamedPipeEnd` UInt32	—
`DesiredAccess` HexInt32	— Process access rights reference
`FileOperation` UInt32	—
`ProcessStartKey` UInt64	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 18 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`TargetProcessId` HexInt32	—
`TargetProcessTime` Int64	—
`TargetProcessName` UnicodeString	—
`TargetThreadId` HexInt32	—
`TargetThreadStartAddress` Pointer	—
`StartAddressVadQueryResult` UInt32	—
`StartAddressVadAllocationBase` Pointer	—
`StartAddressVadAllocationProtect` UInt32	—
`StartAddressVadRegionType` UInt32	—
`StartAddressVadRegionSize` Pointer	—
`StartAddressVadProtect` UInt32	—
`SourceProcessStartKey` UInt64	—
`TargetProcessStartKey` UInt64	—
`MappedModuleName` UnicodeString	—

Event ID 19 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`TargetProcessId` HexInt32	—
`TargetProcessTime` Int64	—
`TargetProcess` UnicodeString	—
`Access` HexInt32	—
`SourceProcessStartKey` UInt64	—
`TargetProcessStartKey` UInt64	—

Event ID 20 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Desktop` UnicodeString	—
`Access` HexInt32	—
`Duplicate` Boolean	—
`Kernel` Boolean	—
`ProcessStartKey` UInt64	—

Event ID 21 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`VolumeName` UnicodeString	—
`VolWriteOffset` HexInt64	—
`VolWriteSize` HexInt64	—
`SystemVolume` Boolean	—
`ProcessStartKey` UInt64	—
`VolumeShadowCopy` Boolean	—

Event ID 22 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`ProcessName` UnicodeString	—
`CommandLine` UnicodeString	—
`ProcessStartKey` UInt64	—
`CommandLineTruncated` Boolean	—
`CommandLineSize` HexInt32	—

Event ID 23 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`ImageName` UnicodeString	—
`MotW` Boolean	—
`ImageSHA256` Binary	—
`ImageSHA1` Binary	—
`ImageMD5` Binary	—
`PartialCRC1` HexInt32	—
`PartialCRC2` HexInt32	—
`PartialCRC3` HexInt32	—
`SystemModeImage` Boolean	—
`LoadImageAddress` Pointer	—
`ProcessStartKey` UInt64	—
`LoadImageSize` UInt64	—
`ImageLSH` Binary	—
`CiIsSigningChainValid` UInt32	—
`CiIsMicrosoftRoot` UInt32	—
`CiIsMicrosoftApplicationRoot` UInt32	—
`CiSigningLevel` UInt8	—
`ImageOriginalName` UnicodeString	—
`ImageSignatureLevel` UInt32	—
`ImageDeviceType` UInt32	—
`ImageDeviceCharacteristics` UInt32	—
`ImageDeviceFlags` UInt32	—

Event ID 24 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`ImageName` UnicodeString	—
`MotW` Boolean	—
`ImageSHA256` Binary	—
`ImageSHA1` Binary	—
`ImageMD5` Binary	—
`PartialCRC1` HexInt32	—
`PartialCRC2` HexInt32	—
`PartialCRC3` HexInt32	—
`ImageSignatureLevel` UInt32	—
`ImageSignatureType` UInt32	—
`CurrentCodeIntegrityOptions` UInt32	—
`OriginalCodeIntegrityOptions` UInt32	—
`ProcessStartKey` UInt64	—
`ImageBase` Pointer	—
`ImageSize` UInt64	—
`ImageLSH` Binary	—

Event ID 25 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`AffectedProcessId` HexInt32	—
`AffectedProcessTime` Int64	—
`CurrentTokenPointer` Pointer	—
`CurrentTokenSource` Binary	—
`CurrentTokenPrivPresent` UInt64	—
`CurrentTokenPrivEnabled` UInt64	—
`CurrentTokenPrivEnabledByDefault` UInt64	—
`CurrentTokenIntegrityLevel` UInt32	—
`CurrentTokenUserSid` SID	—
`PreviousTokenPointer` Pointer	—
`PreviousTokenSource` Binary	—
`PreviousTokenPrivPresent` UInt64	—
`PreviousTokenPrivEnabled` UInt64	—
`PreviousTokenPrivEnabledByDefault` UInt64	—
`PreviousTokenIntegrityLevel` UInt32	—
`PreviousTokenUserSid` SID	—
`OriginalTokenPointer` Pointer	—
`OriginalTokenSource` Binary	—
`OriginalTokenPrivPresent` UInt64	—
`OriginalTokenPrivEnabled` UInt64	—
`OriginalTokenPrivEnabledByDefault` UInt64	—
`OriginalTokenIntegrityLevel` UInt32	—
`OriginalTokenUserSid` SID	—
`SystemTokenPointer` Pointer	—
`InlineCheck` Boolean	—
`AffectedProcessStartKey` UInt64	—
`PrimaryTokenFrozen` Boolean	—
`ParentTokenIntegrityLevel` UInt32	—

Event ID 26 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`NormalizedSharePath` UnicodeString	—
`ShareName` UnicodeString	—
`SocketAddress` UnicodeString	—
`OpenDirection` UInt8	—

Event ID 27 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`AffectedProcessId` HexInt32	—
`AffectedProcessStartKey` UInt64	—
`AffectedProcessTime` Int64	—
`InlineCheck` Boolean	—
`CurrentDaclPointer` Pointer	—
`CurrentDaclValidAceList` Boolean	—
`CurrentDaclAceCount` UInt32	—
`CurrentDaclSids` UnicodeString	—
`CurrentDaclAccessMaskBlobSize` UInt32	—
`CurrentDaclAccessMasks` Binary	—
`PreviousDaclPointer` Pointer	—
`PreviousDaclValidAceList` Boolean	—
`PreviousDaclAceCount` UInt32	—
`PreviousDaclSids` UnicodeString	—
`PreviousDaclAccessMaskBlobSize` UInt32	—
`PreviousDaclAccessMasks` Binary	—
`OriginalDaclPointer` Pointer	—
`OriginalDaclValidAceList` Boolean	—
`OriginalDaclAceCount` UInt32	—
`OriginalDaclSids` UnicodeString	—
`OriginalDaclAccessMaskBlobSize` UInt32	—
`OriginalDaclAccessMasks` Binary	—

Event ID 28 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessStartKey` UInt64	—
`Flags` UInt32	—
`ThreadId` HexInt32	—
`CallerAddress` Pointer	—
`StartAddress` Pointer	—
`BackTraceSize` UInt32	—
`BackTrace` Binary	—
`TargetCodeSize` UInt32	—
`TargetCode` Binary	—
`CallerCodeSize` UInt32	—
`CallerCode` Binary	—

Event ID 29 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`CurrentValue` Pointer	—
`OriginalValue` Pointer	—
`IsSynchronous` Boolean	—

Event ID 30 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`CurrentValue` Pointer	—
`PreviousValue` Pointer	—
`OriginalValue` Pointer	—
`IsSynchronous` Boolean	—

Event ID 31 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 32 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`SuspiciousPointerIndex` UInt32	—
`TableSize` UInt32	—
`Table` Binary	—
`CodeSize` UInt32	—
`Code` Binary	—

Event ID 33 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`SuspiciousPointerIndex` UInt32	—
`TableSize` UInt32	—
`Table` Binary	—
`CodeSize` UInt32	—
`Code` Binary	—

Event ID 34 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`TargetProcessId` HexInt32	—
`TargetProcessTime` Int64	—
`TargetProcess` UnicodeString	—
`Access` HexInt32	—
`SourceProcessStartKey` UInt64	—
`TargetProcessStartKey` UInt64	—

Event ID 35 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`OriginalCreationTime` Int64	—
`OriginalLastAccessTime` Int64	—
`OriginalLastWriteTime` Int64	—
`OriginalChangeTime` Int64	—
`ModifiedCreationTime` Int64	—
`ModifiedLastAccessTime` Int64	—
`ModifiedLastWriteTime` Int64	—
`ModifiedChangeTime` Int64	—
`FileAttributes` HexInt32	—
`ProcessStartKey` UInt64	—

Event ID 36 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`AffectedProcessId` HexInt32	—
`AffectedProcessTime` Int64	—
`AffectedProcessStartKey` UInt64	—
`InlineCheck` Boolean	—

Event ID 37 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ImageName` UnicodeString	—
`ImageBase` Pointer	—
`ImageSize` UInt64	—
`DriverName` UnicodeString	—
`DriverObject` Pointer	—
`DriverInit` Pointer	—
`DriverStartIo` Pointer	—
`DriverUnload` Pointer	—
`MajorFunctionArraySize` UInt32	—
`MajorFunctionArray` Binary	—
`FastIoDispatchArraySize` UInt32	—
`FastIoDispatchArray` Binary	—
`SuspiciousDispatchBitmap` UInt64	—
`ContextInfoArraySize` UInt32	—
`ContextInfoArray` Binary	—

Event ID 38 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`OldFlags` UInt64	—
`NewFlags` UInt64	—

Event ID 39 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`SourceThreadId` HexInt32	—
`TargetThreadId` HexInt32	—
`UserSid` SID	—
`TargetProcessId` HexInt32	—
`TargetProcessTime` Int64	—
`AccessMask` HexInt32	— Access mask reference
`ProcessStartKey` UInt64	—
`TargetProcessStartKey` UInt64	—

Event ID 40 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`FileAttributes` HexInt32	—
`ProcessStartKey` UInt64	—
`IsSensitive` Boolean	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 41 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`Value` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 42 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`FileAttributes` HexInt32	—
`DesiredAccess` HexInt32	— Process access rights reference
`Dispositon` HexInt32	—
`ProcessStartKey` UInt64	—
`VolumeShadowCopy` Boolean	—
`FileOpenSource` HexInt32	—
`ShareAccess` UInt16	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 43 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`FileName` UnicodeString	—
`NewFileName` UnicodeString	—
`FileAttributes` HexInt32	—
`ProcessStartKey` UInt64	—
`RequestSource` UInt8	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—

Event ID 44 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`FileName` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 45 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`ProcessStartKey` UInt64	—
`SecurityInformation` HexInt32	—
`OriginalSecurityDescriptor` UnicodeString	—
`NewSecurityDescriptor` UnicodeString	—

Event ID 46 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`AffectedProcessId` HexInt32	—
`AffectedProcessTime` Int64	—
`AffectedProcessStartKey` UInt64	—
`InlineCheck` Boolean	—
`OriginalCommandLine` UnicodeString	—
`ModifiedCommandLine` UnicodeString	—
`CorruptedCommandLine` Boolean	—

Event ID 47 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`IoControlCode` HexInt32	—
`DeviceName` UnicodeString	—
`VolumeName` UnicodeString	—
`MaximumVolumeSpace` UInt64	—
`ApplicationGuid` GUID	—

Event ID 48 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`DriverName` UnicodeString	—
`DriverOriginalName` UnicodeString	—
`FunctionName` UnicodeString	—
`IsEnforced` Boolean	—

Event ID 49 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`DriverName` UnicodeString	—
`DriverOriginalName` UnicodeString	—
`TargetDevice` UnicodeString	—
`MajorFunction` HexInt32	—
`IoControlCode` HexInt32	—
`IsEnforced` Boolean	—

Event ID 50 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`FileName` UnicodeString	—
`OperationBlocked` Boolean	—
`UserSid` SID	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—
`Tag` UInt32	—

Event ID 51 —

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`KeyName` UnicodeString	—
`ValueName` UnicodeString	—
`RegistryOperations` UInt32	—
`OperationBlocked` Boolean	—

Event ID 52 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`FileName` UnicodeString	—
`OperationBlocked` Boolean	—
`UserSid` SID	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—
`Tag` UInt32	—

Event ID 53 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`TimeBeforeAcquiringLock` UInt64	—
`TimeAfterAcquiringLock` UInt64	—
`TimeBeforeReleasingLock` UInt64	—
`StatusOplockAcquiring` UInt32	—
`StatusFileOpening` UInt32	—
`StatusDuplicateHandle` UInt32	—
`FileName` UnicodeString	—
`Access` HexInt32	—
`ShareMode` HexInt32	—
`OpenFlags` HexInt32	—

Event ID 54 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`TimeBeforeAcquiringLock` UInt64	—
`TimeAfterAcquiringLock` UInt64	—
`TimeBeforeReleasingLock` UInt64	—
`StatusBeforeRetry` UInt32	—
`StatusOfRetry` UInt32	—
`StatusAfterRetry` UInt32	—
`FileName` UnicodeString	—
`ProcessId` HexInt32	—
`ProcessStartKey` UInt64	—
`ProcessCreationTime` Int64	—
`IoFunction` UInt16	—
`Access` HexInt32	—
`ShareMode` HexInt32	—
`OpenFlags` HexInt32	—

Event ID 55 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`Value` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 56 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`FileName` UnicodeString	—
`OperationBlocked` Boolean	—
`UserSid` SID	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—
`Tag` UInt32	—

Event ID 57 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ProcessStartKey` UInt64	—
`FileName` UnicodeString	—
`OperationBlocked` Boolean	—
`UserSid` SID	—
`ShareName` UnicodeString	—
`RemoteIpAddressLength` UInt32	—
`RemoteIpAddress` Binary	—
`Tag` UInt32	—

Event ID 58 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`ProcessId` HexInt32	—
`ProcessTime` Int64	—
`ThreadId` HexInt32	—
`UserSid` SID	—
`SessionId` HexInt32	—
`Key` UnicodeString	—
`ProcessStartKey` UInt64	—

Event ID 59 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`SuspiciousEntryIndex` UInt32	—
`TableSize` UInt32	—
`Table` Binary	—
`CodeSize` UInt32	—
`Code` Binary	—

Event ID 60 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`CurrentValue` Pointer	—
`OriginalValue` Pointer	—
`IsSynchronous` Boolean	—

Event ID 61 —

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64	—
`CurrentValue` Pointer	—
`OriginalValue` Pointer	—
`IsSynchronous` Boolean	—