Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from generating dynamic code.

Message #

Process '%2' (PID %5) would have been blocked from generating dynamic code.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 0,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-04T14:07:23.788203+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 4808,
      "thread_id": 4432
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
    }
  },
  "event_data": {
    "ProcessPathLength": 60,
    "ProcessPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\inetsrv\\InetMgr.exe",
    "ProcessCommandLineLength": 42,
    "ProcessCommandLine": "\"C:\\Windows\\system32\\inetsrv\\InetMgr.exe\" ",
    "CallingProcessId": 4808,
    "CallingProcessCreateTime": "2022-04-04T14:07:23.009253Z",
    "CallingProcessStartKey": 1407374883554550,
    "CallingProcessSignatureLevel": 0,
    "CallingProcessSectionSignatureLevel": 0,
    "CallingProcessProtection": 0,
    "CallingThreadId": 4432,
    "CallingThreadCreateTime": "2022-04-04T14:07:23.009255Z"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from generating dynamic code.

Message #

Process '%2' (PID %5) was blocked from generating dynamic code.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:01:34.932541+00:00",
    "event_record_id": 88,
    "correlation": {},
    "execution": {
      "process_id": 11664,
      "thread_id": 10404
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 59,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\TeamViewer\\tv_x64.exe",
    "ProcessCommandLineLength": 192,
    "ProcessCommandLine": "\"C:\\Program Files\\TeamViewer\\tv_x64.exe\" --action installpnpdriver --inf \"C:\\Program Files\\TeamViewer\\x64\\TVVirtualMonitorDriver.inf\" --log \"C:\\Program Files\\TeamViewer\\TeamViewer15_Hooks.log\"",
    "CallingProcessId": 11664,
    "CallingProcessCreateTime": "2023-11-06T01:01:34.836839Z",
    "CallingProcessStartKey": 3659174697240700,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 10404,
    "CallingThreadCreateTime": "2023-11-06T01:01:34.836843Z"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

Message #

Process '%2' (PID %5) would have been blocked from creating a child process '%14' with command line '%16'.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 0,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-26T04:19:22.802481+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 2524,
      "thread_id": 452
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessPathLength": 52,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Windows\\System32\\spoolsv.exe",
    "ProcessCommandLineLength": 31,
    "ProcessCommandLine": "C:\\Windows\\System32\\spoolsv.exe",
    "CallingProcessId": 2524,
    "CallingProcessCreateTime": "2023-10-26T04:17:19.791140Z",
    "CallingProcessStartKey": 281474976710715,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 452,
    "CallingThreadCreateTime": "2023-10-26T04:19:20.206505Z",
    "ChildImagePathNameLength": 32,
    "ChildImagePathName": "C:\\Windows\\SysWOW64\\regsvr32.exe",
    "ChildCommandLineLength": 73,
    "ChildCommandLine": "C:\\Windows\\SysWOW64\\regsvr32.exe /s \"C:\\Windows\\SysWOW64\\PrintConfig.dll\""
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from creating a child process 'ChildImagePathName' with command line 'ChildCommandLine'.

Message #

Process '%2' (PID %5) was blocked from creating a child process '%14' with command line '%16'.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 3,
    "task": 2,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:47.998503+00:00",
    "event_record_id": 3000,
    "correlation": {},
    "execution": {
      "process_id": 6084,
      "thread_id": 6236
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ProcessPathLength": 94,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Windows Defender Advanced Threat Protection\\SenseNdr.exe",
    "ProcessCommandLineLength": 512,
    "ProcessCommandLine": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseNdr.exe\"  \"eyJDbGllbnRWZXIiOiIxMC44MjEwLjIyNjIxLjQ1NyIsIkNvbXBvbmVudHMiOlt7IkFkYXB0ZXJJZCI6Ins4QTE3NjBCNi1EQzk5LTRCOTAtOUM0QS0wMjk2OThFNUFFMjd9IiwiQ2F0ZWdvcnkiOjIsIkRlZmF1bHRHYXRld2F5cyI6W3siQWRkcmVzcyI6IjEwLjIuMTAuMjU0IiwiTUFDIjoiYmM6MjQ6MTE6MjI6NWI6NTcifV0sIkRvbWFpblR5cGUiOjAsIklwQWRkcmVzc2VzIjpbeyJBZGRyZXNzIjoiMTAuMi4xMC4yMSIsIk1BU0siOjI0fV0sIk5ldE5hbWUiOiJOZXR3b3JrIDIiLCJQaHlzaWNhbEFkZHIiOiJiYzI0MTE5YTRkYzIiLCJQa3RNb25JZCI6MSwiUmVnaXN0cn",
    "CallingProcessId": 6084,
    "CallingProcessCreateTime": "2026-03-11T06:27:47.450908Z",
    "CallingProcessStartKey": 4222124650660002,
    "CallingProcessSignatureLevel": 8,
    "CallingProcessSectionSignatureLevel": 8,
    "CallingProcessProtection": 0,
    "CallingThreadId": 6236,
    "CallingThreadCreateTime": "2026-03-11T06:27:47.450927Z",
    "ChildImagePathNameLength": 35,
    "ChildImagePathName": "\\??\\C:\\Windows\\system32\\conhost.exe",
    "ChildCommandLineLength": 55,
    "ChildCommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
  },
  "message": ""
}

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the low-integrity binary 'ImageName'.

Message #

Process '%2' (PID %5) would have been blocked from loading the low-integrity binary '%14'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading the low-integrity binary 'ImageName'.

Message #

Process '%2' (PID %5) was blocked from loading the low-integrity binary '%14'.

Fields #

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocking from loading a binary from a remote share.

Message #

Process '%2' (PID %5) would have been blocking from loading a binary from a remote share.

Fields #

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from loading a binary from a remote share.

Message #

Process '%2' (PID %5) was blocked from loading a binary from a remote share.

Fields #

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making system calls to Win32k.sys.

Message #

Process '%2' (PID %5) would have been blocked from making system calls to Win32k.sys.

Fields #

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from making system calls to Win32k.sys.

Message #

Process '%2' (PID %5) was blocked from making system calls to Win32k.sys.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:55:30.233087+00:00",
    "event_record_id": 194,
    "correlation": {},
    "execution": {
      "process_id": 17736,
      "thread_id": 9464
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 65,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Mozilla Firefox\\firefox.exe",
    "ProcessCommandLineLength": 412,
    "ProcessCommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=7928 -childID 13 -isForBrowser -prefsHandle 7924 -prefMapHandle 7272 -prefsLen 37923 -prefMapSize 235045 -jsInitHandle 1588 -jsInitLen 235336 -parentBuildID 20231019122658 -win32kLockedDown -appDir \"C:\\Program Files\\Mozilla Firefox\\browser\" - {9095c7bc-c09b-4e88-a55a-1b4a7ff727a7} 4148 \"\\\\.\\pipe\\gecko-crash-server-pipe.4148\" 22025387bd0 tab",
    "CallingProcessId": 17736,
    "CallingProcessCreateTime": "2023-11-06T01:55:29.635202Z",
    "CallingProcessStartKey": 3659174697241340,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 9464,
    "CallingThreadCreateTime": "2023-11-06T01:55:29.635208Z"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'.

Message #

Process '%2' (PID %5) would have been blocked from loading the non-Microsoft-signed binary '%16'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'.

Message #

Process '%2' (PID %5) was blocked from loading the non-Microsoft-signed binary '%16'.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 3,
    "task": 6,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:51:38.699135+00:00",
    "event_record_id": 190,
    "correlation": {},
    "execution": {
      "process_id": 18848,
      "thread_id": 20656
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 74,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "ProcessCommandLineLength": 475,
    "ProcessCommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --disable-nacl --origin-trial-disabled-features=WebGPU --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --time-ticks-at-unix-epoch=-1699223515372207 --launch-time-ticks=11971985687 --mojo-platform-channel-handle=7792 --field-trial-handle=1832,i,15435703333515679192,1539963582152160407,262144 /prefetch:1",
    "ProcessId": 18848,
    "ProcessCreateTime": "2023-11-06T01:51:27.394536Z",
    "ProcessStartKey": 3659174697241317,
    "ProcessSignatureLevel": 8,
    "ProcessSectionSignatureLevel": 8,
    "ProcessProtection": 0,
    "TargetThreadId": 20656,
    "TargetThreadCreateTime": "2023-11-06T01:51:27.394551Z",
    "RequiredSignatureLevel": 8,
    "SignatureLevel": 4,
    "ImageNameLength": 51,
    "ImageName": "\\Program Files\\Malwarebytes\\Anti-Malware\\mbae64.dll"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-14-registryevent-key-and-value-rename

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) would have been blocked from accessing the Export Address Table for module '%8'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Export Address Table for module 'MemModuleFullPath'.

Message #

Process '%2' (PID %3) was blocked from accessing the Export Address Table for module '%8'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from accessing the Import Address Table for API 'APIName'.

Message #

Process '%2' (PID %3) would have been blocked from accessing the Import Address Table for API '%10'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) was blocked from accessing the Import Address Table for API 'APIName'.

Message #

Process '%2' (PID %3) was blocked from accessing the Import Address Table for API '%10'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected

Description

Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected

Description

Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) would have been blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-23-filedelete-file-delete-archived

Description

Process 'ProcessPath' (PID ProcessId) was blocked from calling the API 'HookedAPI' due to return-oriented programming (ROP) exploit indications.

Message #

Process '%2' (PID %3) was blocked from calling the API '%4' due to return-oriented programming (ROP) exploit indications.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager

Description

Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch. The process will be allowed to continue execution.

Message #

Process '%2' (PID %5) has encountered a shadow stack return address mismatch. The process will be allowed to continue execution.

Return instruction executed from module '%12'.
Attempting to return to module '%14'.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager

Description

Process 'ProcessPath' (PID ProcessId) has encountered a shadow stack return address mismatch. The process will be terminated.

Message #

Process '%2' (PID %5) has encountered a shadow stack return address mismatch. The process will be terminated.

Return instruction executed from module '%12'.
Attempting to return to module '%14'.

Fields #

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Message #

Process '%2' (PID %5) would have been blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-27-fileblockexecutable

Description

Process 'ProcessPath' (PID ProcessId) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Message #

Process '%2' (PID %5) was blocked from setting context due to instruction pointer validation failure when user-mode shadow stack is enabled.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-28-fileblockshredding

Description

Process 'ProcessPath' (PID ProcessId) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.

Message #

Process '%2' (PID %5) would have been blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.
Process requires binaries to also contain exception handling continuation data: %15

Binary path: %12
Binary compatible with shadow stacks: %13
Binary contains exception handling continuation data: %14

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• Microsoft Learn https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-29-fileexecutabledetected

Description

Process 'ProcessPath' (PID ProcessId) was blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.

Message #

Process '%2' (PID %5) was blocked from loading an image binary due to the binary not being compatible with shadow stacks and/or missing exception handling continuation data.
Process requires binaries to also contain exception handling continuation data: %15

Binary path: %12
Binary compatible with shadow stacks: %13
Binary contains exception handling continuation data: %14

Fields #

Description

Process 'Arguments' (PID Impersonating) would have been blocked from following an untrusted redirection.

Message #

Process '%2' (PID %5) would have been blocked from following an untrusted redirection: 

Binary path: %2
Arguments: %4
Redirection Type: %11
Operation Path: %13
Impersonating: %14

Fields #

Description

Process 'Arguments' (PID Impersonating) was blocked from following an untrusted redirection.

Message #

Process '%2' (PID %5) was blocked from following an untrusted redirection: 

Binary path: %2
Arguments: %4
Redirection Type: %11
Operation Path: %13
Impersonating: %14

Fields #

Description

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be allowed to continue execution because: NonenforcementReason.

Message #

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be allowed to continue execution because: %5.

Return instruction executed from module '%2'.
(Instruction address: %6, module offset: %7)

Attempting to return to module '%4'.
(Instruction address: %9, module offset: %10)

Fields #

Description

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be terminated.

Message #

The system has encountered a kernel-mode shadow stack return address mismatch. The system will be terminated.

Return instruction executed from module '%2'.
(Instruction address: %6, module offset: %7)

Attempting to return to module '%4'.
(Instruction address: %9, module offset: %10)

Fields #

Description

Process 'ProcessPath' (PID CallingProcessId) would have been blocked from making the NtFsControlFile system call.

Message #

Process '%2' (PID %5) would have been blocked from making the NtFsControlFile system call.

Fields #

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from making the NtFsControlFile system call.

Message #

Process '%2' (PID %5) was blocked from making the NtFsControlFile system call.

Fields #