
Event ID 10 — Process 'ProcessPath' (PID CallingProcessId) was blocked from making system calls to Win32k.

Provider: Microsoft-Windows-Security-Mitigations
Channel: KernelMode
Level: Warning
Collection Priority: Recommended (JSCU-NL)
Task: KERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLS

Description

Process 'ProcessPath' (PID CallingProcessId) was blocked from making system calls to Win32k.sys.

Message

Process '%2' (PID %5) was blocked from making system calls to Win32k.sys.

Fields

Name                                   Type
ProcessPathLength                      UInt16
ProcessPath                            UnicodeString
ProcessCommandLineLength               UInt16
ProcessCommandLine                     UnicodeString
CallingProcessId                       UInt32
CallingProcessCreateTime               FILETIME
CallingProcessStartKey                 UInt64
CallingProcessSignatureLevel           UInt8
CallingProcessSectionSignatureLevel    UInt8
CallingProcessProtection               UInt8
CallingThreadId                        UInt32
CallingThreadCreateTime                FILETIME

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Mitigations",
    "guid": "FAE10392-F0AF-4AC0-B8FF-9F4D920C3CDF",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 3,
    "task": 5,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:55:30.233087+00:00",
    "event_record_id": 194,
    "correlation": {},
    "execution": {
      "process_id": 17736,
      "thread_id": 9464
    },
    "channel": "Microsoft-Windows-Security-Mitigations/KernelMode",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "ProcessPathLength": 65,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Mozilla Firefox\\firefox.exe",
    "ProcessCommandLineLength": 412,
    "ProcessCommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=7928 -childID 13 -isForBrowser -prefsHandle 7924 -prefMapHandle 7272 -prefsLen 37923 -prefMapSize 235045 -jsInitHandle 1588 -jsInitLen 235336 -parentBuildID 20231019122658 -win32kLockedDown -appDir \"C:\\Program Files\\Mozilla Firefox\\browser\" - {9095c7bc-c09b-4e88-a55a-1b4a7ff727a7} 4148 \"\\\\.\\pipe\\gecko-crash-server-pipe.4148\" 22025387bd0 tab",
    "CallingProcessId": 17736,
    "CallingProcessCreateTime": "2023-11-06T01:55:29.635202Z",
    "CallingProcessStartKey": 3659174697241340,
    "CallingProcessSignatureLevel": 2,
    "CallingProcessSectionSignatureLevel": 2,
    "CallingProcessProtection": 0,
    "CallingThreadId": 9464,
    "CallingThreadCreateTime": "2023-11-06T01:55:29.635208Z"
  },
  "message": ""
}
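An added triage helper for this event (example code, not part of this reference page or of Windows): it parses the example event above, normalises the NT device path in ProcessPath so it can be matched against drive-letter paths from other telemetry, checks the ETW execution context against CallingProcessId/CallingThreadId, validates the *Length fields against their strings (65 and 412 in the example), and flags images outside a hypothetical allowlist of processes expected to run with the Win32k system-call filter enabled.

```python
import json

# Constructed sample: the documented example event above, trimmed to the fields used here.
SAMPLE_EVENT_JSON = r'''{
  "system": {"provider": "Microsoft-Windows-Security-Mitigations", "event_id": 10,
             "execution": {"process_id": 17736, "thread_id": 9464}},
  "event_data": {
    "ProcessPathLength": 65,
    "ProcessPath": "\\Device\\HarddiskVolume4\\Program Files\\Mozilla Firefox\\firefox.exe",
    "ProcessCommandLineLength": 412,
    "ProcessCommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=7928 -childID 13 -isForBrowser -prefsHandle 7924 -prefMapHandle 7272 -prefsLen 37923 -prefMapSize 235045 -jsInitHandle 1588 -jsInitLen 235336 -parentBuildID 20231019122658 -win32kLockedDown -appDir \"C:\\Program Files\\Mozilla Firefox\\browser\" - {9095c7bc-c09b-4e88-a55a-1b4a7ff727a7} 4148 \"\\\\.\\pipe\\gecko-crash-server-pipe.4148\" 22025387bd0 tab",
    "CallingProcessId": 17736,
    "CallingThreadId": 9464
  }
}'''

# Hypothetical, organisation-specific allowlist of image names expected to run with the
# Win32k system-call filter enabled (browser content/sandbox processes); others get reviewed.
EXPECTED_LOCKED_DOWN = {"firefox.exe", "msedge.exe", "chrome.exe"}
DEVICE_PREFIX = "\\Device\\HarddiskVolume"

def strip_device_path(nt_path):
    """ProcessPath is an NT device path, not a drive-letter path. Drop the volume prefix so
    the remainder can be compared with paths from other telemetry (Sysmon, EDR, Security log)."""
    if not nt_path.startswith(DEVICE_PREFIX):
        return nt_path
    rest = nt_path[len(DEVICE_PREFIX):]            # e.g. "4\Program Files\..."
    return rest[rest.find("\\"):] if "\\" in rest else ""

def triage_event_10(event):
    # Accepts the event as a JSON string or an already-parsed dict; returns None if not Event 10.
    ev = json.loads(event) if isinstance(event, str) else event
    sysp, data = ev["system"], ev["event_data"]
    if sysp["provider"] != "Microsoft-Windows-Security-Mitigations" or sysp["event_id"] != 10:
        return None
    image = data["ProcessPath"].rsplit("\\", 1)[-1].lower()
    findings = []
    if image not in EXPECTED_LOCKED_DOWN:
        findings.append("image not in the lockdown allowlist")
    # The event is raised in the blocked process's own context, so the ETW execution PID/TID
    # should match CallingProcessId/CallingThreadId; a mismatch deserves a closer look.
    exe = sysp["execution"]
    if (exe["process_id"], exe["thread_id"]) != (data["CallingProcessId"], data["CallingThreadId"]):
        findings.append("execution context differs from CallingProcessId/CallingThreadId")
    # In the documented example each *Length field equals the character count of its string
    # (65 and 412); use that as a sanity check for truncated or mangled records.
    for name in ("ProcessPath", "ProcessCommandLine"):
        if len(data[name]) != data[name + "Length"]:
            findings.append(f"{name}Length disagrees with {name}")
    return {"image": image, "path": strip_device_path(data["ProcessPath"]),
            "pid": data["CallingProcessId"], "findings": findings,
            "severity": "review" if findings else "info"}
```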
