Microsoft-Windows-SecurityMitigationsBroker

30 events across 3 channels

| Event ID | Title | Channel |
|---|---|---|
| 1001 | | Perf |
| 1002 | | Perf |
| 1003 | Failed to get the COM call context. | Operational |
| 1004 | Failed to get the calling process information. | Operational |
| 1005 | Failed to get the DX adapter driver capabilities. | Operational |
| 1006 | ACG status of the DX adapter driver, AdapterId=. | Admin |
| 1007 | Failed to get the mitigation status of the calling proces. | Operational |
| 1008 | Failed to set the mitigation status of the calling proces. | Operational |
| 1009 | Calling process ACG status, AdapterId=. | Admin |
| 1010 | Calling process is in ACG telemetry mode. | Admin |
| 1011 | Calling process is not in an AppContainer. | Admin |
| 1012 | Failed to adjust the calling process ACG status for the reported DX adapter … | Operational |
| 1013 | Finished applying the security protection policies for the reported DX adapter … | Admin |
| 1014 | Calling process does not have ACG turned on. | Admin |
| 1015 | ACG will be turned off for the calling process due to unsupportive DX adapter … | Admin |
| 1016 | Failed to create the DX object factory. | Operational |
| 1017 | Failed to enumerate the DX adapters. | Operational |
| 1018 | Failed to query the descriptor for the adapter id. | Operational |
| 1019 | Enumerated a DX adapter. | Admin |
| 1020 | Calling process uses the software rendering adapter. | Admin |
| 1021 | Failed to query the IDXGIAdapter2 interface from the enumerated adapter. | Operational |
| 1022 | Encountered a DX adapter that does not support ACG. | Admin |
| 1023 | Forced ACG on the DX Adapter which uses a WDDM 2. | Admin |
| 1024 | Calling process does not allow remote ACG downgrade. | Admin |
| 1025 | Remote downgrade is disabled through settings. | Admin |
| 1026 | Non-primary adapter ID is supplied. | Admin |
| 1027 | Remote downgrade is rejected since software rendering only policy is set. | Admin |
| 1028 | | Perf |
| 1029 | | Perf |
| 1030 | DisableAcgEnforcement is not enabled on current architecture. | Admin |

Event ID 1001 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf

Event ID 1002 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf

Event ID 1003 — Failed to get the COM call context.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to get the COM call context. AdapterId=%1, ErrorCode=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ErrorCode | |

Event ID 1004 — Failed to get the calling process information.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to get the calling process information. AdapterId=%1, ErrorCode=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ErrorCode | |

Event ID 1005 — Failed to get the DX adapter driver capabilities.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to get the DX adapter driver capabilities. AdapterId=%1, ErrorCode=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ErrorCode | |

Event ID 1006 — ACG status of the DX adapter driver, AdapterId=.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

ACG status of the DX adapter driver, AdapterId=%1, capability=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ACGState | |

Event ID 1007 — Failed to get the mitigation status of the calling proces.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to get the mitigation status of the calling proces. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1008 — Failed to set the mitigation status of the calling proces.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to set the mitigation status of the calling proces. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1009 — Calling process ACG status, AdapterId=.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Calling process ACG status, AdapterId=%1, ProcessId=%2, ACG status=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ACGState | |

Event ID 1010 — Calling process is in ACG telemetry mode.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Calling process is in ACG telemetry mode. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1011 — Calling process is not in an AppContainer.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Calling process is not in an AppContainer. Driver=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1012 — Failed to adjust the calling process ACG status for the reported DX adapter change event.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to adjust the calling process ACG status for the reported DX adapter change event. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1013 — Finished applying the security protection policies for the reported DX adapter change event.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Finished applying the security protection policies for the reported DX adapter change event. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1014 — Calling process does not have ACG turned on.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Calling process does not have ACG turned on. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1015 — ACG will be turned off for the calling process due to unsupportive DX adapter driver.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

ACG will be turned off for the calling process due to unsupportive DX adapter driver. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1016 — Failed to create the DX object factory.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to create the DX object factory. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1017 — Failed to enumerate the DX adapters.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to enumerate the DX adapters. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1018 — Failed to query the descriptor for the adapter id.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to query the descriptor for the adapter id. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1019 — Enumerated a DX adapter.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Enumerated a DX adapter. AdapterId=%1, enumerated AdapterId=%2, ProcessId=%3

Fields

| Name | Description |
|---|---|
| DriverId1 | |
| DriverId2 | |
| ProcessId | |

Event ID 1020 — Calling process uses the software rendering adapter.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Calling process uses the software rendering adapter. Driver=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1021 — Failed to query the IDXGIAdapter2 interface from the enumerated adapter.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational

Message

Failed to query the IDXGIAdapter2 interface from the enumerated adapter. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |
| ErrorCode | |

Event ID 1022 — Encountered a DX adapter that does not support ACG.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Encountered a DX adapter that does not support ACG. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields

| Name | Description |
|---|---|
| Description | |
| VendorId | |
| DeviceId | |
| DriverId | |
| ProcessId | |

Event ID 1023 — Forced ACG on the DX Adapter which uses a WDDM 2.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Forced ACG on the DX Adapter which uses a WDDM 2.0 and above driver from a supported vendor. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields

| Name | Description |
|---|---|
| Description | |
| VendorId | |
| DeviceId | |
| DriverId | |
| ProcessId | |

Event ID 1024 — Calling process does not allow remote ACG downgrade.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Calling process does not allow remote ACG downgrade. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1025 — Remote downgrade is disabled through settings.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Remote downgrade is disabled through settings. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1026 — Non-primary adapter ID is supplied.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Non-primary adapter ID is supplied. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields

| Name | Description |
|---|---|
| Description | |
| VendorId | |
| DeviceId | |
| DriverId | |
| ProcessId | |

Event ID 1027 — Remote downgrade is rejected since software rendering only policy is set.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

Remote downgrade is rejected since software rendering only policy is set. AdapterId=%1, ProcessId=%2

Fields

| Name | Description |
|---|---|
| DriverId | |
| ProcessId | |

Event ID 1028 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf

Event ID 1029 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf

Event ID 1030 — DisableAcgEnforcement is not enabled on current architecture.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin

Message

DisableAcgEnforcement is not enabled on current architecture. ModuleName=%1

Fields

| Name | Description |
|---|---|
| ModuleName | |