Microsoft-Windows-SecurityMitigationsBroker

30 events across 3 channels

| Event ID | Title | Channel |
|---|---|---|
| 1001 | | Perf |
| 1002 | | Perf |
| 1003 | Failed to get the COM call context. | Operational |
| 1004 | Failed to get the calling process information. | Operational |
| 1005 | Failed to get the DX adapter driver capabilities. | Operational |
| 1006 | ACG status of the DX adapter driver, AdapterId=DriverId, capability=ACGState. | Admin |
| 1007 | Failed to get the mitigation status of the calling proces. | Operational |
| 1008 | Failed to set the mitigation status of the calling proces. | Operational |
| 1009 | Calling process ACG status, AdapterId=DriverId, ProcessId=ProcessId, ACG … | Admin |
| 1010 | Calling process is in ACG telemetry mode. | Admin |
| 1011 | Calling process is not in an AppContainer. | Admin |
| 1012 | Failed to adjust the calling process ACG status for the reported DX adapter … | Operational |
| 1013 | Finished applying the security protection policies for the reported DX adapter … | Admin |
| 1014 | Calling process does not have ACG turned on. | Admin |
| 1015 | ACG will be turned off for the calling process due to unsupportive DX adapter … | Admin |
| 1016 | Failed to create the DX object factory. | Operational |
| 1017 | Failed to enumerate the DX adapters. | Operational |
| 1018 | Failed to query the descriptor for the adapter id. | Operational |
| 1019 | Enumerated a DX adapter. | Admin |
| 1020 | Calling process uses the software rendering adapter. | Admin |
| 1021 | Failed to query the IDXGIAdapter2 interface from the enumerated adapter. | Operational |
| 1022 | Encountered a DX adapter that does not support ACG. | Admin |
| 1023 | Forced ACG on the DX Adapter which uses a WDDM 2. | Admin |
| 1024 | Calling process does not allow remote ACG downgrade. | Admin |
| 1025 | Remote downgrade is disabled through settings. | Admin |
| 1026 | Non-primary adapter ID is supplied. | Admin |
| 1027 | Remote downgrade is rejected since software rendering only policy is set. | Admin |
| 1028 | | Perf |
| 1029 | | Perf |
| 1030 | DisableAcgEnforcement is not enabled on current architecture. | Admin |

Event ID 1001 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate
Opcode
Start

Event ID 1002 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate
Opcode
Stop

Event ID 1003 — Failed to get the COM call context.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the COM call context. AdapterId=DriverId, ErrorCode=ErrorCode.

Message

Failed to get the COM call context. AdapterId=%1, ErrorCode=%2

Fields

Name Description
DriverId UInt64
ErrorCode UInt32

Event ID 1004 — Failed to get the calling process information.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the calling process information. AdapterId=DriverId, ErrorCode=ErrorCode.

Message

Failed to get the calling process information. AdapterId=%1, ErrorCode=%2

Fields

Name Description
DriverId UInt64
ErrorCode UInt32

Event ID 1005 — Failed to get the DX adapter driver capabilities.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the DX adapter driver capabilities. AdapterId=DriverId, ErrorCode=ErrorCode.

Message

Failed to get the DX adapter driver capabilities. AdapterId=%1, ErrorCode=%2

Fields

Name Description
DriverId UInt64
ErrorCode UInt32

Event ID 1006 — ACG status of the DX adapter driver, AdapterId=DriverId, capability=ACGState.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

ACG status of the DX adapter driver, AdapterId=DriverId, capability=ACGState.

Message

ACG status of the DX adapter driver, AdapterId=%1, capability=%2

Fields

Name Description
DriverId UInt64
ACGState UInt32

Event ID 1007 — Failed to get the mitigation status of the calling proces.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the mitigation status of the calling proces. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to get the mitigation status of the calling proces. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1008 — Failed to set the mitigation status of the calling proces.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to set the mitigation status of the calling proces. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to set the mitigation status of the calling proces. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1009 — Calling process ACG status, AdapterId=DriverId, ProcessId=ProcessId, ACG status=ACGState.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process ACG status, AdapterId=DriverId, ProcessId=ProcessId, ACG status=ACGState.

Message

Calling process ACG status, AdapterId=%1, ProcessId=%2, ACG status=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ACGState UInt32

Event ID 1010 — Calling process is in ACG telemetry mode.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process is in ACG telemetry mode. AdapterId=DriverId, ProcessId=ProcessId.

Message

Calling process is in ACG telemetry mode. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1011 — Calling process is not in an AppContainer.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process is not in an AppContainer. Driver=DriverId, ProcessId=ProcessId.

Message

Calling process is not in an AppContainer. Driver=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1012 — Failed to adjust the calling process ACG status for the reported DX adapter change event.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to adjust the calling process ACG status for the reported DX adapter change event. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to adjust the calling process ACG status for the reported DX adapter change event. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1013 — Finished applying the security protection policies for the reported DX adapter change event.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Finished applying the security protection policies for the reported DX adapter change event. AdapterId=DriverId, ProcessId=ProcessId.

Message

Finished applying the security protection policies for the reported DX adapter change event. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1014 — Calling process does not have ACG turned on.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process does not have ACG turned on. AdapterId=DriverId, ProcessId=ProcessId.

Message

Calling process does not have ACG turned on. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1015 — ACG will be turned off for the calling process due to unsupportive DX adapter driver.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

ACG will be turned off for the calling process due to unsupportive DX adapter driver. AdapterId=DriverId, ProcessId=ProcessId.

Message

ACG will be turned off for the calling process due to unsupportive DX adapter driver. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1016 — Failed to create the DX object factory.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to create the DX object factory. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to create the DX object factory. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1017 — Failed to enumerate the DX adapters.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to enumerate the DX adapters. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to enumerate the DX adapters. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1018 — Failed to query the descriptor for the adapter id.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to query the descriptor for the adapter id. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to query the descriptor for the adapter id. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1019 — Enumerated a DX adapter.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Enumerated a DX adapter. AdapterId=DriverId1, enumerated AdapterId=DriverId2, ProcessId=ProcessId.

Message

Enumerated a DX adapter. AdapterId=%1, enumerated AdapterId=%2, ProcessId=%3

Fields

Name Description
DriverId1 UInt64
DriverId2 UInt64
ProcessId UInt32

Event ID 1020 — Calling process uses the software rendering adapter.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process uses the software rendering adapter. Driver=DriverId, ProcessId=ProcessId.

Message

Calling process uses the software rendering adapter. Driver=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1021 — Failed to query the IDXGIAdapter2 interface from the enumerated adapter.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Operational
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to query the IDXGIAdapter2 interface from the enumerated adapter. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message

Failed to query the IDXGIAdapter2 interface from the enumerated adapter. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields

Name Description
DriverId UInt64
ProcessId UInt32
ErrorCode UInt32

Event ID 1022 — Encountered a DX adapter that does not support ACG.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Encountered a DX adapter that does not support ACG. Description:Description, VendorId:VendorId, DeviceId:DeviceId, AdapterId=DriverId, ProcessId=ProcessId.

Message

Encountered a DX adapter that does not support ACG. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields

Name Description
Description UnicodeString
VendorId UInt32
DeviceId UInt32
DriverId UInt64
ProcessId UInt32

Event ID 1023 — Forced ACG on the DX Adapter which uses a WDDM 2.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Forced ACG on the DX Adapter which uses a WDDM 2.0 and above driver from a supported vendor. Description:Description, VendorId:VendorId, DeviceId:DeviceId, AdapterId=DriverId, ProcessId=ProcessId.

Message

Forced ACG on the DX Adapter which uses a WDDM 2.0 and above driver from a supported vendor. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields

Name Description
Description UnicodeString
VendorId UInt32
DeviceId UInt32
DriverId UInt64
ProcessId UInt32

Event ID 1024 — Calling process does not allow remote ACG downgrade.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process does not allow remote ACG downgrade. AdapterId=DriverId, ProcessId=ProcessId.

Message

Calling process does not allow remote ACG downgrade. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1025 — Remote downgrade is disabled through settings.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Remote downgrade is disabled through settings. AdapterId=DriverId, ProcessId=ProcessId.

Message

Remote downgrade is disabled through settings. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1026 — Non-primary adapter ID is supplied.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Non-primary adapter ID is supplied. Description:Description, VendorId:VendorId, DeviceId:DeviceId, AdapterId=DriverId, ProcessId=ProcessId.

Message

Non-primary adapter ID is supplied. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields

Name Description
Description UnicodeString
VendorId UInt32
DeviceId UInt32
DriverId UInt64
ProcessId UInt32

Event ID 1027 — Remote downgrade is rejected since software rendering only policy is set.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Remote downgrade is rejected since software rendering only policy is set. AdapterId=DriverId, ProcessId=ProcessId.

Message

Remote downgrade is rejected since software rendering only policy is set. AdapterId=%1, ProcessId=%2

Fields

Name Description
DriverId UInt64
ProcessId UInt32

Event ID 1028 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf
Task
SecurityMitigationsBroker.Task.DisableAcgEnforcement
Opcode
Start

Event ID 1029 —

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Perf
Task
SecurityMitigationsBroker.Task.DisableAcgEnforcement
Opcode
Stop

Event ID 1030 — DisableAcgEnforcement is not enabled on current architecture.

Provider
Microsoft-Windows-SecurityMitigationsBroker
Channel
Admin
Task
SecurityMitigationsBroker.Task.DisableAcgEnforcement

Description

DisableAcgEnforcement is not enabled on current architecture. ModuleName=ModuleName.

Message

DisableAcgEnforcement is not enabled on current architecture. ModuleName=%1

Fields

Name Description
ModuleName UnicodeString