Microsoft-Windows-Services

15 events across 1 channel

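| Event ID | Title | Channel |
| --- | --- | --- |
| 101 | | Diagnostic |
| 102 | | Diagnostic |
| 103 | | Diagnostic |
| 104 | | Diagnostic |
| 105 | | Diagnostic |
| 106 | | Diagnostic |
| 107 | | Diagnostic |
| 108 | | Diagnostic |
| 109 | | Diagnostic |
| 200 | | Diagnostic |
| 201 | | Diagnostic |
| 202 | | Diagnostic |
| 203 | | Diagnostic |
| 204 | | Diagnostic |
| 205 | | Diagnostic |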

Event ID 101 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
Autostart
Opcode
Start

Event ID 102 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
Autostart
Opcode
Stop

Event ID 103 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
StartingGroup
Opcode
Start

Fields

Name  Description
GroupName UnicodeString

Event ID 104 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
StartingGroup
Opcode
Stop

Fields

Name  Description
GroupName UnicodeString

Event ID 105 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
ServiceStatusChange
Opcode
StatusChange

Fields

Name  Description
ExecutionPhase UInt32
CurrentState UInt32
StartType UInt32
  Known values: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
PID UInt32
ServiceName UnicodeString
ImageName UnicodeString

Event ID 106 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
PerfCriticalAutostart
Opcode
Start

Event ID 107 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
PerfCriticalAutostart
Opcode
Stop

Event ID 108 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
WaitForLsa
Opcode
Start

Event ID 109 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
WaitForLsa
Opcode
Stop

Event ID 200 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
SendControl

Fields

Name  Description
ServiceName UnicodeString
DisplayName UnicodeString
ControlCode UInt32
ClientProcessStartKey UInt64
ClientProcessId UInt32
ParentProcessId UInt32

Event ID 201 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
ServiceConfigChange

Fields

Name  Description
ServiceName UnicodeString
NewStartType UInt32
ClientProcessStartKey UInt64
ClientProcessId UInt32
ParentProcessId UInt32

Event ID 202 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
ServiceConfigChange

Fields

Name  Description
ServiceName UnicodeString
NewValueName UnicodeString
ClientProcessStartKey UInt64
ClientProcessId UInt32
ParentProcessId UInt32

Event ID 203 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
ServiceConfigChange

Fields

Name  Description
ServiceName UnicodeString
NewValueName UnicodeString
ClientProcessStartKey UInt64
ClientProcessId UInt32
ParentProcessId UInt32

Event ID 204 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
ServiceStart

Fields

Name  Description
ServiceName UnicodeString
ServiceHostName UnicodeString
ClientProcessStartKey UInt64
ClientProcessId UInt32
ParentProcessId UInt32

Event ID 205 —

Provider
Microsoft-Windows-Services
Channel
Diagnostic
Task
ServiceStart

Fields

Name  Description
ServiceName UnicodeString
LoadOrderGroup UnicodeString
SvchostGroup UnicodeString
IsCritical Boolean
IsUserService Boolean
IsOwnProcess Boolean
ClientProcessStartKey UInt64
ClientProcessId UInt32
ParentProcessId UInt32