Microsoft-Windows-Setup

6 events across 2 channels

Event ID	Title	Channel
1001	Setup phase %1 started.	Analytic
1002	Setup phase completed with status %1.	Analytic
2001	Sysprep specialize started.	Analytic
2002	Sysprep specialize completed with status %1.	Analytic
2003	Successfully logged Setup information	System
2004	Successfully logged OS information	System

Event ID 1001 — Setup phase %1 started.

Provider: Microsoft-Windows-Setup
Channel: Analytic

Message

Setup phase %1 started.

Fields

Name	Description
`SetupPhase`	—

Event ID 1002 — Setup phase completed with status %1.

Provider: Microsoft-Windows-Setup
Channel: Analytic

Message

Setup phase completed with status %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 2001 — Sysprep specialize started.

Provider: Microsoft-Windows-Setup
Channel: Analytic

Message

Sysprep specialize started.

Event ID 2002 — Sysprep specialize completed with status %1.

Provider: Microsoft-Windows-Setup
Channel: Analytic

Message

Sysprep specialize completed with status %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 2003 — Successfully logged Setup information

Provider: Microsoft-Windows-Setup
Channel: System
Level: 4
Samples: 1

Message

Successfully logged Setup information

Fields

Name	Description
`HostOSName`	—
`Installwasanupgrade`	—
`HostOSwasWindowsPE`	—
`HostOSmajorversion`	—
`HostOSminorversion`	—
`HostOSbuildversion`	—
`HostOSservicepackName`	—
`HostOSservicepackmajorversion`	—
`HostOSservicepackminorversion`	—

Example Event

system:
  provider: Microsoft-Windows-Setup
  guid: 75EBC33E-997F-49CF-B49F-ECC50184B75D
  event_source_name: ''
  event_id: 2003
  version: 0
  level: 4
  task: 3000
  opcode: 0
  keywords: 2305983746702049280
  time_created: '2022-04-07T16:45:05.982246+00:00'
  event_record_id: 152
  correlation:
    ActivityID: C1DC836A-4A9E-0000-4C8D-DCC19E4AD801
  execution:
    process_id: 1132
    thread_id: 1136
  channel: System
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  HostOSName: Windows (TM) 10 Preinstallation Environment
  Installwasanupgrade: false
  HostOSwasWindowsPE: true
  HostOSmajorversion: 10
  HostOSminorversion: 0
  HostOSbuildversion: 20348
  HostOSservicepackName: ''
  HostOSservicepackmajorversion: 0
  HostOSservicepackminorversion: 0
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 2004 — Successfully logged OS information

Provider: Microsoft-Windows-Setup
Channel: System
Level: 4
Samples: 1

Message

Successfully logged OS information

Fields

Name	Description
`OSName`	—
`OSEditionID`	—
`OSmajorversion`	—
`OSminorversion`	—
`OSbuildversion`	—
`OSservicepackName`	—
`OSservicepackmajorversion`	—
`OSservicepackminorversion`	—

Example Event

system:
  provider: Microsoft-Windows-Setup
  guid: 75EBC33E-997F-49CF-B49F-ECC50184B75D
  event_source_name: ''
  event_id: 2004
  version: 0
  level: 4
  task: 4000
  opcode: 0
  keywords: 2305913377957871616
  time_created: '2023-11-06T06:23:39.584525+00:00'
  event_record_id: 1619
  correlation:
    ActivityID: 626F7C94-1079-0001-3790-6F627910DA01
  execution:
    process_id: 1416
    thread_id: 1420
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  OSName: Windows 10 Enterprise Evaluation
  OSEditionID: EnterpriseEval
  OSmajorversion: 10
  OSminorversion: 0
  OSbuildversion: 22621
  OSservicepackName: ''
  OSservicepackmajorversion: 0
  OSservicepackminorversion: 0
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx