Microsoft-Windows-Setup
6 events across 2 channels
| Event ID | Title | Channel |
|---|---|---|
| 1001 | Setup phase SetupPhase started. | Analytic |
| 1002 | Setup phase completed with status ErrorCode. | Analytic |
| 2001 | Sysprep specialize started. | Analytic |
| 2002 | Sysprep specialize completed with status ErrorCode. | Analytic |
| 2003 | Successfully logged Setup information | System |
| 2004 | Successfully logged OS information | System |
Event ID 1001 — Setup phase SetupPhase started.
Event ID 1002 — Setup phase completed with status ErrorCode.
Event ID 2001 — Sysprep specialize started.
Description
Sysprep specialize started.
Message #
Event ID 2002 — Sysprep specialize completed with status ErrorCode.
Event ID 2003 — Successfully logged Setup information
#Description
Successfully logged Setup information.
Message #
Fields #
| Name | Description |
|---|---|
HostOSName UnicodeString | — |
Installwasanupgrade Boolean | — |
HostOSwasWindowsPE Boolean | — |
HostOSmajorversion UInt32 | — |
HostOSminorversion UInt32 | — |
HostOSbuildversion UInt32 | — |
HostOSservicepackName UnicodeString | — |
HostOSservicepackmajorversion UInt32 | — |
HostOSservicepackminorversion UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Setup",
"guid": "75EBC33E-997F-49CF-B49F-ECC50184B75D",
"event_source_name": "",
"event_id": 2003,
"version": 0,
"level": 4,
"task": 3000,
"opcode": 0,
"keywords": 2305983746702049280,
"time_created": "2022-04-07T16:45:05.982246+00:00",
"event_record_id": 152,
"correlation": {
"ActivityID": "C1DC836A-4A9E-0000-4C8D-DCC19E4AD801"
},
"execution": {
"process_id": 1132,
"thread_id": 1136
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HostOSName": "Windows (TM) 10 Preinstallation Environment",
"Installwasanupgrade": false,
"HostOSwasWindowsPE": true,
"HostOSmajorversion": 10,
"HostOSminorversion": 0,
"HostOSbuildversion": 20348,
"HostOSservicepackName": "",
"HostOSservicepackmajorversion": 0,
"HostOSservicepackminorversion": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 2004 — Successfully logged OS information
#Description
Successfully logged OS information.
Message #
Fields #
| Name | Description |
|---|---|
OSName UnicodeString | — |
OSEditionID UnicodeString | — |
OSmajorversion UInt32 | — |
OSminorversion UInt32 | — |
OSbuildversion UInt32 | — |
OSservicepackName UnicodeString | — |
OSservicepackmajorversion UInt32 | — |
OSservicepackminorversion UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Setup",
"guid": "75EBC33E-997F-49CF-B49F-ECC50184B75D",
"event_source_name": "",
"event_id": 2004,
"version": 0,
"level": 4,
"task": 4000,
"opcode": 0,
"keywords": 2305913377957871616,
"time_created": "2023-11-06T06:23:39.584525+00:00",
"event_record_id": 1619,
"correlation": {
"ActivityID": "626F7C94-1079-0001-3790-6F627910DA01"
},
"execution": {
"process_id": 1416,
"thread_id": 1420
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OSName": "Windows 10 Enterprise Evaluation",
"OSEditionID": "EnterpriseEval",
"OSmajorversion": 10,
"OSminorversion": 0,
"OSbuildversion": 22621,
"OSservicepackName": "",
"OSservicepackmajorversion": 0,
"OSservicepackminorversion": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx