Event ID 28117 — Shortcut for application Name with ID AppID and flags Flags is updated in app resolver cache.

Provider: Microsoft-Windows-Shell-Core
Channel: Operational
Level: Informational
Task: Shell32_AppResolverCache_UpdateShortcut

Description

Shortcut for application Name with ID AppID and flags Flags is updated in app resolver cache.

Message #

Shortcut for application %1 with ID %2 and flags %3 is updated in app resolver cache.

Fields #

Name	Description
`Name` UnicodeString	—
`AppID` UnicodeString	—
`Flags` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Shell-Core",
    "guid": "30336ED4-E327-447C-9DE0-51B652C86108",
    "event_source_name": "",
    "event_id": 28117,
    "version": 0,
    "level": 4,
    "task": 28143,
    "opcode": 0,
    "keywords": 2305843009213759488,
    "time_created": "2023-11-06T00:55:14.841614+00:00",
    "event_record_id": 2815,
    "correlation": {},
    "execution": {
      "process_id": 10860,
      "thread_id": 17252
    },
    "channel": "Microsoft-Windows-Shell-Core/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Name": "Avast Free Antivirus",
    "AppID": "avast! Antivirus",
    "Flags": 17
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline