Microsoft-Windows-SystemDataArchiver

4 events across 1 channel

Event ID	Title	Channel
2049		Diagnostic
2050		Diagnostic
2051		Diagnostic
2052		Diagnostic

Event ID 2049 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic
Level: 5
Samples: 1

Fields

Name	Description
`LogString`	—

Example Event

system:
  provider: Microsoft-Windows-SystemDataArchiver
  guid: 4389F802-0C4F-56D0-63C6-D77DB206D237
  event_source_name: ''
  event_id: 2049
  version: 0
  level: 5
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:43:34.840798+00:00'
  event_record_id: 6110
  correlation:
    ActivityID: CACE61E7-00AC-4858-AC64-C0736A8F99E6
  execution:
    process_id: 3500
    thread_id: 1644
  channel: Microsoft-Windows-SystemDataArchiver/Diagnostic
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  LogString: '[SDP Network] Skipping result(no name) \Network Adapter(WAN Miniport
    [Network Monitor])\Bytes Total/sec = 0.000'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2050 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic
Level: 4
Samples: 1

Fields

Name	Description
`LogString`	—

Example Event

system:
  provider: Microsoft-Windows-SystemDataArchiver
  guid: 4389F802-0C4F-56D0-63C6-D77DB206D237
  event_source_name: ''
  event_id: 2050
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:44:00.315873+00:00'
  event_record_id: 6146
  correlation:
    ActivityID: CACE61E7-00AC-4858-AC64-C0736A8F99E6
  execution:
    process_id: 3500
    thread_id: 4712
  channel: Microsoft-Windows-SystemDataArchiver/Diagnostic
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  LogString: '[SDP Base]  SRUM calling FreeMemory for provider data type 1 into provider
    Physical Disk Provider.'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2051 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic
Level: 3
Samples: 1

Fields

Name	Description
`LogString`	—

Example Event

system:
  provider: Microsoft-Windows-SystemDataArchiver
  guid: 4389F802-0C4F-56D0-63C6-D77DB206D237
  event_source_name: ''
  event_id: 2051
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:44:00.315636+00:00'
  event_record_id: 6131
  correlation:
    ActivityID: CACE61E7-00AC-4858-AC64-C0736A8F99E6
  execution:
    process_id: 3500
    thread_id: 2080
  channel: Microsoft-Windows-SystemDataArchiver/Diagnostic
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  LogString: '[VolumeQuery] IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS failed with error
    1 for volume path ''\\?\Volume{61e10b73-b69a-11ec-9774-806e6f6e6963}\'', skipping
    query of its disks.'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2052 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic

Fields

Name	Description
`LogString`	—