Microsoft-Windows-SystemDataArchiver

4 events across 1 channel

Event ID	Title	Channel
2049		Diagnostic
2050		Diagnostic
2051		Diagnostic
2052		Diagnostic

Event ID 2049 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic
Level: Verbose

Fields #

Name	Description
`LogString` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SystemDataArchiver",
    "guid": "4389F802-0C4F-56D0-63C6-D77DB206D237",
    "event_source_name": "",
    "event_id": 2049,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:43:34.840798+00:00",
    "event_record_id": 6110,
    "correlation": {
      "ActivityID": "CACE61E7-00AC-4858-AC64-C0736A8F99E6"
    },
    "execution": {
      "process_id": 3500,
      "thread_id": 1644
    },
    "channel": "Microsoft-Windows-SystemDataArchiver/Diagnostic",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "LogString": "[SDP Network] Skipping result(no name) \\Network Adapter(WAN Miniport [Network Monitor])\\Bytes Total/sec = 0.000"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2050 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic
Level: Informational

Fields #

Name	Description
`LogString` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SystemDataArchiver",
    "guid": "4389F802-0C4F-56D0-63C6-D77DB206D237",
    "event_source_name": "",
    "event_id": 2050,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:44:00.315873+00:00",
    "event_record_id": 6146,
    "correlation": {
      "ActivityID": "CACE61E7-00AC-4858-AC64-C0736A8F99E6"
    },
    "execution": {
      "process_id": 3500,
      "thread_id": 4712
    },
    "channel": "Microsoft-Windows-SystemDataArchiver/Diagnostic",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "LogString": "[SDP Base]  SRUM calling FreeMemory for provider data type 1 into provider Physical Disk Provider."
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2051 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic
Level: Warning

Fields #

Name	Description
`LogString` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SystemDataArchiver",
    "guid": "4389F802-0C4F-56D0-63C6-D77DB206D237",
    "event_source_name": "",
    "event_id": 2051,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:44:00.315636+00:00",
    "event_record_id": 6131,
    "correlation": {
      "ActivityID": "CACE61E7-00AC-4858-AC64-C0736A8F99E6"
    },
    "execution": {
      "process_id": 3500,
      "thread_id": 2080
    },
    "channel": "Microsoft-Windows-SystemDataArchiver/Diagnostic",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "LogString": "[VolumeQuery] IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS failed with error 1 for volume path '\\\\?\\Volume{61e10b73-b69a-11ec-9774-806e6f6e6963}\\', skipping query of its disks."
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2052 —

Provider: Microsoft-Windows-SystemDataArchiver
Channel: Diagnostic

Fields #

Name	Description
`LogString` UnicodeString	—