detection.wiki
Blog

Microsoft-Windows-UAC-FileVirtualization

27 events across 1 channel

Event IDTitleChannel
2000Failed to register with Filter Manager.Operational
2001Failed to read the settings.Operational
2002Failed to read the file list.Operational
2003Failed to initialize security.Operational
2004Failed to start filtering.Operational
2005Failed to set up the instance for a volume.Operational
2006Failed to query the virtualization mode.Operational
2007Failed to query virtual store file information.Operational
2008Failed to select which file to create.Operational
2009Failed to create a stream handle context.Operational
2010Failed to set the stream handle context.Operational
2011Failed to perform the administrator access check.Operational
2012Failed to prepare for delayed virtualization.Operational
2013Failed to perform delayed virtualization.Operational
2014Failed to switch one or more delayed file objects.Operational
2015Failed to create the virtual file path.Operational
2016Failed to copy the file into the virtual store.Operational
2017Failed to perform the merged directory query.Operational
2018Failed to query information for the file object.Operational
2019Failed to check target file for WRP protection.Operational
4000Virtual file ".Operational
4001Virtual file ".Operational
4002Virtual delete of file ".Operational
5000Operation on file ".Operational
5002Delayed virtual file ".Operational
5003Access was denied on WRP file ".Operational
5004Access was denied to delete file ".Operational

Event ID 2000 — Failed to register with Filter Manager.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to register with Filter Manager.

Fields

NameDescription
Error

Event ID 2001 — Failed to read the settings.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to read the settings.

Fields

NameDescription
Error

Event ID 2002 — Failed to read the file list.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to read the file list.

Fields

NameDescription
Error

Event ID 2003 — Failed to initialize security.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to initialize security.

Fields

NameDescription
Error

Event ID 2004 — Failed to start filtering.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to start filtering.

Fields

NameDescription
Error

Event ID 2005 — Failed to set up the instance for a volume.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to set up the instance for a volume.

Fields

NameDescription
Error

Event ID 2006 — Failed to query the virtualization mode.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to query the virtualization mode.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2007 — Failed to query virtual store file information.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to query virtual store file information.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2008 — Failed to select which file to create.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to select which file to create.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2009 — Failed to create a stream handle context.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to create a stream handle context.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2010 — Failed to set the stream handle context.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to set the stream handle context.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2011 — Failed to perform the administrator access check.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to perform the administrator access check.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2012 — Failed to prepare for delayed virtualization.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to prepare for delayed virtualization.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2013 — Failed to perform delayed virtualization.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to perform delayed virtualization.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2014 — Failed to switch one or more delayed file objects.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to switch one or more delayed file objects.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2015 — Failed to create the virtual file path.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to create the virtual file path.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2016 — Failed to copy the file into the virtual store.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to copy the file into the virtual store.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2017 — Failed to perform the merged directory query.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to perform the merged directory query.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2018 — Failed to query information for the file object.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to query information for the file object.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 2019 — Failed to check target file for WRP protection.

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Failed to check target file for WRP protection.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
Error

Event ID 4000 — Virtual file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Virtual file "%5" created.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
CreateOptions
DesiredAccess
IrpMajorFunction

Event ID 4001 — Virtual file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Virtual file "%5" renamed to "%9"

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
TargetFileNameLength
TargetFileNameBuffer

Event ID 4002 — Virtual delete of file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Virtual delete of file "%5" requested.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer

Event ID 5000 — Operation on file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Operation on file "%5" excluded from virtualization.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
CreateOptions
DesiredAccess
IrpMajorFunction
Exclusions

Event ID 5002 — Delayed virtual file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Delayed virtual file "%5" not virtualized.

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer
CreateOptions
DesiredAccess

Event ID 5003 — Access was denied on WRP file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Access was denied on WRP file "%5"

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer

Event ID 5004 — Access was denied to delete file ".

Provider
Microsoft-Windows-UAC-FileVirtualization
Channel
Operational

Message

Access was denied to delete file "%5"

Fields

NameDescription
Flags
SidLength
Sid
FileNameLength
FileNameBuffer
ProcessImageNameLength
ProcessImageNameBuffer