Microsoft-Windows-VerifyHardwareSecurity

13 events across 2 channels

Event ID 3001 — Hardware Security Check: CurrentCheckBit.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckGeneric
Opcode
reportCheck

Description

Hardware Security Check: CurrentCheckBit.

Message

Hardware Security Check: %1

Fields

Name Description
CurrentCheckBit UInt32

Event ID 3002 — SecureBoot is currently disabled.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Admin
Task
CheckSecureBootEnabled
Opcode
securebootEnabledFailedCheck

Description

SecureBoot is currently disabled. Please enable SecureBoot through the system firmware.

Message

SecureBoot is currently disabled. Please enable SecureBoot through the system firmware.

Event ID 3003 — Failed to check if secureboot is enabled.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Admin
Task
CheckSecureBootEnabled
Opcode
securebootEnabledFailedToCheck

Description

Failed to check if secureboot is enabled. Status: hr.

Message

Failed to check if secureboot is enabled. Status: %1

Fields

Name Description
hr Int32

Event ID 3004 — PreRelease/Test cert found in SecureBoot database.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Admin
Task
CheckCertificates
Opcode
certsFailedCheck

Description

PreRelease/Test cert found in SecureBoot database. Please re-provision SecureBoot to not include name in variable database of EFI database. Certificate Thumbprint = bytes.

Message

PreRelease/Test cert found in SecureBoot database. Please re-provision SecureBoot to not include %1 in variable %2 of EFI database. Certificate Thumbprint = %3

Fields

Name Description
name UnicodeString
database UnicodeString
bytes Binary

Event ID 3005 — Failed to check for PreRelease/Test certificates found in SecureBoot DB.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Admin
Task
CheckCertificates
Opcode
certsFailedToCheck

Description

Failed to check for PreRelease/Test certificates found in SecureBoot DB. Status: hr.

Message

Failed to check for PreRelease/Test certificates found in SecureBoot DB. Status: %1

Fields

Name Description
hr Int32

Event ID 3006 — A non-production SecureBoot Policy was detected.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Admin
Task
CheckSecureBootPolicy
Opcode
securebootPolicyFailedCheck

Description

A non-production SecureBoot Policy was detected. Remove Debug/PreRelease policy through the system firmware.

Message

A non-production SecureBoot Policy was detected. Remove Debug/PreRelease policy through the system firmware.

Event ID 3007 — Failed to check for non-production SecureBoot Policy.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Admin
Task
CheckSecureBootPolicy
Opcode
securebootPolicyFailedToCheck

Description

Failed to check for non-production SecureBoot Policy. Status: hr.

Message

Failed to check for non-production SecureBoot Policy. Status: %1

Fields

Name Description
hr Int32

Event ID 3008 — Host provider HostProvider is trying to load ModulePath to invoke its Method API.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckHostLockdownPolicy
Opcode
HostLockdownCheck

Description

Host provider HostProvider is trying to load ModulePath to invoke its Method API. ModulePath has an OriginalFilename or InternalName of InternalName.

Message

Host provider %1 is trying to load %2 to invoke its %3 API. %2 has an OriginalFilename or InternalName of %4.

Fields

Name Description
HostProvider UnicodeString
ModulePath UnicodeString
Method UnicodeString
InternalName UnicodeString

Event ID 3009 — Host provider HostProvider is trying to load ModulePath to invoke its Method API.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckHostLockdownPolicy
Opcode
HostLockdownCheck

Description

Host provider HostProvider is trying to load ModulePath to invoke its Method API. ModulePath has an OriginalFilename or InternalName of InternalName. NtQuerySecurityPolicy failed with error code hr.

Message

Host provider %1 is trying to load %2 to invoke its %3 API. %2 has an OriginalFilename or InternalName of %4. NtQuerySecurityPolicy failed with error code %5.

Fields

Name Description
HostProvider UnicodeString
ModulePath UnicodeString
Method UnicodeString
InternalName UnicodeString
hr Int32

Event ID 3010 — Host provider HostProvider is trying to load ModulePath to invoke its Method API.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckHostLockdownPolicy
Opcode
HostLockdownCheck

Description

Host provider HostProvider is trying to load ModulePath to invoke its Method API. ModulePath has an OriginalFilename or InternalName of InternalName. It is blocked by host lockdown security policy.

Message

Host provider %1 is trying to load %2 to invoke its %3 API. %2 has an OriginalFilename or InternalName of %4. It is blocked by host lockdown security policy.

Fields

Name Description
HostProvider UnicodeString
ModulePath UnicodeString
Method UnicodeString
InternalName UnicodeString

Event ID 3011 — Host provider HostProvider is trying to load ModulePath to invoke its Method API.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckHostLockdownPolicy
Opcode
HostLockdownCheck

Description

Host provider HostProvider is trying to load ModulePath to invoke its Method API. Failed to find the OriginalFilename or InternalName from resource with error code hr.

Message

Host provider %1 is trying to load %2 to invoke its %3 API. Failed to find the OriginalFilename or InternalName from resource with error code %4.

Fields

Name Description
HostProvider UnicodeString
ModulePath UnicodeString
Method UnicodeString
hr Int32

Event ID 3012 — Host provider HostProvider is trying to load ModulePath to invoke its Method API.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckHostLockdownPolicy
Opcode
HostLockdownCheck

Description

Host provider HostProvider is trying to load ModulePath to invoke its Method API. ModulePath has an OriginalFilename or InternalName of InternalName. The invoking is allowed because UMCI or host lockdown policy is not enabled.

Message

Host provider %1 is trying to load %2 to invoke  its %3 API. %2 has an OriginalFilename or InternalName of %4. The invoking is allowed because UMCI or host lockdown policy is not enabled.

Fields

Name Description
HostProvider UnicodeString
ModulePath UnicodeString
Method UnicodeString
InternalName UnicodeString

Event ID 3013 — Host provider HostProvider is trying to load ModulePath to invoke its Method API.

Provider
Microsoft-Windows-VerifyHardwareSecurity
Channel
Operational
Task
CheckHostLockdownPolicy
Opcode
HostLockdownCheck

Description

Host provider HostProvider is trying to load ModulePath to invoke its Method API. ModulePath has an OriginalFilename or InternalName of InternalName. The invoking is allowed because of the audit mode of the host lockdown security policy.

Message

Host provider %1 is trying to load %2 to invoke its %3 API. %2 has an OriginalFilename or InternalName of %4. The invoking is allowed because of the audit mode of the host lockdown security policy.

Fields

Name Description
HostProvider UnicodeString
ModulePath UnicodeString
Method UnicodeString
InternalName UnicodeString