Microsoft-Windows-WindowsSystemAssessmentTool

14 events across 1 channel

Event ID 0 —

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

%1 %2 %3 %4

Fields

Name    Description
TestV1
TestV2
TestV3
TestV4

Event ID 1 — WinSAT Application Start.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational
Samples
1

Message

WinSAT Application Start: %1

Fields

Name    Description
StartTimeOfDay

Example Event

system:
  provider: Microsoft-Windows-WindowsSystemAssessmentTool
  guid: 11A75546-3234-465E-BEC8-2D301CB501AC
  event_source_name: ''
  event_id: 1
  version: 0
  level: 0
  task: 1
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2022-04-04T08:01:33.192091+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 3768
    thread_id: 4432
  channel: Microsoft-Windows-WindowsSystemAssessmentTool/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  StartTimeOfDay: '2022-04-04T08:01:33.191900Z'
message: ''

Event ID 2 — WinSAT Application Command Line %2.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational
Samples
1

Message

WinSAT Application Command Line %2

Fields

Name    Description
CommandLineSize
CommandLine

Example Event

system:
  provider: Microsoft-Windows-WindowsSystemAssessmentTool
  guid: 11A75546-3234-465E-BEC8-2D301CB501AC
  event_source_name: ''
  event_id: 2
  version: 0
  level: 0
  task: 1
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-04T08:01:33.246239+00:00'
  event_record_id: 3
  correlation: {}
  execution:
    process_id: 3768
    thread_id: 4432
  channel: Microsoft-Windows-WindowsSystemAssessmentTool/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  CommandLineSize: 92
  CommandLine: C:\Windows\system32\winsat.exe formal -log -cancelevent c44be6b9-8148-4e99-84df-c74f2f9e27e2
message: ''

Event ID 3 — WinSAT Application Stop.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational
Samples
1

Message

WinSAT Application Stop: %1

Fields

Name    Description
ExitCode

Example Event

system:
  provider: Microsoft-Windows-WindowsSystemAssessmentTool
  guid: 11A75546-3234-465E-BEC8-2D301CB501AC
  event_source_name: ''
  event_id: 3
  version: 0
  level: 0
  task: 1
  opcode: 2
  keywords: 9223372036854775808
  time_created: '2022-04-04T08:03:12.759191+00:00'
  event_record_id: 82
  correlation: {}
  execution:
    process_id: 3768
    thread_id: 4432
  channel: Microsoft-Windows-WindowsSystemAssessmentTool/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  ExitCode: 0
message: ''

Event ID 4 — ERROR.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

ERROR: %3

Fields

Name    Description
Win32Error
CantMsgSize
CantMsg

Event ID 5 — COM ERROR: %4 %6.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

COM ERROR: %4 %6

Fields

Name    Description
FailingHresult
FailingInterfaceCLSID
SourceSize
Source
InfterfaceSize
Interface
ErrorMsgSize
ErrorMsg
CantMsgSize
CantMsg

Event ID 6 — ERROR.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

ERROR: %2

Fields

Name    Description
ErrorMsgSize
ErrorMsg

Event ID 7 — ERROR: %1 %3.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

ERROR: %1 %3

Fields

Name    Description
FailingHresult
ErrorMsgSize
ErrorMsg
CantMsgSize
CantMsg

Event ID 8 —

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

%2

Fields

Name    Description
MessageSize
Message

Event ID 9 — %1:%3.

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational
Level
4
Samples
1

Message

%1:%3

Fields

Name    Description
PhaseID
DescriptionSize
Description

Example Event

system:
  provider: Microsoft-Windows-WindowsSystemAssessmentTool
  guid: 11A75546-3234-465E-BEC8-2D301CB501AC
  event_source_name: ''
  event_id: 9
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-04T08:03:12.754854+00:00'
  event_record_id: 80
  correlation: {}
  execution:
    process_id: 3768
    thread_id: 4432
  channel: Microsoft-Windows-WindowsSystemAssessmentTool/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PhaseID: 140
  DescriptionSize: 24
  Description: Restore system policies
message: ''

Event ID 10 —

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational
Level
4
Samples
1

Message

%1

Fields

Name    Description
PhaseID

Example Event

system:
  provider: Microsoft-Windows-WindowsSystemAssessmentTool
  guid: 11A75546-3234-465E-BEC8-2D301CB501AC
  event_source_name: ''
  event_id: 10
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-04T08:03:12.761466+00:00'
  event_record_id: 83
  correlation: {}
  execution:
    process_id: 3768
    thread_id: 4432
  channel: Microsoft-Windows-WindowsSystemAssessmentTool/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-21-1958040314-2592322477-2606035944-500
event_data:
  PhaseID: 150
message: ''

Event ID 11 — Main watch dog timeout - terminating process

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

Main watch dog timeout - terminating process

Event ID 12 — Assessment watch dog timeout - terminating process

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

Assessment watch dog timeout - terminating process

Event ID 13 — Short watch dog timeout - terminating process

Provider
Microsoft-Windows-WindowsSystemAssessmentTool
Channel
Operational

Message

Short watch dog timeout - terminating process