Fields

Fields

Message

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Fields

Message

LSASS.exe was started as a protected process with level: %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-Wininit
  guid: 206F6DEA-D3C5-4D10-BC72-989F03C8B84B
  event_source_name: ''
  event_id: 12
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2021-02-09T11:59:37.890339+00:00'
  event_record_id: 5456
  correlation: {}
  execution:
    process_id: 560
    thread_id: 564
  channel: System
  computer: WIN10-client01.offsec.lan
  security:
    user_id: S-1-5-18
event_data:
  Data:
    Name: Level
    Value: 4
message: 'LSASS.exe was started as a protected process with level: Level.'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Credential Guard was started and will protect LSA credentials.

Message

Credential Guard configuration:

Registry Configuration: %1
Test Configuration: %2
Auto Enablement: %3

Fields

Example Event

system:
  provider: Microsoft-Windows-Wininit
  guid: 206F6DEA-D3C5-4D10-BC72-989F03C8B84B
  event_source_name: ''
  event_id: 14
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:27.117050+00:00'
  event_record_id: 1653
  correlation: {}
  execution:
    process_id: 636
    thread_id: 640
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Config: 2
  IsTestConfig: 0
  IsAutoEnabled: 1
message: ''

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them.

Example Event

system:
  provider: Microsoft-Windows-Wininit
  guid: 206F6DEA-D3C5-4D10-BC72-989F03C8B84B
  event_source_name: ''
  event_id: 15
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:27.117090+00:00'
  event_record_id: 1654
  correlation: {}
  execution:
    process_id: 636
    thread_id: 640
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

LsaIso.exe, the host process for Credential Guard and VBS Key Isolation, failed to launch: %1

Fields

Message

Error reading Credential Guard (LsaIso.exe) UEFI configuration: %1

Fields

Message

VBS Key Isolation was started and will protect VSM-isolated keys.

Message

Virtualization Based Security new timer creation status

HRESULT: %1
New latch timer needed: %2
New latch timer waiting for system update completion: %3
Previous latch timer exists but disabled by registry: %4
Policy file exists: %5

Fields

Message

Virtualization Based Security master key timer start status

Win32Error: %1
Start time: %2
Grace period: %3
Due time: %4
Policy version: %5

Fields

Message

Virtualization Based Security previous timer resume status

HRESULT: %1
Previous timer present: %2
Start time: %3
Grace period: %4
Policy version: %5
Attempted recovery increment succeeded: %6
Previous timer invalid: %7
Unlatched policy file exists: %8

Fields

Message

Virtualization Based Security latch policy status

HRESULT: %1
TPM counter value: %2
Expected TPM counter value: %3
Policy version: %4
Incremented: %5

Fields

Message

Boot App Anti-Rollback: Initialize Completed with status:
HRESULT: %1
New timer needed: %2
New timer waiting for system update completion: %3
Previous latch timer exists but disabled by registry: %4

Fields

Message

Boot App Anti-Rollback: Timer start completed with status:

Win32Error: %1
Start time: %2
Grace period: %3
Due time: %4

Fields

Message

Boot App Anti-Rollback: Previous timer resumed with status:

HRESULT: %1
Previous timer present: %2
Start time: %3
Grace period: %4
Attempted recovery enforcement succeeded: %5

Fields

Message

Boot App Anti-Rollback: Boot.stl Enforcement completed with status:

HRESULT: %1
Boot Stl Enforced Successfully: %2
WNF Published with result: %3

Fields

Fields

Fields

Message

Hybrid shutdown has been overridden by a disk check request. The system will perform a full shutdown instead.

Fields

Fields

Message

%1

Message

Windows start-up process has failed to start the remote shutdown server.

Message

Windows start-up process has failed to synchronize with the local security subsystem during setup.

Message

A critical system process, %1, failed with status code %2.  The machine must now be restarted.

Message

Windows start-up process has unexpectedly terminated.

Message

Windows start-up process has failed to terminate system processes.

Message

Windows shudown failed with error code %1 in phase: %2.