Fields #

Fields #

Message #

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Fields #

Description

LSASS.exe was started as a protected process with level: .

Message #

LSASS.exe was started as a protected process with level: %1.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wininit",
    "guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2021-02-09T11:59:37.890339+00:00",
    "event_record_id": 5456,
    "correlation": {},
    "execution": {
      "process_id": 560,
      "thread_id": 564
    },
    "channel": "System",
    "computer": "WIN10-client01.offsec.lan",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Data": {
      "Name": "Level",
      "Value": 4
    }
  },
  "message": "LSASS.exe was started as a protected process with level: Level."
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

Credential Guard was started and will protect LSA credentials.

Message #

Credential Guard was started and will protect LSA credentials.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wininit",
    "guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:27:21.619522+00:00",
    "event_record_id": 2749,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 932
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Description

Credential Guard configuration.

Message #

Credential Guard configuration:

Registry Configuration: %1
Test Configuration: %2
Auto Enablement: %3

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wininit",
    "guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
    "event_source_name": "",
    "event_id": 14,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:27.117050+00:00",
    "event_record_id": 1653,
    "correlation": {},
    "execution": {
      "process_id": 636,
      "thread_id": 640
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Config": 2,
    "IsTestConfig": 0,
    "IsAutoEnabled": 1
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them.

Message #

Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wininit",
    "guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:27.117090+00:00",
    "event_record_id": 1654,
    "correlation": {},
    "execution": {
      "process_id": 636,
      "thread_id": 640
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

LsaIso.exe, the host process for Credential Guard and VBS Key Isolation, failed to launch: Level.

Message #

LsaIso.exe, the host process for Credential Guard and VBS Key Isolation, failed to launch: %1

Fields #

Description

Error reading Credential Guard (LsaIso.exe) UEFI configuration: Level.

Message #

Error reading Credential Guard (LsaIso.exe) UEFI configuration: %1

Fields #

Description

VBS Key Isolation was started and will protect VSM-isolated keys.

Message #

VBS Key Isolation was started and will protect VSM-isolated keys.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wininit",
    "guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
    "event_source_name": "",
    "event_id": 18,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:27:21.619506+00:00",
    "event_record_id": 2748,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 932
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Description

Virtualization Based Security new timer creation status.

Message #

Virtualization Based Security new timer creation status

HRESULT: %1
New latch timer needed: %2
New latch timer waiting for system update completion: %3
Previous latch timer exists but disabled by registry: %4
Policy file exists: %5

Fields #

Description

Virtualization Based Security master key timer start status.

Message #

Virtualization Based Security master key timer start status

Win32Error: %1
Start time: %2
Grace period: %3
Due time: %4
Policy version: %5

Fields #

Description

Virtualization Based Security previous timer resume status.

Message #

Virtualization Based Security previous timer resume status

HRESULT: %1
Previous timer present: %2
Start time: %3
Grace period: %4
Policy version: %5
Attempted recovery increment succeeded: %6
Previous timer invalid: %7
Unlatched policy file exists: %8

Fields #

Description

Virtualization Based Security latch policy status.

Message #

Virtualization Based Security latch policy status

HRESULT: %1
TPM counter value: %2
Expected TPM counter value: %3
Policy version: %4
Incremented: %5

Fields #

Description

Boot App Anti-Rollback: Initialize Completed with status.

Message #

Boot App Anti-Rollback: Initialize Completed with status:
HRESULT: %1
New timer needed: %2
New timer waiting for system update completion: %3
Previous latch timer exists but disabled by registry: %4

Fields #

Description

Boot App Anti-Rollback: Timer start completed with status.

Message #

Boot App Anti-Rollback: Timer start completed with status:

Win32Error: %1
Start time: %2
Grace period: %3
Due time: %4

Fields #

Description

Boot App Anti-Rollback: Previous timer resumed with status.

Message #

Boot App Anti-Rollback: Previous timer resumed with status:

HRESULT: %1
Previous timer present: %2
Start time: %3
Grace period: %4
Attempted recovery enforcement succeeded: %5

Fields #

Description

Boot App Anti-Rollback: Boot.stl Enforcement completed with status.

Message #

Boot App Anti-Rollback: Boot.stl Enforcement completed with status:

HRESULT: %1
Boot Stl Enforced Successfully: %2
WNF Published with result: %3

Fields #

Fields #

Fields #

Description

Hybrid shutdown has been overridden by a disk check request. The system will perform a full shutdown instead.

Message #

Hybrid shutdown has been overridden by a disk check request. The system will perform a full shutdown instead.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wininit",
    "guid": "{206f6dea-d3c5-4d10-bc72-989f03c8b84b}",
    "event_source_name": "Wininit",
    "event_id": 1015,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T19:07:39.959249+00:00",
    "event_record_id": 3508,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "C:\\Windows\\system32\\lsass.exe",
    "Data_1": "c0000005",
    "Binary": ""
  },
  "message": ""
}

Fields #

Fields #

Message #

%1

Description

Windows start-up process has failed to start the remote shutdown server.

Message #

Windows start-up process has failed to start the remote shutdown server.

Description

Windows start-up process has failed to start the remote shutdown server.

Description

Windows start-up process has failed to synchronize with the local security subsystem during setup.

Message #

Windows start-up process has failed to synchronize with the local security subsystem during setup.

Description

Windows start-up process has failed to synchronize with the local security subsystem during setup.

Description

A critical system process, , failed with status code . The machine must now be restarted.

Message #

A critical system process, %1, failed with status code %2.  The machine must now be restarted.

Description

A critical system process, , failed with status code . The machine must now be restarted.

Description

Windows start-up process has unexpectedly terminated.

Message #

Windows start-up process has unexpectedly terminated.

Description

Windows start-up process has unexpectedly terminated.

Description

Windows start-up process has failed to terminate system processes.

Message #

Windows start-up process has failed to terminate system processes.

Description

Windows start-up process has failed to terminate system processes.

Description

Windows shudown failed with error code in phase: .

Message #

Windows shudown failed with error code %1 in phase: %2.

Description

Windows shudown failed with error code in phase: .