Microsoft-Windows-Winsrv

13 events across 2 channels

Event ID	Title	Channel
10001	The following application attempted to veto the shutdown.	Application
10002	The following application was terminated because it was hung: ServerManager.	Application
12001		Analytic
12002		Analytic
12003		Analytic
12005		Analytic
12006		Analytic
12007		Analytic
12008		Analytic
12009		Analytic
12010		Analytic
12011		Analytic
12012		Analytic

Event ID 10001 — The following application attempted to veto the shutdown.

Provider: Microsoft-Windows-Winsrv
Channel: Application

Message

The following application attempted to veto the shutdown: %1.

Fields

Name	Description
`AppName`	—
`ResponseTime`	—

Event ID 10002 — The following application was terminated because it was hung: ServerManager.

Provider: Microsoft-Windows-Winsrv
Channel: Application
Level: 4
Samples: 1

Message

The following application was terminated because it was hung: %1.

Fields

Name	Description
`HungAppEvent.AppName`	—

Example Event

system:
  provider: Microsoft-Windows-Winsrv
  guid: 9D55B53D-449B-4824-A637-24F9D69AA02F
  event_source_name: ''
  event_id: 10002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-03-04T12:03:13.945898+00:00'
  event_record_id: 68
  correlation: {}
  execution:
    process_id: 464
    thread_id: 3484
  channel: Application
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-18
user_data:
  HungAppEvent:
    AppName: ServerManager.exe
message: 'The following application was terminated because it was hung: ServerManager.exe.'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 12001 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`ThreadId`	—
`Flags`	—
`ProcessId`	—

Event ID 12002 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`Command`	—
`ThreadId`	—

Event ID 12003 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`MessageId`	—
`Flags`	—
`ThreadId`	—

Event ID 12005 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`ProcessId`	—

Event ID 12006 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`ProcessId`	—
`TerminateStatus`	—

Event ID 12007 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`ProcessId`	—

Event ID 12008 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`WaitStatus`	—
`ProcessId`	—

Event ID 12009 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`ProcessId`	—
`Flags`	—

Event ID 12010 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`ProcessId`	—
`Status`	—

Event ID 12011 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`EventType`	—

Event ID 12012 —

Provider: Microsoft-Windows-Winsrv
Channel: Analytic

Fields

Name	Description
`EventType`	—