Microsoft-Windows-Winsrv
13 events across 2 channels
| Event ID | Title | Channel |
|---|---|---|
| 10001 | The following application attempted to veto the shutdown: VetoAppEvent.AppName. | Application |
| 10002 | The following application was terminated because it was hung: ServerManager. | Application |
| 12001 | | Analytic |
| 12002 | | Analytic |
| 12003 | | Analytic |
| 12005 | | Analytic |
| 12006 | | Analytic |
| 12007 | | Analytic |
| 12008 | | Analytic |
| 12009 | | Analytic |
| 12010 | | Analytic |
| 12011 | | Analytic |
| 12012 | | Analytic |
Event ID 10001 — The following application attempted to veto the shutdown: VetoAppEvent.AppName.
Description
The following application attempted to veto the shutdown: VetoAppEvent.AppName.
Message
Fields
| Name | Description |
|---|---|
| VetoAppEvent.AppName UnicodeString | — |
| VetoAppEvent.ResponseTime UInt32 | — |
| AppName UnicodeString | — |
| ResponseTime UInt32 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Winsrv",
    "guid": "9D55B53D-449B-4824-A637-24F9D69AA02F",
    "event_source_name": "",
    "event_id": 10001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:57:27.378644+00:00",
    "event_record_id": 5369,
    "correlation": {},
    "execution": {
      "process_id": 788,
      "thread_id": 4912
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "VetoAppEvent": {
      "AppName": "WINWORD.EXE",
      "ResponseTime": 141
    }
  },
  "message": ""
}
```
Event ID 10002 — The following application was terminated because it was hung: ServerManager.
Description
The following application was terminated because it was hung: .
Message
Fields
| Name | Description |
|---|---|
| HungAppEvent.AppName | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Winsrv",
    "guid": "9D55B53D-449B-4824-A637-24F9D69AA02F",
    "event_source_name": "",
    "event_id": 10002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-03-04T12:03:13.945898+00:00",
    "event_record_id": 68,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 3484
    },
    "channel": "Application",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "HungAppEvent": {
      "AppName": "ServerManager.exe"
    }
  },
  "message": "The following application was terminated because it was hung: ServerManager.exe."
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 12001 —
Fields
| Name | Description |
|---|---|
| ThreadId UInt32 | — |
| Flags UInt32 | — |
| ProcessId UInt32 | — |
Event ID 12002 —
Fields
| Name | Description |
|---|---|
| Command UInt32 | — |
| ThreadId UInt32 | — |
Event ID 12003 —
Fields
| Name | Description |
|---|---|
| MessageId UInt32 | — |
| Flags UInt32 | — |
| ThreadId UInt32 | — |
Event ID 12005 —
Fields
| Name | Description |
|---|---|
| ProcessId UInt32 | — |
Event ID 12006 —
Fields
| Name | Description |
|---|---|
| ProcessId UInt32 | — |
| TerminateStatus UInt32 | — |
Event ID 12007 —
Fields
| Name | Description |
|---|---|
| ProcessId UInt32 | — |
Event ID 12008 —
Fields
| Name | Description |
|---|---|
| WaitStatus UInt32 | — |
| ProcessId UInt32 | — |
Event ID 12009 —
Fields
| Name | Description |
|---|---|
| ProcessId UInt32 | — |
| Flags UInt32 | — |
Event ID 12010 —
Fields
| Name | Description |
|---|---|
| ProcessId UInt32 | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 12011 —
Fields
| Name | Description |
|---|---|
| EventType UInt32 | — |
Event ID 12012 —
Fields
| Name | Description |
|---|---|
| EventType UInt32 | — |