MsiInstaller
45 events across 1 channel
Event ID 1001 — Detection of product '%1', feature '%2' failed during request for component '%3'
Event ID 1002 — Unexpected or missing value (name: '%1', value: '%2') in key '%3'
Event ID 1003 — Unexpected or missing subkey '%1' in key '%2'
Event ID 1004 — Detection of product '%1', feature '%2', component '%3' failed.
Event ID 1005 —
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1005
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2014-11-26T23:25:02.000000Z'
event_record_id: 1185
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE10Win7
security:
user_id: S-1-5-21-3463664321-2923530833-3546627382-1000
event_data: {}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1006 — Verification of the digital signature for cabinet '%1' cannot be performed.
Event ID 1007 — The installation of %1 is not permitted by software restriction policy.
Event ID 1008 — The installation of %1 is not permitted due to an error in software restriction policy processing.
Event ID 1012 — This version of Windows does not support deploying 64-bit packages.
Event ID 1013 — {Unhandled exception report}
Event ID 1014 — Windows Installer proxy information not registered correctly
Event ID 1015 — Failed to connect to server.
Event ID 1016 — Detection of product '%1', feature '%2', component '%3' failed.
Event ID 1017 — User SID had changed from '%1' to '%2' but the managed app and the user data keys cannot be updated.
Event ID 1018 — The application '%1' cannot be installed because it is not compatible with this version of Windows.
Event ID 1019 — Product: %1 - Update '%2' was successfully removed.
Event ID 1020 — Product: %1 - Update '%2' could not be removed.
Event ID 1021 — Product: %1 - Update '%2' could not be removed.
Event ID 1022 — Product: Microsoft .NET Framework 4 Client Profile - Update 'KB2789642' installed successfully.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings (%1, %2, ...) in positional order |
| Binary | Binary payload beginning with the product code GUID, followed here by a second GUID for the update; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1022
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2013-10-23T18:31:57+00:00'
event_record_id: 267
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE8Win7
security:
user_id: S-1-5-18
event_data:
Data:
- Microsoft .NET Framework 4 Client Profile
- KB2789642
- (NULL)
- (NULL)
- (NULL)
- (NULL)
Binary: ezNDMzkwMUM1LTM0NTUtM0UwQS1BMjE0LTBCMDkzQTUwNzBBNn0ge0I3QzIwRTE2LTlBM0EtM0YwNS1BNkI1LUUxNUFBMDkyMDBFMH0=
message: 'Product: Microsoft .NET Framework 4 Client Profile - Update ''KB2789642''
installed successfully.'
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1023 — Product: %1 - Update '%2' could not be installed.
Event ID 1024 — Product: %1 - Update '%2' could not be installed.
Event ID 1025 — Product: VMware Tools. The file C:\Program Files\VMware\VMware Tools\plugins\vmsvc\vmbackup.dll is being used by the following process: Name: vmtoolsd , Id 3188.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings (%1, %2, ...) in positional order: product, locked file, holding process name, holding process id |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1025
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T22:30:14.286069+00:00'
event_record_id: 1510
correlation: {}
execution:
process_id: 7244
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data:
- VMware Tools
- C:\Program Files\VMware\VMware Tools\plugins\vmsvc\vmbackup.dll
- vmtoolsd
- '3188'
- (NULL)
- (NULL)
Binary: e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0=
message: 'Product: VMware Tools. The file C:\Program Files\VMware\VMware Tools\plugins\vmsvc\vmbackup.dll
is being used by the following process: Name: vmtoolsd , Id 3188.'
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1026 — Windows Installer has determined that its configuration data registry key was not secured properly.
Event ID 1027 — Windows Installer has determined that a registry sub key %1 within its configuration data was not secured properly.
Event ID 1028 — Windows Installer has determined that its configuration data cache folder was not secured properly.
Event ID 1029 — Product: VMware Tools. Restart required. The installation or update for the product required a restart for all changes to take effect. The restart was deferred to a later time.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings (%1, %2, ...) in positional order |
| Binary | Binary payload beginning with the product code GUID, followed here by the installer return code (3010 in the example below); base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1029
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T22:30:57.687962+00:00'
event_record_id: 1527
correlation: {}
execution:
process_id: 7244
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data:
- VMware Tools
- (NULL)
- (NULL)
- (NULL)
- (NULL)
- (NULL)
Binary: e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0sIDMwMTA=
message: 'Product: VMware Tools. Restart required. The installation or update for
the product required a restart for all changes to take effect. The restart was
deferred to a later time.'
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1030 — Product attempted to install newer protected Windows file
Event ID 1031 — Product assembly component in use
Event ID 1032 —
Fields
| Name | Description |
|---|---|
| Data_0 | Insertion string %1 (this record's exporter keys the Data list by position) |
| Data_1 | Insertion string %2 |
| Data_2 | Insertion string %3 |
| Data_3 | Insertion string %4 |
| Data_4 | Insertion string %5 |
| Data_5 | Insertion string %6 |
| Data_6 | Insertion string %7 |
| Binary | Binary payload; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1032
version: 0
level: 3
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-06T00:29:59.405233+00:00'
event_record_id: 1937
correlation: {}
execution:
process_id: 11432
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
Data_0: ''
Data_1: (NULL)
Data_2: (NULL)
Data_3: (NULL)
Data_4: (NULL)
Data_5: (NULL)
Data_6: ''
Binary: ''
message: ''
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1033 — Windows Installer installed the product.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order: product name, product version, product language, installation status, manufacturer |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1033
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T23:15:56.232306+00:00'
event_record_id: 1723
correlation: {}
execution:
process_id: 4436
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
Data:
- Python 3.12.0 Test Suite (64-bit)
- 3.12.150.0
- '1033'
- '0'
- Python Software Foundation
- (NULL)
Binary: ezBBOUIzOEE3LUQzOTMtNDRBNS1BOTRFLTlGRUM5MjdEQzM5Q30wMDAwOWUwZTEzODZmMjM2YThjYzdiYzZhNmQ4ODJjNjZkZGIwMDAwMDkwNA==
message: 'Windows Installer installed the product. Product Name: Python 3.12.0 Test
Suite (64-bit). Product Version: 3.12.150.0. Product Language: 1033. Manufacturer:
Python Software Foundation. Installation success or error status: 0.'
Sigma Rules
- Atera Agent Installation
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
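The 1033 record above carries the product fields positionally in Data, and this page shows that field in two exporter shapes: a `Data` list (the Python record above) and `Data_0`..`Data_6` keys (the 1034 and 11724 records below). The following Python is an added example, not code from the page's sources or from the Sigma rule: it normalizes both shapes, names the positions from the message template, and applies a check patterned on the "Atera Agent Installation" rule (the rule's exact selection is not on this page, so matching on the product name is an assumption) together with a non-zero status check. The sample records are constructed; the AteraAgent and "Contoso Agent" entries are hypothetical, the other two mirror records on this page.

```python
import re

# Constructed sample records.  The two shapes copy the renderings seen on this
# page (a "Data" list and "Data_0".."Data_6" keys); the AteraAgent and
# "Contoso Agent" records are hypothetical, the other two mirror page records.
SAMPLE_EVENTS = [
    {"event_id": 1033,
     "event_data": {"Data": ["Python 3.12.0 Test Suite (64-bit)", "3.12.150.0",
                             "1033", "0", "Python Software Foundation", "(NULL)"]}},
    {"event_id": 1033,
     "event_data": {"Data_0": "AteraAgent", "Data_1": "1.8.6.8", "Data_2": "1033",
                    "Data_3": "0", "Data_4": "Atera Networks Ltd", "Data_5": "(NULL)",
                    "Data_6": ""}},
    {"event_id": 1034,
     "event_data": {"Data_0": "Avira", "Data_1": "1.2.166.28430", "Data_2": "1033",
                    "Data_3": "0", "Data_4": "Avira Operations GmbH & Co. KG",
                    "Data_5": "(NULL)", "Data_6": ""}},
    {"event_id": 1033,
     "event_data": {"Data": ["Contoso Agent", "2.0.0", "1033", "1603", "Contoso", "(NULL)"]}},
]

# Positional meaning of Data for the product lifecycle events, read off the
# message templates on this page (1033 installed, 1034 removed, 1035 reconfigured).
PRODUCT_FIELDS = ("ProductName", "ProductVersion", "ProductLanguage", "Status", "Manufacturer")
ACTIONS = {1033: "installed", 1034: "removed", 1035: "reconfigured"}

# Detection patterned on the Sigma rule "Atera Agent Installation"; the rule's
# exact selection is not on this page, so the product-name marker is an assumption.
RMM_PRODUCT_MARKERS = ("ateraagent",)


def data_values(event_data):
    """Return the positional Data strings regardless of exporter shape."""
    if isinstance(event_data.get("Data"), list):
        values = event_data["Data"]
    else:
        keyed = sorted((k for k in event_data if re.fullmatch(r"Data_\d+", k)),
                       key=lambda k: int(k.split("_", 1)[1]))
        values = [event_data[k] for k in keyed]
    # "(NULL)" is how both exporters render an absent insertion string
    return [None if v in ("(NULL)", "") else str(v) for v in values]


def parse_product_event(event):
    """Map a 1033/1034/1035 record to named fields; None for other event IDs."""
    action = ACTIONS.get(event["event_id"])
    if action is None:
        return None
    fields = dict(zip(PRODUCT_FIELDS, data_values(event["event_data"])))
    fields["Action"] = action
    status = fields.get("Status")
    fields["Status"] = int(status) if status is not None and status.isdigit() else None
    return fields


def triage(events):
    """Return (finding, action, product[, status]) tuples for records worth a look."""
    findings = []
    for event in events:
        product = parse_product_event(event)
        if product is None:
            continue
        name = product.get("ProductName") or ""
        if any(marker in name.lower() for marker in RMM_PRODUCT_MARKERS):
            findings.append(("rmm_agent", product["Action"], name))
        # status 0 is success in every 1033/1035 message on this page; anything
        # else is the error code the installation ended with
        if product["Action"] == "installed" and product["Status"] not in (0, None):
            findings.append(("install_failed", product["Action"], name, product["Status"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Normalizing the shape first is what makes a rule portable between the two exporters used for this page's examples; a rule keyed on `Data_0` alone silently misses every record rendered as a list, and vice versa.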
Event ID 1034 — Windows Installer removed the product.
Fields
| Name | Description |
|---|---|
| Data_0 | Insertion string %1, product name (this record's exporter keys the Data list by position) |
| Data_1 | Insertion string %2, product version |
| Data_2 | Insertion string %3, product language |
| Data_3 | Insertion string %4, removal status |
| Data_4 | Insertion string %5, manufacturer |
| Data_5 | Insertion string %6 |
| Data_6 | Insertion string %7 |
| Binary | Binary payload beginning with the product code GUID; hex encoded in this record, base64 in others on this page |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1034
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-06T00:55:30.989129+00:00'
event_record_id: 1972
correlation: {}
execution:
process_id: 12792
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data_0: Avira
Data_1: 1.2.166.28430
Data_2: '1033'
Data_3: '0'
Data_4: Avira Operations GmbH & Co. KG
Data_5: (NULL)
Data_6: ''
Binary: 7B36463131434143332D443333442D343336302D423133392D3733463332373641324239417D3030303032646464353631343830653530323239613162623366626534343539323961643030303030393034
message: ''
Sigma Rules
- Application Uninstalled
An application has been removed. Check if it is critical.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1035 — Windows Installer reconfigured the product.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order: product name, product version, product language, reconfiguration status, manufacturer |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1035
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2025-12-31T19:37:29.772246+00:00'
event_record_id: 135
correlation: {}
execution:
process_id: 6696
thread_id: 0
channel: Application
computer: WIN11-22H2-X64
security:
user_id: S-1-5-21-3407486967-1585450050-1838039599-1000
event_data:
Data:
- Virtio-win-driver-installer
- 0.1.240
- '1033'
- '0'
- Red Hat, Inc.
- (NULL)
Binary: ezhDQUNCNjU3LTA4RTEtNDlEMS1BMTAwLUZCRUI3NTkxNTJFNX0wMDAwMDkzYjVmYjVmOGEwYjRhYTNjNzllNWI2MDRlYmQ4M2QwMDAwMDkwNA==
message: 'Windows Installer reconfigured the product. Product Name: Virtio-win-driver-installer.
Product Version: 0.1.240. Product Language: 1033. Manufacturer: Red Hat, Inc.. Reconfiguration
success or error status: 0.'
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1036 — Windows Installer installed an update.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order: product name, product version, product language, update name, installation status, manufacturer |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1036
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2013-10-23T18:31:57+00:00'
event_record_id: 268
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE8Win7
security:
user_id: S-1-5-18
event_data:
Data:
- Microsoft .NET Framework 4 Client Profile
- 4.0.30319
- '0'
- KB2789642
- '0'
- Microsoft Corporation
Binary: ezNDMzkwMUM1LTM0NTUtM0UwQS1BMjE0LTBCMDkzQTUwNzBBNn0wMDAwZDJlYmY0NjgzMWQyY2IzMjlhZjc2NzI5M2ViMjBjZmQwMDAwMDAwMA==
message: 'Windows Installer installed an update. Product Name: Microsoft .NET Framework
4 Client Profile. Product Version: 4.0.30319. Product Language: 0. Manufacturer:
Microsoft Corporation. Update Name: KB2789642. Installation success or error status:
0.'
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1037 — Product update removal completed
Event ID 1038 — Windows Installer requires a system restart.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order: product name, product version, product language, type of system restart, reason for restart, manufacturer |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1038
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T22:30:57.687221+00:00'
event_record_id: 1526
correlation: {}
execution:
process_id: 7244
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data:
- VMware Tools
- 12.3.0.22234872
- '1033'
- '2'
- '1'
- VMware, Inc.
Binary: e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0wMDAwMDU3NWRlNDhkMWMwMDc0MzgxYmNjODViZDhmNzNlMDYwMDAwMDkwNA==
message: 'Windows Installer requires a system restart. Product Name: VMware Tools.
Product Version: 12.3.0.22234872. Product Language: 1033. Manufacturer: VMware,
Inc.. Type of System Restart: 2. Reason for Restart: 1.'
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1040 — Beginning a Windows Installer transaction: C:\ProgramData\Package Cache\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3.12.150.0\doc.msi. Client Process Id: 1924.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order: package path, client process id |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1040
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T23:15:56.406360+00:00'
event_record_id: 1725
correlation: {}
execution:
process_id: 4436
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
Data:
- C:\ProgramData\Package Cache\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3.12.150.0\doc.msi
- '1924'
- (NULL)
- (NULL)
- (NULL)
- (NULL)
message: 'Beginning a Windows Installer transaction: C:\ProgramData\Package Cache\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3.12.150.0\doc.msi.
Client Process Id: 1924.'
Sigma Rules
- MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
- MSI Installation From Web
Detects installation of a remote msi file from web.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1042 — Ending a Windows Installer transaction: C:\ProgramData\Package Cache\{0A9B38A7-D393-44A5-A94E-9FEC927DC39C}v3.12.150.0\test.msi. Client Process Id: 1924.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order: package path, client process id |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 1042
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T23:15:56.355022+00:00'
event_record_id: 1724
correlation: {}
execution:
process_id: 4436
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data:
- C:\ProgramData\Package Cache\{0A9B38A7-D393-44A5-A94E-9FEC927DC39C}v3.12.150.0\test.msi
- '1924'
- (NULL)
- (NULL)
- (NULL)
- (NULL)
message: 'Ending a Windows Installer transaction: C:\ProgramData\Package Cache\{0A9B38A7-D393-44A5-A94E-9FEC927DC39C}v3.12.150.0\test.msi.
Client Process Id: 1924.'
Sigma Rules
- MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
- MSI Installation From Web
Detects installation of a remote msi file from web.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
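The Binary field on this page's 1022, 1029, 1033 and 1034 records is one payload in two renderings (base64 for most records, hex for the 1034 and 11724 records) and always opens with the product code GUID, while the 1040/1042 records carry a Package Cache path that also contains a GUID. The following Python is an added example, not code from the page's sources: it decodes both renderings, pulls out the GUIDs and whatever trails them (for 1029 that trailer is 3010, the installer's reboot-required return code), checks whether a 1033 product code matches the GUID in a 1040/1042 path, and classifies the transaction path with patterns approximating the two Sigma rules named above. The exact patterns those rules use are my assumption, and the web and Users\Public paths are constructed; the Binary values and the two Package Cache paths are copied from this page.

```python
import base64
import binascii
import re

# A Windows Installer GUID as it appears in product codes and Package Cache paths
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Binary values copied from this page's 1033, 1034, 1029 and 1022 records and
# the package paths from its 1040/1042 records.  The web and Users\Public paths
# further down are constructed for the example.
BINARY_1033 = ("ezBBOUIzOEE3LUQzOTMtNDRBNS1BOTRFLTlGRUM5MjdEQzM5Q30wMDAwOWUwZTEzODZmMjM2YThjYzdiYz"
               "ZhNmQ4ODJjNjZkZGIwMDAwMDkwNA==")
BINARY_1034_HEX = ("7B36463131434143332D443333442D343336302D423133392D3733463332373641324239417D"
                   "3030303032646464353631343830653530323239613162623366626534343539323961643030303030393034")
BINARY_1029 = "e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0sIDMwMTA="
BINARY_1022 = "ezNDMzkwMUM1LTM0NTUtM0UwQS1BMjE0LTBCMDkzQTUwNzBBNn0ge0I3QzIwRTE2LTlBM0EtM0YwNS1BNkI1LUUxNUFBMDkyMDBFMH0="
PATH_1042 = r"C:\ProgramData\Package Cache\{0A9B38A7-D393-44A5-A94E-9FEC927DC39C}v3.12.150.0\test.msi"
PATH_1040 = r"C:\ProgramData\Package Cache\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3.12.150.0\doc.msi"


def decode_binary(blob: str) -> str:
    """Turn the MsiInstaller Binary field into text.

    A hex rendering is recognised as even-length hex that decodes to text
    opening with '{' (the first byte of every value on this page); anything
    else is treated as base64.  Malformed input raises binascii.Error.
    """
    if not blob:
        return ""
    if len(blob) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", blob):
        raw = binascii.unhexlify(blob)
        if raw.startswith(b"{"):
            return raw.decode("ascii")
    return base64.b64decode(blob, validate=True).decode("ascii")


def parse_binary(blob: str) -> dict:
    """Split the decoded Binary into its GUIDs and whatever follows the last one."""
    text = decode_binary(blob)
    matches = list(GUID_RE.finditer(text))
    trailer = text[matches[-1].end():].strip(" ,") if matches else text
    return {"guids": [m.group(0) for m in matches], "trailer": trailer}


def product_code(blob: str):
    """First GUID of the Binary field, which is the product code on every record here."""
    guids = parse_binary(blob)["guids"]
    return guids[0].upper() if guids else None


def package_guid(path: str):
    """GUID embedded in a 1040/1042 transaction path, if any."""
    m = GUID_RE.search(path)
    return m.group(0).upper() if m else None


def same_package(binary_blob: str, transaction_path: str) -> bool:
    """True when a product-event Binary names the GUID found in a transaction path."""
    code = product_code(binary_blob)
    return code is not None and code == package_guid(transaction_path)


# Approximation of the two Sigma rules' path patterns (assumed, not quoted from the rules)
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", ":\\windows\\temp\\", "\\downloads\\")


def classify_transaction_path(path: str) -> str:
    """'web' for an http(s) package, 'suspicious_location' for user-writable staging dirs."""
    low = path.lower()
    if low.startswith(("http://", "https://")):
        return "web"
    if any(d in low for d in SUSPICIOUS_DIRS):
        return "suspicious_location"
    return "ordinary"


if __name__ == "__main__":
    print(parse_binary(BINARY_1033))
    print(parse_binary(BINARY_1034_HEX)["guids"], parse_binary(BINARY_1029)["trailer"])
    print(same_package(BINARY_1033, PATH_1042), same_package(BINARY_1033, PATH_1040))
    print(classify_transaction_path(PATH_1042), classify_transaction_path("https://example.invalid/agent.msi"))
```

Two caveats. The Package Cache folder GUID and the product code agree for the Python records on this page (the 1033 Binary and the 1042 path both name {0A9B38A7-D393-44A5-A94E-9FEC927DC39C}), but that is a property of how this particular bundle lays out its cache, so treat a match as corroboration rather than a rule. Second, the 1040 and 1042 records both report Client Process Id 1924, so the pivot from a suspicious package path to the process that requested the install is that id, not the msiexec service pid recorded in `execution.process_id`.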
Event ID 1044 — %1 is not Microsoft signed.
Event ID 10005 —
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 10005
version: 0
level: 2
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2016-08-30T15:21:35.000000Z'
event_record_id: 1723
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE10Win7
security:
user_id: S-1-5-21-3463664321-2923530833-3546627382-1000
event_data: {}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11704 — Product: VMware Tools -- Error 1704.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order; here the full error text is carried in %1 |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 11704
version: 0
level: 2
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T22:29:54.331227+00:00'
event_record_id: 1487
correlation: {}
execution:
process_id: 7244
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data:
- 'Product: VMware Tools -- Error 1704. An installation for VMware Tools is currently
suspended. You must undo the changes made by that installation to continue. Do
you want to undo those changes?'
- (NULL)
- (NULL)
- (NULL)
- (NULL)
- (NULL)
Binary: e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0=
message: 'Product: VMware Tools -- Error 1704. An installation for VMware Tools is
currently suspended. You must undo the changes made by that installation to continue.
Do you want to undo those changes?'
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11707 — Product: Python 3.12.0 Test Suite (64-bit) -- Installation completed successfully.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order; here the full status text is carried in %1 |
| Binary | Binary payload beginning with the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 11707
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T23:15:56.230966+00:00'
event_record_id: 1722
correlation: {}
execution:
process_id: 4436
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
Data:
- 'Product: Python 3.12.0 Test Suite (64-bit) -- Installation completed successfully.'
- (NULL)
- (NULL)
- (NULL)
- (NULL)
- (NULL)
Binary: ezBBOUIzOEE3LUQzOTMtNDRBNS1BOTRFLTlGRUM5MjdEQzM5Q30=
message: 'Product: Python 3.12.0 Test Suite (64-bit) -- Installation completed successfully.'
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 11708 — Product: %1 -- Installation failed.
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 11708
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2016-08-30T15:21:37.000000Z'
event_record_id: 1724
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE10Win7
security:
user_id: S-1-5-21-3463664321-2923530833-3546627382-1000
event_data: {}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11724 — Product: Avira -- Removal completed successfully.
Fields
| Name | Description |
|---|---|
| Data_0 | Insertion string %1, the full status text (this record's exporter keys the Data list by position) |
| Data_1 | Insertion string %2 |
| Data_2 | Insertion string %3 |
| Data_3 | Insertion string %4 |
| Data_4 | Insertion string %5 |
| Data_5 | Insertion string %6 |
| Data_6 | Insertion string %7 |
| Binary | Binary payload consisting of the product code GUID; hex encoded in this record, base64 in others on this page |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 11724
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-06T00:55:30.987658+00:00'
event_record_id: 1971
correlation: {}
execution:
process_id: 12792
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: S-1-5-18
event_data:
Data_0: 'Product: Avira -- Removal completed successfully.'
Data_1: (NULL)
Data_2: (NULL)
Data_3: (NULL)
Data_4: (NULL)
Data_5: (NULL)
Data_6: ''
Binary: 7B36463131434143332D443333442D343336302D423133392D3733463332373641324239417D
message: ''
Sigma Rules
- Application Uninstalled
An application has been removed. Check if it is critical.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11728 — Product: Virtio-win-driver-installer -- Configuration completed successfully.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings in positional order; here the full status text is carried in %1 |
| Binary | Binary payload consisting of the product code GUID; base64 or hex encoded depending on the record |
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 11728
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2025-12-31T19:37:29.771787+00:00'
event_record_id: 134
correlation: {}
execution:
process_id: 6696
thread_id: 0
channel: Application
computer: WIN11-22H2-X64
security:
user_id: S-1-5-21-3407486967-1585450050-1838039599-1000
event_data:
Data:
- 'Product: Virtio-win-driver-installer -- Configuration completed successfully.'
- (NULL)
- (NULL)
- (NULL)
- (NULL)
- (NULL)
Binary: ezhDQUNCNjU3LTA4RTEtNDlEMS1BMTAwLUZCRUI3NTkxNTJFNX0=
message: 'Product: Virtio-win-driver-installer -- Configuration completed successfully.'
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 11729 — Product: %1 -- Configuration failed.
Example Event
system:
provider: MsiInstaller
guid: ''
event_source_name: ''
event_id: 11729
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2016-08-18T16:33:01.000000Z'
event_record_id: 1434
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE10Win7
security:
user_id: S-1-5-18
event_data: {}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline