Event ID 1040 — Beginning a Windows Installer transaction: %0

Provider: MsiInstaller
Channel: Application
Level: Informational

Fields #

Name	Description
`Data`	—

Example Event #

{
  "system": {
    "provider": "MsiInstaller",
    "guid": "",
    "event_source_name": "",
    "event_id": 1040,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2023-11-05T23:15:56.406360+00:00",
    "event_record_id": 1725,
    "correlation": {},
    "execution": {
      "process_id": 4436,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Data": [
      "C:\\ProgramData\\Package Cache\\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3.12.150.0\\doc.msi",
      "1924",
      "(NULL)",
      "(NULL)",
      "(NULL)",
      "(NULL)"
    ]
  },
  "message": "Beginning a Windows Installer transaction: C:\\ProgramData\\Package Cache\\{5DF0B8D8-4E7F-43EB-AD16-30FFA931A905}v3.12.150.0\\doc.msi. Client Process Id: 1924."
}

Detection Patterns #

Defense Evasion: Msiexec

MsiInstaller Event ID 1040: Beginning a Windows Installer transaction: %0OREvent ID 1042: Ending a Windows Installer transaction: %0

1 rule

Sigma

MSI Installation From Web (source)

Stamatis Chatzimangou

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

MSI Installation From Suspicious Locations source medium: Detects MSI package installation from suspicious locations↳ also matches:Event ID 1042: Ending a Windows Installer transaction: %0

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx