System Restore

4 events across 1 channel

Event ID	Title	Channel
8194	Successfully created restore point (Process = …	Application
8195	System Restore has been disabled (Process = …	Application
8196	System Restore has been enabled (Process = …	Application
8216	Skipping creation of restore point (Process = …	Application

Event ID 8194 — Successfully created restore point (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.

Provider: System Restore
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: System Restore
  guid: ''
  event_source_name: ''
  event_id: 8194
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2025-12-31T19:34:02.772981+00:00'
  event_record_id: 32
  correlation: {}
  execution:
    process_id: 4524
    thread_id: 0
  channel: Application
  computer: WIN11-22H2-X64
  security:
    user_id: ''
event_data:
  Data:
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\TiWorker.exe
    -Embedding
  - Windows Modules Installer
  Binary: AAAAAFkCAABLAgAAAAAAACLOKGd8bdp54owcAAAAAAAAAAAA
message: Successfully created restore point (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\TiWorker.exe
  -Embedding; Description = Windows Modules Installer).

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 8195 — System Restore has been disabled (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.

Provider: System Restore
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: System Restore
  guid: ''
  event_source_name: ''
  event_id: 8195
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2023-11-05T22:27:07.967517+00:00'
  event_record_id: 1452
  correlation: {}
  execution:
    process_id: 5140
    thread_id: 0
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  Data:
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.2423_none_e946dbb842dfcc3f\TiWorker.exe
    -Embedding
  Binary: AAAAAIkAAACDAAAAAAAAAEOGJSMHAAAAAAAAAAAAAAAAAAAA
message: System Restore has been disabled (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.2423_none_e946dbb842dfcc3f\TiWorker.exe
  -Embedding; Volume = [0 0 0 0 137 0 0 0 131 0 0 0 0 0 0 0 67 134 37 35 7 0 0 0 0
  0 0 0 0 0 0 0 0 0 0 0]).

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 8196 — System Restore has been enabled (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.

Provider: System Restore
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: System Restore
  guid: ''
  event_source_name: ''
  event_id: 8196
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2025-12-31T19:33:51.507827+00:00'
  event_record_id: 31
  correlation: {}
  execution:
    process_id: 4524
    thread_id: 0
  channel: Application
  computer: WIN11-22H2-X64
  security:
    user_id: ''
event_data:
  Data:
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\TiWorker.exe
    -Embedding
  Binary: AAAAAKcAAAChAAAAAAAAAC0sGS8HAAAAAAAAAAAAAAAAAAAA
message: System Restore has been enabled (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\TiWorker.exe
  -Embedding; Volume = [0 0 0 0 167 0 0 0 161 0 0 0 0 0 0 0 45 44 25 47 7 0 0 0 0
  0 0 0 0 0 0 0 0 0 0 0]).

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 8216 — Skipping creation of restore point (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.

Provider: System Restore
Channel: Application
Level: 4
Samples: 1

Fields

Name	Description
`Data`	—
`Binary`	—

Example Event

system:
  provider: System Restore
  guid: ''
  event_source_name: ''
  event_id: 8216
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 36028797018963968
  time_created: '2025-12-31T19:34:12.244576+00:00'
  event_record_id: 33
  correlation: {}
  execution:
    process_id: 4524
    thread_id: 0
  channel: Application
  computer: WIN11-22H2-X64
  security:
    user_id: ''
event_data:
  Data:
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\TiWorker.exe
    -Embedding
  - Windows Modules Installer
  Binary: AAAAAFUCAABLAgAAAAAAACLOKGd8bdp54owcAAAAAAAAAAAA
message: Skipping creation of restore point (Process = C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\TiWorker.exe
  -Embedding; Description = Windows Modules Installer) as there is a restore point
  avaliable which is recent enough for System Restore.

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline