System Restore
5 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 8194 | Successfully created restore point. | Application |
| 8195 | System Restore has been disabled. | Application |
| 8196 | System Restore has been enabled. | Application |
| 8212 | | Application |
| 8216 | Skipping creation of restore point. | Application |
Event ID 8194 — Successfully created restore point.
Fields #
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "System Restore",
"guid": "",
"event_source_name": "",
"event_id": 8194,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2025-12-31T19:34:02.772981+00:00",
"event_record_id": 32,
"correlation": {},
"execution": {
"process_id": 4524,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding",
"Windows Modules Installer"
],
"Binary": "AAAAAFkCAABLAgAAAAAAACLOKGd8bdp54owcAAAAAAAAAAAA"
},
"message": "Successfully created restore point (Process = C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding; Description = Windows Modules Installer)."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 8195 — System Restore has been disabled.
Fields #
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "System Restore",
"guid": "",
"event_source_name": "",
"event_id": 8195,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:27:07.967517+00:00",
"event_record_id": 1452,
"correlation": {},
"execution": {
"process_id": 5140,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.2423_none_e946dbb842dfcc3f\\TiWorker.exe -Embedding"
],
"Binary": "AAAAAIkAAACDAAAAAAAAAEOGJSMHAAAAAAAAAAAAAAAAAAAA"
},
"message": "System Restore has been disabled (Process = C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.2423_none_e946dbb842dfcc3f\\TiWorker.exe -Embedding; Volume = [0 0 0 0 137 0 0 0 131 0 0 0 0 0 0 0 67 134 37 35 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0])."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 8196 — System Restore has been enabled.
Fields #
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "System Restore",
"guid": "",
"event_source_name": "",
"event_id": 8196,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2025-12-31T19:33:51.507827+00:00",
"event_record_id": 31,
"correlation": {},
"execution": {
"process_id": 4524,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding"
],
"Binary": "AAAAAKcAAAChAAAAAAAAAC0sGS8HAAAAAAAAAAAAAAAAAAAA"
},
"message": "System Restore has been enabled (Process = C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding; Volume = [0 0 0 0 167 0 0 0 161 0 0 0 0 0 0 0 45 44 25 47 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0])."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 8212 —
Fields #
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "System Restore",
"guid": "",
"event_source_name": "",
"event_id": 8212,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-09T02:30:55.026130+00:00",
"event_record_id": 34862,
"correlation": {},
"execution": {
"process_id": 4888,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-WIN11",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "",
"Binary": "0000000000000000AF01000000000000574C29CE5843BE27E26C1C000000000000000000"
},
"message": ""
}
Event ID 8216 — Skipping creation of restore point.
Fields #
| Name | Description |
|---|---|
| Data | — |
| Binary | — |
Example Event #
{
"system": {
"provider": "System Restore",
"guid": "",
"event_source_name": "",
"event_id": 8216,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2025-12-31T19:34:12.244576+00:00",
"event_record_id": 33,
"correlation": {},
"execution": {
"process_id": 4524,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding",
"Windows Modules Installer"
],
"Binary": "AAAAAFUCAABLAgAAAAAAACLOKGd8bdp54owcAAAAAAAAAAAA"
},
"message": "Skipping creation of restore point (Process = C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding; Description = Windows Modules Installer) as there is a restore point avaliable which is recent enough for System Restore."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
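Detection note #

Disabling System Restore is a recovery-inhibition step (MITRE ATT&CK T1490), so event 8195 is worth alerting on, but the samples above show why a bare "any 8195" rule is noisy: TiWorker.exe (Windows Modules Installer), launched from the servicing stack's WinSxS directory, toggles System Restore (8195, 8196) and creates or skips restore points (8194, 8216) during normal servicing. Two other details matter when parsing these events: the Binary field arrives base64-encoded in four of the samples and hex-encoded in the 8212 sample, and the 8195/8196 message text renders that same Binary as a bracketed list of decimal byte values in its Volume parameter. The Python below is an added example, not code from the page or its sources. Its sample events are constructed in the page's JSON shape (command lines, Binary strings, hostnames and most timestamps copied from the samples above; the PowerShell-driven 8195 and the extra TiWorker 8195 are invented); the servicing-worker path pattern and the 30-minute re-enable window are assumptions to tune per environment.

```python
"""Triage for Windows 'System Restore' provider events (Application log).
Added example, not code from the page's sources: sample events are constructed
in the page's JSON shape; the servicing-worker path pattern and the re-enable
window are assumptions."""
import base64
import re
from datetime import datetime, timedelta

RESTORE_DISABLED, RESTORE_ENABLED = 8195, 8196  # "...disabled." / "...enabled."

# The page's samples show TiWorker.exe (Windows Modules Installer), run from the
# servicing stack's WinSxS folder, toggling System Restore during servicing.
# Treating that as expected churn is an assumption; tune the pattern per build.
SERVICING_WORKER = re.compile(
    r"^c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_[^\\]+"
    r"\\tiworker\.exe\b", re.IGNORECASE)

def decode_binary(value):
    """Raw bytes of the Binary field. The page shows base64 for 8194/8195/8196/
    8216 and uppercase hex for 8212, so an even-length all-hex-digit string is
    taken as hex, anything else as base64 (heuristic; pin it if you can)."""
    if not value:
        return b""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value)
    return base64.b64decode(value, validate=True)

def render_volume(raw):
    """Bytes as the 8195/8196 message prints its Volume parameter: [d d d ...]."""
    return "[" + " ".join(str(b) for b in raw) + "]"

def process_of(event):
    """First insertion string (toggling process); exporters use 'Data' or 'Data_0'."""
    data = event["event_data"]
    if isinstance(data.get("Data"), list) and data["Data"]:
        return data["Data"][0]
    return data.get("Data_0", "")

def triage(events, reenable_window=timedelta(minutes=30)):
    """Score each 8195: HIGH if the disabler is not the servicing worker; else
    LOW if a 8196 follows on the same host within the window, MEDIUM if not."""
    rows = sorted(
        ({"time": datetime.fromisoformat(e["system"]["time_created"]),
          "host": e["system"]["computer"],
          "event_id": e["system"]["event_id"],
          "record_id": e["system"]["event_record_id"],
          "process": process_of(e),
          "binary": decode_binary(e["event_data"]["Binary"])} for e in events),
        key=lambda r: r["time"])
    findings = []
    for i, r in enumerate(rows):
        if r["event_id"] != RESTORE_DISABLED:
            continue
        if not SERVICING_WORKER.match(r["process"]):
            severity = "HIGH"
        else:
            reenabled = any(
                q["host"] == r["host"] and q["event_id"] == RESTORE_ENABLED
                and q["time"] <= r["time"] + reenable_window
                for q in rows[i + 1:])
            severity = "LOW" if reenabled else "MEDIUM"
        findings.append({"host": r["host"], "record_id": r["record_id"],
                         "severity": severity, "process": r["process"],
                         "volume": render_volume(r["binary"])})
    return findings

def make_event(event_id, time_created, computer, record_id, event_data):
    """Event in the page's JSON shape, reduced to the fields triage() reads."""
    return {"system": {"provider": "System Restore", "channel": "Application",
                       "event_id": event_id, "time_created": time_created,
                       "computer": computer, "event_record_id": record_id},
            "event_data": event_data}

# TIWORKER and the BIN_* strings are copied from the page's samples; PS_DISABLE
# is constructed (Disable-ComputerRestore is a real cmdlet, the event is not).
TIWORKER = ("C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_"
            "31bf3856ad364e35_10.0.22621.2423_none_e946dbb842dfcc3f\\TiWorker.exe -Embedding")
PS_DISABLE = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
              "-Command Disable-ComputerRestore -Drive C:\\")
BIN_8195 = "AAAAAIkAAACDAAAAAAAAAEOGJSMHAAAAAAAAAAAAAAAAAAAA"
BIN_8196 = "AAAAAKcAAAChAAAAAAAAAC0sGS8HAAAAAAAAAAAAAAAAAAAA"
BIN_8212 = "0000000000000000AF01000000000000574C29CE5843BE27E26C1C000000000000000000"

SAMPLE_EVENTS = [  # constructed log; timestamps/hosts partly from the page
    # page's 8195: servicing worker disabled SR and never re-enabled -> MEDIUM
    make_event(8195, "2023-11-05T22:27:07.967517+00:00", "WinDev2310Eval", 1452,
               {"Data": [TIWORKER], "Binary": BIN_8195}),
    # invented 8195 eleven seconds before the page's 8196 sample -> LOW
    make_event(8195, "2025-12-31T19:33:40.000000+00:00", "WIN11-22H2-X64", 30,
               {"Data": [TIWORKER], "Binary": BIN_8196}),
    make_event(8196, "2025-12-31T19:33:51.507827+00:00", "WIN11-22H2-X64", 31,
               {"Data": [TIWORKER], "Binary": BIN_8196}),
    # page's 8212: hex Binary and a Data_0 key; must decode, yields no finding
    make_event(8212, "2026-03-09T02:30:55.026130+00:00", "LAB-WIN11", 34862,
               {"Data_0": "", "Binary": BIN_8212}),
    # invented 8195 from an interactive PowerShell -> HIGH
    make_event(8195, "2026-03-09T02:31:10.000000+00:00", "LAB-WIN11", 34863,
               {"Data": [PS_DISABLE], "Binary": BIN_8195}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["record_id"], f["volume"])
```

Run as a script it prints one line per 8195 with its severity and the Volume bytes rendered exactly as the 8195/8196 message text shows them, which lets you confirm against the message string that the Binary decoder picked the right encoding. The servicing-worker check keys on the process path rather than on the image name alone, since an attacker can name anything TiWorker.exe; pairing the 8195 with a following 8196 on the same host is what separates servicing churn from a disable that stuck.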