System Restore › Event 8196
- Provider
- System Restore
- Channel
- Application
- Level
- Informational
Example Event #
{
"system": {
"provider": "System Restore",
"guid": "",
"event_source_name": "",
"event_id": 8196,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2025-12-31T19:33:51.507827+00:00",
"event_record_id": 31,
"correlation": {},
"execution": {
"process_id": 4524,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding"
],
"Binary": "AAAAAKcAAAChAAAAAAAAAC0sGS8HAAAAAAAAAAAAAAAAAAAA"
},
"message": "System Restore has been enabled (Process = C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22621.378_none_6b5c1260907d1384\\TiWorker.exe -Embedding; Volume = [0 0 0 0 167 0 0 0 161 0 0 0 0 0 0 0 45 44 25 47 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0])."
}