USER32

10 events across 1 channel

Event ID	Title	Channel
1073		System
1074		System
1075		System
1076		System
1077		System
2147484721	The attempt by user %2 to restart/shutdown computer %1 failed.	System
2147484722	The process %1 has initiated the %5 of computer %2 on behalf of user %7 for the …	System
2147484723	The last restart/shutdown request of computer %1 was aborted by user %2.	System
2147484724	The reason supplied by user %6 for the last unexpected shutdown of this computer …	System
2147484725	The attempt by user %2 to logoff computer %1 failed.	System

Event ID 1073 —

Provider: User32
Channel: System

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 1074 —

Provider: User32
Channel: System
Level: 4
Samples: 1

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Example Event

system:
  provider: User32
  guid: '{b0aa8734-56f7-41cc-b2f4-de228e98b946}'
  event_source_name: User32
  event_id: 1074
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9259400833873739776
  time_created: '2023-11-06T06:23:40.035258+00:00'
  event_record_id: 1620
  correlation: {}
  execution:
    process_id: 580
    thread_id: 596
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  param1: C:\Windows\system32\winlogon.exe (WINDEVEVAL)
  param2: WIN-91F0RT9CFIN
  param3: 'Operating System: Upgrade (Planned)'
  param4: '0x80020003'
  param5: restart
  param6: ''
  param7: NT AUTHORITY\SYSTEM
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1075 —

Provider: User32
Channel: System

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 1076 —

Provider: User32
Channel: System

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 1077 —

Provider: User32
Channel: System

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 2147484721 — The attempt by user %2 to restart/shutdown computer %1 failed.

Provider: User32
Channel: System

Message

The attempt by user %2 to restart/shutdown computer %1 failed

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 2147484722 — The process %1 has initiated the %5 of computer %2 on behalf of user %7 for the following reason: %3 Reason Code: %4 Shutdown Type: %5 Comment: %6.

Provider: User32
Channel: System

Message

The process %1 has initiated the %5 of computer %2 on behalf of user %7 for the following reason: %3
 Reason Code: %4
 Shutdown Type: %5
 Comment: %6

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 2147484723 — The last restart/shutdown request of computer %1 was aborted by user %2.

Provider: User32
Channel: System

Message

The last restart/shutdown request of computer %1 was aborted by user %2

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 2147484724 — The reason supplied by user %6 for the last unexpected shutdown of this computer is: %1 Reason Code: %2 Problem ID: %3 Bugcheck String: %4 Comment:...

Provider: User32
Channel: System

Message

The reason supplied by user %6 for the last unexpected shutdown of this computer is: %1
 Reason Code: %2
 Problem ID: %3
 Bugcheck String: %4
 Comment: %5

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 2147484725 — The attempt by user %2 to logoff computer %1 failed.

Provider: User32
Channel: System

Message

The attempt by user %2 to logoff computer %1 failed

Fields

Name	Description
`param1`	—
`param2`	—