User32

10 events across 1 channel

Event ID	Title	Channel
1073		System
1074		System
1075		System
1076		System
1077		System
2147484721	The attempt by user param2 to restart/shutdown computer param1 failed.	System
2147484722	The process param1 has initiated the ShutdownType of computer param2 on behalf …	System
2147484723	The last restart/shutdown request of computer param1 was aborted by user param2.	System
2147484724	The reason supplied by user param6 for the last unexpected shutdown of this …	System
2147484725	The attempt by user param2 to logoff computer param1 failed.	System

Event ID 1073 —

Provider: User32
Channel: System

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—

Event ID 1074 —

Provider: User32
Channel: System
Level: Informational
Collection Priority: Recommended (JSCU-NL)

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—
`param3` UnicodeString	—
`param4` UnicodeString	—
`param5` UnicodeString	—
`param6` UnicodeString	—
`param7` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "User32",
    "guid": "{b0aa8734-56f7-41cc-b2f4-de228e98b946}",
    "event_source_name": "User32",
    "event_id": 1074,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2023-11-06T06:23:40.035258+00:00",
    "event_record_id": 1620,
    "correlation": {},
    "execution": {
      "process_id": 580,
      "thread_id": 596
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "param1": "C:\\Windows\\system32\\winlogon.exe (WINDEVEVAL)",
    "param2": "WIN-91F0RT9CFIN",
    "param3": "Operating System: Upgrade (Planned)",
    "param4": "0x80020003",
    "param5": "restart",
    "param6": "",
    "param7": "NT AUTHORITY\\SYSTEM"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1075 —

Provider: User32
Channel: System

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—

Event ID 1076 —

Provider: User32
Channel: System
Level: Warning

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—
`param3` UnicodeString	—
`param4` UnicodeString	—
`param5` UnicodeString	—
`param6` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "User32",
    "guid": "{b0aa8734-56f7-41cc-b2f4-de228e98b946}",
    "event_source_name": "User32",
    "event_id": 1076,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9259400833873739776,
    "time_created": "2026-03-08T22:34:36.922571+00:00",
    "event_record_id": 10013,
    "correlation": {},
    "execution": {
      "process_id": 768,
      "thread_id": 876
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "param1": "Other (Unplanned)",
    "param2": "0xa000000",
    "param3": "",
    "param4": "",
    "param5": "\n",
    "param6": "ludus\\domainadmin"
  },
  "message": ""
}

Event ID 1077 —

Provider: User32
Channel: System

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—

Event ID 2147484721 — The attempt by user param2 to restart/shutdown computer param1 failed.

Provider: User32
Channel: System

Description

The attempt by user param2 to restart/shutdown computer param1 failed.

Message #

The attempt by user %2 to restart/shutdown computer %1 failed

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—

Event ID 2147484722 — The process param1 has initiated the ShutdownType of computer param2 on behalf of user param7 for the following reason: param3.

Provider: User32
Channel: System

Description

The process param1 has initiated the ShutdownType of computer param2 on behalf of user param7 for the following reason: param3.

Message #

The process %1 has initiated the %5 of computer %2 on behalf of user %7 for the following reason: %3
 Reason Code: %4
 Shutdown Type: %5
 Comment: %6

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—
`param3` UnicodeString	—
`param4` UnicodeString	—
`param5` UnicodeString	—
`param6` UnicodeString	—
`param7` UnicodeString	—

Event ID 2147484723 — The last restart/shutdown request of computer param1 was aborted by user param2.

Provider: User32
Channel: System

Description

The last restart/shutdown request of computer param1 was aborted by user param2.

Message #

The last restart/shutdown request of computer %1 was aborted by user %2

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—

Event ID 2147484724 — The reason supplied by user param6 for the last unexpected shutdown of this computer is: param1.

Provider: User32
Channel: System

Description

The reason supplied by user param6 for the last unexpected shutdown of this computer is: param1.

Message #

The reason supplied by user %6 for the last unexpected shutdown of this computer is: %1
 Reason Code: %2
 Problem ID: %3
 Bugcheck String: %4
 Comment: %5

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—
`param3` UnicodeString	—
`param4` UnicodeString	—
`param5` UnicodeString	—
`param6` UnicodeString	—

Event ID 2147484725 — The attempt by user param2 to logoff computer param1 failed.

Provider: User32
Channel: System

Description

The attempt by user param2 to logoff computer param1 failed.

Message #

The attempt by user %2 to logoff computer %1 failed

Fields #

Name	Description
`param1` UnicodeString	—
`param2` UnicodeString	—