VSS
7 events across 1 channel
Event ID 13 — Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings, in order: the CLSID of the COM server, its name, and the HRESULT followed by its text. |
| Binary | Base64-encoded diagnostic trailer supplied by the caller (Code, Call, PID, TID, CMD, User). The message renderer prints the same bytes as the trailing decimal dump `[45 32 67 ...]`. In this sample the trailer names the real caller (svchost.exe hosting CryptSvc as NETWORK SERVICE) while the system block reports process_id 0. |
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 13
version: 0
level: 2
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2022-04-07T08:38:25.806584+00:00'
event_record_id: 179
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: WIN-FPV0DSIC9O6.sigma.fr
security:
user_id: ''
event_data:
Data:
- '{4e14fba2-2e22-11d1-9964-00c04fbbb345}'
- CEventSystem
- "0x8007045b, A system shutdown is in progress.\r\n"
Binary: LSBDb2RlOiBXUlRXUlRJQzAwMDA0OTIzLSBDYWxsOiBXUlRXUlRJQzAwMDA0OTE2LSBQSUQ6ICAwMDAwMjcxNi0gVElEOiAgMDAwMDM1ODAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcc3ZjaG9zdC5leGUgLWsgTmV0d29ya1NlcnZpY2UgLXAgLXMgQ3J5cHRTdmMtIFVzZXI6IE5hbWU6IE5UIEFVVEhPUklUWVxORVRXT1JLIFNFUlZJQ0UsIFNJRDpTLTEtNS0yMA==
message: "Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345}
and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.\r\n]\r\n[45
32 67 111 100 101 58 32 87 82 84 87 82 84 73 67 48 48 48 48 52 57 50 51 45 32 67
97 108 108 58 32 87 82 84 87 82 84 73 67 48 48 48 48 52 57 49 54 45 32 80 73 68
58 32 32 48 48 48 48 50 55 49 54 45 32 84 73 68 58 32 32 48 48 48 48 51 53 56 48
45 32 67 77 68 58 32 32 67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101
109 51 50 92 115 118 99 104 111 115 116 46 101 120 101 32 45 107 32 78 101 116 119
111 114 107 83 101 114 118 105 99 101 32 45 112 32 45 115 32 67 114 121 112 116
83 118 99 45 32 85 115 101 114 58 32 78 97 109 101 58 32 78 84 32 65 85 84 72 79
82 73 84 89 92 78 69 84 87 79 82 75 32 83 69 82 86 73 67 69 44 32 83 73 68 58 83
45 49 45 53 45 50 48]"
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8193 — Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings, in order: the routine that failed (CoCreateInstance) and the HRESULT followed by its text. |
| Binary | Base64-encoded diagnostic trailer supplied by the caller (Code, Call, PID, TID, CMD, User); rendered again at the end of the message as a decimal byte dump. Same caller (svchost.exe, CryptSvc, PID 2716) and same HRESULT as the preceding event 13, one record later. |
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 8193
version: 0
level: 2
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2022-04-07T08:38:25.806584+00:00'
event_record_id: 180
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: WIN-FPV0DSIC9O6.sigma.fr
security:
user_id: ''
event_data:
Data:
- CoCreateInstance
- "0x8007045b, A system shutdown is in progress.\r\n"
Binary: LSBDb2RlOiBXUlRXUlRJQzAwMDA0OTMwLSBDYWxsOiBXUlRXUlRJQzAwMDA0OTE2LSBQSUQ6ICAwMDAwMjcxNi0gVElEOiAgMDAwMDM1ODAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcc3ZjaG9zdC5leGUgLWsgTmV0d29ya1NlcnZpY2UgLXAgLXMgQ3J5cHRTdmMtIFVzZXI6IE5hbWU6IE5UIEFVVEhPUklUWVxORVRXT1JLIFNFUlZJQ0UsIFNJRDpTLTEtNS0yMA==
message: "Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.
\ hr = 0x8007045b, A system shutdown is in progress.\r\n.\r\n[45 32 67 111 100 101
58 32 87 82 84 87 82 84 73 67 48 48 48 48 52 57 51 48 45 32 67 97 108 108 58 32
87 82 84 87 82 84 73 67 48 48 48 48 52 57 49 54 45 32 80 73 68 58 32 32 48 48 48
48 50 55 49 54 45 32 84 73 68 58 32 32 48 48 48 48 51 53 56 48 45 32 67 77 68 58
32 32 67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101 109 51 50 92 115
118 99 104 111 115 116 46 101 120 101 32 45 107 32 78 101 116 119 111 114 107 83
101 114 118 105 99 101 32 45 112 32 45 115 32 67 114 121 112 116 83 118 99 45 32
85 115 101 114 58 32 78 97 109 101 58 32 78 84 32 65 85 84 72 79 82 73 84 89 92
78 69 84 87 79 82 75 32 83 69 82 86 73 67 69 44 32 83 73 68 58 83 45 49 45 53 45
50 48]"
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8212 — Volume Shadow Copy Service: Writer with name Registry Writer and ID {afbab4a2-367d-4d15-a586-71dbb18f8485} attempted to subscribe during setup.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings, in order: the writer name, the writer class ID, and the Operation/Context block appended to the message. |
| Binary | Base64-encoded diagnostic trailer (Code, Call, PID, TID, CMD, User); here the caller is vssvc.exe itself running as SYSTEM. |
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 8212
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2013-10-23T16:18:08+00:00'
event_record_id: 71
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: 37L4247D28-05
security:
user_id: ''
event_data:
Data:
- Registry Writer
- '{afbab4a2-367d-4d15-a586-71dbb18f8485}'
- "\n\nOperation:\n Initializing Writer\n\nContext:\n Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}\n
\ Writer Name: Registry Writer"
Binary: LSBDb2RlOiBXUlRXUlRJQzAwMDAwODIzLSBDYWxsOiBXUlRXUlRJQzAwMDAwNzc0LSBQSUQ6ICAwMDAwMTUyOC0gVElEOiAgMDAwMDE1ODAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcdnNzdmMuZXhlICAgLSBVc2VyOiBOYW1lOiBOVCBBVVRIT1JJVFlcU1lTVEVNLCBTSUQ6Uy0xLTUtMTgg
message: "Volume Shadow Copy Service: Writer with name Registry Writer and ID {afbab4a2-367d-4d15-a586-71dbb18f8485}
attempted to subscribe during setup.\r\n\n\nOperation:\n Initializing Writer\n\nContext:\n
\ Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}\n Writer Name: Registry
Writer"
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 8219 — Ran out of time while expanding file specification \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Windows\softwaredistribution\Download\0dcbdf0cd3181da68ea1a0cad87fcd81\*.*. This was being done for the WUA subscriber.
Fields
| Name | Description |
|---|---|
| Data | Message insertion strings, in order: the directory being expanded (a \\?\GLOBALROOT path into the shadow copy volume), the file pattern, the subscriber name (WUA), and the Operation/Context block naming the Shadow Copy Optimization Writer and its instance ID. |
| Binary | Base64-encoded diagnostic trailer (Code, Call, PID, TID, CMD, User) from vssvc.exe running as SYSTEM. |
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 8219
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2013-10-23T18:30:04+00:00'
event_record_id: 257
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE8Win7
security:
user_id: ''
event_data:
Data:
- \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Windows\softwaredistribution\Download\0dcbdf0cd3181da68ea1a0cad87fcd81
- '*.*'
- WUA
- "\n\nOperation:\n OnPostSnapshot event\n PostSnapshot Event\n\nContext:\n
\ Execution Context: Shadow Copy Optimization Writer\n Execution Context: Writer\n
\ Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}\n Writer Name: Shadow
Copy Optimization Writer\n Writer Instance ID: {6809ef26-b200-48dd-bab3-75979ed0a47c}"
Binary: LSBDb2RlOiBXUlRERUxFVDAwMDAwODA4LSBDYWxsOiBXUlRERUxFVDAwMDAwNzY2LSBQSUQ6ICAwMDAwMDYwOC0gVElEOiAgMDAwMDMyMDQtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcdnNzdmMuZXhlICAgLSBVc2VyOiBOYW1lOiBOVCBBVVRIT1JJVFlcU1lTVEVNLCBTSUQ6Uy0xLTUtMTgg
message: "Ran out of time while expanding file specification \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy6\\Windows\\softwaredistribution\\Download\\0dcbdf0cd3181da68ea1a0cad87fcd81\\*.*.
\ This was being done\r\nfor the WUA subscriber.\r\n\n\nOperation:\n OnPostSnapshot
event\n PostSnapshot Event\n\nContext:\n Execution Context: Shadow Copy Optimization
Writer\n Execution Context: Writer\n Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}\n
\ Writer Name: Shadow Copy Optimization Writer\n Writer Instance ID: {6809ef26-b200-48dd-bab3-75979ed0a47c}"
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 8220 — (the sample event carries no message text and no event data)
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 8220
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2013-10-23T20:13:50.000000Z'
event_record_id: 627
correlation: {}
execution:
process_id: 0
thread_id: 0
channel: Application
computer: IE8Win7
security:
user_id: ''
event_data: {}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8224 — The VSS service is shutting down due to idle timeout.
Fields
| Name | Description |
|---|---|
| Data | A single empty insertion string; the message has no placeholders. |
| Binary | Base64-encoded diagnostic trailer (Code, Call, PID, TID, CMD, User) from vssvc.exe running as SYSTEM; the PID in the trailer matches execution.process_id. |
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 8224
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T22:45:42.112210+00:00'
event_record_id: 1597
correlation: {}
execution:
process_id: 6092
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: ''
event_data:
Data:
- ''
Binary: LSBDb2RlOiAgQ09SU1ZDQzAwMDAwNzcyLSBDYWxsOiAgQ09SU1ZDQzAwMDAwNzU0LSBQSUQ6ICAwMDAwNjA5Mi0gVElEOiAgMDAwMDQxMjAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcdnNzdmMuZXhlICAgLSBVc2VyOiBOYW1lOiBOVCBBVVRIT1JJVFlcU1lTVEVNLCBTSUQ6Uy0xLTUtMTgg
message: "The VSS service is shutting down due to idle timeout.\r\n"
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 8225 — The VSS service is shutting down due to shutdown event from the Service Control Manager.
Fields
| Name | Description |
|---|---|
| Data | A single empty insertion string; the message has no placeholders. |
| Binary | Base64-encoded diagnostic trailer (Code, Call, PID, TID, CMD, User) from vssvc.exe running as SYSTEM; the PID in the trailer matches execution.process_id. |
Example Event
system:
provider: VSS
guid: ''
event_source_name: ''
event_id: 8225
version: 0
level: 4
task: 0
opcode: 0
keywords: 36028797018963968
time_created: '2023-11-05T22:27:41.758957+00:00'
event_record_id: 1467
correlation: {}
execution:
process_id: 4992
thread_id: 0
channel: Application
computer: WinDev2310Eval
security:
user_id: ''
event_data:
Data:
- ''
Binary: LSBDb2RlOiAgQ09SU1ZDQzAwMDAwNzcwLSBDYWxsOiAgQ09SU1ZDQzAwMDAwNzU0LSBQSUQ6ICAwMDAwNDk5Mi0gVElEOiAgMDAwMDM5MzItIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcdnNzdmMuZXhlICAgLSBVc2VyOiBOYW1lOiBOVCBBVVRIT1JJVFlcU1lTVEVNLCBTSUQ6Uy0xLTUtMTgg
message: "The VSS service is shutting down due to shutdown event from the Service
Control Manager.\r\n"
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
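Added example (not code from this page, from the evtx-baseline or hayabusa-sample-evtx repositories, or from Microsoft): a Python decoder for the records above. On every VSS event on this page the Binary field base64-decodes to a trailer of the form `- Code: ... - Call: ... - PID: ... - TID: ... - CMD: ... - User: ...`, and the `[45 32 67 ...]` tail of the rendered message is that same blob printed as decimal bytes. The code parses both, cross-checks them, and splits the HRESULT in Data into facility and Win32 code. The EVENTS list is constructed from the page's events 13, 8193 and 8224 (Data, Binary, message and process_id copied from them, with execution.process_id flattened to process_id); the trailer layout is inferred from these samples and is an assumption, not a documented format.

```python
"""Decode and triage the VSS Application-log events shown on this page.

Added example, not code from the page, its sample repositories, or Windows.
EVENTS is constructed from the page's events 13, 8193 and 8224 (Data, Binary,
message and process_id copied from them). The trailer layout
"- Code: ..- Call: ..- PID: ..- TID: ..- CMD: ..- User: .." is inferred from
those samples; it is an assumption, not a documented format.
"""
import base64
import re

EVENTS = [
    {   # Event ID 13: COM server CEventSystem could not be started
        "event_id": 13, "process_id": 0,   # system block carries no PID here
        "Data": ["{4e14fba2-2e22-11d1-9964-00c04fbbb345}", "CEventSystem",
                 "0x8007045b, A system shutdown is in progress.\r\n"],
        "Binary": "LSBDb2RlOiBXUlRXUlRJQzAwMDA0OTIzLSBDYWxsOiBXUlRXUlRJQzAwMDA0OTE2LSBQSUQ6ICAwMDAwMjcxNi0gVElEOiAgMDAwMDM1ODAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcc3ZjaG9zdC5leGUgLWsgTmV0d29ya1NlcnZpY2UgLXAgLXMgQ3J5cHRTdmMtIFVzZXI6IE5hbWU6IE5UIEFVVEhPUklUWVxORVRXT1JLIFNFUlZJQ0UsIFNJRDpTLTEtNS0yMA==",
        # Rendered message; the bracketed decimal dump at the end is the Binary blob.
        "message": "Volume Shadow Copy Service information: The COM Server with CLSID "
                   "{4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. "
                   "[0x8007045b, A system shutdown is in progress.\r\n]\r\n"
                   "[45 32 67 111 100 101 58 32 87 82 84 87 82 84 73 67 48 48 48 48 52 57 50 51 45 32 67 "
                   "97 108 108 58 32 87 82 84 87 82 84 73 67 48 48 48 48 52 57 49 54 45 32 80 73 68 "
                   "58 32 32 48 48 48 48 50 55 49 54 45 32 84 73 68 58 32 32 48 48 48 48 51 53 56 48 "
                   "45 32 67 77 68 58 32 32 67 58 92 87 105 110 100 111 119 115 92 115 121 115 116 101 "
                   "109 51 50 92 115 118 99 104 111 115 116 46 101 120 101 32 45 107 32 78 101 116 119 "
                   "111 114 107 83 101 114 118 105 99 101 32 45 112 32 45 115 32 67 114 121 112 116 "
                   "83 118 99 45 32 85 115 101 114 58 32 78 97 109 101 58 32 78 84 32 65 85 84 72 79 "
                   "82 73 84 89 92 78 69 84 87 79 82 75 32 83 69 82 86 73 67 69 44 32 83 73 68 58 83 "
                   "45 49 45 53 45 50 48]",
    },
    {   # Event ID 8193: CoCreateInstance failed with the same HRESULT, one record later
        "event_id": 8193, "process_id": 0,
        "Data": ["CoCreateInstance", "0x8007045b, A system shutdown is in progress.\r\n"],
        "Binary": "LSBDb2RlOiBXUlRXUlRJQzAwMDA0OTMwLSBDYWxsOiBXUlRXUlRJQzAwMDA0OTE2LSBQSUQ6ICAwMDAwMjcxNi0gVElEOiAgMDAwMDM1ODAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcc3ZjaG9zdC5leGUgLWsgTmV0d29ya1NlcnZpY2UgLXAgLXMgQ3J5cHRTdmMtIFVzZXI6IE5hbWU6IE5UIEFVVEhPUklUWVxORVRXT1JLIFNFUlZJQ0UsIFNJRDpTLTEtNS0yMA==",
        "message": "",
    },
    {   # Event ID 8224: vssvc.exe stopping after idle timeout; PID present in system block
        "event_id": 8224, "process_id": 6092, "Data": [""],
        "Binary": "LSBDb2RlOiAgQ09SU1ZDQzAwMDAwNzcyLSBDYWxsOiAgQ09SU1ZDQzAwMDAwNzU0LSBQSUQ6ICAwMDAwNjA5Mi0gVElEOiAgMDAwMDQxMjAtIENNRDogIEM6XFdpbmRvd3Ncc3lzdGVtMzJcdnNzdmMuZXhlICAgLSBVc2VyOiBOYW1lOiBOVCBBVVRIT1JJVFlcU1lTVEVNLCBTSUQ6Uy0xLTUtMTgg",
        "message": "The VSS service is shutting down due to idle timeout.\r\n",
    },
]

_KEYS = "Code|Call|PID|TID|CMD|User"
# Each field runs from "- Key:" up to the next "- Key:" or the end of the blob.
_FIELD_RE = re.compile(rf"- ({_KEYS}):\s*(.*?)\s*(?=- (?:{_KEYS}):|\Z)", re.S)
_USER_RE = re.compile(r"Name:\s*(.*?),\s*SID:\s*(\S+)")
_HRESULT_RE = re.compile(r"0x([0-9a-fA-F]{8}),\s*(.*)", re.S)
_DUMP_RE = re.compile(r"\[(\d+(?:\s+\d+)*)\]")   # skips "[0x8007045b, ...]"


def decode_vss_binary(b64):
    """Split the base64 Binary field into code, call, pid, tid, cmd, name, sid."""
    # The samples are pure ASCII; latin-1 keeps any other byte instead of raising.
    text = base64.b64decode(b64).decode("latin-1")
    raw = {k.lower(): v for k, v in _FIELD_RE.findall(text)}
    out = {"code": raw.get("code", ""), "call": raw.get("call", ""),
           "pid": int(raw["pid"]) if raw.get("pid", "").isdigit() else None,
           "tid": int(raw["tid"]) if raw.get("tid", "").isdigit() else None,
           "cmd": raw.get("cmd", ""), "name": "", "sid": ""}
    m = _USER_RE.search(raw.get("user", ""))
    if m:
        out["name"], out["sid"] = m.group(1), m.group(2)
    return out


def bytes_from_message_dump(message):
    """Recover the bytes the message renderer printed as '[45 32 67 ...]'."""
    m = _DUMP_RE.search(message)
    return bytes(int(n) for n in m.group(1).split()) if m else b""


def message_dump_matches_binary(event):
    """True when the decimal dump in the message is exactly the Binary field."""
    return bytes_from_message_dump(event["message"]) == base64.b64decode(event["Binary"])


def parse_hresult(text):
    """Return (hresult, win32_code_or_None, description) from a Data string."""
    m = _HRESULT_RE.search(text)
    if not m:
        return None, None, text.strip()
    hr = int(m.group(1), 16)
    facility = (hr >> 16) & 0x1FFF
    win32 = hr & 0xFFFF if facility == 7 else None   # FACILITY_WIN32 == 7
    return hr, win32, m.group(2).strip()


def caller(event):
    """Calling PID and where it came from: the system block, else the trailer."""
    if event["process_id"]:
        return event["process_id"], "system"
    return decode_vss_binary(event["Binary"])["pid"], "binary"


def triage(event):
    """One flat record per event, suitable for a hunting table or a SIEM lookup."""
    blob = decode_vss_binary(event["Binary"])
    pid, src = caller(event)
    hr = next((parse_hresult(d) for d in event["Data"] if d.startswith("0x")),
              (None, None, ""))
    return {"event_id": event["event_id"], "pid": pid, "pid_source": src,
            "cmd": blob["cmd"], "sid": blob["sid"],
            "hresult": hr[0], "win32": hr[1], "why": hr[2]}


if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev))
```

Running the file prints one triage record per event. For events 13 and 8193 the caller comes from the trailer (PID 2716, `svchost.exe -k NetworkService -p -s CryptSvc`, S-1-5-20), which is the only place that information exists since the system block says process_id 0; for 8224 the trailer PID equals execution.process_id (6092). The HRESULT 0x8007045b carries FACILITY_WIN32 and Win32 code 1115, which the Windows SDK headers name ERROR_SHUTDOWN_IN_PROGRESS, consistent with the message text.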