Event ID 1001 — Fault bucket , type.
Description
Fault bucket , type.
Message
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
{
  "system": {
    "provider": "Windows Error Reporting",
    "guid": "",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T16:57:43.146445+00:00",
    "event_record_id": 40,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "",
      "0",
      "crashpad_log",
      "Not available",
      "0",
      "MicrosoftEdgeUpdate.exe",
      "1.3.135.41",
      "InstallError",
      "0x80040801",
      "",
      "",
      "",
      "",
      "",
      "",
      "",
      "\\\\?\\C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_MicrosoftEdgeUpd_cdca63462e6d61d11e7ef74fbb3859979d55_00000000_b116c47d-48e9-4cf6-a84b-ec895efdf585",
      "",
      "0",
      "b116c47d-48e9-4cf6-a84b-ec895efdf585",
      "6",
      "",
      "0"
    ]
  },
  "message": "Fault bucket , type 0\nEvent Name: crashpad_log\nResponse: Not available\nCab Id: 0\n\nProblem signature:\nP1: MicrosoftEdgeUpdate.exe\nP2: 1.3.135.41\nP3: InstallError\nP4: 0x80040801\nP5: \nP6: \nP7: \nP8: \nP9: \nP10: \n\nAttached files:\n\nThese files may be available here:\n\\\\?\\C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\NonCritical_MicrosoftEdgeUpd_cdca63462e6d61d11e7ef74fbb3859979d55_00000000_b116c47d-48e9-4cf6-a84b-ec895efdf585\n\nAnalysis symbol: \nRechecking for solution: 0\nReport Id: b116c47d-48e9-4cf6-a84b-ec895efdf585\nReport Status: 6\nHashed bucket: \nCab Guid: 0"
}
Detection Rules
Sigma
- Microsoft Malware Protection Engine Crash - WER (level: high): This rule detects a suspicious crash of the Microsoft Malware Protection Engine.
- Crash Dump Created By Operating System (level: medium): Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
References
- Microsoft Learn: https://learn.microsoft.com/en-us/windows/deployment/upgrade/windows-error-reporting
- Example event sourced from: https://github.com/Yamato-Security/hayabusa-sample-evtx