Event Source: windows

Event Search

EventSentry
Real-Time Event Log Monitoring

Event ID:

Source:

OMA Windows 2003

Message:

An unknown error occurred while processing the current request: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.

Stack trace:
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Error: Exception has been thrown by the target of an invocation.

Stack trace:
at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

Inner Error: The remote server returned an error: (403) Forbidden.

Stack trace:
at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

More information

Event ID:

Source:

Windows Update Agent

Message:

Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Flash Player (KB913433).

More information

Event ID:

Source:

Windows Update Agent

Category:

Installation

Message:

Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB873339).

More information

Event ID:

Source:

Windows Update Agent

Category:

Installation

Message:

Installation Failure: Windows failed to install the following update with error 0x80070643: Visual Studio 2005 Service Pack 1.

More information

Event ID:

Source:

Windows Update Agent

Message:

Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)

More information

Event ID:

Source:

Windows Update Agent

Message:

Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)
Installation Error: the installation of the following update has failed with error 0x80070643: Security Update for Microsoft .NET Framework Verion 1.1 Service Pack 1 (KB928366)

More information

Event ID:

Source:

Microsoft-Windows-ApplicationExperienceInfrastructure

Message:

The application (OfficeScan Client, from vendor Trend Micro, INC.) has the following problem: OfficeScan Client is incompatible with this version of Windows. For more information, contact Trend Micro, INC..

More information

Event ID:

1016

Source:

Microsoft-Windows-Perflib

Message:

The data buffer created for the "VMware" service in the "C:\Program Files\VMware\VMware Server\vmPerfmon.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

More information

Event ID:

Source:

Microsoft-Windows-Kerberos-Key-Distribution-Center

Message:

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

More information

Event ID:

Source:

Windows Update Agent

Category:

Installation

Message:

Installation Failure: Windows failed to install the following update with error 0x80070643: Update for .NET Framework 3.0: x86 (KB932471).

More information

Event ID:

1058

Source:

Microsoft-Windows-GroupPolicy

Message:

The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\SysVol\mydomain.local\Policies\D3610029-D721-41DA-ACE6-FD0CAF521432\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

More information

Event ID:

Source:

Microsoft-Windows-WMI

Message:

Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

More information

Event ID:

5032

Source:

Microsoft-Windows-Security-Auditing

Category:

Other System Events

Message:

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2

More information

Event ID:

6398

Source:

Windows SharePoint Services 3

Category:

Timer

Message:

The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID 693fe0b2-6c9f-47bf-9d1a-c6a2aa7cd3c3) threw an exception. More information is included below.

Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

More information

Event ID:

1112

Source:

Microsoft-Windows-GroupPolicy

Message:

The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

More information

Event ID:

6398

Source:

Windows SharePoint Services 3

Message:

The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID a778c03a-b4d5-47ad-b0d5-6130b9c8ba14) threw an exception. More information is included below.

Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

More information

Event ID:

13042

Source:

Windows Server Update

Category:

Clients

Message:

Self-update is not working

More information

Event ID:

15300

Source:

Microsoft-Windows-WPD-MTPClassDriver

Category:

Driver Initilization.

Message:

MTP WPD Driver has failed to start. Error 0x8007001f.

More information

Event ID:

117

Source:

Report Server Windows Service (EVENTSENTRY)

Category:

Startup/Shutdown

Message:

The report server database is an invalid version.

More information

Event ID:

3031

Source:

Windows Search Service

Category:

Gatherer

Message:

A document ID cannot be allocated.
Context: Windows Application, SystemIndex Catalog
Details:
The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (0x8004117f)

More information

Event ID:

4634

Source:

Microsoft-Windows-Security-Auditing

Category:

Logoff

Message:

An account was logged off.

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

More information

Event ID:

4647

Source:

Microsoft-Windows-Security-Auditing

Category:

Logoff

Message:

User initiated logoff:

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

More information

Event ID:

13031

Source:

Windows Server Update Services

Category:

Clients

Message:

Some client computers have not reported back to the server in the last 30 days. 4 have been detected so far.

More information

Event ID:

513

Source:

Microsoft-Windows-CAPI2

Category:

Application

Message:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.
System Error:
Access is denied.
..

More information

Event ID:

4099

Source:

Windows Backup

Message:

File backup was cancelled by the user.

More information

Event ID:

510

Source:

Microsoft-Windows-Folder Redirection

Message:

Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.

More information

Event ID:

4103

Source:

Windows Backup

Message:

The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

More information

Event ID:

6281

Source:

Microsoft-Windows-Security-Auditing

Category:

System Integrity

Message:

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm

More information

Event ID:

517

Source:

Microsoft-Windows-Backup

Category:

Application

Message:

%%2147942405

More information

Event ID:

1104

Source:

Microsoft-Windows-Eventlog

Message:

The security log is now full.

More information

Event ID:

1105

Source:

Microsoft-Windows-Eventlog

Message:

Event log automatic backup
Log: Security
File: C:\Windows\System32\Winevt\Logs\Archive-Security-2010-11-05-11-20-26-007.evtx

More information

Event ID:

Source:

Microsoft-Windows-RPC-Events

Message:

Possible Memory Leak. Application ("C:\Windows\system32\mmc.exe" "C:\Windows\system32\dhcpmgmt.msc" ) (PID: 6320) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({6BFFD098-A112-3610-9833-46C3F874532D}), Method number (2). User Action: Contact your application vendor for an updated version of the application.

More information

Event ID:

Source:

Microsoft-Windows-WindowsUpdateClient

Category:

Windows Update Agent

Message:

Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for SQL Server 2008 R2 (KB2494088).

More information

Event ID:

6145

Source:

Microsoft-Windows-Security-Auditing

Category:

Other Policy Change Events

Message:

One or more errors occured while processing security policy in the group policy objects.

Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy

More information

Event ID:

4107

Source:

Microsoft-Windows-CAPI2

Message:

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

More information

Event ID:

2004

Source:

Microsoft-Windows-Resource-Exhaustion-Detector

Category:

Resource Exhaustion Diagnosis Events

Message:

Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: SomeProcess.exe (848) consumed 372129792 bytes, Procmon64.exe (3616) consumed 209563648 bytes, and devenv.exe (6364) consumed 201162752 bytes.

More information

Event ID:

4104

Source:

Windows Backup

Message:

The backup was not successful. The error is: There is not enough space on this drive to save the backup. Free up space by deleting older backups and unnecessary data or change your backup settings. (0x81000005).

More information

Event ID:

4951

Source:

Microsoft-Windows-Security-Auditing

Category:

MPSSVC Rule-Level Policy Change

Message:

Windows Firewall ignored a rule because its major version number is not recognized.

Profile: All

Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -

More information

Event ID:

Source:

Microsoft-Windows-Service Pack Installer

Message:

There is not enough free disk space to install the Service Pack. Required=4834 MB.

More information

Event ID:

4375

Source:

Microsoft-Windows-Servicing

Message:

Windows Servicing failed to complete the process of setting package KB967723 (Security Update) into Installed(Installed) state

More information

Event ID:

18500

Source:

Microsoft-Windows-Hyper-V-Worker-Admin

Message:

'VM-SRV-001' started successfully. (Virtual machine ID D8EB8812-63FE-468A-9545-1E2028EC1F5F)

More information

Event ID:

6281

Source:

Microsoft Windows security

Category:

System Integrity

Message:

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\sysfer.dll

More information

Event ID:

1065

Source:

Microsoft-Windows-GroupPolicy

Message:

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object cn={D3610029-DDDD-4141-AAAA-FDFFFFCCBB22},cn=policies,cn=system,DC=yourdomain,DC=local. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.

More information

Event ID:

4634

Source:

Microsoft-Windows-Security-Auditing

Category:

Logoff

Message:

An account was logged off.

Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

More information

Event ID:

Source:

Microsoft-Windows-CertificateServicesClient-AutoEnrollment

Message:

Certificate for %1 with Thumbprint %2 is about to expire or has already expired.

More information

Event ID:

14332

Source:

Windows Media Player Network Sharing Service

Message:

Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

More information

Event ID:

4656

Source:

Microsoft-Windows-Security-Auditing

Category:

File System

Message:

A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0

More information

Event ID:

5120

Source:

Microsoft-Windows-FailoverClustering

Message:

Cluster Shared Volume 'Volume2' ('ClusterStorage Volume 2') is no longer available on this node because of 'STATUS_CLUSTER_CSV_AUTO_PAUSE_ERROR(c0130021)'. All I/O will temporarily be queued until a path to the volume is reestablished.

More information

Event ID:

1129

Source:

Microsoft-Windows-GroupPolicy

Message:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

More information

Event ID:

101

Source:

Microsoft-Windows-TaskScheduler/Operational

Category:

Task Start Failed

Message:

Task Scheduler failed to start "\Some Important Task" task for user "MYDOMAIN\EventMonitor". Additional Data: Error Value: 2147942402.

More information

Event ID:

23014

Source:

Microsoft-Windows-Hyper-V-Worker

Message:

Device 'Microsoft Synthetic Display Controller' in 'SERVER01' is loaded but has a different version from the server. Server version 3.0 Client version 3.2 (Virtual machine ID 8D6415C4-6E44-78FC-6BB8-34CCA67ACF48). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.

More information

Event ID:

Source:

Microsoft-Windows-CertificateServicesClient-CertEnroll

Message:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from testsql.domain.local\TESTCA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).

More information

Event ID:

2001

Source:

Microsoft-Windows-IIS-W3SVC-PerfCounters

Message:

It has taken too long to refresh the W3SVC counters, the stale counters are being used instead.

More information

Event ID:

Source:

RPC (Microsoft-Windows-RPC-Events)

Message:

Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 980) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (10). User Action: Contact your application vendor for an updated version of the application.

Detailed XML View

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-07-21T09:20:57.835029200Z" />
<EventRecordID>136</EventRecordID>
<Correlation />
<Execution ProcessID="980" ThreadID="112" />
<Channel>Application</Channel>
<Computer>Pochi-01</Computer>
<Security UserID="S-1-5-19" />
</System>
- <EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">980</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">10</Data>
</EventData>
</Event>

More information

Event ID:

129

Source:

Microsoft-Windows-Time-Service

Message:

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

More information

Event ID:

13051

Source:

Windows Server Update Services

Category:

Clients

Message:

No client computers have ever contacted the server.

More information

Event ID:

1838

Source:

Microsoft-Windows-CAPI2

Message:

Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes.

More information

Event ID:

513

Source:

Microsoft-Windows-CAPI2

Message:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.

More information

Event ID:

Source:

RPC (Microsoft-Windows-RPC-Events)

Category:

none

Message:

Log Name: Application
Source: Microsoft-Windows-RPC-Events
Date: 22/07/2015 13:43:53
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: UNDERTHEBED7-PC
Description:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 940) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-07-22T12:43:53.117673400Z" />
<EventRecordID>138</EventRecordID>
<Correlation />
<Execution ProcessID="940" ThreadID="1592" />
<Channel>Application</Channel>
<Computer>UNDERTHEBED7-PC</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">940</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">20</Data>
</EventData>
</Event>

More information

Event ID:

Source:

RPC (Microsoft-Windows-RPC-Events)

Category:

none

Message:

More information

Event ID:

1001

Source:

Microsoft-Windows-WER-SystemErrorReporting

Message:

The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xffffe0008b64c4c0, 0xfffff8003e9d4650, 0x0000000000000000, 0x000000000000000d). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 10281589-8be9-d71c-c713-e024f5515a45.

More information

Event ID:

5612

Source:

Microsoft-Windows-WMI

Message:

Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: HandleCount Value: %2 Maximum value: 4096 WMIPRVSE PID: %4 Providers hosted in this process: %systemroot%\system32\wbem\cimwin32.dll

More information

Event ID:

257

Source:

Microsoft-Windows-Defrag

Message:

The volume WINRE_DRV was not optimized because an error was encountered: The parameter is incorrect. (0x80070057)

More information

Event ID:

10021

Source:

Windows Server Update Services

Category:

Core

Message:

The catalog was last synchronized successfully 1 or more days ago.

More information

Event ID:

6527

Source:

Microsoft-Windows-DNS-Server-Service

Message:

Zone somedomain.local expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.

More information

Event ID:

4100

Source:

Microsoft-Windows-PowerShell

Category:

Executing Pipeline

Message:

Error Message = File C:\Users\wizard\test.ps1 cannot be loaded. The file C:\Users\wizard\test.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
Fully Qualified Error ID = UnauthorizedAccess
Recommended Action =
Context:
Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = babd41a2-db0f-45d0-ac50-e34b71dd9ac0
Host Application = powershell . .\test.ps1
Engine Version = 5.1.14393.1944
Runspace ID = 0155307c-603a-440d-a22c-85b5c9cbffff
Pipeline ID = 1
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 15
User = DOMAIN\user
Connected User =
Shell ID = Microsoft.PowerShell
User Data:

More information

Event ID:

4103

Source:

Microsoft-Windows-PowerShell

Category:

Executing Pipeline

Message:

CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="Object"; value="TestPowerShellV5"

Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = e44f3df1-0f65-48dc-814a-01219d11a426
Host Application = powershell Write-Host TestPowerShellV5
Engine Version = 5.1.14393.1944
Runspace ID = 0b4180d7-55ca-476a-9712-26e61d5c3be1
Pipeline ID = 1
Command Name = Write-Host
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 16
User = DOMAIN\username
Connected User =
Shell ID = Microsoft.PowerShell

User Data:

More information

Event ID:

40961

Source:

Microsoft-Windows-PowerShell

Category:

PowerShell Console Startup

Message:

PowerShell console is starting up

More information

Event ID:

40962

Source:

Microsoft-Windows-PowerShell

Category:

PowerShell Console Startup

Message:

PowerShell console is ready for user input

More information

Event ID:

4104

Source:

Microsoft-Windows-PowerShell

Category:

Execute a Remote Command

Message:

Creating Scriptblock text (1 of 1):
Write-Host PowerShellV5ScriptBlockLogging

ScriptBlock ID: 6d90e0bb-e381-4834-8fe2-5e076ad267b3
Path:

More information

Event ID:

4779

Source:

Microsoft-Windows-Security-Auditing

Category:

Other Logon/Logoff Events

Message:

A session was disconnected from a Window Station.

Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249

Session:
Session Name: RDP-Tcp#0

Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6

More information

Event ID:

4689

Source:

Microsoft-Windows-Security-Auditing

Category:

Process Termination

Message:

A process has exited.

Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051

Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0

More information

Event ID:

2002

Source:

Microsoft-Windows-PerfProc

Message:

Warning JAMESON-PC\jcamp

More information

Event ID:

3051

Source:

Microsoft-Windows-ActiveDirectory_DomainService

Category:

Security

Message:

The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

https://go.microsoft.com/fwlink/?linkid=2174032

More information

Event ID:

Source:

Windows Update Agent

Category:

Software Sync

Message:

Unable to connect: Windows is unable to connect to the Automatic Updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

More information

Event ID:

5156

Source:

Microsoft Windows security auditing.

Message:

The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 4320
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 167.196.121.75
Destination Port: 60070
Protocol: 17

Filter Information:
Filter Run-Time ID: 83103
Layer Name: Receive/Accept
Layer Run-Time ID: 44

More information

Event ID:

4720

Source:

Microsoft Windows security

Category:

User Account Management

Message:

A user account was created.

More information

Event ID:

Source:

WindowsUpdateClient

Category:

Windows Update Agent

Message:

Windows Update failed to check for updates with error 0x80072EE2

More information

Event ID:

Source:

WindowsUpdateClient

Category:

Windows Update Agent

Message:

Installation Failure: Windows failed to install the following update with error 0x80004002: 2022-03 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB5011529).

More information

Event ID:

4725

Source:

Microsoft Windows security auditing

Message:

LogName=Security
EventCode=4725
EventType=0
ComputerName=domain.domain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2311231312
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was disabled.

Subject:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: doamin
Account Domain: local
Logon ID: 0x1dasdwD

Target Account:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: ws-APP$
Account Domain: local

More information

Event ID:

16980

Source:

Microsoft-Windows-Directory-Services-SAM

Message:

There is no message from the SIEM logs I'm seeing from. Fields unique to this Event ID (Kibana Discover):

winlog.event_data.AccountDN
winlog.event_data.AccountSID
winlog.event_data.KeyHash

More information

Event ID:

8002

Source:

Microsoft-Windows-AppLocker

Message:

<UserData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"> <PolicyNameLength>3</PolicyNameLength> <PolicyName>EXE</PolicyName> <RuleId>{5028efad-7497-4ac0-84ce-00bee63f3951}</RuleId> <RuleNameLength>24</RuleNameLength> <RuleName>(Default Rule) All Exe's</RuleName> <RuleSddlLength>48</RuleSddlLength> <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "*"))</RuleSddl> <TargetUser>S-1-5-18</TargetUser> <TargetProcessId>9796</TargetProcessId> <FilePathLength>31</FilePathLength> <FilePath>%SYSTEM32%\SEARCHFILTERHOST.EXE</FilePath> <FileHashLength>32</FileHashLength> <FileHash>92DF47871C9BC9F0A2FF1BBCCCE7427499524FB9976DCEEA4C8171EDF2BD381A</FileHash> <FqbnLength>106</FqbnLength> <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS® SEARCH\SEARCHFILTERHOST.EXE\7.0.17763.3232</Fqbn> <TargetLogonId>0x3e7</TargetLogonId> <FullFilePathLength>40</FullFilePathLength> <FullFilePath>C:\WINDOWS\system32\SearchFilterHost.exe</FullFilePath> </RuleAndFileData> </UserData>

More information

Found 82 records