diff --git a/apps/Splunk_TA_windows/.DS_Store b/apps/Splunk_TA_windows/.DS_Store new file mode 100644 index 00000000..2e4e74e2 Binary files /dev/null and b/apps/Splunk_TA_windows/.DS_Store differ diff --git a/apps/Splunk_TA_windows/LICENSES/LicenseRef-Splunk-8-2021.txt b/apps/Splunk_TA_windows/LICENSES/LicenseRef-Splunk-8-2021.txt new file mode 100644 index 00000000..c4063024 --- /dev/null +++ b/apps/Splunk_TA_windows/LICENSES/LicenseRef-Splunk-8-2021.txt 
@@ -0,0 +1,400 @@ +SPLUNK GENERAL TERMS + +Last Updated: August 12, 2021 + +These Splunk General Terms (“General Terms”) between Splunk Inc., a Delaware corporation, with its principal place of business at 270 Brannan Street, San Francisco, California 94107, U.S.A (“Splunk” or “we” or “us” or “our”) and you (“Customer” or “you” or “your”) apply to the purchase of licenses and subscriptions for Splunk’s Offerings. By clicking on the appropriate button, or by downloading, installing, accessing or using the Offerings, you agree to these General Terms. If you are entering into these General Terms on behalf of Customer, you represent that you have the authority to bind Customer. If you do not agree to these General Terms, or if you are not authorized to accept the General Terms on behalf of the Customer, do not download, install, access, or use any of the Offerings. + +See the General Terms Definitions Exhibit attached for definitions of capitalized terms not defined herein. + +1. License Rights +(A) General Rights. You have the nonexclusive, worldwide, nontransferable and nonsublicensable right, subject to payment of applicable Fees and compliance with the terms of these General Terms, to use your Purchased Offerings for your Internal Business Purposes during the Term and up to the Capacity purchased. + +(B) Copies for On-Premises Products. You have the right to make a reasonable number of copies of On-Premises Products for archival and back-up purposes. + +(C) Splunk Extensions. You may use Splunk Extensions solely in connection with the applicable Purchased Offering subject to the same terms and conditions for that Offering (including with respect to Term) and payment of any Fees associated with the Splunk Extensions. Some Splunk Extensions may be made available under license terms that provide broader rights than the license rights you have to the applicable underlying Offering (e.g., if the Extension is Open Source Software). 
These broader rights will apply to that Splunk Extension. Splunk Extensions may be installed on Hosted Services pursuant to our instructions. + +(D) Trials, Evaluations, Beta and Free Licenses. +(i) Trials and Evaluations. Offerings provided for trials and evaluations are provided at no charge, and their use will be for a limited duration. + +(ii) Beta Licenses. Some Offerings and features may be available to you as a preview, or as an alpha, beta or other pre-release version (each, a “Beta Offering”). All rights for Beta Offerings are solely for internal testing and evaluation. Your use of a Beta Offering will be for the term specified by us, and if no term is specified, then for the earlier of one year from the start date of the Beta Offering or when that version of the Beta Offering becomes generally available. We may discontinue the Beta Offering at any time and may decide not to make any of the features and functionality generally available. + +(iii) Free Licenses. From time to time, we may make certain Offerings available for full use (i.e., not subject to limited evaluation purposes) at no charge. These free Offerings may have limited features, functions, and other technical limitations. + +(iv) Donated Offerings. Donated Offerings are free limited Offerings donated to qualifying Nonprofits under a Splunk donation program. By procuring and making use of a Donated Offering, you hereby represent and warrant that you are a lawfully organized Nonprofit, and you agree to provide verification of your nonprofit status to Splunk upon request. At Splunk’s request, you agree: (a) to publish a press release and case study on your use of the Donated Offering; and (b) to be interviewed for the production of a Splunk customer video that will accompany the press release and case study. 
Splunk will draft and edit all content in collaboration with you and will obtain your edits and written approval (email is sufficient) prior to publication, and such approval will not be unreasonably withheld. You will allow Splunk to reference your Nonprofit and leading spokespeople in press releases with your written approval (email is sufficient). Splunk may use your name and logo on sales presentations, websites, and other marketing collateral without your prior approval. + +(E) Test and Development Licenses. For Offerings identified as “Test and Development” Offerings on your Order, you only have the right to use those Offerings up to the applicable Capacity on a non-production system for non-production uses, including product migration testing or pre-production staging, or testing new data sources, types, or use cases. Test and Development Offerings may not be used for any revenue generation, commercial activity, or other productive business or purpose. + +(F) Limitations. Notwithstanding anything to the contrary in these General Terms, we do not provide maintenance and support, warranties, service level commitments, or indemnification for Test and Development Offerings, trials, evaluations, or free or Beta Offerings. + +2. Purchasing Through Authorized Resellers, Digital Marketplaces, and Splunk Affiliates +(A) Authorized Resellers and Digital Marketplaces. If you purchase Offerings through a Splunk authorized reseller or Digital Marketplace, these General Terms will govern those Offerings. Your payment obligations for the Purchased Offerings will be with the authorized reseller or Digital Marketplace, as applicable, not Splunk. You will have no direct Fee payment obligations to Splunk for those Offerings. However, in the event that you fail to pay the Digital Marketplace for your Purchased Offerings, Splunk retains the right to enforce your payment obligations and collect directly from you. 
+ +Any terms agreed to between you and the authorized reseller that are in addition to these General Terms are solely between you and the authorized reseller and Digital Marketplace, as applicable. No agreement between you and an authorized reseller or Digital Marketplace is binding on Splunk or will have any force or effect with respect to the rights in, or the operation, use or provision of, the Offerings. + +(B) Splunk Affiliate Distributors. Splunk has appointed certain Splunk Affiliates as its non-exclusive distributors of the Offerings (each, a “Splunk Affiliate Distributor”). Each Splunk Affiliate Distributor is authorized by Splunk to negotiate and enter into Orders with Customers. Where a purchase from Splunk is offered by a Splunk Affiliate Distributor, Customer will issue Orders, and make payments, to the Splunk Affiliate Distributor which issued the quote for the Offering. Each Order will be deemed a separate contract between Customer and the relevant Splunk Affiliate Distributor and will be subject to these General Terms. For the avoidance of doubt, Customer agrees that: (i) the total liability of Splunk under these General Terms as set forth in Section 22 (Limitation of Liability) states the overall combined liability of Splunk and Splunk Affiliate Distributors; (ii) the entering into Orders by a Splunk Affiliate Distributor will not be deemed to expand Splunk and its Affiliates’ overall responsibilities or liability under these General Terms; and (iii) Customer will have no right to recover more than once from the same event. + +3. Your Contractors and Third-Party Providers +You may permit your authorized consultants, contractors, and agents (“Third-Party Providers”) to access and use your Purchased Offerings, but only on your behalf in connection with providing services to you, and subject to the terms and conditions of these General Terms. 
Any access or use by a Third-Party Provider will be subject to the same limitations and restrictions that apply to you under these General Terms, and you will be responsible for any Third-Party Provider’s actions relating to their use of the Offering. The aggregate use by you and all of your Third-Party Providers must not exceed the Capacity purchased, and nothing in this Section is intended to or will be deemed to increase such Capacity. + +4. Hosted Services and Specific Offering Terms +(A) Service Levels. When you purchase Hosted Services as a Purchased Offering, we will make the applicable Hosted Services available to you during the Term in accordance with these General Terms. The Service Level Schedules (as identified in the Specific Offering Terms referenced in Section 4(F) below) and associated remedies will apply to the availability and uptime of the applicable Hosted Service. If applicable, service credits will be available for downtime in accordance with the Service Level Schedule. + +(B) Connections. You are responsible for obtaining and maintaining all telecommunications, broadband and computer equipment and services needed to access and use Hosted Services, and for paying all associated charges. + +(C) Your Responsibility for Data Protection. You are responsible for: (i) selecting from the security configurations and security options made available by Splunk in connection with a Hosted Service; (ii) taking additional measures outside of the Hosted Service to the extent the Hosted Service Offering does not provide the controls that may be required or desired by you; and (iii) routine archiving and backing up of Customer Content. You agree to notify Splunk promptly if you believe that an unauthorized third party may be using your accounts or if your account information is lost or stolen. + +(D) Refund Upon Termination for Splunk’s Breach. 
If a Hosted Service is terminated by you for Splunk’s uncured material breach in accordance with these General Terms, Splunk will refund you any prepaid subscription fees covering the remainder of the Term after the effective date of termination. + +(E) Return of Customer Content. Customer Content may be retrieved by you and removed from the Hosted Services in accordance with the applicable Documentation. We will make the Customer Content available on the Hosted Services for thirty (30) days after termination of a subscription for your retrieval. After that thirty (30) day period, we will have no obligation to maintain the storage of your Customer Content, and you hereby authorize us thereafter to, and we will, unless legally prohibited, delete all remaining Customer Content. If you require assistance in connection with migration of your Customer Content, depending on the nature of the request, we may require a mutually agreed upon fee for assistance. + +(F) Specific Offering Terms. Specific security controls and certifications, data policies, service descriptions, Service Level Schedules and other terms specific to a Hosted Service and other Offerings (“Specific Offering Terms”) are set forth here: www.splunk.com/SpecificTerms, and will apply, and be deemed incorporated herein by reference. + +5. Support and Maintenance +The specific Support Program included with a Purchased Offering will be identified in the applicable Order. Splunk will provide the purchased level of support and maintenance services in accordance with the terms of the Support Exhibit attached to these General Terms. + +6. Configuration and Implementation Services +Splunk offers standard services to implement and configure your Purchased Offerings. These services are purchased under an Order and are subject to the payment of the Fees therein and the terms of the Configuration and Implementation Services Exhibit attached to these General Terms. + +7. 
Data Protection for Personal Data +Splunk will follow globally recognized data protection principles and industry-leading standards for the security of personal data. Splunk will comply with the requirements and obligations set forth in Splunk’s Data Protection Addendum (“DPA”), located at https://www.splunk.com/en_us/legal/splunk-dpa.html, which includes standard terms for the processing of personal data (including, as applicable, personal data in a Hosted Service). + +8. Security +(A) Security for Hosted Services: Standard Environment. Splunk will implement industry leading security safeguards for the protection of Customer Confidential Information, including Customer Content transferred to and stored within the Hosted Services. These safeguards include commercially reasonable administrative, technical, and organizational measures to protect Customer Content against destruction, loss, alteration, unauthorized disclosure, or unauthorized access, including such things as information security policies and procedures, security awareness training, threat and vulnerability management, incident response and breach notification, and vendor risk management. Splunk’s technical safeguards are further described in the Splunk Cloud Platform Security Addendum (“SC-SA”), located at https://www.splunk.com/en_us/legal/splunk-cloud-security-addendum.html, and the Observability Suite Security Addendum (“OS-SA”), located at https://www.splunk.com/en_us/legal/splunk-observability-security-addendum.html, as applicable, and are incorporated herein by reference. + +(B) Security for Hosted Services: Premium HIPAA Environment. For Hosted Services Offerings provisioned in Splunk Cloud Platform’s Premium HIPAA environment (as specified in an Order), in addition to the protections under the SC-SA and these General Terms, Splunk will comply with the requirements and obligations set forth in Splunk Business Associate Agreement found here: https://www.splunk.com/en_us/legal/splunk-baa.html. 
+ +(C) Additional Security for Other Hosted Services. From time to time, Splunk may offer custom security safeguards for unique Hosted Services offerings. Any such security safeguards will be as set forth in the applicable Documentation and Specific Offering Terms. + +(D) Security for On Premises Offerings. Splunk will implement industry leading security safeguards for the protection of Splunk’s IT systems, products, facilities and assets, and any Customer Confidential Information accessed or processed therein, e.g., customer account information, support tickets (“Corporate Security Controls”). Splunk’s Corporate Security Controls include such things as information security policies and procedures, security awareness training, physical and environmental access controls, threat and vulnerability management, incident response and breach notification, and vendor risk management. Splunk’s Corporate Security Controls are further described in Splunk’s Information Security Addendum (“ISA”), located at https://www.splunk.com/en_us/legal/information-security-addendum.html and are incorporated herein by reference. + +(E) Product Development Security. Splunk will follow secure software development practices and applies an industry standard, risk-based approach to its software development lifecycle (“SDLC”), which includes, as applicable, such things as performing security architecture reviews, open source security scans, virus detection, dynamic application security testing, network vulnerability scans and external penetration testing in the development environment. Product-specific information about the SDLC in our Offerings is detailed more fully in the ISA. Splunk’s Product Security Portal, located at https://www.splunk.com/en_us/product-security.html, contains detailed information about Splunk’s program for managing and communicating product vulnerabilities. 
Splunk categorizes product vulnerabilities in accordance with the Common Vulnerability Scoring System (“Medium,” “High,” or “Critical”) and uses commercially reasonable efforts to remediate vulnerabilities depending on their severity level in accordance with industry standards. + +(F) Maintaining Protections. Notwithstanding anything to contrary in these General Terms, or any policy or terms referenced herein via hyperlink (or any update thereto), Splunk may not, during a Term materially diminish the security protections set forth in these General Terms, any Specific Offering Terms, or the applicable security addendum. + +9. Use Restrictions +Except as expressly permitted in an Order, these General Terms or our Documentation, you agree not to (nor allow any user or Third Party Provider to): (a) reverse engineer (except to the extent specifically permitted by statutory law), decompile, disassemble or otherwise attempt to discover source code or underlying structures, ideas or algorithms of any Offering; (b) modify, translate or create derivative works based on the Offerings; (c) use an Offering for service bureau purposes, or for any purpose other than your own Internal Business Purposes; (d) resell, transfer or distribute any Offering; (e) access or use any Offering in order to monitor its availability, performance, or functionality for competitive purposes; (f) attempt to disable or circumvent any license key or other technological mechanisms or measures intended to prevent, limit or control use or copying of, or access to, Offerings; (g) separately use any of the applicable features and functionalities of the Offerings with external applications or code not furnished by Splunk or any data not processed by the Offering; (h) exceed the Capacity purchased or (i) use any Offering in violation of all applicable laws and regulations (including but not limited to any applicable privacy and intellectual property laws). + +10. 
Our Ethics, Compliance and Corporate Responsibility +(A) Ethics and Corporate Responsibility. Splunk is committed to acting ethically and in compliance with applicable law, and we have policies and guidelines in place to provide awareness of, and compliance with, the laws and regulations that apply to our business globally. We are committed to ethical business conduct, and we use diligent efforts to perform in accordance with the highest global ethical principles, as described in the Splunk Code of Conduct and Ethics found here: https://investors.splunk.com/code-business-conduct-and-ethics-1. + +(B) Anti-Corruption. We implement and maintain programs for compliance with applicable anti-corruption and anti-bribery laws. Splunk policy prohibits the offering or soliciting of any illegal or improper bribe, kickback, payment, gift, or thing of value to or from any of your employees or agents in connection with these General Terms. If we learn of any violation of the above, we will use reasonable efforts to promptly notify you at the main contact address provided by you to Splunk. + +(C) Export. We certify that Splunk is not on any of the relevant U.S. or EU government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons or Entity List. Export information regarding our Offerings, including our export control classifications for our Offerings, is found here: https://www.splunk.com/en_us/legal/export-controls.html. + +11. Usage Data +From time to time, Splunk may collect Usage Data generated as a by-product of your use of Offerings (e.g., technical information about your operating environment and sessions, systems architecture, page loads and views, product versions, number and type of searches, number of users, source type and format). Usage Data does not include Customer Content. 
We collect Usage Data for a variety of reasons, such as to identify, understand, and anticipate performance issues and the factors that affect them, to provide updates and personalized experiences to customers, and to improve the Splunk Offerings. Details on Splunk’s Usage Data collection practices are set forth in Splunk's Privacy Policy found here: https://www.splunk.com/en_us/legal/privacy/privacy-policy.html. + +12. Capacity and Usage Verification +(A) Certification and Verification. At Splunk’s request, you will furnish Splunk a certification signed by your authorized representative verifying that your use of the Purchased Offering is in accordance with these General Terms and the applicable Order. For On-Premises Products, we may also ask you from time to time, but not more frequently than once per calendar period, to cooperate with us to verify usage and adherence to purchased Capacities. If Splunk requests a verification process, you agree to provide Splunk reasonable access to the On-Premises Product installed at your facility (or as hosted by your Third-Party Provider). If Splunk does any verification, it will be performed with as little interference as possible to your use of the On-Premises Product and your business operations. Splunk will comply with your (or your Third-Party Providers’) reasonable security procedures. + +(B) Overages. If a verification or usage report reveals that you have exceeded the purchased Capacity or usage rights for your Purchased Offering (e.g., used as a service bureau) during the period reviewed, then we will have the right to invoice you using the applicable Fees at list price then in effect, which will be payable in accordance with these General Terms. Without limiting Splunk’s foregoing rights, with respect to Hosted Services, Splunk may work with you to reduce usage so that it conforms to the applicable usage limit, and we will in good faith discuss options to right size your subscription as appropriate. 
Notwithstanding anything to the contrary herein, Splunk will have the right to directly invoice you for overages, regardless of whether you purchased the Purchased Offering from an authorized reseller or Digital Marketplace. See the Specific Offering Terms for any additional information related to overages for a Hosted Service. + +13. Our Use of Open Source +Certain Offerings may contain Open Source Software. Splunk makes available in the applicable Documentation a list of Open Source Software incorporated in our On-Premises Products as required by the respective Open Source Software licenses. Any Open Source Software that is delivered as part of your Offering and which may not be removed or used separately from the Offering is covered by the warranty, support and indemnification provisions applicable to the Offering. Some of the Open Source Software may have additional terms that apply to the use of the Offering (e.g., the obligation for us to provide attribution of the specific licensor), and those terms will be included in the Documentation; however, these terms will not (a) impose any additional restrictions on your use of the Offering, or (b) negate or amend any of our responsibilities with respect to the Offering. + +14. Splunk Developer Tools and Customer Extensions +Splunk makes Splunk Developer Tools available to you so you can develop Extensions for use with your Purchased Offerings (Extensions that you develop, “Customer Extensions”). + +You have a nonexclusive, worldwide, nontransferable, nonsublicensable right, subject to the terms of these General Terms, to use Splunk Developer Tools to develop your Customer Extensions, including to support interoperability between the Offering and your system or environment. Splunk proprietary legends or notices contained in the Splunk Developer Tools may not be removed or altered when used in or with your Customer Extension. 
You retain title to your Customer Extensions, subject to Splunk’s ownership in our Offerings and any materials and technology provided by Splunk in connection with the Splunk Developer Tools. You agree to assume full responsibility for the performance and distribution of Customer Extensions. + +15. Third Party Products, Third-Party Extensions, Third-Party Content and Unsupported Splunk Extensions +(A) Third-Party Extensions on Splunkbase. Splunk makes Extensions developed and/or made available by a third-party on Splunkbase (“Third-Party Extension”) available for download or access as a convenience to its customers. Splunk makes no promises or guarantees related to any Third-Party Extension, including the accuracy, integrity, quality, or security of the Third-Party Extension. Nothing in these General Terms or on Splunkbase will be deemed to be a representation or warranty by Splunk with respect to any Third-Party Extension, even if a particular Third-Party Extension is identified as “certified” or “validated” for use with an Offering. We may, in our reasonable discretion, block or disable access to any Third-Party Extension at any time. Your use of a Third-Party Extension is at your own risk and may be subject to any additional terms, conditions, and policies applicable to that Third-Party Extension (such as license terms, terms of service, or privacy policies of the providers of such Third-Party Extension). Third-Party Extensions may be installed on Hosted Services pursuant to our instructions. + +(B) Third-Party Content. Hosted Services may contain features or functions that enable interoperation with Third-Party Content that you, in your sole discretion, choose to add to a Hosted Service. You may be required to obtain access separately to such Third-Party Content from the respective providers, and you may be required to grant Splunk access to your accounts with such providers to the extent necessary for Splunk to allow the interoperation with the Hosted Service. 
By requesting or allowing Splunk to enable access to such Third-Party Content in connection with the Hosted Services, you certify that you are authorized under the provider’s terms to allow such access. If you install or enable (or direct or otherwise authorize Splunk to install or enable) Third-Party Content for use with a Hosted Service where the interoperation includes access by the third-party provider to your Customer Content, you hereby authorize Splunk to allow the provider of such Third-Party Content to access Customer Content as necessary for the interoperation. You agree that Splunk is not responsible or liable for disclosure, modification or deletion of Customer Content resulting from access to Customer Content by such Third-Party Content, nor is Splunk liable for any damages or downtime that you may incur or any impact on your experience of the Hosted Service, directly or indirectly, as a result of your use of and/or reliance upon, any Third-Party Content, sites or resources. + +(C) Splunk As a Reseller. When you purchase third party products ("Third Party Products") from Splunk as specified in an Order (which products shall include third party software, but not any support which Splunk itself has contracted to provide), the following provision applies. Splunk acts solely as a reseller of Third Party Products, which are fulfilled by the relevant third party vendor ("Third Party Vendor"), and the purchase and use of Third Party Products is subject solely to the terms, conditions and policies made available by such Third Party Vendor. Consequently, Splunk makes no representation or warranty of any kind regarding the Third Party Products, whether express, implied, statutory or otherwise, and specifically disclaims all implied terms, conditions and warranties (including as to quality, performance, availability, fitness for a particular purpose or non-infringement) to the maximum extent permitted by applicable law. 
You will bring any claim in relation to Third Party Products against the applicable Third Party Vendor directly. In no event will Splunk be liable to you for any claim, loss or damage arising out of the use, operation or availability of Third Party Product (whether such liability arises in contract, negligence, tort, or otherwise). + +(D) Unsupported Splunk Extensions. The Service Level Schedule commitments for any applicable Hosted Services will not apply to Splunk Extensions labeled on Splunkbase as “Not Supported.” You agree that Splunk is not responsible for any impact on your experience of a Hosted Service, as a result of your installation and/or use of any “Not Supported” Splunk Extensions, and that your sole remedy will be to remove the “Not Supported” Splunk Extension from the applicable Hosted Service. Further, some Splunk Extensions may not be compatible or certified for use with that Hosted Service (e.g., only specific Splunk Extensions are validated for our FedRAMP authorized environment for Splunk Cloud Platform). Please refer to the applicable Documentation for more information related to the Splunk Extensions compatible with your specific Purchased Offering. + +16. Your Compliance +(A) Lawful Use of Offerings. When you access and use an Offering, you are responsible for complying with all laws, rules, and regulations applicable to your access and use. This includes being responsible for your Customer Content and users, for your users’ compliance with these General Terms, and the accuracy, lawful use of, and the means by which you acquired your Customer Content. You may not transmit and/or store PHI Data, PCI Data or ITAR Data within a Hosted Services unless you have specifically purchased a Purchased Offering for that applicable regulated Hosted Services environment (as identified in an Order). + +(B) Registration. 
You agree to provide accurate and complete information when you register for and use any Offering and agree to keep this information current. Each person who uses any Offering must have a separate username and password. For Hosted Services, you must provide a valid email address for each person authorized to use your Hosted Services, and you may only have one person per username and password. Splunk may reasonably require additional information in connection with certain Offerings (e.g., technical information necessary for your connection to a Hosted Service), and you will provide this information as reasonably requested by Splunk. You are responsible for securing, protecting, and maintaining the confidentiality of your account usernames, passwords and access tokens. + +(C) Export Compliance. You will comply with all applicable export laws and regulations of the United States and any other country (“Export Laws”) where your users use any of the Offerings. You certify that you are not on any of the relevant U.S. government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons or Entity List. You will not export, re-export, ship, transfer or otherwise use the Offerings in any country subject to an embargo or other sanction by the United States, including, without limitation, Iran, Syria, Cuba, the Crimea Region of Ukraine, Sudan and North Korea, and you will not use any Offering for any purpose prohibited by the Export Laws. + +(D) GovCloud Services. 
If you access or use any Hosted Services in the specially isolated Amazon Web Services (“AWS”) GovCloud (US) region (including without limitation any Hosted Services that are provisioned in a FedRAMP authorized environment), you represent and warrant that users will only access the Hosted Services in the AWS GovCloud (US) region if users: (i) are “US Person(s)” as defined under ITAR (see 22 CFR part 120.15); (ii) have and will maintain a valid Directorate of Defense Trade Controls registration, if required by ITAR; (iii) are not subject to export control restrictions under US export control laws and regulations (i.e., users are not denied or debarred parties or otherwise subject to sanctions); and (iv) maintain an effective compliance program to ensure compliance with applicable US export control laws and regulations, including ITAR, as applicable. If you access or use any Hosted Services in an IL5 authorized environment, you further represent and warrant that only users who are US citizens will access the Hosted Services. You are responsible for verifying that any user accessing Customer Content in the Hosted Services in the AWS GovCloud (US) region is eligible to access such Customer Content. The Hosted Services in the AWS GovCloud (US) region may not be used to process or store classified data. You will be responsible for all sanitization costs incurred by Splunk if users introduce classified data into the Hosted Services in the AWS GovCloud (US) region. For selected FedRAMP authorized regions, you may be required to execute additional addendums to this agreement prior to provisioning of Hosted Services. + +(E) Acceptable Use. Without limiting any terms under these General Terms, you will also abide by our Hosted Services acceptable use policy: https://www.splunk.com/view/SP-CAAAMB6. + +17. Confidentiality +(A) Confidential Information. Each party will protect the Confidential Information of the other. 
Accordingly, Receiving Party agrees to: (i) protect the Disclosing Party’s Confidential Information using the same degree of care (but in no event less than reasonable care) that it uses to protect its own Confidential Information of a similar nature; (ii) limit use of Disclosing Party’s Confidential Information for purposes consistent with these General Terms, and (iii) use commercially reasonable efforts to limit access to Disclosing Party’s Confidential Information to its employees, contractors and agents or those of its Affiliates who have a bona fide need to access such Confidential Information for purposes consistent with these General Terms and who are subject to confidentiality obligations no less stringent than those herein. + +(B) Compelled Disclosure of Confidential Information. Notwithstanding the foregoing terms, the Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law enforcement agencies or regulators to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a Party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information. + +18. Payment +The payment terms below only apply when you purchase Offerings directly from Splunk. When you purchase from an authorized reseller or Digital Marketplace, the payment terms are between you and the authorized reseller or Digital Marketplace. 
However, a breach of your payment obligations for an Offering with a Digital Marketplace will be deemed a breach of this Section 18. + +(A) Fees. You agree to pay all Fees specified in the Orders. Fees are non-cancelable and non-refundable, except as otherwise expressly set forth in these General Terms. Without limiting any of our other rights or remedies herein, overdue charges may accrue interest monthly at the rate of 1.5% of the then-outstanding unpaid balance, or the maximum rate permitted by law, whichever is lower. Fees are due and payable either within 30 days from the date of Splunk’s invoice or as otherwise stated in the Order. + +(B) Credit Cards. If you pay by credit, or debit card you: (i) will provide Splunk or its designated third-party payment processor with valid credit or debit card information; and (i) hereby authorize Splunk or its designated third-party payment processor to charge such credit or debit card for all items listed in the applicable Order. Such charges must be paid in advance or in accordance with any different billing frequency stated in the applicable Order. You are responsible for providing complete and accurate billing and contact information and notifying Splunk in a timely manner of any changes to such information. + +(C) Taxes. All Fees quoted are exclusive of applicable taxes and duties, including any applicable sales and use tax. You are responsible for paying any taxes or similar government assessments (including, without limitation, value-added, sales, use or withholding taxes). We will be solely responsible for taxes assessable against us based on our net income, property, and employees. + +19. Splunk’s Warranties +(A) Relationship to Applicable Law. We will not seek to limit our liability, or any of your warranties, rights and remedies, to the extent the limits are not permitted by applicable law (e.g., warranties, remedies or liabilities that cannot be excluded by applicable law). + +(B) General Corporate Warranty. 
Splunk warrants that it has the legal power and authority to enter into these General Terms. + +(C) Hosted Services Warranty. Splunk warrants that during the applicable Term: (i) Splunk will not materially decrease the overall functionality of the Hosted Services; and (ii) the Hosted Services will perform materially in accordance with the applicable Documentation. Our sole and exclusive liability, and your sole and exclusive remedy for any breach of these warranties, will be your right to terminate the applicable Hosted Services Purchased Offering, and we will refund to you any prepaid but unused Fees for the remainder of the Term. + +(D) On-Premises Product Warranty. Splunk warrants that for a period of ninety (90) days from the Delivery of an On-Premises Product, the On-Premises Product will substantially perform the material functions described in the applicable Documentation for such On-Premises Product, when used in accordance with the applicable Documentation. Splunk’s sole liability, and your sole remedy, for any failure of the On-Premises Product to conform to the foregoing warranty, is for Splunk to do one of the following (at Splunk’s sole option and discretion) (i) modify, or provide an Enhancement for, the On-Premises Product so that it conforms to the foregoing warranty, (ii) replace your copy of the On-Premises Product with a copy that conforms to the foregoing warranty, or (iii) terminate the Purchased Offering with respect to the non-conforming On-Premises Product and refund the Fees paid by you for such non-conforming On-Premises Product. + +(E) Disclaimer of Implied Warranties. Except as expressly set forth above, the Offerings are provided “as is” with no warranties or representations whatsoever express or implied. 
Splunk and its suppliers and licensors disclaim all warranties and representations, including any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, noninfringement, or quiet enjoyment, and any warranties arising out of course of dealing or trade usage. Splunk does not warrant that use of Offerings will be uninterrupted, error free or secure, or that all defects will be corrected. + +20. Ownership +(A) Offerings. As between you and Splunk, Splunk owns and reserves all right, title, and interest in and to the Offerings, developer tools and other Splunk materials, including all intellectual property rights therein. We retain rights in anything delivered or developed by us or on our behalf under these General Terms. No rights are granted to you other than as expressly set forth in these General Terms. + +(B) Customer Content. You own and reserve all right, title and interest in your Customer Content. By sending Customer Content to a Hosted Service, you grant us a worldwide, royalty free, non-exclusive license to access and use the Customer Content for purposes of providing you the Hosted Service. + +(C) Feedback. You have no obligation to provide us with ideas for improvement, suggestions, or other feedback (collectively, “Feedback”) in connection with an Offering, unless otherwise expressly set forth in the applicable Order. If, however, you provide any Feedback, you hereby grant to Splunk a non-exclusive, transferable, irrevocable, worldwide, royalty-free license (with rights to sublicense) to make, use, sell, offer to sell, reproduce, modify, distribute, make available, publicly display and perform, disclose and otherwise commercially exploit the Feedback. + +21. Term and Termination +(A) Term and Renewal. These General Terms will commence upon the Effective Date and will remain in effect until the expiration of all applicable Purchased Offerings, unless earlier terminated pursuant to this Section. 
Termination of a specific Purchased Offering will not affect the Term of any other Purchased Offering. Termination of these General Terms will have the effect of terminating all Purchased Offerings. Grounds for terminating a Purchased Offering (e.g., for non-payment), that are specific to the Purchased Offering, will not be grounds to terminate Purchased Offerings where no breach exists. Unless indicated otherwise in an Order, the Term of a Purchased Offering (and these General Terms) will automatically renew for an additional period of time equal to the length of the preceding Term, unless one party notifies the other of its intent not to renew at least one (1) day in advance of the expiration of the Term or then-current renewal period. + +(B) Termination. Either party may terminate these General Terms, or any Purchased Offering, by written notice to the other party in the event of a material breach of these General Terms, or the specific terms associated with that Purchased Offering, that is not cured within thirty (30) days of receipt of the notice. Upon any expiration or termination of a Purchased Offering, the rights and licenses granted to you for that Purchased Offering will automatically terminate, and you agree to immediately (i) cease using and accessing the Offering, (ii) return or destroy all copies of any On-Premises Products and other Splunk materials and Splunk Confidential Information in your possession or control, and (iii) upon our request, certify in writing the completion of such return or destruction. Upon termination of these General Terms or any Purchased Offering, Splunk will have no obligation to refund any Fees or other amounts received from you during the Term. Notwithstanding any early termination above, except for your termination for our uncured material breach, you will still be required to pay all Fees payable under an Order. + +(C) Survival. 
The termination or expiration of these General Terms will not affect any provisions herein which by their nature survive termination or expiration, including the provisions that deal with the following subject matters: definitions, ownership of intellectual property, confidentiality, payment obligations, effect of termination, limitation of liability, privacy, and the “Miscellaneous” section in these General Terms. + +(D) Suspension of Service. In the event of a material breach or threatened material breach of this Agreement, Splunk may, without limiting its other rights and remedies, suspend your use of the Hosted Service until such breach is cured or Splunk reasonably believes there is no longer a threat, provided that, we will give you at least five (5) days’ prior notice before suspension. Suspension of a Hosted Service will have no impact on the duration of the Term of the Purchased Offering, or the associated Fees owed. + +22. Limitation of Liability +In no event will the aggregate liability of either party, together with any of its Affiliates, arising out of or related to any Purchased Offering exceed the total amount paid by you for that Purchased Offering in the twelve (12) months preceding the first incident out of which the liability arose. However, the foregoing limitation will not limit your obligations under the “Payment” section above and will not be deemed to limit your rights to any service level credits under any applicable Service Level Schedule. Furthermore, the cap above will not be deemed to limit Splunk’s right to recover amounts for your use of an Offering in excess of the Capacity purchased or use outside of Internal Business Purposes. + +In no event will either party or its Affiliates have any liability arising out of or related to these General Terms for any lost profits, revenues, goodwill, or indirect, special, incidental, consequential, cover, business interruption or punitive damages. 
+ +The foregoing limitations will apply whether the action is in contract or tort and regardless of the theory of liability, even if a party or its Affiliates have been advised of the possibility of such damages or if a party’s or its Affiliates’ remedy otherwise fails of its essential purpose. + +The limitation of liability herein will not apply to a party’s infringement of the other party’s intellectual property rights, indemnification obligations, or the fraud, gross negligence or willful misconduct of a party. + +The foregoing disclaimers of damages will also not apply to the extent prohibited by law. Some jurisdictions do not allow the exclusion or limitation of certain damages. To the extent such a law applies to you, some or all of the exclusions or limitations set forth above may not apply to you, and you may have additional rights. + +23. Indemnity +(A) Our Indemnification to You. Splunk will defend and indemnify you, and pay all damages (including attorneys’ fees and costs) awarded against you, or that are agreed to in a settlement, to the extent a claim, demand, suit or proceeding is made or brought against you or your Affiliates by a third party (including those brought by a government entity) alleging that a Purchased Offering infringes or misappropriates such third party’s patent, copyright, trademark or trade secret (a “Customer Claim”). Splunk will have no obligation under the foregoing provision to the extent a Customer Claim arises from your breach of these General Terms, your Customer Content, Third-Party Extension, or the combination of the Offering with: (i) Customer Content; (ii) Third-Party Extensions; (iii) any software other than software provided by Splunk; or (iv) any hardware or equipment. 
However, Splunk will indemnify against combination claims to the extent (y) the combined software is necessary for the normal operation of the Purchased Offering (e.g., an operating system), or (z) the Purchased Offering provides substantially all the essential elements of the asserted infringement or misappropriation claim. Splunk may in its sole discretion and at no cost to you: (1) modify any Purchased Offering so that it no longer infringes or misappropriates a third party right, (2) obtain a license for your continued use of the Purchased Offering, in accordance with these General Terms, or (3) terminate the Purchased Offering and refund to you any prepaid fees covering the unexpired Term. + +(B) Your Indemnification to Us. Unless expressly prohibited by applicable law, you will defend and indemnify us, and pay all damages (including attorneys’ fees and costs) awarded against Splunk, or that are agreed to in a settlement, to the extent a claim, demand, suit or proceeding is made or brought against Splunk or its Affiliates by a third party (including those brought by a government entity) that: (i) alleges that your Customer Content or Customer Extensions infringes or misappropriates such third party’s patent, copyright, trademark or trade secret, or violates another right of a third party; or (ii) alleges that your Customer Content or your use of any Offering violates applicable law or regulation. + +(C) Mutual Indemnity. 
Each party will defend, indemnify and pay all damages (including attorneys’ fees and costs) awarded against the other party, or that are agreed to in a settlement to the extent that an action brought against the other party by a third party is based upon a claim for bodily injury (including death) to any person, or damage to tangible property resulting from the negligent acts or willful misconduct of the indemnifying party or its personnel hereunder, and will pay any reasonable, direct, out-of-pocket costs, damages and reasonable attorneys’ fees attributable to such claim that are awarded against the indemnified party (or are payable in settlement by the indemnified party). + +(D) Process for Indemnification. The indemnification obligations above are subject to the party seeking indemnification to: (i) provide the other party with prompt written notice of the specific claim; (ii) give the indemnifying party sole control of the defense and settlement of the claim (except that the indemnifying party may not settle any claim that requires any action or forbearance on the indemnified party’s part without their prior consent, which will not unreasonably withhold or delay); and (iii) gives the indemnifying party all reasonable assistance, at such party’s expense. + +24. Updates to Offerings +Our Offerings and policies may be updated over the course of our relationship. 
From time to time, Splunk may update or modify an Offering and our policies, provided that: (a) the change and modification applies to all customers generally, and are not targeted to any particular customer; (b) no such change or modification will impose additional fees on you during the applicable Term or additional restrictions on your use of the Offering, (c) no such change will override or supersede the allocation of risk between us under these General Terms, including without limitation the terms under Sections 22 (Limitation of Liability) and 23 (Indemnity); (d) no such change or modification will materially reduce the security protections or overall functionality of the applicable Offering; and (e) any such change or modification will apply only prospectively, and will not apply to any breach or dispute that arose between the parties prior to the effective date of the change or modification. In the event of any conflict between these General Terms and the policies incorporated herein by reference, these General Terms will control. + +25. Governing Law +These General Terms will be governed by and construed in accordance with the laws of the State of California, as if performed wholly within the state and without giving effect to the principles of conflict of law. Any legal action or proceeding arising under these General Terms will be brought exclusively in the federal or state courts located in the Northern District of California and the parties hereby consent to personal jurisdiction and venue therein. Splunk may seek injunctive or other relief in any state, federal, or national court of competent jurisdiction for any actual or alleged infringement of intellectual property or other proprietary rights of Splunk, its Affiliates, or any third party. + +Neither the Uniform Computer Information Transactions Act nor the United Nations Convention for the International Sale of Goods will apply to these General Terms. + +26. 
Use of Customer Name +You agree that we may add your name to our customer list and identify you as a Splunk customer on Splunk’s websites. Any further public use of your name in connection with Splunk marketing activities (e.g., press releases) will require your prior approval. + +27. Miscellaneous +(A) Different Terms. Splunk expressly rejects terms or conditions in any Customer purchase order or other similar document that are different from or additional to the terms and conditions set forth in these General Terms. Such different or additional terms and conditions will not become a part of the agreement between the parties notwithstanding any subsequent acknowledgement, invoice or license key that Splunk may issue. + +(B) No Future Functionality. You agree that your purchase of any Offering is not contingent on the delivery of any future functionality or features, or dependent on any oral or written statements made by Splunk regarding future functionality or features. + +(C) Notices. Except as otherwise specified in these General Terms, all notices related to these General Terms will be sent in writing to the addresses set forth in the applicable Order, or to such other address as may be specified by either party to the other party, and will be effective upon (i) personal delivery, (ii) the second business day after mailing, or (c), except for notices of termination or an indemnifiable claim (“Legal Notices”), which shall clearly be identifiable as Legal Notices, the day of sending by email. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer. All other notices to Customer will be addressed to the relevant system administrator designated by Customer. + +(D) Assignment. 
Neither party may assign, delegate, or transfer these General Terms, in whole or in part, by agreement, operation of law or otherwise without the prior written consent of the other party, however Splunk may assign these General Terms in whole or in part to an Affiliate or in connection with an internal reorganization or a merger, acquisition, or sale of all or substantially all of Splunk’s assets to which these General Terms relates. Any attempt to assign these General Terms other than as permitted herein will be null and void. Subject to the foregoing, these General Terms will bind and inure to the benefit of the parties’ permitted successors and assigns. + +(E) U.S. Government Use Terms. Splunk provides Offerings for U.S. federal government end use solely in accordance with the following: Government technical data and rights related to Offerings include only those rights customarily provided to the public as defined in these General Terms. This customary commercial license is provided in accordance with FAR 12.211 (Technical Data) and FAR 12.212 (Computer Software) and, for Department of Defense transactions, DFARS 252.227-7015 (Technical Data–Commercial Items) and DFARS 227.7202-3 (Rights in Commercial Computer Software or Commercial Computer Software Documentation). If a government agency has a need for rights not conveyed under these terms, it must negotiate with Splunk to determine if there are acceptable terms for transferring such rights, and a mutually acceptable written addendum specifically conveying such rights must be included in any applicable contract or agreement. + +(F) Waiver; Severability. The waiver by either party of a breach of or a default under these General Terms will not be effective unless in writing. The failure by either party to enforce any provisions of these General Terms will not constitute a waiver of any other right hereunder or of any subsequent enforcement of that or any other provisions. 
If a court of competent jurisdiction holds any provision of these General Terms invalid or unenforceable, the remaining provisions of these General Terms will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law. + +(G) Integration; Entire Agreement. These General Terms along with any additional terms incorporated herein by reference, constitute the complete and exclusive understanding and agreement between the parties and supersedes any and all prior or contemporaneous agreements, communications and understandings, written or oral, relating to their subject matter. Except as otherwise expressly set forth herein, any waiver, modification, or amendment of any provision of these General Terms will be effective only if in writing and signed by duly authorized representatives of both parties. + +(H) Force Majeure. Neither party or its Affiliates, subsidiaries, officers, directors, employees, agents, partners and licensors will (except for the obligation to make any payments) be liable for any delay or failure to perform any obligation under these General Terms where the delay or failure results from any cause beyond their reasonable control, including, without limitation, acts of God, labor disputes or other industrial disturbances, electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockades, embargoes, riots, acts or orders of government, acts of terrorism, or war. + +(I) Independent Contractors; No Third-Party Beneficiaries. The parties are independent contractors. These General Terms do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. There are no third-party beneficiaries of these General Terms. Neither party has the authority to bind or act on behalf of the other party in any capacity or circumstance whether by contract or otherwise. 
+ +General Terms Definitions Exhibit + +“Affiliates” means a corporation, partnership or other entity controlling, controlled by or under common control with such party, but only so long as such control continues to exist. For purposes of this definition, “control” means ownership, directly or indirectly, of greater than fifty percent (50%) of the voting rights in such entity (or, in the case of a noncorporate entity, equivalent rights). + +“Capacity” means the measurement of usage of an Offering (e.g., aggregate daily volume of data indexed, specific source type rights, number of search and compute units, number of monitored accounts, virtual CPUs, user seats, use cases, storage capacity, etc.) that is purchased for an Offering, as set forth in the applicable Order. The Capacities for each of our Offerings can be found here: https://www.splunk.com/en_us/legal/licensed-capacity.html. + +“CCPA” means the California Consumer Privacy Act of 2018. + +“Confidential Information” means all nonpublic information disclosed by a party ("Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as “confidential” or that, given the nature of the information or circumstances surrounding its disclosure, should reasonably be understood to be confidential. Notwithstanding the foregoing, “Confidential Information” does not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party. 
+ +“Content Subscription” means the right of Customer to receive content applicable to an Offering (e.g., models, templates, searches, playbooks, rules and configurations, as described in the relevant Documentation) on a periodic basis over the applicable Term. Content Subscriptions are purchased as an add-on service and are identified in an Order. + +“Customer Content” means any data that is ingested by or on behalf of you into an Offering from your internal data sources. + +“Delivery” means the date of Splunk’s initial delivery of the license key for the applicable Offering or, for Hosted Services, the date Splunk makes the applicable Offering available to you for access and use. + +“Digital Marketplace” means an online or electronic marketplace operated or controlled by a third party where Splunk has authorized the marketing and distribution of its Offerings. + +“Documentation” means the online user guides, documentation and help and training materials published on Splunk’s website (such as at https://docs.splunk.com/Documentation) or accessible through the applicable Offering, as may be updated by Splunk from time to time. + +“Enhancements” means any updates, upgrades, releases, fixes, enhancements, or modifications to a Purchased Offering made generally commercially available by Splunk to its customers under the terms and conditions in the Support Exhibit. + +“Extension” means any separately downloadable or accessible suite, configuration file, add-on, technical add-on, plug-in, example module, command, function, playbook, content or application that extends the features or functionality of the applicable Offering. + +“Fees” means the fees that are applicable to an Offering, as identified in the Order. 
+ +“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) as updated, amended or replaced from time to time. + +“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, and supplemented by the Health Information Technology for Economic and Clinical Health Act. + +“Hosted Service” means a technology service hosted by or on behalf of Splunk and provided to you. + +“Internal Business Purpose” means your use of an Offering for your own internal business operations, based on the analysis, monitoring or processing of your data from your systems, networks, and devices. Such use does not include use on a service bureau basis or otherwise to provide services to, or process data for, any third party, or otherwise use to monitor or service the systems, networks and devices of third parties. + +“ITAR Data” means information protected by the International Traffic in Arms Regulations. +“Nonprofit” means a U.S. Federal 501(c)(3), tax-exempt, nonprofit corporation or association (or other nonprofit entity organized in accordance with the laws of where your nonprofit entity is registered) that has qualified for a free, donated Offering in connection with a Splunk donation program. + +“Offerings” means the products, services, and other offerings that Splunk makes generally available, including without limitation On-Premises Products, Hosted Services, Support Programs, Content Subscriptions and Configuration and Implementation Services. + +“On-Premises Product” means the Splunk software that is delivered to you and deployed and operated by you or on your behalf on hardware designated by you, and any Enhancements made available to you by Splunk. 
+ +“Open Source Software” means software that is licensed under a license approved by the Open Source Initiative or similar freeware license, with terms requiring that such software code be (i) disclosed or distributed in source code or object code form, (ii) licensed for the purpose of making derivative works, and/or (iii) redistributed under the same license terms. + +“Orders” means Splunk’s quote or ordering document (including online order form) accepted by you via your purchase order or other ordering document submitted to Splunk (directly or indirectly through an authorized reseller or Digital Marketplace) to order Offerings, which references the Offering, Capacity, pricing and other applicable terms set forth in an applicable Splunk quote or ordering document. Orders do not include the terms of any preprinted terms on your purchase order or other terms on a purchase order that are additional or inconsistent with the terms of these General Terms. + +“PCI Data” means credit card information within the scope of the Payment Card Industry Data Security Standard. + +“PHI Data” means any protected health data, as defined under HIPAA. + +“Purchased Offerings” means the services, subscriptions and licenses to Offerings that are acquired by you under Orders, whether directly or through an authorized reseller or Digital Marketplace. + +“Service Level Schedule” means a Splunk policy that applies to the availability and uptime of a Hosted Service and which, if applicable, offers service credits as set forth therein. + +“Splunkbase” means Splunk’s online directory of or platform for Extensions, currently located at https://splunkbase.splunk.com and any and all successors, replacements, new versions, derivatives, updates and upgrades and any other similar platform(s) owned and/or controlled by Splunk. 
+ +“Splunk Developer Tool” means the standard application programming interface, configurations, software development kits, libraries, command line interface tools, other tooling (including scaffolding and data generation tools), integrated development environment plug-ins or extensions, code examples, tutorials, reference guides and other related materials identified and provided by Splunk to facilitate or enable the creation of Extensions or otherwise support interoperability between the Software and your system or environment. + +“Splunk Extensions” means Extensions made available through Splunkbase that are identified on Splunkbase as built by Splunk (and not by any third party). + +“Support Programs” are the Support Programs offered by Splunk and identified here: https://www.splunk.com/en_us/support-and-services/support-programs.html. + +“Term” means the duration of your subscription or license to the applicable Offering that starts and ends on the date listed on the applicable Order. If no start date is specified in an Order, the start date will be the Delivery date of the Offering. + +“Third-Party Content” means information, data, technology, or materials made available to you by any third party that you license and add to a Hosted Service or direct Splunk to install in connection with a Hosted Service. Third-Party Content includes but is not limited to, Third-Party Extensions, web-based or offline software applications, data service or content that are provided by third parties. + +“Usage Data” means data generated from the usage, configuration, deployment, access, and performance of an Offering. For example, this may include such things as information about your operating environment, such as your network and systems architecture, or sessions, such as page loads and session views, duration, or interactions, errors, number of searches, source types and format (e.g., json, xml, csv), ingest volume, number of active and licensed users, or search concurrency. 
Usage Data does not include Customer Content. + +Support Exhibit to Splunk General Terms + +This Support Exhibit forms a part of the Splunk General Terms and governs your purchase, and Splunk’s provision of Support Services. + +1. Support Programs +Support Programs purchased as part of a Purchased Offering will be identified in your applicable Order. Splunk will provide you the level of Support Services described under the purchased Support Program, subject to your payment of applicable Fees. “Support Programs” are the Support Programs offered by Splunk and identified here: https://www.splunk.com/en_us/support-and-services/support-programs.html. + +2. Support Services +“Support Services” include technical support for your Purchased Offerings, and, when available, the provision of Enhancements for your Purchased Offerings, subject to the Support Policy described below. Technical support under a Support Program is available via web portal, and certain Support Programs also make support available via telephone. Support Services will be delivered by a member of Splunk’s technical support team during the regional hours of operation applicable under the Support Program. Support Services are delivered in English unless you are in a location where we have made localized Support Services available. + +3. Support Policy +Our Support Policy, provided here: https://www.splunk.com/en_us/legal/splunk-software-support-policy.html (“Support Policy”) describes the duration of our Support Services for certain Splunk On-Premises Products and other policies associated with our Support Services. + +As we release new versions for our Offerings, we discontinue Support Services for certain older versions. Our Support Policy sets forth the schedule for the duration of support, and end of support, for Offering versions. The current versions of our Offerings that are supported under our Support Policy and will be our “Supported Versions” herein. 
The Support Policy may not apply to Hosted Services, and the product and services version we make available as our Hosted Services will be deemed Supported Versions herein. + +4. Case Priority +Each Support Program offers different support levels for your case priority levels. When submitting a case, you will select the priority for initial response by logging the case online, in accordance with the priority guidelines set forth under your Support Program. When the case is received, we may in good faith change the priority if the issue does not conform to the criteria for the selected priority. When that happens, we will provide you with notice (electronic or otherwise) of such change. + +5. Exclusions +We will have no obligation to provide support for issues caused by any of the following (each, a “Customer Generated Error”): (i) modifications to an Offering not made by Splunk; (ii) use of an Offering other than as authorized in the General Terms or as provided in the applicable Documentation; (iii) damage to the machine on which an On-Premises Product is installed; (iv) use of a version of an Offering other than the Supported Version; (vi) third-party products that are not expressly noted in the Documentation as supported by Splunk; or (vi) conflicts related to replacing or installing hardware, drivers, and software that are not expressly supported by Splunk and described in the applicable Documentation. If we determine that support requested by you is for an issue caused by a Customer Generated Error, we will notify you of that fact as soon as reasonably possible under the circumstances. If you agree that we should provide support for the Customer Generated Error via a confirming email, then we will have the right to invoice you at our then-current time and materials rates for any such support provided by us. + +6. 
Support for Splunk Extensions +Only Splunk Extensions that are labeled as “Splunk Supported” on Splunkbase, or other Splunk-branded marketplace, are eligible for support, and this support is limited. For those labeled Splunk Supported, we will provide an initial response and acknowledgement in accordance with the P3 terms that are applicable in the applicable Support Program, and Enhancements may be made available. No other terms of a Support Program will apply to a Splunk Application. For those labeled as “Not Supported,” Splunk will have no support obligations. + +7. Authorized Support Contacts +You are entitled to have a certain number of Support Contacts under each Support Program. “Support Contacts” means the individual(s) specified by you that are authorized to submit support cases. + +The number of Support Contacts will be based on the Capacity of the Offering purchased, and the applicable Support Program. The number of Support Contacts will be set forth in customer’s entitlement information on the Splunk support portal. + +We only take support requests from, and communicate with, your Support Contacts in connection with support cases. We strongly recommend that your Support Contact(s) are trained on the applicable Offering. In order to designate Support Contacts, you must provide the individual’s primary email address and Splunk.com login ID. + +8. Defect Resolution +Should we determine that an Offering has a defect, we will, at our sole option, repair the defect in the version of the Offering that you are then currently using or instruct you to install a newer version of the Offering with that defect repaired. We reserve the right to provide you with a workaround in lieu of fixing a defect should we in our sole judgment determine that it is more effective to do so. + +9. 
Your Assistance +Should you report a purported defect or error in an Offering, we may require you to provide us with the following information: (a) a general description of your operating environment; (b) a list of all hardware components, operating systems and networks; (c) a reproducible test case; and (d) any log files, trace and systems files. Your failure to provide this information may prevent us from identifying and fixing that purported defect. + +10. Changes to Support Programs +You acknowledge that, subject to the Support Policy, and subject to any commitment we have during the Term, we have the right to discontinue the manufacture, development, sale or support of any Offering, at any time, in our sole discretion. We further reserve the right to alter Support Programs from time to time, using reasonable discretion, but in no event will such alterations, during the Term of any Order, result in diminished Support Services from the level of your applicable purchased Support Program. + +Configuration and Implementation Services +Exhibit to Splunk General Terms + +This Configuration and Implementation Services Exhibit forms a part of the Splunk General Terms and governs your purchase, and Splunk’s provision of Configuration and Implementation Services. + +Capitalized terms below are defined in the General Terms, this Exhibit or in the Definition Exhibit attached to this Exhibit. + +1. Services and Statements of Work +We will perform the C&I Services for you that are set forth in the applicable Statements of Work. You will pay the Fees under each Statement of Work in accordance with these General Terms, or otherwise as we may expressly agree in the applicable Statement of Work. + +In each Statement of Work, we will designate our primary point of contact for you for all matters relating to the applicable C&I Services (which we may change from time to time upon notice). + +2. Our Personnel +(A) Qualifications. 
The Personnel we assign to perform the C&I Services will be qualified, skilled, experienced and otherwise fit for the performance of the C&I Services. If you, in your reasonable judgement, determine that Personnel assigned to your project are unfit, we will in good faith discuss alternatives, and we will replace Personnel as reasonably necessary. You acknowledge that any replacement may cause delay in the performance of the C&I Services. + +(B) Personnel Conduct. Our Personnel are subject to our Splunk Code of Conduct and Ethics https://investors.splunk.com/code-business-conduct-and-ethics-1, which includes, without limitation, an obligation to comply with our policies on protecting customer information, prohibitions on illegal drugs and any impaired job performance, avoiding conflicts of interest, and acting ethically at all times. We also background check our employees, per the Section below. + +(C) Use of Subcontractors. We reserve the right to use subcontractors in performance of the C&I Services, provided: (a) any subcontractor we use meets the requirements herein and conditions of these General Terms and the Statement of Work; (b) we will be responsible for the subcontractor’s compliance with the terms herein and the Statement of Work; and (c) upon your request or inquiry, we will identify any subcontractor that we are using, or plan to use, for C&I Services, and will cooperate in good faith to provide you with all relevant information regarding such subcontractors. + +(D) No Employee Benefits. We acknowledge and agree that our Personnel are not eligible for or entitled to receive any compensation, benefits, or other incidents of employment that you make available to your employees. We are solely responsible for all employment related taxes, expenses, withholdings, and other similar statutory obligations arising out of the relationship between us and our Personnel and the performance of C&I Services by such Personnel. + +3. 
Our Background Checks, Security and Compliance Obligations +(A) Compliance with Your Security Program. While on your premises, our Personnel will comply with your security practices and procedures generally prescribed by you for onsite visitors and service providers. However, any requirement that is in addition to the compliance requirements set forth in this Schedule (e.g., background checks that are different from the background checks described herein) must be expressly set forth in a Statement of Work. We agree to discuss in good faith any condition or requirement you may have for our Personnel that are different from standard policies, however any additional requirement may delay C&I Services and must be vetted and implemented by mutual agreement of the parties and expressly set forth in a Statement of Work. Splunk does not guarantee that it will be able to meet any additional requested requirements. + +(B) Our Security Practices. We implement and follow an enterprise security program, with the policies, plans, and procedures set forth here www.splunk.com/prof-serv-isa. Our Personnel will be subject to the data protection and confidentiality obligations set forth in these General Terms with respect to any of your data that we may have access to in connection with the C&I Services. + +(C) Background Checks. For U.S.-based projects, we will not assign an employee to perform C&I Services under a Statement of Work unless we have run the following background check on the employee: Criminal Felony & Misdemeanor; SSN Validation; Federal Criminal; SSN Trace; Employment Report – Three (3) Employers; Education Report – One (1) Institution; Global Sanctions & Enforcement; Prohibited Parties; Widescreen Plus National Criminal Search. + +(D) Permissions for Access. 
In the event you require any Personnel to sign any waivers, releases, or other documents as a condition to gain access to your premises for performance of the C&I Services (“Access Documents”), you agree: (a) that Personnel who will be required to sign Access Documents will sign on behalf of Splunk; (b) that any additional or conflicting terms in Access Documents with these General Terms will have no effect; and (c) you will pursue any claims for breach of any terms in the Access Documents against Splunk and not the individual signing. + +4. Your Materials +We will have no rights in or to any Customer Materials, however you grant us the right to use Customer Materials in order to provide the C&I Services. Nothing in these General Terms will deemed to transfer to us any ownership of Customer Materials. + +5. C&I Services Materials and Customizations Unique to You +(A) C&I Services Materials. The C&I Services we perform (e.g., configuration of our Offerings), and the C&I Services Materials we offer, create, and deliver to you in connection with the C&I Services, are generally applicable to our business, and therefore we require the right to be able to re-use the C&I Services Materials we create for one customer in connection with all of our customers. For the avoidance of doubt, our use of the C&I Services Materials created for you in connection with C&I Services will comply with our ongoing obligations and restrictions with respect to your Customer Materials and your Confidential Information, and we will not identify you in any way in connection with our further use of such C&I Services Materials. + +(B) Customer Owned Work Product. However, in the unlikely event that the parties agree that C&I Services Materials for a project are custom work product unique to your business, and not applicable to other customers generally, we will transfer ownership to those agreed C&I Services Materials to you under the applicable Statement of Work. 
C&I Services Materials must be expressly identified as “Customer Owned Work Product” under a Statement of Work for ownership to pass to you. Subject to payment of applicable Fees under the Statement of Work, we hereby assign to you all rights, title and interest (including all Intellectual Property Rights therein) in and to all C&I Services Materials identified as Customer Owned Work Product (but excluding all Splunk Preexisting IP incorporated into the Customer Owned Work Product). At your request and expense, we will assist and cooperate with you in all reasonable respects and will execute documents and take such further acts reasonably requested by you to enable you to acquire, transfer, maintain, perfect, and enforce your ownership rights in such Customer Owned Work Product. + +(C) Our Ownership. Subject to your ownership rights in Customer Owned Work Product and Customer Materials, we will own all rights in and to all C&I Services Materials. + +(D) License Rights. For those C&I Services Materials that are not Customer Owned Work Product, you will have the right to access and use those C&I Services Materials in connection with your applicable Offerings, and those rights will be of the same scope and duration as your rights to the underlying Offering. + +6. C&I Services Warranty +We warrant that the C&I Services will be performed in a good and workmanlike manner consistent with applicable industry standards. This warranty will be in effect for a period of thirty (30) days from the completion of any C&I Services. As your sole and exclusive remedy and our entire liability for any breach of the foregoing warranty, we will, at our option and expense, promptly re-perform any C&I Services that fail to meet this warranty or refund to you the fees paid for the non-conforming C&I Services. + +7. 
Your Cooperation +You acknowledge that your timely provision of (and our access to) your facilities, equipment, assistance, cooperation, data, information and materials from your officers, agents, and employees (the “Cooperation”) is essential to Splunk’s performance of the C&I Services. We will not be liable for any delay or deficiency in performing the C&I Services if you do not provide the necessary Cooperation. As part of the Cooperation, you will (1) designate a project manager or technical lead to liaise with us while we perform the C&I Services; (2) allocate and engage additional resources as may be required to assist us in performing the C&I Services; and (3) making available to us any data, information and any other materials reasonably required by us to perform the C&I Services, including any data, information or materials specifically identified in the Statement of Work. + +8. Insurance +Throughout any period of C&I Services we perform for you, we will maintain insurance policies in the types and amounts described below at our own expense: + +(i) Commercial General Liability Insurance with a limit of not less than $1,000,000 per occurrence and a general aggregate limit of not less than $2,000,000. +(ii) Business Auto Insurance with a limit of not less than $1,000,000 combined single limit. Such Insurance will cover liability arising out of “hired and non-owned” automobiles. +(iii) Worker’s Compensation Insurance as required by workers’ compensation, occupational disease and occupational health and safety laws, statutes, and regulations. +(iv) Technology Errors & Omissions Insurance with a limit of not less than $3,000,000 per occurrence and general aggregate. +(v) Umbrella/Excess Insurance with a limit of not less than $3,000,000 per occurrence and general aggregate. + +9. Change Order Process +You may submit written requests to us to change the scope of C&I Services described in a Statement of Work (each such request, a “Change Order Request”). 
If we elect to consider a Change Order Request, then we will promptly notify you if we believe that the Change Order Request requires an adjustment to the fees or to the schedule for the performance of the C&I Services. In such event, the parties will negotiate in good faith a reasonable and equitable adjustment to the fees and/or schedule, as applicable. We will continue to perform C&I Services pursuant to the existing Statement of Work and will have no obligation to perform any Change Order Request unless and until the parties have agreed in writing to such an equitable adjustment. + +10. Expenses +Unless otherwise specified in the Statement of Work, we will not charge you for our expenses we incur in connection with a Statement of Work. Our daily C&I Services rates are inclusive of any expenses. In the event the parties agree that expenses are reimbursable under a Statement of Work, we will mutually agree on any travel policy and any required documentation for reimbursement. + +11. Prepaid C&I Services +Unless otherwise expressly stated in a Statement of Work, all prepaid C&I Services must be redeemed within twelve (12) months from the date of purchase/invoice. At the end of the twelve (12) month term, any remaining pre-paid unused C&I Services will expire; no refunds will be provided for any remaining pre-paid unused C&I Services. Unless otherwise specifically stated in a Statement of Work, Education is invoiced and payable in advance. + +Configuration and Implementation Services Definitions Exhibit + +“C&I Services” means the services outlined in the Statement of Work. 
+ +“C&I Services Materials” means the materials and other deliverables that are provided to you as part of the C&I Services, and any materials, technology, know-how and other innovations of any kind that we or our Personnel may create or reduce to practice in the course of performing the C&I Services, including without limitation all improvements or modifications to our proprietary technology, and all Intellectual Property Rights therein. + +“Customer Materials” means the data, information, and materials you provide to us in connection with your use of the C&I Services. + +“Fees” means the fees that are applicable to the C&I Services, as identified in the Statement of Work. + +“Intellectual Property Rights” means all worldwide intellectual property rights, including copyrights and other rights in works of authorship; rights in trademarks, trade names, and other designations of source or origin; rights in trade secrets and confidential information; and patents and patent applications. + +“Personnel” means any employee, consultant, contractor, or subcontractor of Splunk. + +“Splunk Preexisting IP” means, with respect to any C&I Services Materials, all associated Splunk technology and all Intellectual Property Rights created or acquired: (a) prior to the date of the Statement of Work that includes such C&I Services Materials, or (b) after the date of such Statement of Work but independently of the C&I Services provided under such Statement of Work. + +“Statement of Work” means the statements of work and/or any and all applicable Orders, that describe the specific services to be performed by Splunk, including any materials and deliverables to be delivered by Splunk. diff --git a/apps/Splunk_TA_windows/README.txt b/apps/Splunk_TA_windows/README.txt new file mode 100644 index 00000000..4cc3eab0 --- /dev/null +++ b/apps/Splunk_TA_windows/README.txt 
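Review bot: the enumeration in Support Exhibit section 5 (Exclusions) runs (iv), (vi), (vi), so (v) is missing and (vi) is used twice; in the C&I Exhibit, section 4 reads "will deemed to transfer" and section 7 item (3) reads "making available" where the other items in that list are imperative. Because LICENSES/LicenseRef-Splunk-8-2021.txt is the vendor's license text that app.manifest points at, verify these against the vendor's published copy rather than fixing them in this repository; if they are present upstream, keep the file byte-for-byte identical so the bundled license matches what the vendor distributes.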
@@ -0,0 +1,4 @@ +Splunk Add-on for Microsoft Windows +Copyright (C) 2021 Splunk Inc. All Rights Reserved. + +For documentation, see: http://docs.splunk.com/Documentation/WindowsAddOn/latest diff --git a/apps/Splunk_TA_windows/README/transforms.conf.spec b/apps/Splunk_TA_windows/README/transforms.conf.spec new file mode 100644 index 00000000..8ddba4e7 --- /dev/null +++ b/apps/Splunk_TA_windows/README/transforms.conf.spec @@ -0,0 +1,6 @@ +[user_account_control_property] +python.version = {default|python|python2|python3} +* For Splunk 8.0.x and Python scripts only, selects which Python version to use. +* Either "default" or "python" select the system-wide default Python version. +* Optional. +* Default: not set; uses the system-wide Python version. diff --git a/apps/Splunk_TA_windows/THIRDPARTY b/apps/Splunk_TA_windows/THIRDPARTY new file mode 100644 index 00000000..26247ede --- /dev/null +++ b/apps/Splunk_TA_windows/THIRDPARTY 
@@ -0,0 +1,68 @@ +================================================================================ +================================================================================ + + Third-Party Software for splunk-add-on-for-microsoft-windows + +-------------------------------------------------------------------------------- + +The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-microsoft-windows. Any information relevant to third-party vendors listed below are collected using common, reasonable means. + +Date generated: 2024-11-11 + +Revision ID: af23640882c3878b5f97c496e22f7c68f31eedba + +================================================================================ +================================================================================ + + + + +================================================================================ + + Declared License + +================================================================================ + +No declared license found for splunk-add-on-for-microsoft-windows + + + + +================================================================================ + + First Party Licenses + +================================================================================ + +No licenses found + + + + + +================================================================================ + + Dependencies + +================================================================================ + + + + +================================================================================ + License + +================================================================================ + + +================================================================================ + + Copyrights + +================================================================================ + + +-------------------------------------------------------------------------------- 
+-------------------------------------------------------------------------------- + +Report Generated by FOSSA on 2024-11-11 diff --git a/apps/Splunk_TA_windows/VERSION b/apps/Splunk_TA_windows/VERSION new file mode 100644 index 00000000..0532eeeb --- /dev/null +++ b/apps/Splunk_TA_windows/VERSION @@ -0,0 +1,2 @@ +9.0.1 +9.0.1 \ No newline at end of file diff --git a/apps/Splunk_TA_windows/app.manifest b/apps/Splunk_TA_windows/app.manifest new file mode 100644 index 00000000..4f242719 --- /dev/null +++ b/apps/Splunk_TA_windows/app.manifest 
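Review bot: the generated THIRDPARTY report carries no attribution data at all: it states "No declared license found" for the add-on, "No licenses found" under First Party Licenses, and the Dependencies, License and Copyrights sections are empty, even though the same change ships PowerShell and Python under bin/ and a LicenseRef-Splunk-8-2021 license file. Check whether the FOSSA scan (Revision ID af23640882c3878b5f97c496e22f7c68f31eedba, generated 2024-11-11) was run against the packaged tree; an empty third-party inventory gives reviewers no way to confirm which components are bundled or under what licenses, which is the whole point of committing the file.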
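Review bot: VERSION contains `9.0.1` on two lines and has no trailing newline. If the second line is meant to hold a separate build identifier it currently just repeats the release version, and if it is an accidental duplicate it should be dropped; either way, add the final newline so the file diffs cleanly and line-oriented readers see a terminated last line.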
@@ -0,0 +1,75 @@ +{ + "dependencies": null, + "incompatibleApps": { + "Splunk_TA_microsoft_ad": "<=1.0.0", + "Splunk_TA_microsoft_dns": "<=1.0.1" + }, + "info": { + "author": [ + { + "name": "Splunk, Inc.", + "email": null, + "company": null + } + ], + "classification": { + "categories": [ + "IT Operations", + "Utilities", + "Security, Fraud & Compliance" + ], + "developmentStatus": "Production/Stable", + "intendedAudience": "IT Professionals" + }, + "commonInformationModels": { + "Application_State": "==4.15.0", + "Authentication": "==4.18.0", + "Change": "==4.18.0", + "Change_Analysis": "==4.15.0", + "Compute_Inventory": "==4.15.0", + "Endpoint": "==4.18.0", + "Event_Signatures": "==4.18.0", + "Network_Sessions": "==4.15.0", + "Performance": "==4.15.0", + "Updates": "==4.15.0", + "Vulnerabilities": "==4.15.0" + }, + "description": "Splunk Add-on for Microsoft Windows", + "id": { + "group": null, + "name": "Splunk_TA_windows", + "version": "9.0.1" + }, + "license": { + "name": null, + "text": "LICENSES/LicenseRef-Splunk-8-2021.txt", + "uri": null + }, + "privacyPolicy": { + "name": null, + "text": null, + "uri": null + }, + "releaseDate": null, + "releaseNotes": { + "name": "README", + "text": "./README.txt", + "uri": "http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes" + }, + "title": "Splunk Add-on for Microsoft Windows" + }, + "inputGroups": null, + "platformRequirements": null, + "schemaVersion": "2.0.0", + "supportedDeployments": [ + "_standalone", + "_distributed", + "_search_head_clustering" + ], + "targetWorkloads": [ + "_search_heads", + "_forwarders", + "_indexers" + ], + "tasks": null +} \ No newline at end of file diff --git a/apps/Splunk_TA_windows/appserver/static/appIcon.png b/apps/Splunk_TA_windows/appserver/static/appIcon.png new file mode 100644 index 00000000..88f67e72 Binary files /dev/null and b/apps/Splunk_TA_windows/appserver/static/appIcon.png differ 
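Review bot: every entry under `commonInformationModels` is pinned with `==` (for example `"Authentication": "==4.18.0"`, `"Endpoint": "==4.18.0"`, `"Performance": "==4.15.0"`), which asserts compatibility with exactly one CIM release per model and with two different releases across models; confirm that exact pins rather than minimum-version ranges are intended, since they declare nothing about any other installed CIM version. `license.name` and `releaseDate` are null while `license.text` points at LICENSES/LicenseRef-Splunk-8-2021.txt; filling in the license name and date keeps the manifest self-describing. The file also ends without a trailing newline.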
diff --git a/apps/Splunk_TA_windows/appserver/static/appLogo.png b/apps/Splunk_TA_windows/appserver/static/appLogo.png new file mode 100644 index 00000000..3ba5de6b Binary files /dev/null and b/apps/Splunk_TA_windows/appserver/static/appLogo.png differ diff --git a/apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1 b/apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1 new file mode 100644 index 00000000..002ac5b4 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1 
@@ -0,0 +1,89 @@ +<# + .SYNOPSIS + & .\Invoke-MonitoredScript.ps1 "MyScript.ps1" + + .DESCRIPTION + Outputs additional Splunk events related to the running and + errors in the script. +#> +[CmdletBinding()] +param( + #Command to execute. + [Parameter(Position=0, Mandatory=$true)] + [ValidateNotNullOrEmpty()] + [string] $Command, + + # Splunk Sourcetype Prefix for generated events + [Parameter()] + [ValidateNotNull()] + [string] $SourceTypePrefix="Powershell:", + + # Maximum number of errors to convert into events + [Parameter()] + [ValidateRange(0, 100)] + [int] $MaxErrorCount +) + +$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property ( + [ordered]@{ + SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary"; + Identity=[guid]::NewGuid().ToString(); + InvocationLine=$MyInvocation.Line; + TerminatingError=$false; ErrorCount=0; Elapsed="" + }) +$originalLocation = Get-Location + +try +{ + Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition) + $ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew() + $Error.Clear() + Invoke-Expression $Command +} +catch +{ + $WrappedScriptExecutionSummary.TerminatingError = $true; +} +finally +{ + Set-Location $originalLocation + $WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff") + $WrappedScriptExecutionSummary.ErrorCount = $Error.Count + + if ($Error.Count -gt 0) { + $ei = $Error.Count - 1 + if ($PSBoundParameters.ContainsKey('MaxErrorCount')) { + if ($MaxErrorCount -lt $Error.Count) { + $ei = $MaxErrorCount - 1 + } + # Always emit terminating errors + if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) { + $ei = 1 + } + } + + for(; $ei -ge 0; $ei--) { + $errorRecord = New-Object -TypeName PSObject -Property ( + [ordered]@{ + SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord"; + ParentIdentity=$WrappedScriptExecutionSummary.Identity; + ErrorIndex=$ei; + ErrorMessage=$Error[$ei].ToString(); + 
PositionMessage=$Error[$ei].InvocationInfo.PositionMessage; + CategoryInfo=$Error[$ei].CategoryInfo.ToString(); + FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId + }) + + if ($Error[$ei].Exception -ne $null) { + Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString() + if ($Error[$ei].Exception.InnerException -ne $null) { + Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString() + } + } + + Write-Output $errorRecord + } + } + + Write-Output $WrappedScriptExecutionSummary +} diff --git a/apps/Splunk_TA_windows/bin/log.py b/apps/Splunk_TA_windows/bin/log.py new file mode 100644 index 00000000..de5c5482 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/log.py 
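Review bot: on bin/Invoke-MonitoredScript.ps1, `Invoke-Expression $Command` evaluates whatever string arrives in `-Command` as PowerShell, so whoever controls that argument can run arbitrary code under the account executing the wrapper; the synopsis only needs a script path, so prefer the call operator on a validated path (resolve `$Command`, require it to be a `.ps1` beneath the directory this wrapper `Set-Location`s into, then `& $resolvedPath`), which treats the parameter as a file to run rather than code to evaluate. Two smaller defects in the same hunk: in the "Always emit terminating errors" branch `$ei = 1` should be `$ei = 0`, otherwise `-MaxErrorCount 0` with a terminating error emits two records and indexes `$Error[1]`, which may not exist; and `$ScriptStopWatch` is created inside `try` after `Set-Location`, so if `Set-Location` throws, `finally` dereferences an unset variable. Start the stopwatch before the `try`.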
@@ -0,0 +1,120 @@ +# +# SPDX-FileCopyrightText: 2024 Splunk, Inc. +# SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +# +# +import logging +import logging.handlers as handlers +import os +import os.path as op +import time + +try: + from splunk.clilib.bundle_paths import make_splunkhome_path +except ImportError: + from splunk.appserver.mrsparkle.lib.util import make_splunkhome_path + +logging.Formatter.converter = time.gmtime + +__LOG_FORMAT__ = ( + "%(asctime)s +0000 log_level=%(levelname)s, pid=%(process)d, " + "tid=%(threadName)s, file=%(filename)s, " + "func_name=%(funcName)s, code_line_no=%(lineno)d | %(message)s" +) + + +class Log(object): + def __init__(self, namespace=None, default_level=logging.INFO): + self._loggers = {} + self._default_level = default_level + if namespace is None: + namespace = self._get_appname_from_path(op.abspath(__file__)) + + if namespace: + namespace = namespace.lower() + self._namespace = namespace + + def get_logger(self, name, level=None, maxBytes=25000000, backupCount=5): + """ + Set up a default logger. + + :param name: The log file name. + :param level: The logging level. + :param maxBytes: The maximum log file size before rollover. + :param backupCount: The number of log files to retain. + """ + + # Strip ".py" from the log file name if auto-generated by a script. 
+ if level is None: + level = self._default_level + + name = self._get_log_name(name) + if name in self._loggers: + return self._loggers[name] + + logger = logging.getLogger(name) + + logfile = make_splunkhome_path(["var", "log", "splunk", name]) + handler_exists = any( + [True for h in logger.handlers if h.baseFilename == logfile] + ) + if not handler_exists: + file_handler = handlers.RotatingFileHandler( + logfile, mode="a", maxBytes=maxBytes, backupCount=backupCount + ) + formatter = logging.Formatter(__LOG_FORMAT__) + file_handler.setFormatter(formatter) + logger.addHandler(file_handler) + logger.setLevel(level) + logger.propagate = False + + self._loggers[name] = logger + return logger + + def set_level(self, level, name=None): + """ + Change the log level of the logging + + :param level: the level of the logging to be setLevel + :param name: the name of the logging to set, in case it is not set, + all the loggers will be affected + """ + + if name is not None: + name = self._get_log_name(name) + logger = self._loggers.get(name) + if logger is not None: + logger.setLevel(level) + else: + self._default_level = level + for logger in self._loggers.values(): + logger.setLevel(level) + + def _get_log_name(self, name): + if name.endswith(".py"): + name = name.replace(".py", "") + + if self._namespace: + name = "{}_{}.log".format(self._namespace, name) + else: + name = "{}.log".format(name) + return name + + def _get_appname_from_path(self, absolute_path): + absolute_path = op.normpath(absolute_path) + parts = absolute_path.split(os.path.sep) + parts.reverse() + for key in ("apps", "slave-apps", "master-apps"): + try: # nosemgrep: gitlab.bandit.B112 + idx = parts.index(key) + except ValueError: + continue + else: + try: # nosemgrep: gitlab.bandit.B110 + if parts[idx + 1] == "etc": + return parts[idx - 1] + except IndexError: + pass + continue + # return None + return "-" 
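Review bot: on bin/log.py, `handler_exists = any([True for h in logger.handlers if h.baseFilename == logfile])` assumes every handler attached to the logger is a file handler; a `StreamHandler` or `NullHandler` registered under the same logger name has no `baseFilename` and this raises `AttributeError`. Use `any(getattr(h, "baseFilename", None) == logfile for h in logger.handlers)`, which also lets `any` short-circuit instead of building a list first. Also, the comment `# Strip ".py" from the log file name if auto-generated by a script.` sits above the level-defaulting code in `get_logger` but describes `_get_log_name`, where `name.replace(".py", "")` strips every occurrence rather than the suffix; `name[:-3]` under the existing `endswith(".py")` check is the safer form. The trailing `continue` and the `# return None` comment at the end of the loop in `_get_appname_from_path` are redundant and can go.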
diff --git a/apps/Splunk_TA_windows/bin/netsh_address.bat b/apps/Splunk_TA_windows/bin/netsh_address.bat new file mode 100644 index 00000000..3860296f --- /dev/null +++ b/apps/Splunk_TA_windows/bin/netsh_address.bat @@ -0,0 +1,5 @@ +@echo off +REM -------------------------------------------------------- +REM Copyright (C) 2021 Splunk Inc. All Rights Reserved. +REM -------------------------------------------------------- +netsh interface ip show address diff --git a/apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1 b/apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1 new file mode 100644 index 00000000..e3859654 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1 
@@ -0,0 +1,58 @@ +Import-Module ActiveDirectory -ErrorAction SilentlyContinue + +$ServerName = $env:ComputerName + +$DomainController = Get-ADDomainController -Identity $ServerName +$Domain = Get-ADDomain -Identity $DomainController.Domain +$Forest = Get-ADForest -Identity $DomainController.Forest +$ReplicationSite = Get-ADReplicationSite -Identity $DomainController.Site +$Computer = Get-ADComputer -Identity $ServerName -Properties * +$RootDSE = Get-ADRootDSE -Server $ServerName +$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" ) + +$ISTG = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator) +$SYSVOL = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue) +Try { + $DnsRegister = [System.Net.Dns]::GetHostByName($DomainController.HostName) +} Catch { + # The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason +} +$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion ` + -SearchBase $RootDSE.schemaNamingContext +$DCWeight = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null) +if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") { + $DCWeight = 100 +} +$FSMORoles = ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } ) + +$SvcRunning = @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name) +$SvcStopped = @(Get-Service $RequiredServices | ? 
Status -ne "Running" | select -expand Name) +$ProcsOK = (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr"))) + +New-Object PSObject -Property @{ + Server = $DomainController.Name + DomainDNSName = $DomainController.Domain + DomainNetBIOSName = $Domain.NetBIOSName + DomainLevel = $Domain.DomainMode + Site = $DomainController.Site + ForestName = $DomainController.Forest + ForestLevel = $Forest.ForestMode + Created = $Computer.whenCreated + Changed = $Computer.whenChanged + GlobalCatalog = $DomainController.IsGlobalCatalog + RODC = $DomainController.IsReadOnly + Enabled = $DomainController.Enabled + HighestUSN = $RootDSE.highestCommittedUSN + SchemaVersion = $SchemaVersion.objectVersion + DCWeight = $DCWeight + IsIntersiteTopologyGenerator = $ISTG + OperatingSystem = $DomainController.OperatingSystem + ServicePack = $DomainController.OperatingSystemServicePack + OSVersion = $DomainController.OperatingSystemVersion + FSMORoles = $FSMORoles -join " " + ServicesRunning = $SvcRunning -join "," + ServicesNotRunning = $SvcStopped -join "," + ProcsOK = $ProcsOK + SYSVOLShare = ($SYSVOL -ne $null) + DNSRegister = ($DnsRegister -ne $null) +} diff --git a/apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1 b/apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1 new file mode 100644 index 00000000..d6d92815 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1 
@@ -0,0 +1,17 @@ +Import-Module ActiveDirectory -ErrorAction SilentlyContinue + +Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{ + $src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") ` + -SearchScope Base -Properties dNSHostName + + New-Object PSObject -Property @{ + LastAttemptedSync = $_.LastReplicationAttempt + LastSuccessfulSync = $_.LastReplicationSuccess + type = "ReplicationEvent" + usn = $_.LastChangeUsn + src_host = $src_host.dNSHostName + Result = $_.LastReplicationResult + transport = $_.IntersiteTransportType + naming_context = $_.Partition + } +} diff --git a/apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1 b/apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1 new file mode 100644 index 00000000..d1310811 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1 
@@ -0,0 +1,74 @@ +Import-Module ActiveDirectory -ErrorAction SilentlyContinue +# +# Get the Information about this site +# +$ServerName = $env:ComputerName + +$DC = Get-ADDomainController -Identity $ServerName +$Site = Get-ADReplicationSite -Identity $DC.Site +$Object = Get-ADObject -Filter * -SearchScope base -Properties * ` + -SearchBase $Site.DistinguishedName + +$Location = if ($Object.location -eq $null) { "" } else { $Object.location } +$ISTG = Get-ADDomainController -Filter ` + 'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator' +$SiteLinks = Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties * +$AdjacentSites = ($SiteLinks | Select -Expand SitesIncluded | ` + Where-Object { $_ -ne $Site.DistinguishedName } | ` + Sort-Object | Get-Unique | ` + Foreach-Object { Get-ADReplicationSite $_ } ) +$Subnets = Get-ADReplicationSubnet -Filter 'Site -eq $Site' + +######################################################################## +# +# SITE +# +$SiteInfo = @( + "Type=`"Site`"" + "ForestName=`"$($DC.Forest)`"" + "Site=`"$($Object.CN)`"" + "Location=`"$Location`"" + "IntersiteTopologyGenerator=`"$($ISTG.HostName)`"" +) +$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" } +$SiteLinks | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" } +$Subnets | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" } +Write-Output ($SiteInfo -join " ") +# +######################################################################## +# +# SITELINK +# +$SiteLinks | %{ + # These values are not stored in the object unless you change them + $cost = if ($_.Cost -eq $null) { 100 } else { $_.Cost } + $options = if ($_.options -eq $null) { 0 } else { $_.options } + $replInterval = if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 } + $notifications = if ($options -band 0x01) { "True" } else { "False" } + $reciprocal = if ($options -band 0x02) { "True" } else { "False" } + $compression = if ($options -band 0x04) { "False" } else { "True" } + + $SiteLink 
= @( + "Type=`"SiteLink`"" + "ForestName=`"$($DC.Forest)`"" + "Name=`"$($_.Name)`"" + "Cost=`"$($_.Cost)`"" + "DataCompressionEnabled=$compression" + "NotificationEnabled=$notifications" + "ReciprocalReplicationEnabled=$reciprocal" + "TransportType=$($_.InterSiteTransportProtocol)" + "ReplicationIntervalSecs=$replInterval" + ) + Write-Output ($SiteLink -join " ") +} + +$Subnets | Foreach-Object { + $Subnet = @( + "Type=`"Subnet`"" + "ForestName=`"$($DC.Forest)`"" + "Name=`"$($_.Name)`"" + "Site=`"$($Site.Name)`"" + "Location=`"$($_.Location)`"" + ) + Write-Output ($Subnet -join " ") +} diff --git a/apps/Splunk_TA_windows/bin/powershell/dns-health.ps1 b/apps/Splunk_TA_windows/bin/powershell/dns-health.ps1 new file mode 100644 index 00000000..a996c57b --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/dns-health.ps1 
@@ -0,0 +1,114 @@ +# +# Determine the health and statistics of this Microsoft DNS Server +# +$Output = New-Object System.Collections.ArrayList +$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz' +write-host -NoNewline ""$Date + +# Name of Server +$ServerName = $env:ComputerName +write-host -NoNewline ""Server=`"$ServerName`" + +# +# Windows Version and Build # +# +$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion" +$OS = $WindowsInfo.GetValue("ProductName") +$OSSP = $WindowsInfo.GetValue("CSDVersion") +$WinVer = $WindowsInfo.GetValue("CurrentVersion") +$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber") +$OSVER = "$WinVer ($WinBuild)" + +write-host -NoNewline ""OperatingSystem=`"$OS`" +write-host -NoNewline ""ServicePack=`"$OSSP`" +write-host -NoNewline ""OSVersion=`"$OSVER`" + +# +# Required Processes Running +# DNS Dnscache w32time +# +$RequiredServices = @( "DNS", "Dnscache", "w32time" ) +$srvr = @() +$srvnr = @() +foreach ($srv in $RequiredServices) { + $status = (Get-Service $srv).Status + if ($status -eq "Running") { + $srvr += $srv + } else { + $srvnr += $srv + } +} + +$ProcsOK = "False" +if ($srvnr.Count -eq 0) { + $ProcsOK = "True" +} + +$ServicesRunning = [string]::join(',', $srvr) +$ServicesNotRunning = [string]::join(',', $srvnr) +write-host -NoNewline ""ServicesRunning=`"$ServicesRunning`" ServicesNotRunning=`"$ServicesNotRunning`" ProcsOK=`"$ProcsOK`" + +# +# Settings for this DNS Server +# +$dnsInfo = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Server -ComputerName $ServerName + +# See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682725(v=vs.85).aspx for details +write-host -NoNewline "" Name=`"$($dnsInfo.Name)`" +write-host -NoNewline "" Version=`"$($dnsInfo.Version)`" +write-host -NoNewline "" LogLevel=`"$($dnsInfo.LogLevel)`" +write-host -NoNewline "" LogFilePath=`"$($dnsInfo.LogFilePath)`" +write-host -NoNewline "" LogFileMaxSize=`"$($dnsInfo.LogFileMaxSize)`" +write-host -NoNewline "" 
LogIPFilterList=`"$($dnsInfo.LogIPFilterList)`" +write-host -NoNewline "" EventLogLevel=`"$($dnsInfo.EventLogLevel)`" +write-host -NoNewline "" RpcProtocol=`"$($dnsInfo.RpcProtocol)`" +write-host -NoNewline "" NameCheckFlag=`"$NameCheckFlag`" +write-host -NoNewline "" AddressAnswerLimit=`"$($dnsInfo.AddressAnswerLimit)`" +write-host -NoNewline "" RecursionRetry=`"$($dnsInfo.RecursionRetry)`" +write-host -NoNewline "" RecursionTimeout=`"$($dnsInfo.RecursionTimeout)`" +write-host -NoNewline "" DsPollingInterval=`"$($dnsInfo.DsPollingInterval)`" +write-host -NoNewline "" DsTombstoneInteval=`"$($dnsInfo.DsTombstoneInteval)`" +write-host -NoNewline "" MaxCacheTTL=`"$($dnsInfo.MaxCacheTTL)`" +write-host -NoNewline "" MaxNegativeCacheTTL=`"$($dnsInfo.MaxNegativeCacheTTL)`" +write-host -NoNewline "" SendPort=`"$($dnsInfo.SendPort)`" +write-host -NoNewline "" XfrConnectTimeout=`"$($dnsInfo.XfrConnectTimeout)`" +write-host -NoNewline "" BootMethod=`"$($dnsInfo.BootMethod)`" +write-host -NoNewline "" AllowUpdate=`"$($dnsInfo.AllowUpdate)`" +write-host -NoNewline "" UpdateOptions=`"$($dnsInfo.UpdateOptions)`" +write-host -NoNewline "" DsAvailable=`"$($dnsInfo.DsAvailable)`" +write-host -NoNewline "" DisableAutoReverseZones=`"$($dnsInfo.DisableAutoReverseZones)`" +write-host -NoNewline "" AutoCacheUpdate=`"$($dnsInfo.AutoCacheUpdate)`" +write-host -NoNewline "" NoRecursion=`"$($dnsInfo.NoRecursion)`" +write-host -NoNewline "" RoundRobin=`"$($dnsInfo.RoundRobin)`" +write-host -NoNewline "" LocalNetPriority=`"$($dnsInfo.LocalNetPriority)`" +write-host -NoNewline "" StrictFileParsing=`"$($dnsInfo.StrictFileParsing)`" +write-host -NoNewline "" LooseWildcarding=`"$($dnsInfo.LooseWildcarding)`" +write-host -NoNewline "" BindSecondaries=`"$($dnsInfo.BindSecondaries)`" +write-host -NoNewline "" WriteAuthorityNS=`"$($dnsInfo.WriteAuthorityNS)`" +write-host -NoNewline "" ForwardDelegations=`"$($dnsInfo.ForwardDelegations)`" +write-host -NoNewline "" 
SecureResponses=`"$($dnsInfo.SecureResponses)`" +write-host -NoNewline "" DisjointNets=`"$($dnsInfo.DisjointNets)`" +write-host -NoNewline "" AutoConfigFileZones=`"$($dnsInfo.AutoConfigFileZones)`" +write-host -NoNewline "" ScavengingInterval=`"$($dnsInfo.ScavengingInterval)`" +write-host -NoNewline "" DefaultRefreshInterval=`"$($dnsInfo.DefaultRefreshInterval)`" +write-host -NoNewline "" DefaultNoRefreshInterval=`"$($dnsInfo.DefaultNoRefreshInterval)`" +write-host -NoNewline "" DefaultAgingState=`"$($dnsInfo.DefaultAgingState)`" +write-host -NoNewline "" EDnsCacheTimeout=`"$($dnsInfo.EDnsCacheTimeout)`" +write-host -NoNewline "" EnableEDnsProbes=`"$($dnsInfo.EnableEDnsProbes)`" +write-host -NoNewline "" EnableDnsSec=`"$($dnsInfo.EnableDnsSec)`" +write-host -NoNewline "" ForwardingTimeout=`"$($dnsInfo.ForwardingTimeout)`" +write-host -NoNewline "" IsSlave=`"$($dnsInfo.IsSlave)`" +write-host -NoNewline "" EnableDirectoryPartitions=`"$($dnsInfo.EnableDirectoryPartitions)`" +write-host -NoNewline "" Started=`"$($dnsInfo.Started)`" +write-host -NoNewline "" StartMode=`"$($dnsInfo.StartMode)`" +write-host -NoNewline "" Status=`"$($dnsInfo.Status)`" + +foreach ($ip in $dnsInfo.Forwarders) { + write-host -NoNewline "" Forwarder=`"$ip`" +} +foreach ($ip in $dnsInfo.ServerAddresses) { + write-host -NoNewline "" ServerAddress=`"$ip`" +} +foreach ($ip in $dnsInfo.ListenAddresses) { + write-host "" ListenAddress=`"$ip`" +} diff --git a/apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1 b/apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1 new file mode 100644 index 00000000..5beadae3 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1 
@@ -0,0 +1,79 @@ +# +# DNS Zone Information +# +function Get-WmiCount($a) { + if ($a -eq $Null) { + $cnt = 0 + } elseif ($a.GetType().Name -eq "ManagementObject") { + $cnt = 1 + } else { + $cnt = $a.Length + } + + $cnt +} + +function Output-Zoneinfo($Zone) { + #$Output = New-Object System.Collections.ArrayList + $Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz' + write-host -NoNewline $Date Zone=`"$($Zone.Name)`" Aging=`"$($Zone.Aging)`" AllowUpdate=`"$($Zone.AllowUpdate)`" AutoCreated=`"$($Zone.AutoCreated)`" AvailForScavengeTime=`"$($Zone.AvailForScavengeTime)`" Caption=`"$($Zone.Caption)`" ContainerName=`"$($Zone.ContainerName)`" DataFile=`"$($Zone.DataFile)`" DnsServerName=`"$($Zone.DnsServerName)`" DsIntegrated=`"$($Zone.DsIntegrated)`" ForwarderSlave=`"$($Zone.ForwarderSlave)`" ForwarderTimeout=`"$($Zone.ForwarderTimeout)`" LastSuccessfulSoaCheck=`"$($Zone.LastSuccessfulSoaCheck)`" LastSuccessfulXfr=`"$($Zone.LastSuccessfulXfr)`" NoRefreshInterval=`"$($Zone.NoRefreshInterval)`" Notify=`"$($Zone.Notify)`" Paused=`"$($Zone.Paused)`" RefreshInterval=`"$($Zone.RefreshInterval)`" Reverse=`"$($Zone.Reverse)`" SecureSecondaries=`"$($Zone.SecureSecondaries)`" Shutdown=`"$($Zone.Shutdown)`" Status=`"$($Zone.Status)`" UseWins=`"$($Zone.UseWins)`" ZoneType=`"$($Zone.ZoneType)`" + + # Some information on the zone itself - # record by type and total + $ZoneName = $Zone.Name + + $SOA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SOAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $SOAlen = Get-WmiCount($SOA) + write-host -NoNewline ""SOA=$SOAlen + + $NS = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_NSType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $NSlen = Get-WmiCount($NS) + write-host -NoNewline ""NS=$NSlen + + $A = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $Alen = Get-WmiCount($A) + 
write-host -NoNewline ""A=$Alen + + $AAAA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AAAAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $AAAAlen = Get-WmiCount($AAAA) + write-host -NoNewline ""AAAA=$AAAAlen + + $CNAME= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_CNAMEType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $CNAMElen = Get-WmiCount($CNAME) + write-host -NoNewline ""CNAME=$CNAMElen + + $MX = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_MXType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $MXlen = Get-WmiCount($MX) + write-host -NoNewline ""MX=$MXlen + + $SRV = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SRVType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $SRVlen = Get-WmiCount($SRV) + write-host -NoNewline ""SRV=$SRVlen + + $HINFO= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_HINFOType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $HINFOlen = Get-WmiCount($HINFO) + write-host -NoNewline ""HINFO=$HINFOlen + + $TXT = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_TXTType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $TXTlen = Get-WmiCount($TXT) + write-host -NoNewline ""TXT=$TXTlen + + $RR = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_ResourceRecord -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'" + $TotalRecords = Get-WmiCount($RR) + write-host ""TotalRecords=$TotalRecords + +} + +# +# Main Program +# +$ServerName = $env:ComputerName +$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS") +$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone") +$Options = New-Object Management.ObjectGetOptions($Null, [System.TimeSpan]::MaxValue, $True) + +$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options) 
+$Zones = Get-WMIObject -Computer $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone" +$OutputEncoding = [Text.Encoding]::UTF8 +Foreach ($Zone in $Zones) { + Output-ZoneInfo($Zone) +} diff --git a/apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1 b/apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1 new file mode 100644 index 00000000..2e998f27 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1 
@@ -0,0 +1,62 @@ +# ## This script generates WindowsUpdate.Log using Get-WindowsUpdateLog in $SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate +# ## It monitors the WindowsUpdate.log from $SplunkHome\var\log\Splunk_TA_windows\ + +Set-Variable -Name "LogFolder" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate" +Set-Variable -Name "MonitoredLogFile" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate.log" + +if (!(Test-Path -Path $LogFolder )) { + New-Item -ItemType directory -Path $LogFolder +} + +Get-WindowsUpdateLog -LogPath $LogFolder\WindowsUpdate.log + +if (Test-Path $MonitoredLogFile) { + try{ + $currentLastLogLine = Get-Content $MonitoredLogFile | Select-Object -Last 1 + if ($currentLastLogLine -match '\d{4}[-\/]\d{2}[-\/]\d{2} \d{2}:\d{2}:\d{2}\.\d{7}') { + try{ + $currentLastTimestamp = [datetime]::ParseExact($matches[0], 'yyyy-MM-dd HH:mm:ss.fffffff', $null) + $is_timeformate_contain_slash = $false + }catch { + $currentLastTimestamp = [datetime]::ParseExact($matches[0], 'yyyy/MM/dd HH:mm:ss.fffffff', $null) + $is_timeformate_contain_slash = $true + } + if($is_timeformate_contain_slash){ + $newLogs = Get-Content "$LogFolder\WindowsUpdate.log" | Where-Object { $_ -match '\d{4}[-\/]\d{2}[-\/]\d{2} \d{2}:\d{2}:\d{2}\.\d{7}' } | ForEach-Object { + $logTimestamp = [datetime]::ParseExact($matches[0], 'yyyy/MM/dd HH:mm:ss.fffffff', $null) + if ($logTimestamp -gt $currentLastTimestamp) { + $_ + } + } + } + else{ + $newLogs = Get-Content "$LogFolder\WindowsUpdate.log" | Where-Object { $_ -match '\d{4}[-\/]\d{2}[-\/]\d{2} \d{2}:\d{2}:\d{2}\.\d{7}' } | ForEach-Object { + $logTimestamp = [datetime]::ParseExact($matches[0], 'yyyy-MM-dd HH:mm:ss.fffffff', $null) + if ($logTimestamp -gt $currentLastTimestamp) { + $_ + } + } + } + if ($newLogs) { + $newLogs | Set-Content -Path $MonitoredLogFile + # Write-Output "New logs appended to $MonitoredLogFile." + }else { + # Write-Output "No new logs found to append." 
+ exit + } + }else { + # Write-Output "No timestamp matched in the current log file, hence copied file content." + Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile" + } + } + catch { + # Write-Output "Something went wrong, hence copying the entire log file" + Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile" + } +} +else { + # Write-Output "File does not exist, hence copied file content." + Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile" +} + +exit diff --git a/apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1 b/apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1 new file mode 100644 index 00000000..fc450e52 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1 
@@ -0,0 +1,170 @@ +# +# Determine the health and statistics of this Active Directory Controller +# +$Output = New-Object System.Collections.ArrayList +$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz' +[void]$Output.Add($Date) + +# Name of Server +$ServerName = $env:ComputerName +[void]$Output.Add("Server=""$ServerName""") +$BSSN = "\\" + $ServerName + +# Domain Information + +$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain() +$WMI_CS = (Get-WmiObject Win32_ComputerSystem) +$WMI_DOMAIN = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN} + +$DomainDNSName = $WMI_CS.Domain +$DomainNetBIOSName = $WMI_DOMAIN.DomainName +$DomainLevel = $S_DS_AD_DOM.DomainMode +[void]$Output.Add("DomainDNSName=`"$DomainDNSName`""); +[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`""); +[void]$Output.Add("DomainLevel=`"$DomainLevel`""); + +# Site Information +$SiteName = $WMI_DOMAIN.ClientSiteName +[void]$Output.Add("Site=`"$SiteName`""); + +# Forest Information +$ForestName = $S_DS_AD_DOM.Forest.Name +$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode +[void]$Output.Add("ForestName=`"$ForestName`""); +[void]$Output.Add("ForestLevel=`"$ForestLevel`""); + +# Domain Controller Flags +$IsRO = "False" +$IsEnabled = "False" +$IsGC = "False" +$USN = "Unknown" +$MyName = ($env:ComputerName + "." 
+ $DomainDNSName).ToLower() +if ($WMI_DOMAIN.Status -eq "OK") { + $MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() } + if ($MyDC) { + if ($MyDC.IsGlobalCatalog()) { + $IsGC = "True" + } + $USN = $MyDC.HighestCommittedUsn + $IsEnabled = "True" + + $entry = $MyDC.getDirectoryEntry() + [void]$Output.Add("Created=`"$($entry.whenCreated)`"") + [void]$Output.Add("Changed=`"$($entry.whenChanged)`"") + + $DN = $entry.Path + $ServerEntry = [ADSI]"$DN" + $ServerEntry.GetInfoEx(@("msDS-IsRODC"),0) + $IsRO = $ServerEntry."msDS-IsRODC" + } +} +[void]$Output.Add("GlobalCatalog=`"$IsGC`"") +[void]$Output.Add("RODC=`"$IsRO`"") +[void]$Output.Add("Enabled=`"$IsEnabled`"") +[void]$Output.Add("HighestUSN=`"$USN`"") + +$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters" +$SchemaVersion = $SchemaInfo.GetValue("Schema Version") +[void]$Output.Add("SchemaVersion=$SchemaVersion") + +$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters" +$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null) +if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") { + $DCWeight = 100 # This is the default value +} +[void]$Output.Add("DCWeight=$DCWeight") + +$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName } + +# Is this host a BridgeHead Server? 
+# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly) + +# Is this host a Intersite Topology Generator +if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) { + [void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"") +} else { + [void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"") +} + + +# +# Windows Version and Build # +# +$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion" +$OS = $WindowsInfo.GetValue("ProductName") +$OSSP = $WindowsInfo.GetValue("CSDVersion") +$WinVer = $WindowsInfo.GetValue("CurrentVersion") +$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber") +$OSVER = "$WinVer ($WinBuild)" + +[void]$Output.Add("OperatingSystem=""$OS""") +[void]$Output.Add("ServicePack=""$OSSP""") +[void]$Output.Add("OSVersion=""$OSVER""") + +# +# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC) +# +$aFSMO = @() +if ($MyDC -and $MyDC.Roles) { + foreach ($role in $MyDC.Roles) { + switch ($role) { + "SchemaRole" { $aFSMO += "Schema" } + "NamingRole" { $aFSMO += "DomainNaming" } + "InfrastructureRole" { $aFSMO += "Infrastructure" } + "PdcRole" { $aFSMO += "PDCEmulator" } + "RidRole" { $aFSMO += "RIDMaster" } + } + } +} +$FSMORoles = [string]::join(' ', $aFSMO) +[void]$Output.Add("FSMORoles=""$FSMORoles""") + +# +# Required Processes Running +# FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV +# +$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" ) +$srvr = @() +$srvnr = @() +foreach ($srv in $RequiredServices) { + $status = (Get-Service $srv).Status + if ($status -eq "Running") { + $srvr += $srv + } else { + $srvnr += $srv + } +} +# Note that the only case that ProcsOK == True is when there is ONE service +# that isn't running - You need one replication services (ntfrs or 
dfsr) but +# not both +$ProcsOK = "False" +if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) { + $ProcsOK = "True" +} +$ServicesRunning = [string]::join(',', $srvr) +$ServicesNotRunning = [string]::join(',', $srvnr) +[void]$Output.Add("ServicesRunning=""$ServicesRunning""") +[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""") +[void]$Output.Add("ProcsOK=""$ProcsOK""") + +# +# Look for Common Problems +# SYSVOL is shared out +# DC is registered in DNS +# +$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" }) +if ($SysvolShare) { + [void]$Output.Add("SYSVOLShare=""True""") +} else { + [void]$Output.Add("SYSVOLShare=""False""") +} + +$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName)) +if ($DNSEntry) { + [void]$Output.Add("DNSRegister=""True""") +} else { + [void]$Output.Add("DNSRegister=""False""") +} + +# Output the final string +Write-Host ($output -join " ") diff --git a/apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1 b/apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1 new file mode 100644 index 00000000..54e90897 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1 
@@ -0,0 +1 @@ +## Global Variables ## $DomainControllerName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name ## Functions ## function Get-ADSite { [CmdletBinding( ConfirmImpact="Low", DefaultParameterSetName="Name" )] Param ( [Parameter(Mandatory=$true,Position=0,ValueFromPipeline=$true,ParameterSetName="Name")] [ValidateNotNullOrEmpty()] [string] $Name, [Parameter(Mandatory=$true,ParameterSetName="All")] [switch] $All, [Parameter(Mandatory=$true,ParameterSetName="Current")] [switch] $Current, [Parameter(Mandatory=$true,ParameterSetName="ByIPAddress")] [System.Net.IPAddress] $IPAddress, [Parameter(Mandatory=$false)] [ValidateScript({ if (-not $_.Contains(".")) { throw "The Name must be a FQDN" } return $true })] [string] $Server ) begin { $script:ctx = $null try { if (-not $Server) { $script:Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name $script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server) } else { $script:Server = $Server $script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server) } } catch [Exception] { Write-Error $_ return } } process { $site = $null try { switch ($pscmdlet.ParameterSetName) { "name" { [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($script:ctx, $name) } } } catch [Exception] { Write-Error -Exception $_.Exception -Message "Could not get the site / sites" } } end { } } function GetSingleDomainController { param( [Parameter(Mandatory=$true)] [ValidateScript({ if (-not $_.Contains(".")) { throw "The Name must be a FQDN" } return $true })] [string] $DomainControllerName ) $rootDSE = [adsi]"LDAP://$script:server/rootDSE" $ds = New-Object System.DirectoryServices.DirectorySearcher $ds.SearchRoot = "LDAP://$script:server/CN=Sites,$($rootDSE.configurationNamingContext)" $ds.Filter = 
"(&(objectclass=server)(dNSHostName=$DomainControllerName))" try { $serverDn = $ds.FindOne().GetDirectoryEntry().DistinguishedName.Value $siteDn = $serverDn.Substring($serverDn.IndexOf("CN=Servers") + 11, $serverDn.IndexOf("CN=Sites") - ($serverDn.IndexOf("CN=Servers") + 12)) $siteName = $siteDn.Substring(3) } catch [Exception] { throw "Could not find domain controller in $($ds.SearchRoot.DistinguishedName): $($_.Exception.Message)" } try { $dc = (Get-ADSite -Name $siteName -Server $script:Server).Servers | Where-Object { $_.Name -eq $DomainControllerName } if (-not $dc) { throw "The server $DomainControllerName cannot be found" } $dc } catch [Exception] { throw "Cannot read servers from site $siteName : ($_.Exception.Message)" } } function Get-Type { param( [Parameter(Position=0,Mandatory=$true)] [string] $GenericType, [Parameter(Position=1,Mandatory=$true)] [string[]] $T ) $Types = $T -as [type[]] try { $generic = [type]($GenericType + '`' + $Types.Count) $generic.MakeGenericType($Types) } catch [Exception] { throw New-Object System.Exception("Cannot create generic type", $_.Exception) } } function Get-ADReplicationLink { [CmdletBinding()] param( [Parameter(Mandatory=$true,ParameterSetName="AllDCsInSite",ValueFromPipelineByPropertyName=$true)] [string] $SiteName, [Parameter(Mandatory=$true,ParameterSetName="AllDCsInForest")] [switch] $AllDCsInForest, [Parameter(Mandatory=$true,ParameterSetName="AllDCsInDomain")] [switch] $AllDCsInDomain, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)] [ValidateScript({ if (-not $_.Contains(".")) { throw "The Name must be a FQDN" } return $true })] [string] $DomainName, [Parameter(Position=0,Mandatory=$false,ValueFromPipelineByPropertyName=$true,ParameterSetName="DcByName")] [ValidateScript({ if (-not $_.Contains(".")) { throw "The Name must be a FQDN" } return $true })] [Alias("DCName")] [string[]] $DomainControllerName, [Parameter(Position=0,Mandatory=$false,ValueFromPipelineByPropertyName=$true)] 
[Alias("NC")] [string] $NamingContext, [Parameter(Mandatory=$false)] [switch] $ErrorsOnly, [Parameter(Mandatory=$false)] [string] $Server ) begin { $global:tempDestinationServer = $null $script:ctx = $null try { if (-not $Server) { $script:Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name $script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server) $script:serverObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController() } else { $script:Server = $Server $script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server) $script:serverObject = GetSingleDomainController -DomainControllerName $Server } } catch [Exception] { Write-Error $_ return } } process { $dcList = New-Object System.Collections.ArrayList foreach ($DomainController in $DomainControllerName) { [Void]$dcList.Add((GetSingleDomainController -DomainControllerName $DomainController)) } foreach ($dc in $dcList) { foreach ($partition in $dc.Partitions) { $repNeighbors = $dc.GetReplicationNeighbors($partition) if ($ErrorsOnly) { $repNeighbors = $repNeighbors | Where-Object { $_.LastSyncResult -ne 0 } } foreach ($repNeighbor in $repNeighbors) { $repInfo = New-Object (Get-Type -GenericType System.Collections.Generic.List -T System.Management.Automation.PSObject) $repNeighbor = $repNeighbor | Add-Member -MemberType NoteProperty -Name DestinationServer -Value $dc.Name -PassThru $repInfo.Add([psobject]$repNeighbor) $repInfo | ForEach-Object { $repl = new-object System.Collections.ArrayList $currtime = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz' $repltime = get-date -format "yyyy-MM-dd HH:mm:ss zzz" -date $($_.LastAttemptedSync) [void]$repl.add($currtime); [void]$repl.add("LastAttemptedSync=`"$repltime`"") [void]$repl.add("type=`"ReplicationEvent`"") [void]$repl.add("usn=$($_.UsnLastObjectChangeSynced)") 
[void]$repl.add("src_host=`"$($_.SourceServer)`"") [void]$repl.add("Result=`"$($_.LastSyncResult)`"") [void]$repl.add("transport=`"$($_.TransportType)`"") [void]$repl.add("naming_context=`"$($repNeighbor.PartitionName)`"") Write-Host ($repl -join " ") } } } } } end { } } ## Call The functions ## Get-ADReplicationlink $DomainControllerName diff --git a/apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1 b/apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1 new file mode 100644 index 00000000..1bb0f5b9 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1 
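Review bot: In the Get-ADReplicationLink script above, the `catch` after the `Get-ADSite` lookup throws `"Cannot read servers from site $siteName : ($_.Exception.Message)"`, which is missing the `$` subexpression operator before `(`; as written, `$_` expands on its own and the text `.Exception.Message` is emitted literally, so the operator's error never shows the underlying message. Change it to `$($_.Exception.Message)`, the form already used by the first `catch` in the same function. Also, `$global:tempDestinationServer` is assigned in `begin` and never read; drop it.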
@@ -0,0 +1,41 @@ +# +# Determine and output information about the Site the server is a member of +# + +$ServerName = $env:ComputerName +$BSSN = "\\" + $ServerName +$WMI_DOMAIN = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN} +$SiteName = $WMI_DOMAIN.ClientSiteName +$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name + +$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz' +$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName } +$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name + + +write-host $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline +$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline } +write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline +$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline } +$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline } + +write-host #Needed to print a newline for next object + +# +# Output Information about Site Links in this site +# +$SiteInfoObj.SiteLinks | Foreach-Object { + write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine + foreach ($site in $_.Sites) { + write-host ""Site=`"$($site.Name)`" -NoNewLine + } +} +Write-Host #similar to above + +# +# Output Information about Subnets in this site +# + +$SiteInfoObj.Subnets | Foreach-Object { + write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`" +} 
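Review bot: In `nt6-siteinfo.ps1`, the AdjacentSite, IntersiteTopologyGenerator and Site fields are written with no separator from the preceding field. Because every `write-host` here uses `-NoNewline`, its output is appended directly to the previous call's output; only the SiteLink and Subnet lines pass a leading `""` argument, which `write-host` joins with a space. The `write-host ""Site=...` line in the SiteLinks loop does not help either, since `""Site=` is parsed as one concatenated argument. Use `write-host "" Site=...` (with the space) on all three lines so the key=value pairs stay separable for field extraction.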
diff --git a/apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1 b/apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1 new file mode 100644 index 00000000..f92ad9ae --- /dev/null +++ b/apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1 @@ -0,0 +1,5 @@ +## This script fetches the Windows machine BIOS data using Get-WmiObject cmdlet + +$bios_data = Get-WmiObject -class win32_bios | format-list -property * | Out-String +$bios_data = $bios_data.Trim() +$bios_data -replace '(.*?)\s:(.*)', '$1 = $2' diff --git a/apps/Splunk_TA_windows/bin/runpowershell.cmd b/apps/Splunk_TA_windows/bin/runpowershell.cmd new file mode 100644 index 00000000..2118a5d9 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/runpowershell.cmd @@ -0,0 +1,14 @@ +@ECHO OFF + +:: ###################################################### +:: # +:: # Splunk for Microsoft Windows +:: # +:: # Copyright (C) 2021 Splunk, Inc. +:: # All Rights Reserved +:: # +:: ###################################################### + +set SplunkApp=Splunk_TA_windows + +%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'" diff --git a/apps/Splunk_TA_windows/bin/user_account_control_property.py b/apps/Splunk_TA_windows/bin/user_account_control_property.py new file mode 100644 index 00000000..0a891c5e --- /dev/null +++ b/apps/Splunk_TA_windows/bin/user_account_control_property.py 
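Review bot: In `runpowershell.cmd`, `%1` is spliced verbatim into the single-quoted PowerShell path, so an argument containing a quote or a directory component changes which file gets dot-sourced. The argument is meant to be a bare script name from `inputs.conf`; expanding it as `%~nx1` (file name and extension only, surrounding quotes stripped) confines execution to `bin\powershell` regardless of how a stanza is written.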
@@ -0,0 +1,112 @@ +# +# SPDX-FileCopyrightText: 2024 Splunk, Inc. +# SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +# +# +import csv +import sys +import log +import logging + +# Map for possible property flags +property_flags = { + "1": "SCRIPT", + "2": "ACCOUNTDISABLE", + "8": "HOMEDIR_REQUIRED", + "16": "LOCKOUT", + "32": "PASSWD_NOTREQD", + "64": "PASSWD_CANT_CHANGE", + "128": "ENCRYPTED_TEXT_PWD_ALLOWED", + "256": "TEMP_DUPLICATE_ACCOUNT", + "512": "NORMAL_ACCOUNT", + "2048": "INTERDOMAIN_TRUST_ACCOUNT", + "4096": "WORKSTATION_TRUST_ACCOUNT", + "8192": "SERVER_TRUST_ACCOUNT", + "65536": "DONT_EXPIRE_PASSWORD", + "131072": "MNS_LOGON_ACCOUNT", + "262144": "SMARTCARD_REQUIRED", + "524288": "TRUSTED_FOR_DELEGATION", + "1048576": "NOT_DELEGATED", + "2097152": "USE_DES_KEY_ONLY", + "4194304": "DONT_REQ_PREAUTH", + "8388608": "PASSWORD_EXPIRED", + "16777216": "TRUSTED_TO_AUTH_FOR_DELEGATION", + "67108864": "PARTIAL_SECRETS_ACCOUNT", +} + + +def main(): + + logger = log.Log().get_logger("user_account_control_property") + logger.info("Lookup script started executing..") + + # prints usage of the lookup script if wrong number of arguments provided + if len(sys.argv) != 3: + logger.debug( + "Usage: python user_account_control_property.py [userAccountControl] [userAccountPropertyFlag]" + ) + logger.debug("Lookup script stopped..") + sys.exit(1) + + # Lookup Field names + userAccountControl = sys.argv[1] + userAccountPropertyFlag = sys.argv[2] + + infile = sys.stdin + outfile = sys.stdout + + r = csv.DictReader(infile) + + w = csv.DictWriter(outfile, fieldnames=r.fieldnames) + + w.writeheader() + + # Decode flags for every 'userAccountControl' attribute value present in a search result + for result in r: + try: + if result[userAccountControl].isdigit(): + attribute_value = int(result[userAccountControl]) + bit_cnt = 0 + incorrect_result_flag = False + flags = list() + + # Prepare flag list by decoding 'userAccountcontrol' decimal value + # As 'userAccountControl' is 
decimal value, For each bit set to '1' a property flag can be denoted by using 'property_flags' map given above + while attribute_value != 0: + if attribute_value & 1 == 1: + flags.append(str(1 << bit_cnt)) + attribute_value = attribute_value >> 1 + bit_cnt += 1 + + # If flag not present in 'property_flags' map, The 'userAccountPropertyFlag' won't be populated in search result + for flag in flags: + if flag not in list(property_flags.keys()): + logger.debug( + "'userAccountControl' attribute can not be decoded for value: {}".format( + result[userAccountControl] + ) + ) + incorrect_result_flag = True + break + if incorrect_result_flag: + continue + else: + for flag in flags: + result[userAccountPropertyFlag] = property_flags[flag] + w.writerow(result) + else: + logger.debug( + "'userAccountControl' attribute can not be decoded for value: {}".format( + result[userAccountControl] + ) + ) + except: + logger.debug( + "No results for 'userAccountControl' attribute value :{}".format( + result[userAccountControl] + ) + ) + + +if __name__ == "__main__": + main() diff --git a/apps/Splunk_TA_windows/bin/win_installed_apps.bat b/apps/Splunk_TA_windows/bin/win_installed_apps.bat new file mode 100644 index 00000000..2a233ea4 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/win_installed_apps.bat 
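Review bot: The bare `except:` in `main()` of `user_account_control_property.py` cannot handle the most likely failure: when the `userAccountControl` column is absent from the input CSV, `result[userAccountControl]` raises `KeyError`, and the handler raises it again while formatting its log message, so the lookup aborts instead of logging. Catch `KeyError` and `ValueError` explicitly and use `result.get(userAccountControl)` in the message. Separately, any bit not in `property_flags` (the table omits `33554432` NO_AUTH_DATA_REQUIRED and `134217728` USE_AES_KEYS) sets `incorrect_result_flag` and drops the whole row, so an account carrying such a bit disappears from the lookup output even though its other flags (DONT_REQ_PREAUTH, for example) decode fine; emit the known flags and log only the unknown bit.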
@@ -0,0 +1,67 @@ +@echo off +REM -------------------------------------------------------- +REM Copyright (C) 2021 Splunk Inc. All Rights Reserved. +REM -------------------------------------------------------- + +setlocal EnableDelayedExpansion + +REM For each app key, print out the name of the app and any parameters under the entry +for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72) + +REM Do the same as above but with 32-bit apps, first checking if the key exists +reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1 +if %ERRORLEVEL% EQU 0 ( + for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84) +) + +goto :eof + +:output_reg + + + REM Echo an empty line to indicate that this is a new entry + @echo. + + REM Get the current date and time into into a variable + for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j + set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6% + + REM Print out the date & time + @echo %date_time% + + REM Add the enumerated key + @echo Installed application enumerated from %1 + + REM Get the name of the app from the last segment in the registry path + set app_name=%1 + + REM Strips out the first x characters (from input) of the path in order to get just the app name + set "app_name=!app_name:~%2%,150!" + + REM Strip the last quote + set "app_name=!app_name:~0,-1!" 
+ + REM Store a count value so that we can avoid printing the first entry + set count=0 + + REM This variable determines if the display name was found + set display_name_found=0 + + REM Now get the sub-keys + for /F "tokens=1,2*" %%A in ('reg query %1') do ( + set /a count+=1 + + REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j +set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6% + +REM Get the Tasklist command output and store array with pid and processname +for /f "tokens=1,2 delims=," %%T in ('tasklist /nh /fo csv') do ( + set topic[%%~U]=%%~T +) + +REM Get the list of open ports by running netstat and filtering the results to those that contain actual ports (dropping the header) +for /f "tokens=*" %%A in ('netstat -nao ^| findstr /r "LISTENING"') do ( + set "line=%%A" + REM Replace % with %% + set "line=!line:%%=%%%%!" + call :output_ports "!line!" +) +goto :eof + +:output_ports + REM Parse the ports list + for /f "tokens=1,2,4,5 delims= " %%A in (%1) do ( + set protocol=%%A + set dest=%%B + set status=%%C + set pid=%%D + set appname=!topic[%%D]! + ) + + REM Skip the header + if "!protocol!"=="Proto" goto :eof + if "!protocol!"=="Active" goto :eof + + REM Condition to ckeck IPv6 address + if "!dest:~0,1!"=="[" ( + for /f "tokens=1,2 delims=]" %%Q in ("!dest!") do ( + set full_ipv6=%%Q + set full_ipv6=!full_ipv6:~1! + set dest_ip=[!full_ipv6!] 
+ set dest_port_temp=%%R + REM Below block is to remove leading ':' from dest_port_temp + for /f "tokens=1* delims=:" %%X in ("!dest_port_temp!") do ( + set dest_port=%%X + ) + ) + ) else ( + for /f "tokens=1,2 delims=:" %%F in ("!dest!") do ( + set dest_ip=%%F + set dest_port=%%G + ) + ) + + REM Replace the dest IP with the empty IP range if necessary + if "!dest_ip!"=="[" set dest_ip=[::] + + REM Print out the result + echo %date_time% transport=%protocol% dest_ip=%dest_ip% dest_port=%dest_port% pid=!pid! appname=%appname% diff --git a/apps/Splunk_TA_windows/bin/win_timesync_configuration.bat b/apps/Splunk_TA_windows/bin/win_timesync_configuration.bat new file mode 100644 index 00000000..f9c901e3 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/win_timesync_configuration.bat @@ -0,0 +1,21 @@ +@echo off +REM -------------------------------------------------------- +REM Copyright (C) 2021 Splunk Inc. All Rights Reserved. +REM -------------------------------------------------------- + +setlocal EnableDelayedExpansion + +REM Get the time service configuration and timezone. + +REM Get the date & time +for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j +set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6% + +REM Print the date and time. This will be the timestamp of the event. +echo Current time: %date_time% + +REM Print the Windows time service configuration +w32tm /query /configuration /verbose + +REM Print the Windows time zone information +w32tm /tz diff --git a/apps/Splunk_TA_windows/bin/win_timesync_status.bat b/apps/Splunk_TA_windows/bin/win_timesync_status.bat new file mode 100644 index 00000000..76c214a5 --- /dev/null +++ b/apps/Splunk_TA_windows/bin/win_timesync_status.bat 
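Review bot: `netstat -nao ^| findstr /r "LISTENING"` in `win_listening_ports.bat` returns TCP sockets only, because UDP lines in `netstat` output carry no state column, so bound UDP ports are never reported by this input. If UDP listeners are in scope, run `netstat -nao -p udp` as well; those lines have four tokens (the PID lands in token 4 with the current `tokens=1,2,4,5` split), so they need a separate parsing branch in `:output_ports`.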
@@ -0,0 +1,28 @@ +@echo off +REM -------------------------------------------------------- +REM Copyright (C) 2021 Splunk Inc. All Rights Reserved. +REM -------------------------------------------------------- + +setlocal EnableDelayedExpansion + +REM Get the last current time synchronization status +REM +REM Example: +REM +REM Successful sync: +REM Last Successful Sync Time: 1/22/2014 12:06:43 PM +REM Unsuccessful sync: +REM Last Successful Sync Time: unspecified + +REM Get the date & time +for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j +set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6% + +REM Print the date and time. This will be the timestamp of the event. +echo Current time: %date_time% + +REM Print the Windows time service status +w32tm /query /status /verbose + +REM Print the time zone +w32tm /tz diff --git a/apps/Splunk_TA_windows/default/app.conf b/apps/Splunk_TA_windows/default/app.conf new file mode 100644 index 00000000..245d68c3 --- /dev/null +++ b/apps/Splunk_TA_windows/default/app.conf @@ -0,0 +1,29 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## + +[install] +is_configured = false +state = enabled +build = 1731337684 + +[ui] +is_visible = false +label = Splunk Add-on for Microsoft Windows +docs_section_override = AddOns:released + +[launcher] +author = Splunk, Inc. +version = 9.0.1 +description = Splunk Add-on for Microsoft Windows + +[package] +id = Splunk_TA_windows +check_for_updates = true + +[id] +name = Splunk_TA_windows +version = 9.0.1 + diff --git a/apps/Splunk_TA_windows/default/data/ui/views/microsoft_windows_dashboard.xml b/apps/Splunk_TA_windows/default/data/ui/views/microsoft_windows_dashboard.xml new file mode 100644 index 00000000..b0223ec4 --- /dev/null 
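Review bot: All four `.bat` inputs above (`win_installed_apps.bat`, `win_listening_ports.bat`, `win_timesync_configuration.bat`, `win_timesync_status.bat`) take their timestamp from `wmic os get LocalDateTime`. WMIC is deprecated and is no longer installed by default on current Windows 11 releases; on such hosts the `2^>nul` swallows the error, `date_time` stays empty and every event is emitted without a timestamp, so Splunk falls back to index time. Consider `powershell -command "Get-Date -Format yyyy-MM-dd HH:mm:ss.fff"` or `%DATE% %TIME%` as a fallback when the `wmic` loop leaves `date_time` undefined.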
+++ b/apps/Splunk_TA_windows/default/data/ui/views/microsoft_windows_dashboard.xml @@ -0,0 +1,221 @@ + + +
+ +
+ + + + -4h@m + now + + + + + index + index + + | eventcount summarize=false index=* | dedup index | table index + -24h@h + now + + main + + + + All + * + host + host + + | tstats count where index=$index_name$ by host + | table host + 0 + + + + + + All + * + sourcetype + sourcetype + + | tstats count where index=$index_name$ AND host IN ($host_name$) AND + sourcetype IN ("PerfmonMk:*", "Perfmon:*", "MSAD:*", "WindowsUpdateLog", "WMI:*","WinEventLog","Script:NetworkConfiguration", "Script:TimesyncConfiguration", "ActiveDirectory", "WinHostMon", "WinRegistry", "Script:InstalledApps", "DhcpSrvLog", "wmi", "Script:ListeningPorts", "XmlWinEventLog:*", "host::WinEventLogForwardHost", "WinEventLog:*", "Script:TimesyncStatus", "XmlWinEventLog","powershell", "WinRegMon", "admon", "WinNetMon", "WinPrintMon", "win:bios") AND NOT sourcetype IN ("winEventLog:*", "xmlWinEventLog:*") by sourcetype + | table sourcetype + 0 + + + + + + All + * + source + source + + | tstats values(source) where index=$index_name$ AND sourcetype IN ($sourcetype_token$) AND host IN ($host_name$) AND source IN ("WinEventLog:*", "WMI*", "WinEventLog*", "XmlWinEventLog:*", "*WindowsUpdate.Log", "WMI:WinEventLog*", "Powershell", "service", "processor", "process", "printer", "port","outbound","networkadapter","operatingsystem","inbound", "driver","disk","computer", "roles","WinRegistry", "PerfmonMk:*", "*win_timesync_status.bat","*win_timesync_configuration.bat","*win_listening_ports.bat", "*win_installed_apps.bat", "*netsh_address.bat", "*DHCP" ,"*netlogon.log","*dns.log") by source + | table source + 0 + + + + +
+ + + Windows TA version + + + | rest services/apps/local/Splunk_TA_windows splunk_server=local| fields version + -15m + now + + + + + + + Total number of events + + + index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data | stats count + $log_time.earliest$ + $log_time.latest$ + + + + + + + + + Event count per time span + + + 1 second + 10 seconds + 1 minute + 15 minutes + 30 minutes + 1 hour + 12 hours + 24 hours + 12h + + + + index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| timechart span=$span_time$ count as "Event count" + $log_time.earliest$ + $log_time.latest$ + 5m + delay + + + + + + + + + + Events by Sourcetypes + + + index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| stats count by sourcetype + $log_time.earliest$ + $log_time.latest$ + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Events by Sources + + + index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| stats count by source + $log_time.earliest$ + $log_time.latest$ + + + + + + + + + + + + + + Trends of events by sourcetypes + + + index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| chart sparkline(count) AS "Sourcetypes Trend" count AS Total BY sourcetype + $log_time.earliest$ + $log_time.latest$ + 1 + + + + + + + + + +
+
+ + CIM Supported Events + + Total events mapped with tags + + index=$index_name$ sourcetype IN ($sourcetype_token$) source IN ($source_token$) host IN ($host_name$) eventtype=windows_ta_data| stats count As TotalEvents by tag | table tag, TotalEvents + $log_time.earliest$ + $log_time.latest$ + + + +
+
+
+
diff --git a/apps/Splunk_TA_windows/default/eventtypes.conf b/apps/Splunk_TA_windows/default/eventtypes.conf new file mode 100644 index 00000000..322b91d2 --- /dev/null +++ b/apps/Splunk_TA_windows/default/eventtypes.conf 
@@ -0,0 +1,765 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## + +###### Global Windows Eventtype ###### + +[windows_event_signature] +search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog +#tags = track_event_signatures + +[wineventlog_windows] +search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns +#tags = os windows + +[wineventlog_application] +search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application +#tags = os windows + +[wineventlog_system] +search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System +#tags = os windows + +[wineventlog_security] +search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security +#tags = os windows + +[perfmon_windows] +search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon* +#tags = os windows + +[hostmon_windows] +search = sourcetype=WinHostMon +#tags = os windows + +[hostmon_os] +search = sourcetype=WinHostMon Type=OperatingSystem +#tags = os windows memory performance + +[hostmon_inventory] +search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor) +#tags = os inventory cpu memory + +[hostmon_disk] +search = sourcetype=WinHostMon 
(Type=Disk) +#tags = inventory performance storage + +[netmon_windows] +search = sourcetype=WinNetMon +#tags = os windows + +[printmon_windows] +search = sourcetype=WinPrintMon +#tags = os windows + +[script_windows] +search = sourcetype=Script:* source=*.bat +#tags = os windows + +[wmi_windows] +search = sourcetype=WMI:* +#tags = os windows + +[windowsupdatelog_windows] +search = sourcetype=WindowsUpdateLog +#tags = os windows + +[winregistry_windows] +search = sourcetype=WinRegistry +#tags = os windows endpoint change registry + +[winapp] +search = eventtype=wineventlog_application + +[winsec] +search = eventtype=wineventlog_security +#tags = security + +[winsystem] +search = eventtype=wineventlog_system + + +###### DHCP ###### +[msdhcp] +search = sourcetype=msdhcp +#tags = dhcp network session windows + +[msdhcp_start] +search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13) +#tags = start + +[msdhcp_end] +search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17) +#tags = end + +[DhcpSrvLog] +search = sourcetype=DhcpSrvLog +#tags = windows + +[DhcpSrvLog_dhcp] +search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15) +#tags = dhcp network session + +[DhcpSrvLog_start] +search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11) +#tags = dhcp network session start + +[DhcpSrvLog_end] +search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18) +#tags = dhcp network session end + + +###### Security: Account Logon ###### + +## Authentication Ticket Granted/Failed +## EventCodes 4768, 4772, 672, 676 +[windows_auth_ticket_granted] +search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676) +#tags = authentication + +## Service Ticket Granted/Failed +## EventCodes 4769, 4773, 673, 677 +[windows_service_ticket_granted] +search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677) +#tags = 
authentication + +## Ticket Granted Renewed +## EventCodes 4770, 674 +[windows_ticket_renewed] +search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674) +## tags intentionally left blank +#tags = + +## Pre-authentication failed +## EventCodes 4771, 675 +[windows_pre_auth_failed] +search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675) +#tags = authentication + +## Account Mapped for Logon by +## EventCodes 4774, 678 +[windows_account_mapped] +search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678) +## tags intentionally left blank +#tags = authentication + +## The name: %2 could not be mapped for logon by: %1 +## EventCodes 4775, 679 +[windows_account_notmapped] +search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679) +#tags = authentication + +## Account Used for Logon by +## The domain controller attempted/failed to validate the credentials for an account +## The logon to account: %2 by: %1 from workstation: %3 failed. 
+## EventCodes 4776, 4777, 680, 681 +[windows_account_used4logon] +search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681) +#tags = authentication + +## Session reconnected to winstation +## EventCodes 4778, 682 +[windows_session_reconnected] +search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682) +## tags intentionally left blank +#tags = + +## Session disconnected from winstation +## EventCodes 4779, 683 +[windows_session_disconnected] +search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683) +#tags = access stop logoff + + +###### Security: Account Management ###### +[windows_account_management] +search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR (TaskCategory="User Account Management" AND source!=XmlWinEventLog:Security) ) +#tags = account change management + +## User/Computer Account Created +## EventCodes 4720, 4741, 624, 645 +[windows_account_created] +search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645) +#tags = add account change + + +## User Account Enabled +## EventCodes 4722, 626 +[windows_account_enabled] +search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626) +#tags = enable account change + +## Change Password Attempt +## EventCodes 4723, 627 +[windows_account_password_change] +search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627) +#tags = password modify account change + +## User Account password set +## EventCodes 4724, 628 +[windows_account_password_set] +search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628) +#tags = password modify account change + +## User Account Disabled +## EventCodes 4725, 629 +[windows_account_disabled] +search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629) +#tags = disable account change + +## User/Computer Account Deleted +## EventCodes 4726, 4743, 630, 
647 +[windows_account_deleted] +search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647) +#tags = delete account change + +## User/Computer Account Changed +## EventCodes 4738, 4742, 642, 646, 625 +[windows_account_modified] +search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625) +#tags = modify account change + +## User Account Locked Out +## EventCodes 4740, 644 +[windows_account_lockout] +search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644) +#tags = lock lockout account change + +## User Account Unlocked +## EventCodes 4767, 671 +[windows_account_unlocked] +search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671) +#tags = modify account change + + +###### Security: Audit (Event Log) ###### + +## The event logging service has shut down +## EventCode 1100 +[windows_audit_log_stopped] +search = eventtype=wineventlog_security EventCode=1100 +#tags = stop stopped watchlist + +## Audit events have been dropped by the transport. 
+## The security Log is now full +## The event logging service encountered an error +## EventCodes 1101, 1104, 1108 +[windows_audit_errors] +search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108) +#tags = audit error + +## The audit log was cleared +## EventCodes 1102, 517 +[windows_audit_log_cleared] +search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517) +#tags = audit change delete cleared watchlist + +## Event log automatic backup +## EventCode 1105 +[windows_audit_backup] +search = eventtype=wineventlog_security EventCode=1105 +#tags = audit backup change + +## Logon/Logoff audit logs +## EventCode 4625 +[windows_audit_log_logon] +search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413) +#tags = audit change + + +###### Security: Logon/Logoff ###### + +## User Logoff/User initiated logoff +## EventCodes 4634, 4647, 538, 551 +[windows_logoff] +search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551) +#tags = access stop logoff + +## A logon was attempted using explicit credentials +## EventCodes 4648, 552 +[windows_logon_explicit] +search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552) +#tags = authentication privileged + +## An account failed to log on +## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 +[windows_logon_failure] +search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR 
EventCode=536 OR EventCode=537 OR EventCode=539) +#tags = authentication + +## An account was successfully logged on +## EventCodes 4624, 528, 540 +[windows_logon_success] +search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540) +#tags = authentication + + +###### Security: Object Access ###### + +## Object Open +## EventCodes 4656, 560 +[windows_object_open] +search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560) +#tags = resource file access start + +## Handle Closed +## EventCodes 4658, 562 +[windows_handle_closed] +search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562) +#tags = resource file access stop + + +###### Security: Policy Change ###### + +## Audit Policy Change/The audit policy (SACL) on an object was changed +## EventCodes 4715, 4719, 612 +[windows_audit_policy_change] +search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612) +#tags = policy configuration modify audit change + +## System security access was granted to an account +## EventCodes 4717, 621 +[windows_security_access_granted] +search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621) +#tags = access authorization add change account + +## System security access was removed from an account +## EventCodes 4718, 622 +[windows_security_access_removed] +search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622) +#tags = access authorization delete change account + +## Per User Audit Policy was changed +## EventCodes 4912, 807 +[windows_audit_policy_changed] +search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807) +#tags = policy configuration modify audit change + +## The following policy was active when the Windows Firewall started +## EventCodes 848, 849, 850 +[windows_firewall_policy_active] +search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850) +#tags = application firewall configuration report + +## 
A change has been made to Windows Firewall +## EventCodes 4946, 4947, 4948, 851, 852 +[windows_firewall_policy_change] +search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852) +#tags = application firewall configuration modify + +## The Windows Firewall has detected an application listening for incoming traffic +## EventCodes 4957, 861 +[windows_firewall_port_listening] +search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861) +#tags = application firewall port listening report + + +###### Security: Privilege Use ###### + +## Special privileges assigned to new logon +## EventCodes 4672, 576 +[windows_special_privileges] +search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576) +#tags = authentication privileged + +## Privileged Service Called +## EventCodes 4673, 577 +[windows_privileged_service_call] +search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577) +#tags = process execute start privileged + +## Privileged object operation +## EventCodes 4674, 578 +[windows_privileged_object_operation] +search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578) +#tags = resource execute start privileged + + +###### Security: Process Tracking ###### + +## A new process has been created +## EventCodes 4688, 592 +[windows_process_new] +search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592) +#tags = process execute start + +## A process has exited +## EventCodes 4689, 593 +[windows_process_exit] +search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593) +#tags = process execute stop + +## A process was assigned a primary token +## EventCodes 4696, 600 +[windows_process_token] +search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600) +#tags = process execute start privileged + + +###### Security: System ###### + +## An authentication package has been loaded by the Local Security Authority 
+## EventCodes 4610, 514 +[windows_auth_package] +search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514) +#tags = process execute start + +## A trusted logon process has registered with the Local Security Authority +## EventCodes 4611, 515 +[windows_logon_process] +search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515) +#tags = process authorization add + +## A notification package has been loaded by the Security Account Manager +## EventCodes 4614, 518 +[windows_notification_package] +search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518) +#tags = process execute start + + +###### Security: Vulnerability ###### +## System security domain policy was changed +## EventCode 4739 +[windows_security_misconfiguration_password_minimum_length] +search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7) +#tags = misconfiguration password policy vulnerability report audit change + + +###### System: Time ###### + +## EventCode 35, 37 +[windows_time_sync] +search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success) +#tags = report time synchronize success performance + +## EventCodes 17, 29, 36, 38 +[windows_time_failure] +search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure) +#tags = report time synchronize failure performance + + +###### System: Update ###### +[windows_system_update] +search = eventtype=wineventlog_system "Microsoft-Windows-WindowsUpdateClient" +#tags = system update + +## EventCodes 17, 18, 19 +[windows_system_update_status] +search = eventtype=wineventlog_system "Microsoft-Windows-WindowsUpdateClient" (EventCode=17 OR EventCode=18 OR EventCode=19) +#tags = 
status + +[windows_updatelog] +search = sourcetype=WindowsUpdateLog +#tags = system update + +[windows_updatelog_status] +search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update" +#tags = status + +## WMI:Update +[wmi_installed_packages] +search = sourcetype=WMI:InstalledUpdates +#tags = system update status + + +###### Splunk WMI ###### + +## ComputerSystem +[wmi_computersystem] +search = sourcetype=WMI:ComputerSystem +#tags = performance memory + +## CPUTime +[perfmon_cputime] +search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) +#tags = performance cpu report + +[perfmon_cputime_anomalous] +search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90 +#tags = anomalous + +[wmi_cputime] +search = sourcetype=WMI:CPUTime +#tags = performance cpu report + +[wmi_cputime_anomalous] +search = sourcetype=WMI:CPUTime windows_percent_processor_time>90 +#tags = anomalous + +## System +[perfmon_system] +search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System +#tags = performance cpu report + +## Disk +[perfmon_freediskspace] +search = sourcetype=Perfmon:FreeDiskSpace +#tags = performance storage disk report + +[perfmon_freediskspace_anomalous] +search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10 +#tags = anomalous + +[perfmon_logicaldisk] +search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk +#tags = performance storage disk + +##ProcessorInformation +[perfmon_processorinformation] +search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation) +#tags = performance cpu report process + +[wmi_freediskspace] +search = sourcetype=WMI:FreeDiskSpace +#tags = performance storage disk report + +[wmi_freediskspace_anomalous] +search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10 +#tags = anomalous + +[wmi_logicaldisk] 
+search = sourcetype=WMI:LogicalDisk +#tags = performance storage disk + +## Listening Ports +[script_listeningports] +search = sourcetype=Script:ListeningPorts +#tags = port listening report + +## Local Processes +[wmi_localprocesses] +search = sourcetype=WMI:LocalProcesses +#tags = process report + +[wmi_localprocesses_anomalous] +search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total +#tags = anomalous + +## Memory +[perfmon_memory] +search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory +#tags = performance memory report + +[perfmon_memory_anomalous] +search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600 +#tags = anomalous + +[wmi_memory] +search = sourcetype=WMI:Memory +#tags = performance memory report + +[wmi_memory_anomalous] +search = sourcetype=WMI:Memory windows_mem_free<104857600 +#tags = anomalous + +## Service +[wmi_service] +search = sourcetype=WMI:Service +#tags = service report + +[wmi_service_status_anomalous] +search = sourcetype=WMI:Service Status=* NOT Status=OK +#tags = anomalous + +[wmi_service_state_anomalous] +search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running +#tags = anomalous + +## Network +[perfmon_network] +search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network +#tags = performance network + +[perfmon_network_throughput] +search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *) +#tags = performance network + +[perfmon_network_bandwidth] +search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*) +#tags = performance network + +[wmi_network_throughput] +search = sourcetype=WMI:LocalNetwork BytesTotalPersec=* +#tags = performance network + +[wmi_network_bandwidth] +search = 
sourcetype=WMI:LocalNetwork CurrentBandwidth=* +#tags = performance network + +## Process +[perfmon_process] +search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process +#tags = performance process report + +## Uptime +[wmi_uptime] +search = sourcetype=WMI:Uptime +#tags = performance uptime report + +[wmi_uptime_anomalous] +search = sourcetype=WMI:Uptime windows_uptime>2592000 +#tags = anomalous + +## User Accounts +[wmi_useraccounts] +search = sourcetype=WMI:UserAccounts +#tags = account report inventory user + +## Version +[wmi_version] +search = sourcetype=WMI:Version +#tags = system version report inventory + +[microsoft_windows_hostmon_process] +search = sourcetype=WinHostMon source=process +#tags = process report + +[microsoft_windows_hostmon_service] +search = sourcetype=WinHostMon source=service +#tags = service report + +[microsoft_windows_hostmon_service_time] +search = sourcetype=WinHostMon source=service Name=W32Time +#tags = time synchronize os performance + + +### AD/DNS eventtypes### + +[wineventlog-ds] +search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service" + +[powershell] +search = source=Powershell + +[msad-dc-health] +search = eventtype=powershell sourcetype="MSAD:*:Health" + +[msad-rep-health] +search = eventtype=powershell sourcetype="MSAD:*:Replication" + +[msad-site] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" + +[msad-subnetinfo] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet" + +[msad-sitelinkinfo] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink" + +[msad-siteinfo] +search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site" + +[msad-subnet-affinity] +search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE + +[admon-gpo] +search = eventtype=admon objectCategory="*CN=Group-Policy-Container*" + +[admon-group] +search = eventtype=admon objectCategory="*CN=Group*" + +[admon-computer] +search = eventtype=admon 
objectCategory="*CN=Computer*" + +[admon-user] +search = eventtype=admon objectCategory="*CN=Person*" + +[admon] +search = sourcetype=ActiveDirectory + +[perfmon] +search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*" + +[ad-files] +search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS + +[perfmon-ntds] +search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS") + +[nt6-dns-events] +search = sourcetype=MSAD:NT6:DNS + +[wineventlog-dns] +search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server" + +[msad-dns-zoneinfo] +search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information" + +[msad-dns-health] +search = eventtype=powershell sourcetype="MSAD:*:DNS-Health" + +[msad-dns-debuglog] +search = eventtype=ad-files sourcetype="MSAD:*:DNS" + +[perfmon-dns] +search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS") + +[wineventlog-dfs] +search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication" + +[wineventlog-filereplication] +search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service" + +[wineventlog-keymanagement] +search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service" + +[endpoint_services_processes] +search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog" + +## Endpoint Processes +[windows_endpoint_processes] +search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674) +#tags = process report + +## Endpoint Services +[windows_endpoint_services] +search = (source="WinEventLog:Security" OR 
source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045) +#tags = service report + +## Security-CIM Mappings + +## Endpoint Registry +[windows_security_endpoint_registry] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry"))) +#tags = endpoint registry + +## Endpoint Port +[windows_security_endpoint_port] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158) +#tags = listening port + +## Change Audit +[windows_security_change_audit] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102) +#tags = change audit + +## Change +[windows_security_change] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4706 OR EventCode=4713 OR EventCode=4744 OR EventCode=4749 OR EventCode=4750 OR EventCode=4759 OR EventCode=4799 OR EventCode=4876) +#tags = change + +## Authentication +[windows_security_authentication] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625 OR EventCode=4672) +#tags = authentication + +## Change Account - ADDON-42191 +[windows_security_change_account] +search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801,4798,4794) +#tags = change account + +## System-CIM Mapping + +# Change Audit - ADDON-48489 +[windows_system_change_audit] +search = (source=WinEventLog:System OR 
source=XmlWinEventLog:System) (EventCode=104) +#tags = change audit + +# Monitoring dashboard - ADDON-75689 +[windows_ta_data] +search = sourcetype IN ("PerfmonMk:*", "Perfmon:*", "MSAD:*", "WindowsUpdateLog", "WMI:*","WinEventLog","Script:NetworkConfiguration", "Script:TimesyncConfiguration", "ActiveDirectory", "WinHostMon", "WinRegistry", "Script:InstalledApps", "DhcpSrvLog", "wmi", "Script:ListeningPorts", "XmlWinEventLog:*", "host::WinEventLogForwardHost", "WinEventLog:*", "Script:TimesyncStatus", "XmlWinEventLog","powershell", "WinRegMon", "admon", "WinNetMon", "WinPrintMon", "win:bios") OR source IN ("WinEventLog:*", "WMI*", "WinEventLog*", "XmlWinEventLog:*", "*WindowsUpdate.Log", "WMI:WinEventLog*", "Powershell", "service", "processor", "process", "printer", "port","outbound","networkadapter","operatingsystem","inbound", "driver","disk","computer", "roles","WinRegistry", "PerfmonMk:*", "*win_timesync_status.bat","*win_timesync_configuration.bat","*win_listening_ports.bat", "*win_installed_apps.bat", "*netsh_address.bat", "*DHCP" ,"*netlogon.log","*dns.log") diff --git a/apps/Splunk_TA_windows/default/inputs.conf b/apps/Splunk_TA_windows/default/inputs.conf new file mode 100644 index 00000000..0ba1a248 --- /dev/null +++ b/apps/Splunk_TA_windows/default/inputs.conf 
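Review bot: the `[windows_time_failure]` search uses a bare keyword where `[windows_time_sync]` uses a field test: `(SourceName=W32Time OR Microsoft-Windows-Time-Service)` matches any event whose raw text contains the term `Microsoft-Windows-Time-Service`, so failure events are selected on a different basis from the success eventtype; make it `(SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service)`. Two more things worth a second look in this file: `[windows_security_misconfiguration_password_minimum_length]` tests `Mixed_Domain_Mode<7`, which reads like a copy of the `Min__Password_Length<7` threshold rather than a meaningful check on that field, and the pair `[windows_audit_policy_change]` / `[windows_audit_policy_changed]` differ by one letter while covering different event codes (4715/4719/612 versus 4912/807), which invites mix-ups in tags and downstream searches.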
@@ -0,0 +1,442 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## + + + +###### OS Logs ###### +[WinEventLog://Application] +disabled = 1 +start_from = oldest +current_only = 0 +checkpointInterval = 5 +renderXml=true + +[WinEventLog://Security] +disabled = 1 +start_from = oldest +current_only = 0 +evt_resolve_ad_obj = 1 +checkpointInterval = 5 +blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" +blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" +renderXml=true + +[WinEventLog://System] +disabled = 1 +start_from = oldest +current_only = 0 +checkpointInterval = 5 +renderXml=true + + +###### Forwarded WinEventLogs (WEF) ###### +[WinEventLog://ForwardedEvents] +disabled = 1 +start_from = oldest +current_only = 0 +checkpointInterval = 5 +## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false. 
+renderXml=true +host=WinEventLogForwardHost + + +###### WinEventLog Inputs for Active Directory ###### + +## Application and Services Logs - DFS Replication +[WinEventLog://DFS Replication] +disabled = 1 +renderXml=true + +## Application and Services Logs - Directory Service +[WinEventLog://Directory Service] +disabled = 1 +renderXml=true + +## Application and Services Logs - File Replication Service +[WinEventLog://File Replication Service] +disabled = 1 +renderXml=true + +## Application and Services Logs - Key Management Service +[WinEventLog://Key Management Service] +disabled = 1 +renderXml=true + + +###### WinEventLog Inputs for DNS ###### +[WinEventLog://DNS Server] +disabled=1 +renderXml=true + + +###### DHCP ###### +[monitor://$WINDIR\System32\DHCP] +disabled = 1 +whitelist = DhcpSrvLog* +crcSalt = +sourcetype = DhcpSrvLog + + +###### Windows Update Log ###### +## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2 +[monitor://$WINDIR\WindowsUpdate.log] +disabled = 1 +sourcetype = WindowsUpdateLog + +## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016 +## Below stanza will automatically generate WindowsUpdate.log daily +[powershell://generate_windows_update_logs] +script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1" +schedule = 0 */24 * * * +disabled = 1 + +## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016 +[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log] +disabled = 1 +sourcetype = WindowsUpdateLog + + +###### Monitor Inputs for Active Directory ###### +[monitor://$WINDIR\debug\netlogon.log] +sourcetype=MSAD:NT6:Netlogon +disabled=1 + + +###### Monitor Inputs for DNS ###### +[MonitorNoHandle://$WINDIR\System32\Dns\dns.log] +sourcetype=MSAD:NT6:DNS +disabled=1 + + +###### Scripted Input (See also wmi.conf) 
+[script://.\bin\win_listening_ports.bat] +disabled = 1 +## Run once per hour +interval = 3600 +sourcetype = Script:ListeningPorts + +[script://.\bin\win_installed_apps.bat] +disabled = 1 +## Run once per day +interval = 86400 +sourcetype = Script:InstalledApps + +[script://.\bin\win_timesync_status.bat] +disabled = 1 +## Run once per hour +interval = 3600 +sourcetype = Script:TimesyncStatus + +[script://.\bin\win_timesync_configuration.bat] +disabled = 1 +## Run once per hour +interval = 3600 +sourcetype = Script:TimesyncConfiguration + +[script://.\bin\netsh_address.bat] +disabled = 1 +## Run once per day +interval = 86400 +sourcetype = Script:NetworkConfiguration + +###### Scripted/Powershell Mod inputs Active Directory ###### + +## Replication Information NT6 +[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1] +source=Powershell +sourcetype=MSAD:NT6:Replication +interval=300 +disabled=1 + +## Replication Information 2012r2 and 2016 +[powershell://Replication-Stats] +script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1" +schedule = 0 */5 * ? * * +source = Powershell +sourcetype=MSAD:NT6:Replication +disabled=1 + +## Health and Topology Information NT6 +[script://.\bin\runpowershell.cmd nt6-health.ps1] +source=Powershell +sourcetype=MSAD:NT6:Health +interval=300 +disabled=1 + +## Health and Topology Information 2012r2 and 2016 +[powershell://AD-Health] +script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1" +schedule = 0 */5 * ? 
* * +source=Powershell +sourcetype=MSAD:NT6:Health +disabled=1 + + +## Site, Site Link and Subnet Information NT6 +[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1] +source=Powershell +sourcetype=MSAD:NT6:SiteInfo +interval=3600 +disabled=1 + +## Site, Site Link and Subnet Information 2012r2 and 2016 +[powershell://Siteinfo] +script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1" +schedule = 0 15 * ? * * +source = Powershell +sourcetype=MSAD:NT6:SiteInfo +disabled=1 + + +##### Scripted Inputs for DNS ##### + +## DNS Zone Information Collection +[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1] +source=Powershell +sourcetype=MSAD:NT6:DNS-Zone-Information +interval=3600 +disabled=1 + +## DNS Health Information Collection +[script://.\bin\runpowershell.cmd dns-health.ps1] +source=Powershell +sourcetype=MSAD:NT6:DNS-Health +interval=3600 +disabled=1 + + +###### Host monitoring ###### +[WinHostMon://Computer] +interval = 600 +disabled = 1 +type = Computer + +[WinHostMon://Process] +interval = 600 +disabled = 1 +type = Process + +[WinHostMon://Processor] +interval = 600 +disabled = 1 +type = Processor + +[WinHostMon://NetworkAdapter] +interval = 600 +disabled = 1 +type = NetworkAdapter + +[WinHostMon://Service] +interval = 600 +disabled = 1 +type = Service + +[WinHostMon://OperatingSystem] +interval = 600 +disabled = 1 +type = OperatingSystem + +[WinHostMon://Disk] +interval = 600 +disabled = 1 +type = Disk + +[WinHostMon://Driver] +interval = 600 +disabled = 1 +type = Driver + +[WinHostMon://Roles] +interval = 600 +disabled = 1 +type = Roles + +###### Print monitoring ###### +[WinPrintMon://printer] +type = printer +interval = 600 +baseline = 1 +disabled = 1 + +[WinPrintMon://driver] +type = driver +interval = 600 +baseline = 1 +disabled = 1 + +[WinPrintMon://port] +type = port +interval = 600 +baseline = 1 +disabled = 1 + +###### Network monitoring ###### +[WinNetMon://inbound] +direction = 
inbound +disabled = 1 + +[WinNetMon://outbound] +direction = outbound +disabled = 1 + +###### Splunk 5.0+ Performance Counters ###### +## CPU +[perfmon://CPU] +counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = Processor +useEnglishOnly=true + +## Logical Disk +[perfmon://LogicalDisk] +counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = LogicalDisk +useEnglishOnly=true + +## Physical Disk +[perfmon://PhysicalDisk] +counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. 
Disk Bytes/Write; % Idle Time; Split IO/Sec +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = PhysicalDisk +useEnglishOnly=true + +## Memory +[perfmon://Memory] +counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s) +disabled = 1 +interval = 10 +mode = multikv +object = Memory +useEnglishOnly=true + +## Network +[perfmon://Network] +counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = Network Interface +useEnglishOnly=true + +## Process +[perfmon://Process] +counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File 
Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = Process +useEnglishOnly=true + +## ProcessInformation +[perfmon://ProcessorInformation] +counters = % Processor Time; Processor Frequency +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = Processor Information +useEnglishOnly=true + +## System +[perfmon://System] +counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use +disabled = 1 +instances = * +interval = 10 +mode = multikv +object = System +useEnglishOnly=true + + +###### Perfmon Inputs from TA-AD/TA-DNS ###### +[perfmon://Processor] +object = Processor +counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec +instances = * +interval = 10 +disabled = 1 +mode = multikv +useEnglishOnly=true + +[perfmon://Network_Interface] +object = Network Interface +counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; 
Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size +instances = * +interval = 10 +disabled = 1 +mode = multikv +useEnglishOnly=true + +[perfmon://DFS_Replicated_Folders] +object = DFS Replicated Folders +counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated +instances = * +interval = 30 +disabled = 1 +mode = multikv +useEnglishOnly=true + +[perfmon://NTDS] +object = NTDS +counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA 
Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average 
Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run +interval = 10 +disabled = 1 +mode = multikv +useEnglishOnly=true + +[perfmon://DNS] +object = DNS +counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query 
Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received +interval = 10 +disabled = 1 +mode = multikv +useEnglishOnly=true + + +[admon://default] +disabled = 1 +monitorSubtree = 1 + + +[WinRegMon://default] +disabled = 1 +hive = .* +proc = .* +type = rename|set|delete|create + +[WinRegMon://hkcu_run] +disabled = 1 +hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.* +proc = .* +type = set|create|delete|rename + +[WinRegMon://hklm_run] +disabled = 1 +hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.* +proc = .* +type = set|create|delete|rename + 
+[powershell://windows_bios_data] +script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\windows_bios_data.ps1" +schedule = 0 */24 * * * +source = Powershell +sourcetype = win:bios +disabled = 1 diff --git a/apps/Splunk_TA_windows/default/macros.conf b/apps/Splunk_TA_windows/default/macros.conf new file mode 100644 index 00000000..428366d7 --- /dev/null +++ b/apps/Splunk_TA_windows/default/macros.conf 
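Review bot: in `[powershell://windows_bios_data]`, `schedule = 0 */24 * * *` is a cron expression whose hour field can only ever match 0, so it is the same as `0 0 * * *`; write the latter so the once-a-day-at-midnight intent is obvious. The three `WinRegMon` stanzas list the same four event types in two different orders (`type = rename|set|delete|create` in `default`, `type = set|create|delete|rename` in `hkcu_run` and `hklm_run`); pick one ordering. Every perfmon and registry stanza ships `disabled = 1`, which is the right default for a TA, but the `hkcu_run`/`hklm_run` stanzas watch the Run keys that defenders most want telemetry on, so the README should state that they are off until enabled in `local/inputs.conf`.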
@@ -0,0 +1,38 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## +[events-search(6)] +args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type +definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$" + +[compute-ingestion-stats] +# The below post-process can be used to compute generic statistics about event ingestion +# The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline. +definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB" + +[netmon-hosts-search] +definition = eventtype=netmon_windows | stats count by host | sort +host + +[event-hosts-search] +definition = eventtype=wineventlog_windows | stats count by host | sort +host + +[log-names-search] +definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName + +[source-names-search(1)] +args = LogName +definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName + +[task-categories-search(2)] +args = LogName, SourceName +definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory + +[event-codes-search(3)] 
+args = LogName, SourceName, TaskCategory +definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode + +[event-types-search(4)] +args = LogName, SourceName, TaskCategory, EventCode +definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type diff --git a/apps/Splunk_TA_windows/default/props.conf b/apps/Splunk_TA_windows/default/props.conf new file mode 100644 index 00000000..4328a415 --- /dev/null +++ b/apps/Splunk_TA_windows/default/props.conf 
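Review bot: in `[compute-ingestion-stats]`, the column labelled "Event throughput (kbps)" is not kilobits per second: `event_size_temp=len(_raw)/300.0` summed over a 5-minute bucket yields bytes per second, so either convert (multiply by 8 and divide by 1000, or by 1024, matching the "Total MB" convention) or relabel the sparkline as bytes per second. The comment above it should say the same. For the argument macros (`events-search(6)`, `source-names-search(1)`, `task-categories-search(2)`, `event-codes-search(3)`, `event-types-search(4)`), the `$LogName$`, `$SourceName$`, `$EventCode$` and similar values are substituted straight into quoted search terms with no `validation`; adding `validation = isnum(EventCode)` with an `errormsg` for the numeric arguments makes a malformed call fail with a clear message instead of silently matching nothing.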
@@ -0,0 +1,1935 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## +########################### +## Active Directory +########################### + +[ActiveDirectory] +LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag + + +########################### +## DHCP +########################### + +[DhcpSrvLog] +SHOULD_LINEMERGE = false +MAX_TIMESTAMP_LOOKAHEAD = 20 +EVENT_BREAKER_ENABLE = true +TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers +REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp +REPORT_1microsoft_dhcp_dest_dns = microsoft_dhcp_dest_dns +LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature +FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host +FIELDALIAS-win-sign-id = msdhcp_id AS signature_id +FIELDALIAS-dhcp-user = msdhcp_user AS user + +EVAL-vendor = "Microsoft" +EVAL-product = "DHCP" +EVAL-vendor_product = "Microsoft DHCP" +EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12,}$"), replace(raw_mac, "^.*(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$", "\1:\2:\3:\4:\5:\6"), true(), replace(raw_mac, "-|\.|\s", ":"))) +EVAL-dest = coalesce(if(nt_host!="BAD_ADDRESS", nt_host, null()), ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), true(), replace(raw_mac, "-|\.|\s", ":")))) +EVAL-quarantine_info = case(qresult == 0, "NoQuarantine", qresult == 1, "Quarantine", qresult == 2, "Drop Packet", qresult == 3, "Probation", qresult == 6, "No Quarantine Information", true(), qresult) +EVAL-action = case(msdhcp_id IN (13,15,12,16,18), "blocked", msdhcp_id IN 
(10,11), "added") +EVAL-dest_nt_host = case(nt_host!="BAD_ADDRESS", nt_host) +EVAL-reason = case(nt_host=="BAD_ADDRESS", nt_host) + + +########################### +## Splunk Windows Event Log +########################### + +## Host override for WinEventLog events collected using WEF +[host::WinEventLogForwardHost] +TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride +TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride + +## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog +## format source using sourcetype value, so we know whether its XML or not +## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype +## the mod input sets and new sources will be accommodated as well +[(?::){0}WinEventLog:*\S+] +TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype + +[(?::){0}XmlWinEventLog:*\S+] +TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype + + +## Fields common to all WinEventLogs +[WinEventLog] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +## Field Mapping for Endpoint Data Model +## For Services, Processes and Filesystem Datasets +FIELDALIAS-service_id_for_windows = Service_ID AS service_id +FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name +FIELDALIAS-process_for_windows = Process AS process +EVAL-process_name = if(EventCode==4688, New_Process_Name, Process_Name) +FIELDALIAS-parent_process_for_windows = Creator_Process_Name AS parent_process +FIELDALIAS-user_id_for_windows = User_ID AS user_id +EVAL-vendor_product = "Microsoft Windows" + +[XmlWinEventLog] +KV_MODE = none +SHOULD_LINEMERGE = false +LINE_BREAKER=([\r\n]+)signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(match(Name,"Microsoft-Windows-WindowsUpdateClient"),signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +## Field Mapping for Endpoint Data Model +## For Services, Processes and Filesystem Datasets +FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name +FIELDALIAS-service_id_for_windows = ServiceSid AS service_id +EVAL-process_name = if(EventCode==4688, NewProcessName, ProcessName) +FIELDALIAS-parent_process_for_windows = ParentProcessName ASNEW parent_process +FIELDALIAS-user_id_for_windows = UserID AS user_id +EVAL-vendor_product = "Microsoft Windows" + +FIELDALIAS-sourcename_for_windows = ProviderName AS SourceName + +##Below fields extractions have been moved from [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
and [source::*:System] +## windows system sub-sourcetyping +[source::WinEventLog:System] +TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog + +REPORT-bestmatch_for_windows_system = ComputerName_as_dest +REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update +REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 +REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog +LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status +EVAL-file_name = case(EventCode IN (17, 18), signature_message, EventCode == 19, signature, true(), null()) +REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user +FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body + +REPORT-1service_name_eventcode_7036 = service_name_eventcode_7036 +REPORT-1service_name_eventcode_7040 = service_name_eventcode_7040 +EVAL-service_path = case(EventCode==7045,Service_File_Name) +EVAL-status = case(EventCode=="7036" AND status=="running","started",EventCode=="7036" AND status=="stopped","stopped",EventCode=="104","success",EventCode==7045,"installed") + +LOOKUP-0start_mode_for_eventcode_7040_service_windows = windows_start_mode_lookup StartType AS start_type2 OUTPUTNEW start_mode +LOOKUP-1start_mode_for_eventcode_7045_service_windows = windows_start_mode_lookup StartType AS Service_Start_Type OUTPUTNEW start_mode + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_for_windows = signature_id AS package +FIELDALIAS-package_title_for_windows = signature AS package_title + + +## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility +# Extractions to add fields used by generic system extraction 
+REPORT-signature_message_from_xml = updatelist_from_user_data +REPORT-signature_from_xml = updatetitle_from_user_data +FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature + +EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + +REPORT-bestmatch_for_windows_system_xml = Computer_as_dest + + +## Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility +REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias + +EVAL-user = case(EventCode==7040,case(user!="-",user),EventCode==7045,case(user!="-",if(user="NOT_TRANSLATED",Sid,user)),true(),user) +EVAL-user_name = if(EventCode==104, User, user_name) +EVAL-result = if(EventCode==104, "log file was cleared", result) +EVAL-object_category = if(EventCode==104, "audit log", object_category) +EVAL-action = if(EventCode==104, "cleared", action) +EVAL-change_type = case(EventCode==104, "audit", true(), change_type) +EVAL-app = if(SourceName="IAS","ias",null()) + +EXTRACT-object_for_windows_system = (?ms)EventCode=104(?:\n|\r).*(?:Message=The\s(?.+)\sfile) + +##### Explanation for SEDCMD Extractions ##### +## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." 
before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g + +## Apply the following properties to all WinEventLog events +## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf +[source::(WMI:WinEventLog|WinEventLog)...] + +## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence +REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv +REPORT-MESSAGE = + +########################### +## Windows XML Event Log +########################### +##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] +[source::XmlWinEventLog:System] + +# Extractions to add fields used by generic system extraction +REPORT-signature_message_from_xml = updatelist_from_user_data +REPORT-signature_from_xml = updatetitle_from_user_data,updatetitle_from_event_data +FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature + +EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + + +REPORT-bestmatch_for_windows_system_xml = Computer_as_dest +EXTRACT-signature_message_for_windows_security_from_xml = (17|18)<\/EventID>.*(?P[\s\S]*?)<\/updatelist> +REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 +REPORT-signature_id_for_windows_system_update = 
signature_id_for_windowsupdatelog +EVAL-file_name = case(EventCode IN (17, 18), signature_message, EventCode == 19, signature, true(), null()) +LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status +REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user +EVAL-body = coalesce('signature_message','Message') + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_title_for_windows = signature AS package_title +FIELDALIAS-package_for_windows = signature_id AS package + +REPORT-service_name = ServiceName_as_service_name +EVAL-service_path = case(EventCode==7045,ImagePath) +EVAL-status = case(EventCode=="7036" AND param2=="running","started",EventCode=="7036" AND param2=="stopped","stopped", EventCode==104, "success", EventCode==7045, "installed") + +LOOKUP-0start_mode_for_eventcode_7045_service_windows_xml = windows_start_mode_lookup StartType OUTPUTNEW start_mode +LOOKUP-1start_mode_for_eventcode_7040_service_windows_xml = windows_start_mode_lookup StartType AS param3 OUTPUTNEW start_mode + +EVAL-action = case(EventCode==104, "cleared") +EVAL-object_category = case(EventCode==104, "audit log") +EVAL-result = case(EventCode==104, "log file was cleared") +EVAL-change_type = case(EventCode==104, "audit", true(), change_type) + +REPORT-channel_from_user_data = channel_from_user_data +EVAL-object = case(EventCode==104, user_data_channel + " log") + +EXTRACT-user_from_SubjectUserName = 104<\/EventID>.*(?.*?)<\/SubjectUserName> +EXTRACT-user_name_from_SubjectUserName = 104<\/EventID>.*(?.*?)<\/SubjectUserName> + +##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:Security], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] 
+[source::XmlWinEventLog:Security] + +REPORT-logfilecleared_block_extract = logfilecleared_xml_block +REPORT-logfilecleareddata_for_xml = LogFileClearedData_from_user_data + +## privilege +REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege + +# Extractions to add fields used by generic security extraction +REPORT-Source_Port_from_xml = IpPort_as_Source_Port +REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type +REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name +REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type +REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID +REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain +REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain +REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name +REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name +REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation + +EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-CategoryString_for_windows_xml_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString, command + +## action, status +## Override action to allow audit log changes to correspond to Change Analysis data model +LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW 
action,change_type,object_category +LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status +LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status +LOOKUP-object_for_windows3_security = xmlsecurity_change_audit_and_account_management_lookup EventCode OUTPUTNEW object_attrs,result + +## privilege +REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security +REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security +LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege + +FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port +REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-body_for_windows_security = Message AS body +FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status +EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure") + +## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type +LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app +LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app +LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app +LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app +LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app + +## Set the following fields based on order of operations 
+REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id +REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest +REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain,SubjectDomainName_as_dest_nt_domain +REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host +REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src +REPORT-Subject_User_ID_as_src = Subject_User_ID_as_src +REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip +REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain +REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host +REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user +REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user +EVAL-user_group = coalesce(TargetUserName,New_Account_Name,Target_Account_Name) +REPORT-member_id_for_windows_security = 
Member_ID_as_member_id,Security_ID_as_member_id +REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn +REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain +REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 +REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 +LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass +EVAL-dest_nt_domain = case(EventCode==4672, Computer, true(), nullif(dest_nt_domain,"-")) +REPORT-member_user_name = special_user_from_member_name +REPORT-caller_command = command_from_Caller_Process_Name + +LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity + +##Attempt to map EventCodes that have sub statii ( i.e. 
EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) +LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject + +EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\> +EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-new_process_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-parent_process_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-new_process_id_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-process_id_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-process_command_line_for_xml = (?[^<]+)<\/Data> + +EVAL-authentication_method = case(EventCode IN (4624, 4625), AuthenticationPackageName, true(), authentication_method) + +## XML Security-CIM Mappings +REPORT-parent_process_name_windows_xml = extract_parent_process_name_for_windows_xml +REPORT-new_process_name_windows_xml = extract_new_process_name_for_windows_xml +REPORT-target_process_name_windows_xml = extract_target_process_name_for_windows_xml +REPORT-caller_user_name_from_user_data_xml = SubjectUserName_from_user_data +REPORT-file_name_and_path = object_file_name_and_path_from_ObjectName_for_xml,file_name_and_path_from_FileName_for_xml,file_name_and_path_from_KeyFilePath_for_xml +REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments + +EVAL-Keywords = case(Keywords=="0x8020000000000000", "Audit Success", Keywords=="0x8010000000000000", "Audit Failure", true(), Keywords) +EVAL-object_attrs = if(EventCode==4706,"domain trust",if(EventCode==4750,"security-disabled global group",if(EventCode==4713,"Kerberos policy",if(EventCode==4876,"Certificate Services",if(EventCode==4759,"security-disabled universal 
group",if(EventCode==4749,"security-disabled global group",if(EventCode==4744,"security-disabled local group",if(EventCode IN (4720,4738), null(),if(EventCode=4717, AccessGranted, (if(EventCode==4718, AccessRemoved, (if(isnotnull(SamAccountName) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4744,4754,4755,4758,4764,4799), SamAccountName, if(EventCode IN (4728,4729,4732,4733,4756,4757), TargetUserName, if(EventCode IN (4698,4700,4701), TaskContent, if(EventCode==4702, TaskContentNew, if(EventCode==4719, "Category="+CategoryId+",Subcategory="+SubcategoryId+",Subcategory GUID="+SubcategoryGuid+",Changes="+AuditPolicyChanges,object_attrs))))))))))))))))) +EVAL-registry_path = if(EventCode==4657,ObjectName,registry_path) +EVAL-registry_value_name = if(EventCode==4657,ObjectValueName,registry_value_name) +EVAL-registry_value_type = if(EventCode==4657,NewValueType,registry_value_type) +EVAL-src = case(EventCode == 4798, Caller_Domain, EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4799), dest, EventCode==4778, ClientAddress, EventCode == 4624, IpAddress, EventCode==4625, WorkstationName, EventCode IN (5156,5157), SourceAddress, EventCode IN (4672,4706,4713,4744,4749,4750,4759,4876), src_subject_user_id, true(), src) +EVAL-file_name = coalesce(file_name,if(ObjectType=="File",object_file_name,null()),ShareName) +EVAL-file_path = coalesce(file_path,if(ObjectType=="File",object_file_path,null()),ShareLocalPath) +EVAL-src_port = if(EventCode IN (5156,5157,5158), SourcePort, src_port) +EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(NewProcessName,"\s"), "\"" + NewProcessName + "\"", NewProcessName)) + " " + process_command_line_arguments), NewProcessName) , EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName)) +EVAL-process_path = case(EventCode==4688, new_process, EventCode==4696, TargetProcessName, true(), 
coalesce(process, Process, ProcessName)) +EVAL-process_id = case(EventCode==4688, new_process_id, EventCode==4696, TargetProcessId, true(), process_id) +EVAL-service = if(isnotnull(service),service, Service) + +EVAL-parent_process = case(EventCode==4696,ProcessName,true(),parent_process) +EVAL-parent_process_id = case(EventCode==4688 OR EventCode==4696,ProcessId) +EVAL-parent_process_name = case(EventCode==4696,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name) +EVAL-parent_process_path = case(EventCode==4688,parent_process,EventCode==4696,ProcessName) +EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1")) +EVAL-process_name = case(EventCode==4798,replace(CallerProcessName,"(?:.*\\\)?(.*)","\1"),EventCode=4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),ProcessName) + +EVAL-user = case(EventCode==4794,"DSRM administrator",EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (1102,4672,4673,4674,4689,4697,4698,4700,4701,4702,4706,4713,4719,4744,4749,4750,4759,4799,4876), case(SubjectUserName!="-",SubjectUserName),EventCode==4696,case(user!="-",user),EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4767,4798), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), EventCode IN (5156,5157), RemoteMachineID, true(), user) +EVAL-user_name = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4740,4767,4800,4801,4798), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN 
(1102,4719,4698,4700,4701,4702,4799), SubjectUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user_name) +EVAL-src_user = case(EventCode==4672, SubjectUserName, EventCode IN (4624,4625,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781,4798), case(SubjectUserName!="-",SubjectUserName), EventCode IN (4634,4800,4801), TargetUserName, true(),src_user) +EVAL-src_user_name = case(EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4754,4755,4756,4757,4758,4764,4767,4781,4798), SubjectUserName, EventCode IN (4634,4800,4801), TargetUserName, true(),src_user_name) +EVAL-src_nt_domain = case(EventCode==4672, SubjectDomainName, EventCode IN (4634,4800,4801), TargetDomainName, EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4798), SubjectDomainName, true(), src_nt_domain) +EVAL-src_user_id = case(EventCode==4672, SubjectUserSid, true(), src_user_id) +EXTRACT-dest_for_windows_security_4798 = 4798<\/EventID>.*(?[^<]+)<\/Data> +EVAL-object = case(EventCode==4794,"DSRM administrator",EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4730,4731,4734,4735,4737,4738,4740,4744,4749,4750,4754,4755,4758,4759,4764,4767,4799,4798), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"), -1), if(like(member_user_name, "%\%"), null(), member_user_name)), EventCode IN (4800,4801), Computer, EventCode IN (4698,4700,4701,4702),TaskName, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", EventCode==4876, "Certification Authorities Database", EventCode IN (4713, 4706), "Active Directory", true(), object) 
+EVAL-object_id = case(EventCode IN (4704, 4705, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4730, 4731, 4734, 4735, 4737, 4738, 4744, 4749, 4750, 4754, 4755, 4758, 4759, 4764, 4767, 4781, 4799, 4798), TargetSid, EventCode IN (4634,4703), TargetUserSid, EventCode IN (4728,4729,4732,4733,4756,4757), MemberSid, EventCode==4876, "Certification Authorities Database", true(), object_id) +EVAL-user_id = case(EventCode==4672, SubjectUserSid, true(), user_id) + +EVAL-action = case(EventCode=="4688" AND Keywords=="0x8020000000000000","allowed") + +## Assigning Group_Name based on EventCodes as not all EventCodes have GroupName same as TargetUserName and GroupDomain same as TargetDomainName +EVAL-Group_Name=case(isnotnull(TargetUserName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetUserName, 1=1, Group_Name) +EVAL-Group_Domain=case(isnotnull(TargetDomainName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetDomainName, 1=1, Group_Domain) + +EVAL-user_type= case(EventCode==4794, "administrator", EventCode IN (4741, 4742, 4743), "computer", EventCode==4713, "service account") + +## Field Mapping for Network Data Model +EXTRACT-app_for_windows_security_from_xml = (5156|5157)<\/EventID>.*(?[^<]+)<\/Data> +EVAL-direction = case(EventCode IN (5156,5157) AND Direction="%%14592","inbound",EventCode IN (5156,5157) AND Direction="%%14593","outbound") + +EXTRACT-dest_for_windows_security_from_xml = (5156|5157)<\/EventID>.*(?(?[^<]+))<\/Data> + +EXTRACT-src_ip_for_windows_security_from_xml = (5156|5157)<\/EventID>.*(?[^<]+)<\/Data> + +EXTRACT-rule_for_windows_security_from_xml = (5156|5157)<\/EventID>.*(?[^<]+)<\/Data> +EVAL-protocol = case(EventCode IN (5156,5157),if(Protocol==1,"icmp","ip")) +EVAL-protocol_version = if(EventCode IN (5156,5157), if(isnull(dest_ip), null(), if(match(coalesce(dest_ip, src_ip), ":"), "ipv6", 
"ipv4")), null()) + +LOOKUP-start_mode_for_windows_xml = windows_endpoint_service_service_type_lookup Service_Start_Type AS ServiceStartType OUTPUTNEW start_mode +LOOKUP-service_name = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service, service_name +LOOKUP-transport_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport +LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status + +##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*] +[source::XmlWinEventLog:Application] +EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + +FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest + +[source::XmlWinEventLog:Microsoft-Windows-PowerShell/Operational] +REPORT-dest_for_microsoft_windows_powershell = Computer_as_dest +EVAL-signature = case(EventCode==4103,"Microsoft-Windows-PowerShell Executing Pipeline",EventCode==4104,"Microsoft-Windows-PowerShell Execute a Remote Command") + +[source::WinEventLog:Microsoft-Windows-PowerShell/Operational] +REPORT-dest_for_microsoft_windows_powershell = ComputerName_as_dest +EVAL-signature = case(EventCode==4103,"Microsoft-Windows-PowerShell Executing Pipeline",EventCode==4104,"Microsoft-Windows-PowerShell Execute a Remote Command") + +###### All Windows Event Log ###### + +###### Windows Application Event Log ###### + +## All Windows Application + +##Below fields extractions have been moved from 
[source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] +[source::WinEventLog:Application] +EVAL-dest = coalesce('ComputerName','Computer') + +## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility +EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status + + + +##Below fields extractions have been moved from [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] +[source::WinEventLog:Security] + +LOOKUP-CategoryString_for_windows_legacy_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString, command +LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity + +## Attempt to map EventCodes that have sub statii ( i.e. 
EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) +LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject + + +## action, status + +## Security-CIM Mappings +LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status + +## Override action to allow audit log changes to correspond to Change Analysis data model +LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category +LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status +LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status + +## privilege +REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security +REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security +LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege + +FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port +REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-body_for_windows_security = Message AS body +FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status +EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure") + +## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type +LOOKUP-app0_for_windows_security = 
windows_app_lookup EventCode OUTPUTNEW app +LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app +LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app +LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app +LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app + +## Set the following fields based on order of operations +REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id +REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest +REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain +REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host + +REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src +REPORT-Subject_Security_ID_as_src = Subject_Security_ID_as_src +REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip +REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,New_Security_ID_as_src_nt_domain,Security_ID_as_src_nt_domain +REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host +REPORT-src_user_for_windows_security = 
Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user +REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Special_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user +EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name) +REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id +REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn +REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain +REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 +REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 +LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass +EVAL-dest_nt_domain = nullif(dest_nt_domain,"-") + +REPORT-subject_fields = subject_fields_extraction +REPORT-target_fields = target_fields_extraction +REPORT-user_fields = user_fields_extraction +REPORT-group_fields = group_fields_extraction +REPORT-new_account_fields = new_account_fields_extraction +REPORT-member_fields = member_fields_extraction +REPORT-account_locked_out_fields = account_locked_out_fields_extraction +REPORT-task_fields = task_fields_extraction +REPORT-new_task_fields = new_task_fields_extraction +REPORT-command = process_command_extraction + +EVAL-user = case(EventCode==4794,"DSRM 
administrator",EventCode==4799,Subject_Account_Name,EventCode==4798,User_Account_Name,EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (4689,4696,4673,4674,4697),case(user!="-",user), EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),user) +EVAL-user_name = case(EventCode==4798,User_Account_Name,EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (1102,4634,4698,4700,4701,4702,4719,4799,4800,4801), Subject_Account_Name, EventCode==104, User, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%")OR user=="-", null(), user)), true(),user_name) +EVAL-src_user = case(EventCode IN (4634,4672,4703,4704,4705,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781,4794,4798,4800,4801), Subject_Account_Name, true(),src_user) +EVAL-src_user_name = case(EventCode IN (4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4728,4729,4733,4756,4757,4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4798,4800,4801), Subject_Account_Name, true(),src_user_name) +EVAL-object = case(EventCode==4794,"DSRM administrator",EventCode==4798,User_Account_Name,EventCode IN (4727,4730,4731,4734,4735,4737,4750,4754,4755,4758,4764,4799,4744,4749,4759), Group_Name, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, 
EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (4800,4801), ComputerName, EventCode==4634, Subject_Account_Name, EventCode IN (4698,4700,4701,4702), Task_Name, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", EventCode IN (4732,4729,4757,4756,4728,4733), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), EventCode==4876, "Certification Authorities Database", EventCode IN (4706, 4713), "Active Directory", true(),object) +EVAL-object_id = case(EventCode==4798,User_Security_ID,EventCode IN (4728,4729,4733,4756,4757),Member_Security_ID, EventCode IN (4727,4730,4731,4734,4735,4737,4744,4749,4750,4754,4755,4758,4759,4764,4799), Group_Security_ID, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767,4781), Target_Security_ID, EventCode==4720, New_Account_Security_ID, EventCode==4732, Member_Security_ID, EventCode==4740, Account_Locked_Out_Security_ID, EventCode==4634, Subject_Security_ID, EventCode==4876, "Certification Authorities Database", true(), object_id) +EVAL-authentication_method = case(EventCode IN (4624,4625), Authentication_Package, true(), authentication_method) +EVAL-src_nt_domain = case(EventCode IN (4634,4672,4720,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4740,4754,4755,4756,4757,4758,4764,4798,4800,4801), Subject_Account_Domain, true(), src_nt_domain) +EVAL-src = case(EventCode==4794,Caller_Workstation,EventCode==4798,Subject_Account_Domain,EventCode IN (4729,4799,4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4757,4756,4728,4733,4876), ComputerName, EventCode IN (4672,4706,4713,4744,4749,4750,4759), src_subject_security_id, true(), src) +EVAL-src_user_id = case(EventCode==4672, Subject_Security_ID, true(), src_user_id) +EVAL-user_id = case(EventCode==4672, Subject_Security_ID, true(), user_id) +EXTRACT-dest_for_windows_security_4798 = 
(?ms)EventCode=4798(?:\n|\r).*User:\s*.*\n\s*Account\sName:\s*.*\n\s*Account\sDomain:\s*(?[^\n\r]+) + +EXTRACT-dest_port_for_windows_security = (?s)Network Information:.*?Destination Port:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?[^$]+)$ +EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?\S+).*?(?:(?:\r*\n){2}) +EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?.*)\\(?[^\n\r]+) + +## Below Extractions are for XmlWinEventLog:Security and have been kept for backward compatibility +## privilege +REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege + +# Extractions to add fields used by generic security extraction +REPORT-Source_Port_from_xml = IpPort_as_Source_Port +REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type +REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name +REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type +REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID +REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain +REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain +REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name +REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name +REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation + +EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-") + +# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status +# 
LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status +LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status +EVAL-action = case(EventCode=="4688" AND Keywords=="Audit Success","allowed",EventCode=="4688" AND Keywords=="Audit Failure","blocked", EventCode==4672, if(isnull(action), "success", action)) + +REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest + +EXTRACT-dest_port_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-object_attrs_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-1IpAddress_for_windows_security_from_xml =\(?!\:\:1)(?!127\.0\.0\.1)(?[^\<]+)\<\/Data\> +EXTRACT-process_for_windows_security_from_xml = (?[^<]+)<\/Data> +EXTRACT-process_id_for_windows_security_from_xml = 0<\/Data> to <\/Data> in XmlWinEventLog:Security +## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security + + +##### SEDCMD Extractions ##### +#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g +#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g +#SEDCMD-cleansrcip = s/(Source Network Address:\s*(\:\:1|127\.0\.0\.1))/Source Network Address:/ +#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ +#SEDCMD-remove_ffff = s/::ffff://g +#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g +#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g +#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g + +## For XmlWinEventLog:Security +#SEDCMD-cleanxmlsrcport = s/0<\/Data>/<\/Data>/ +#SEDCMD-cleanxmlsrcip = 
s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/ + +## Field Mapping for Network Data Model +EXTRACT-app_for_windows_security = (?ms)EventCode=(5156|5157)(?:\n|\r).*Application Name:\s*(?[^\n\r]+) +EVAL-direction = lower(Direction) +EXTRACT-dest_for_windows_security = (?ms)EventCode=(5156|5157)(?:\n|\r).*Destination Address:\s*(?(?[^\n\r]+)) + +EXTRACT-src_for_windows_security = (?ms)EventCode=(5156|5157)(?:\n|\r).*Source Address:\s*(?(?[^\n\r]+)) +EXTRACT-rule_for_windows_security = (?ms)EventCode=(5156|5157)(?:\n|\r).*Filter Run-Time ID:\s*(?[^\n\r]+) + +EVAL-protocol_version = if(EventCode IN (5156,5157), if(isnull(dest_ip), null(), if(match(coalesce(dest_ip, src_ip), ":"), "ipv6", "ipv4")), null()) +EVAL-protocol = case(EventCode IN (5156,5157),if(Protocol==1,"icmp","ip")) +EXTRACT-user_for_windows_security = (?ms)EventCode=(5156|5157)(?:\n|\r).*Remote User ID:\s*(?[^\n\r]+) + +## Security-CIM Mappings +REPORT-parent_process_name = extract_parent_process_name +REPORT-new_process_name = extract_new_process_name +REPORT-target_process_name = extract_target_process_name +REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments +REPORT-file_name_and_path = object_name_and_path_from_object_name,file_name_and_path_from_file_name,file_name_and_path_from_file_path + +EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(New_Process_Name,"\s"), "\"" + New_Process_Name + "\"", New_Process_Name)) + " " + process_command_line_arguments), New_Process_Name), EventCode==4696, Target_Process_Name , true(), coalesce(Process, process, Process_Name)) +EVAL-registry_path = if(EventCode==4657 OR EventCode==4670,Object_Name,registry_path) +EVAL-registry_value_name = if(EventCode==4657, Object_Value_Name, registry_value_name) +EVAL-registry_value_type = if(EventCode==4657, New_Value_Type, registry_value_type) +EVAL-object_attrs = if(EventCode==4717 OR 
EventCode==4718,Access_Right,if(isnotnull(Group_Name) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4744,4749,4750,4754,4755,4758,4759,4764,4799),Group_Name,if(EventCode IN (4698,4700,4701),TaskContent,if(EventCode==4702,TaskNewContent,if(EventCode==4719, "Category="+Category+",Subcategory="+Subcategory+",Subcategory GUID="+Subcategory_GUID+",Changes="+Changes,object_attrs))))) +EVAL-file_name = if(Object_Type=="File" AND isnotnull(object_file_name),object_file_name,if(isnotnull(Share_Name),Share_Name,file_name)) +EVAL-file_path = if(Object_Type=="File" AND isnotnull(object_file_path),object_file_path,if(isnotnull(Share_Path),Share_Path,file_path)) + +EVAL-parent_process = case(EventCode==4696,Process_Name,true(),parent_process) +EVAL-parent_process_id = case(EventCode==4688,Creator_Process_ID,EventCode==4696,Process_ID) +EVAL-parent_process_name = case(EventCode==4696,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name) +EVAL-process_path = case(EventCode==4688,New_Process_Name,EventCode==4696,Target_Process_Name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,Process_Name) +EVAL-parent_process_path = case(EventCode==4688,Creator_Process_Name,EventCode==4696,Process_Name) +EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1")) +EVAL-process_name = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode IN (4689,4674,4673,4798),replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),Process_Name) +EVAL-process_id = case(EventCode==4696,Target_Process_ID, EventCode==4689 OR EventCode==4673, Process_ID, true(), process_id) + +EVAL-user_type= case(EventCode==4794, "administrator", EventCode IN (4741, 4742, 4743), "computer", EventCode==4713, "service account") + +LOOKUP-service_name_for_endpoint_service = windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW 
service,service_name +LOOKUP-service_type_for_endpoint_service = windows_endpoint_service_service_type_lookup Service_Start_Type OUTPUTNEW start_mode +LOOKUP-transpot_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport +LOOKUP-wineventlog-change-object-fields = windows_wineventlog_change_object_fields_lookup EventCode OUTPUTNEW change_type,object_attrs,object_category,result + + +## IAS (Currently WinEventLog Support Only) +[source::WinEventLog:System:IAS] +REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias + +EVAL-app = "ias" + + +[source::WinEventLog:ForwardedEvents] +##### Explanation for SEDCMD Extractions ##### +## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues +## cleanxmlsrcport: This will replace all values like 0<\/Data> to <\/Data> in XmlWinEventLog:Security +## cleanxmlsrcip: This will replace all values like ::1<\/Data> or 127.0.0.1<\/Data> to <\/Data> in XmlWinEventLog:Security +## clean_rendering_info_block: This will eliminate the entire extra block from all the events that indexes when using WEF before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-remove_ffff = s/::ffff://g +#SEDCMD-cleansrcipxml = s/(\:\:1|127\.0\.0\.1)<\/Data>/<\/Data>/ +#SEDCMD-cleansrcportxml=s/0<\/Data>/<\/Data>/ +#SEDCMD-clean_rendering_info_block = s/(?s)(.*)<\/RenderingInfo>// + + +###### WindowsUpdateLog ###### +[source::...WindowsUpdate.Log] +sourcetype = WindowsUpdateLog + +[WindowsUpdateLog] +SHOULD_LINEMERGE = false +EVENT_BREAKER_ENABLE = true +FIELDALIAS-dest_for_windowsupdatelog = host AS dest +REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog +REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message +REPORT-signature_id_for_windowsupdatelog = 
signature_id_for_windowsupdatelog +REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog +LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-process_id_for_windowsupdatelog = pid as process_id + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_for_windows = signature_id AS package +FIELDALIAS-package_title_for_windows = signature AS package_title + +[WinRegistry] + +## Registry Extractions + +## registry_path, registry_key_name, registry_value_name +REPORT-registry_path_parser = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry +REPORT-registry_value_data = registry_value_data_for_WinRegistry +FIELDALIAS-registry_value_type = data_type AS registry_value_type + +## Endpoint Change Extractions +## Required fields: action,dest,object,object_category,object_path,status,user +## Optional fields: object_id,object_attrs,user_type,msg,data,severity +FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action +LOOKUP-action_for_WinRegistry = endpoint_change_vendor_action_lookup vendor_action OUTPUT action +FIELDALIAS-dest_for_WinRegistry = host AS dest +REPORT-object_for_WinRegistry = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry +LOOKUP-object_category_for_WinRegistry = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category +REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry +LOOKUP-status_for_WinRegistry = endpoint_change_status_lookup vendor_status OUTPUT status +REPORT-user_for_WinRegistry = user_for_WinRegistry +LOOKUP-user_type_for_WinRegistry = endpoint_change_user_type_lookup sourcetype OUTPUT user_type +FIELDALIAS-src_for_WinRegistry = host AS src + +## Field Mapping for Endpoint Data Model +## For Registry Dataset +FIELDALIAS-process_id_for_WinRegistry = pid AS process_id 
+EVAL-vendor_product = "Microsoft Windows" + +##################### +## Splunk Perfmon/WMI +##################### + +## Apply the following properties to all WMI events +[source::WMI...] +## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence +REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv +REPORT-MESSAGE = + +[wmi] +LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+) +## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence +## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog" +TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype +TRANSFORMS-FIELDS = + +###### ComputerSystem ###### +[WMI:ComputerSystem] +FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + + +[Perfmon:Processor] +EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) +EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) +FIELDALIAS-cpu_instance = instance AS cpu_instance +EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store 
+EVAL-metric_type = "gauge" + +[PerfmonMk:Processor] +FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent +EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null()) +FIELDALIAS-cpu_instance = instance AS cpu_instance +FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[Perfmon:Network_Interface] +EVAL-bytes = if(counter=="Bytes Total/sec",Value,null()) +EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null()) +EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null()) +EVAL-packets = if(counter=="Packets/sec",Value,null()) +EVAL-packets_in = if(counter=="Packets Received/sec",Value,null()) +EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null()) +EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) +EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:Network_Interface] +FIELDALIAS-bytes = Bytes_Total/sec as bytes +FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in +FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out +FIELDALIAS-packets = Packets/sec as packets +FIELDALIAS-packets_in = Packets_Received/sec as packets_in +FIELDALIAS-packets_out = Packets_Sent/sec as packets_out +FIELDALIAS-thruput = 
Bytes_Total/sec as thruput +FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[Perfmon:DFS_Replicated_Folders] +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[Perfmon:NTDS] +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[Perfmon:DNS] +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[Perfmon:CPU] +EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) +EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) +FIELDALIAS-cpu_instance = instance AS cpu_instance +EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_cpu_load_percent = 
if(counter=="% Processor Time",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:CPU] +FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent +EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null()) +FIELDALIAS-cpu_instance = instance AS cpu_instance +FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[Perfmon:System] +EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null()) +EVAL-system_threads_count = if(counter=="Threads",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:System] +FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count +FIELDALIAS-system_threads_count = Threads as system_threads_count + 
+FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[Perfmon:ProcessorInformation] +SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/ +EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null()) +EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null()) +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +## Field Mapping for Endpoint Data Model +## For Processes Dataset +EVAL-vendor_product = "Microsoft Windows" + +[PerfmonMk:ProcessorInformation] +EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null()) +EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null()) +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +## Field Mapping for Endpoint Data Model +## For Processes Dataset +EVAL-vendor_product = "Microsoft Windows" + +[WMI:CPUTime] +REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous + +FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent +FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent +FIELDALIAS-cpu_instance = Name AS cpu_instance + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Disk ###### +[Perfmon:LogicalDisk] +EVAL-mount = if(instance=="_Total", null(), instance) +# Keeping this field in ms +EVAL-latency = if(counter=="Avg. 
Disk sec/Transfer",Value*1000,null()) +EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value*1000,null()) +EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value*1000,null()) +EVAL-storage_free_percent = if(counter=="% Free Space",Value,null()) +EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null()) +EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null()) +EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:LogicalDisk] +EVAL-mount = if(instance=="_Total", null(), instance) +# Keeping this field in ms +EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000 +EVAL-read_latency = 'Avg._Disk_sec/Read' * 1000 +EVAL-write_latency = 'Avg._Disk_sec/Write' * 1000 +FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent +FIELDALIAS-read_ops = Disk_Reads/sec as read_ops +FIELDALIAS-write_ops = Disk_Writes/sec as write_ops +FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +FIELDALIAS-storage_free = Free_Megabytes as storage_free +EVAL-storage=((100*Free_Megabytes)/storage_free_percent) +EVAL-storage_used=(((100-storage_free_percent)*Free_Megabytes)/storage_free_percent) +EVAL-storage_used_percent=(100-storage_free_percent) + +[Perfmon:PhysicalDisk] +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = 
value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:PhysicalDisk] +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[WMI:FreeDiskSpace] +REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous + +FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount +EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null()) +EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null()) +FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent +EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null()) +EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null()) + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + + +[WMI:LogicalDisk] +FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency +FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency +FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency +FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops +FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +[WMI:LocalPhysicalDisk] +REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-src_for_wmi = host 
AS src + +###### Network ###### +[WMI:LocalNetwork] +FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput +FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Process ###### +[Perfmon:Process] +EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null()) +EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null()) +EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +## Field Mapping for Endpoint Data Model +## For Processes Dataset +EVAL-mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null()) +EVAL-vendor_product = "Microsoft Windows" + +[PerfmonMk:Process] +EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null()) +EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null()) +EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +## Field Mapping for Endpoint Data Model +## For Processes Dataset +FIELDALIAS-process_id_for_perfmon = ID_Process AS process_id 
+EVAL-mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null()) +EVAL-vendor_product = "Microsoft Windows" + +###### Installed Apps ###### +[Script:InstalledApps] +SHOULD_LINEMERGE = false +TRUNCATE = 0 +LINE_BREAKER = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3} + +KV_MODE = none + +REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps +REPORT-Comments_for_win_installed_apps = Comments_for_win_installed_apps +REPORT-Contact_for_win_installed_apps = Contact_for_win_installed_apps +REPORT-DisplayVersion_for_win_installed_apps = DisplayVersion_for_win_installed_apps +REPORT-HelpLink_for_win_installed_apps = HelpLink_for_win_installed_apps +REPORT-HelpTelephone_for_win_installed_apps = HelpTelephone_for_win_installed_apps +REPORT-InstallDate_for_win_installed_apps = InstallDate_for_win_installed_apps +REPORT-InstallLocation_for_win_installed_apps = InstallLocation_for_win_installed_apps +REPORT-InstallSource_for_win_installed_apps = InstallSource_for_win_installed_apps +REPORT-ModifyPath_for_win_installed_apps = ModifyPath_for_win_installed_apps +REPORT-NoModify_for_win_installed_apps = NoModify_for_win_installed_apps +REPORT-NoRepair_for_win_installed_apps = NoRepair_for_win_installed_apps +REPORT-Publisher_for_win_installed_apps = Publisher_for_win_installed_apps +REPORT-Readme_for_win_installed_apps = Readme_for_win_installed_apps +REPORT-Size_for_win_installed_apps = Size_for_win_installed_apps +REPORT-EstimatedSize_for_win_installed_apps = EstimatedSize_for_win_installed_apps +REPORT-UninstallString_for_win_installed_apps = UninstallString_for_win_installed_apps +REPORT-URLInfoAbout_for_win_installed_apps = URLInfoAbout_for_win_installed_apps +REPORT-URLUpdateInfo_for_win_installed_apps = URLUpdateInfo_for_win_installed_apps +REPORT-VersionMajor_for_win_installed_apps = VersionMajor_for_win_installed_apps +REPORT-VersionMinor_for_win_installed_apps = 
VersionMinor_for_win_installed_apps +REPORT-WindowsInstaller_for_win_installed_apps = WindowsInstaller_for_win_installed_apps +REPORT-Version_for_win_installed_apps = Version_for_win_installed_apps +REPORT-Language_for_win_installed_apps = Language_for_win_installed_apps +REPORT-DisplayName_for_win_installed_apps = DisplayName_for_win_installed_apps + +###### Installed Updates ###### +[WMI:InstalledUpdates] +REPORT-00Description_for_installedupdates = Description_for_installedupdates +FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id +EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null()) +LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Listening Ports ###### +[Script:ListeningPorts] +SHOULD_LINEMERGE = false + +KV_MODE = None +REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports +REPORT-1kv_for_listeningports = kv_for_listeningports +FIELDALIAS-dest_for_listeningports = dest_ip AS dest +FIELDALIAS-process_id_for_listeningports = pid AS process_id + +## Field Mapping for Endpoint Data Model +## For Ports Dataset +EVAL-transport_dest_port = transport."/".dest_port +EVAL-vendor_product = "Microsoft Windows" + +###### Local Processes ###### +[WMI:LocalProcesses] +REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous + +FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent +FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes +FIELDALIAS-process_for_wmi_localprocesses = windows_app AS Name, windows_app AS app, windows_app AS process +FIELDALIAS-process_id_for_wmi_localprocesses = 
IDProcess AS process_id + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +## Field Mapping for Endpoint Data Model +## For Processes Dataset +EVAL-vendor_product = "Microsoft Windows" + +###### Memory ###### +## Used memory unavailable in Perfmon Memory object and WMI Win32_PerfFormattedData_PerfOS_Memory +## Total memory available in WMI:ComputerSystem +[Perfmon:Memory] +EVAL-mem_committed = if(counter=="Committed Bytes",Value,null()) +EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null()) +EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null()) +EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null()) +EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null()) +EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null()) +EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:Memory] +FIELDALIAS-mem_committed = Committed_Bytes as mem_committed +FIELDALIAS-mem_free = Available_MBytes as mem_free +FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free +FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used +FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops +EVAL-swap_percent = 
(swap_used/(swap_used+swap_free))*100 + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free + +FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in +FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[Perfmon:Network] +EVAL-bytes = if(counter=="Bytes Total/sec",Value,null()) +EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null()) +EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null()) +EVAL-packets = if(counter=="Packets/sec",Value,null()) +EVAL-packets_in = if(counter=="Packets Received/sec",Value,null()) +EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null()) +EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) +EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store +TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store +TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store +TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store +TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store +EVAL-metric_type = "gauge" + +[PerfmonMk:Network] +FIELDALIAS-bytes = Bytes_Total/sec as bytes +FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in +FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out +FIELDALIAS-packets = Packets/sec as packets +FIELDALIAS-packets_in = Packets_Received/sec as packets_in +FIELDALIAS-packets_out = Packets_Sent/sec as packets_out +FIELDALIAS-thruput = Bytes_Total/sec as thruput +FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +[WMI:Memory] 
+REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous + +FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed +FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free +FIELDALIAS-swap_used = PoolPagedBytes AS swap_used +EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100 +FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in +FIELDALIAS-mem_page_out = PagesOutputPersec AS mem_page_out +FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops + + +EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null()) +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null()) + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Service ###### +[WMI:Service] +REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous +REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname + +FIELDALIAS-file_path_for_wmi_service = service_path AS file_path +FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service +FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode +FIELDALIAS-status_for_wmi_service = State AS status + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +## Field Mapping for Endpoint Data Model +## For Services Dataset +REPORT-report_field_extract_wmi_service_path_and_exec_name = field_extract_wmi_service_path, field_extract_wmi_service_exec +FIELDALIAS-description_for_wmi = Description AS description +FIELDALIAS-process_id_for_wmi = IDProcess AS process_id +FIELDALIAS-service_name_for_wmi = Name AS service, Name AS 
service_name +EVAL-vendor_product = "Microsoft Windows" + +###### Time Configuration ###### +[Script:TimesyncConfiguration] +DATETIME_CONFIG = CURRENT +LINE_BREAKER = ([\r\n]+)Current time: + +KV_MODE = None + +REPORT-Current_time_for_win_timesync_configuration = Current_time_for_win_timesync +REPORT-EventLogFlags_for_win_timesync_configuration = EventLogFlags_for_win_timesync_configuration +REPORT-AnnounceFlags_for_win_timesync_configuration = AnnounceFlags_for_win_timesync_configuration +REPORT-TimeJumpAuditOffset_for_win_timesync_configuration = TimeJumpAuditOffset_for_win_timesync_configuration +REPORT-MinPollInterval_for_win_timesync_configuration = MinPollInterval_for_win_timesync_configuration +REPORT-MaxPollInterval_for_win_timesync_configuration = MaxPollInterval_for_win_timesync_configuration +REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration +REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration +REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration +REPORT-FrequencyCorrectRate_for_win_timesync_configuration = FrequencyCorrectRate_for_win_timesync_configuration +REPORT-PollAdjustFactor_for_win_timesync_configuration = PollAdjustFactor_for_win_timesync_configuration +REPORT-LargePhaseOffset_for_win_timesync_configuration = LargePhaseOffset_for_win_timesync_configuration +REPORT-SpikeWatchPeriod_for_win_timesync_configuration = SpikeWatchPeriod_for_win_timesync_configuration +REPORT-LocalClockDispersion_for_win_timesync_configuration = LocalClockDispersion_for_win_timesync_configuration +REPORT-HoldPeriod_for_win_timesync_configuration = HoldPeriod_for_win_timesync_configuration +REPORT-PhaseCorrectRate_for_win_timesync_configuration = PhaseCorrectRate_for_win_timesync_configuration +REPORT-UpdateInterval_for_win_timesync_configuration = 
UpdateInterval_for_win_timesync_configuration +REPORT-FileLogName_for_win_timesync_configuration = FileLogName_for_win_timesync_configuration +REPORT-FileLogEntries_for_win_timesync_configuration = FileLogEntries_for_win_timesync_configuration +REPORT-FileLogSize_for_win_timesync_configuration = FileLogSize_for_win_timesync_configuration +REPORT-FileLogFlags_for_win_timesync_configuration = FileLogFlags_for_win_timesync_configuration +REPORT-Time_zone_for_win_timesync_configuration = Time_zone_for_win_timesync + +###### Time Synchronization ###### +[Script:TimesyncStatus] +DATETIME_CONFIG = CURRENT +LINE_BREAKER = ([\r\n]+)Current time: + +KV_MODE = None + +REPORT-Current_time_for_win_timesync_status = Current_time_for_win_timesync +REPORT-Leap_Indicator_for_win_timesync_status = Leap_Indicator_for_win_timesync_status +REPORT-Stratum_for_win_timesync_status = Stratum_for_win_timesync_status +REPORT-Precision_for_win_timesync_status = Precision_for_win_timesync_status +REPORT-Root_Delay_for_win_timesync_status = Root_Delay_for_win_timesync_status +REPORT-Root_Dispersion_for_win_timesync_status = Root_Dispersion_for_win_timesync_status +REPORT-ReferenceId_for_win_timesync_status = ReferenceId_for_win_timesync_status +REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status +REPORT-Source_for_win_timesync_status = Source_for_win_timesync_status +REPORT-Poll_Interval_for_win_timesync_status = Poll_Interval_for_win_timesync_status +REPORT-Phase_Offset_for_win_timesync_status = Phase_Offset_for_win_timesync_status +REPORT-ClockRate_for_win_timesync_status = ClockRate_for_win_timesync_status +REPORT-State_Machine_for_win_timesync_status = State_Machine_for_win_timesync_status +REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status +REPORT-Server_Role_for_win_timesync_status = Server_Role_for_win_timesync_status +REPORT-Last_Sync_Error_for_win_timesync_status = 
Last_Sync_Error_for_win_timesync_status +REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status +REPORT-Time_zone_for_win_timesync_status = Time_zone_for_win_timesync + +LOOKUP-action_for_win_timesync_status = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action +EVAL-last_sync_time = coalesce(strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S %p"),strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S"),strptime(Last_Successful_Sync_Time, "%d-%m-%Y %H:%M:%S")) + +FIELDALIAS-dest = host as dest +EVAL-resource_type = "system" + +###### Uptime ###### +[WMI:Uptime] +REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous + +FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store +TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store +EVAL-metric_type = "gauge" + +###### User Accounts ###### +[WMI:UserAccounts] +REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name +FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain +FIELDALIAS-status_for_wmi_useraccounts = Status AS status +FIELDALIAS-user_for_wmi_useraccounts = Name AS user +FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id +LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled +FIELDALIAS-description_for_wmi_user_account_status = Description AS description + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Version ###### +[WMI:Version] +REPORT-0Caption_for_wmi_version = Caption_for_wmi_version +LOOKUP-range_for_wmi_version = 
wmi_version_range_lookup sourcetype OUTPUTNEW range +FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family +FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version +EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null()) +FIELDALIAS-description = Caption as description + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid +FIELDALIAS-src_for_wmi = host AS src + +###### Scheduled Jobs ###### +[WMI:ScheduledJobs] +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-src_for_wmi = host AS src + +###### Host Inventory ###### +[WinHostMon] +EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null()) +EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null()) +EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null()) +EVAL-os = if(Type=="OperatingSystem", OS, null()) +EVAL-family = if(Type=="Processor", Architecture, null()) +EVAL-version = if(Type=="OperatingSystem", Version, null()) +EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null()) +EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null()) +EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null()) +EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null()) +EVAL-vendor_product = if(Type=="OperatingSystem", OS, null()) +EVAL-mount = if (Type=="Disk", Name, null()) +EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null()) +EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null()) +EVAL-storage_used = if (Type=="Disk", 
(TotalSpaceKB-FreeSpaceKB)/1024, null()) +EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null()) +EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null()) +EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null()) +EVAL-serial = if(Type=="OperatingSystem", SerialNumber, null()) +EVAL-description = if(Type=="Processor", Name, null()) +EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null()) +EVAL-cpu_architecture = if(Type=="Processor", Architecture, null()) +REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer +REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor +REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service + +FIELDALIAS-dest_for_winhostmon = host as dest +EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?[^"}}\{\{]+)" +EXTRACT-service_for_winhostmon = DisplayName="(?[^"}}\{\{]+)" +EVAL-start_mode = lower(StartMode) + +## Field Mapping for Endpoint Data Model +## For Services Dataset +REPORT-service_exec_for_WinHostMon_service_path_and_exec_name = service_exec_for_WinHostMon_service_path, service_exec_for_WinHostMon_service_exec +FIELDALIAS-process_id_for_winhostmon = ProcessId AS process_id +EXTRACT-service_name_for_winhostmon = DisplayName="(?[^"}}\{\{]+)" + +####WMI:WinEventLog#### +##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:System] +[WMI:WinEventLog:System] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-0severity_for_windows = 
windows_severity_lookup EventCode OUTPUTNEW severity +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + +## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +FIELDALIAS-pid_for_wmi = IDProcess AS pid + +REPORT-bestmatch_for_windows_system = ComputerName_as_dest +REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update +REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2 +REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog +LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status +REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body + +# Legacy field aliases to support ES 2.0.2, Winfra +FIELDALIAS-package_for_windows = signature_id AS package +FIELDALIAS-package_title_for_windows = signature AS package_title + +## Field Mapping for Endpoint Data Model +## For Filesystem Dataset +FIELDALIAS-process_id_for_wmi = IDProcess AS process_id +EVAL-vendor_product = "Microsoft Windows" + +##### Explanation for SEDCMD 
Extractions ##### +## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g + +##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:Security] +[WMI:WinEventLog:Security] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows +EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?.*)(?:\n|\r).*Account Domain:\s*(?[^\n\r]+) + +## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" ) +LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject + +## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +FIELDALIAS-dest_for_wmi = host AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid + +## action, status +## Override action to allow audit log changes to correspond to Change Analysis data model +LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW action,change_type,object_category +LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status +LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status + +## privilege +REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security +REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security +LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege + +FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port +REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security + +EVAL-vendor = "Microsoft" +EVAL-product = "Windows" + +FIELDALIAS-body_for_windows_security = Message AS body +FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status +EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 
1=1 , "failure") + +## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type +LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app +LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app +LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app +LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app +LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app + +## Set the following fields based on order of operations +REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id +REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest +REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain +REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host +REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src +REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip +REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain +REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host 
+REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user +REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user +EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name) +REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id +REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn +REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain +REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4 +REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6 +LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass +EVAL-dest_nt_domain = nullif(dest_nt_domain,"-") + +## Field Mapping for Endpoint Data Model +## For Ports, Services and Processes Datasets +FIELDALIAS-dest_port_for_windows_security = Port AS dest_port +FIELDALIAS-service_id_for_windows_security = Service_ID AS service_id +FIELDALIAS-service_for_windows_security = Service_Name AS service, Service_Name AS service_name +FIELDALIAS-process_name_for_windows_security = Process_Name AS process_name +FIELDALIAS-user_id_for_windows_security = User_ID AS user_id +EVAL-process_id = coalesce('IDProcess','Process_ID') +EVAL-vendor_product = "Microsoft Windows" + 
+##### Explanation for SEDCMD Extractions ##### +## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:" +## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:" +## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:" +## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:" +## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues +## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the infomation text at the end of event starting from "Certificate information is..." before indexing +## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the infomation text at the end of event starting from "Token Elevation Type indicates..." before indexing +## clean_info_text_from_winsecurity_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." 
before indexing + + +##### SEDCMD Extractions ##### +#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g +#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g +#SEDCMD-cleansrcip = s/(Source Network Address:\s*(\:\:1|127\.0\.0\.1))/Source Network Address:/ +#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ +#SEDCMD-remove_ffff = s/::ffff://g +#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g +#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g +#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g + +##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...] +[WMI:WinEventLog:Application] +LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result +FIELDALIAS-category_for_windows = TaskCategory as category +FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc +FIELDALIAS-event_id_for_windows = RecordNumber AS event_id +LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity +LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity +FIELDALIAS-severity_id_for_windows = EventType AS severity_id +FIELDALIAS-id_for_windows = RecordNumber AS id +REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows + + +## Default lookup for EventCode->signature mapping ( i.e. 
EventCode=4625 + SubStaus=null() = "An account failed to log on" ) +LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject + +## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values +EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode) + +FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id + +FIELDALIAS-dest_for_wmi = ComputerName AS dest +FIELDALIAS-pid_for_wmi = IDProcess AS pid + +## Field Mapping for Endpoint Data Model +## For Filesystem Dataset +FIELDALIAS-process_id_for_wmi = IDProcess AS process_id +FIELDALIAS-user_for_wmi = User AS user +EVAL-vendor_product = "Microsoft Windows" + +###### Backward Compatibility ###### + +## Perfmon Disk Space +# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf. +# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. +# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0. +[Perfmon:FreeDiskSpace] +FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount +EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null()) +EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null()) +EVAL-storage_free_percent = if(counter=="% Free Space",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + +## Perfmon CPUTime +# "Perfmon:CPUTime" sourcetype is created from perfmon.conf. +# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. 
+# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less 4.8.0. +[Perfmon:CPUTime] +EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null()) +EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null()) +EVAL-cpu_user_percent = if(counter=="% User Time",Value,null()) +EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null()) + +## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972 +EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + + +## Perfmon LocalNetwork +# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf. +# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated. +# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0. 
+[Perfmon:LocalNetwork] +EVAL-thruput = if(counter=="Bytes Total/sec",Value,null()) +EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null()) + +FIELDALIAS-dest_for_perfmon = host AS dest +FIELDALIAS-src_for_perfmon = host AS src + + +## To provide backward compatibility for WinEventLog and XmlWinEventLog data +## These will be deprecated in future +[WinEventLog:Security] +rename = WinEventLog + +[WinEventLog:Application] +rename = WinEventLog + +[WinEventLog:System] +rename = WinEventLog + +[WinEventLog:System:IAS] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-AppLocker/MSI and Script] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-DNS-Client/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational] +rename = WinEventLog + +[WinEventLog:Setup] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-CAPI2/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-CodeIntegrity/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-Defender/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-LSA/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-NetworkProfile/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration] +rename = WinEventLog + 
+[WinEventLog:Microsoft-Windows-PowerShell/Operational] +rename = WinEventLog + +[WinEventLog:Windows PowerShell] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-PrintService/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-WinRM/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-SMBClient/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-TaskScheduler/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational] +rename = WinEventLog + +[WinEventLog:Microsoft-Windows-Windows Defender/Operational] +rename = WinEventLog + +[XmlWinEventLog:Security] +rename = XmlWinEventLog + +[XmlWinEventLog:Application] +rename = XmlWinEventLog + +[XmlWinEventLog:System] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-DNS-Client/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Setup] +rename = 
XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-CAPI2/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-CodeIntegrity/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-Defender/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-LSA/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-NetworkProfile/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-PowerShell/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Windows PowerShell] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-PrintService/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-WinRM/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-SMBClient/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational] +rename = XmlWinEventLog + +[XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational] +rename = XmlWinEventLog + 
+[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational] +rename = XmlWinEventLog + + +###### Rename stanzas for TA-AD WinEventLog sourcetypes ###### +[WinEventLog:DFS-Replication] +rename = WinEventLog + +[WinEventLog:Directory-Service] +rename = WinEventLog + +[WinEventLog:File-Replication-Service] +rename = WinEventLog + +[WinEventLog:Key-Management-Service] +rename = WinEventLog + + +###### Rename stanzas for TA-DNS WinEventLog sourcetypes ###### +[WinEventLog:DNS-Server] +rename = WinEventLog + +## Scripted input for collecting local ip config +[Script:NetworkConfiguration] +SHOULD_LINEMERGE = false +LINE_BREAKER = ([\r\n]+)(Configuration for interface ) +KV_MODE = none +TRUNCATE = 0 + +EXTRACT-netshaddressif=Configuration for interface \"(?[^\"]+) +EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?(Yes|No)) +EXTRACT-netshaddressip=IP Address\:\s+(?[\d\.]+) +EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?[^\s]+) +EXTRACT-netshaddressmask=mask (?[^\)]+) +EXTRACT-netshaddressgw=Gateway\:\s+(?[\d\.]+) +EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?\d+) + + +###### Extractions moved from TA-AD ###### +[MSAD:NT6:Health] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false + +[MSAD:NT6:SiteInfo] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets + +[MSAD:NT6:Replication] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false + +[MSAD:NT6:Netlogon] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[)) +EXTRACT-subnetaffinity = \s(?[^:]+): (?NO_CLIENT_SITE): (?[^\s]+) (?[0-9A-Fa-f:\.]+) + +[MSAD:SubnetAffinity] +EXTRACT-subnetaffinity = (?\w+): NO_CLIENT_SITE: (?\w+) (?[0-9\.]+) + + +###### Extractions moved from TA-DNS ###### +[MSAD:NT6:DNS-Zone-Information] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false + +[MSAD:NT6:DNS-Health] +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false 
+TRUNCATE = 0 +REPORT-mvcheck = DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV + +[MSAD:NT6:DNS] +KV_MODE = none +LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2}) +# Load balancing on UF +EVENT_BREAKER_ENABLE = true +EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2}) +SHOULD_LINEMERGE = false +CHECK_FOR_HEADER = false +EXTRACT-singleLine = (?[0-9A-Fa-f]+)\s+(?PACKET)\s+(?[0-9A-Fa-f]*) (?UDP|TCP) (?\w+) (?[0-9A-Fa-f\.\:]+)\s+(?[0-9A-Fa-f]+)\s+(?[ R]) (?.) \[(?[0-9A-Fa-f]+) (?....) (?[^\]]+)\]\s+(?:QTYPE\s+)?(?\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?[^\n]*)\(0\) +EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION) +EVAL-query = replace(questionname,"(?:\(\d+\))",".") +FIELDALIAS-record_type = questiontype AS record_type +FIELDALIAS-query = questionname AS query +FIELDALIAS-src = src_ip AS src +FIELDALIAS-dest = host AS dest +FIELDALIAS-transaction_id = packetid AS transaction_id +FIELDALIAS-transport = protocol AS transport +FIELDALIAS-vendor_query_type = opcode AS vendor_query_type +EVAL-message_type = if(operation=="R","Response", "Query") +EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype +EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]","")) +EVAL-vendor_product = "Microsoft Windows" +REPORT-Multi_answer = Answer_multi_value +REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count +LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type +LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id +LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class 
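Review bot: in the `[MSAD:NT6:DNS]` stanza, `EXTRACT-singleLine` contains `(:?\(\d+\))?`, a capturing group with an optional leading colon, where the non-capturing `(?:\(\d+\))?` form used earlier in the same expression (`(?:QTYPE\s+)?`, `(?:QCLASS\s+\d+\s+)?`) is clearly intended; correct it so the extraction neither accepts a stray colon nor adds an unnamed capture. Related: every `EXTRACT-*` regex in this hunk renders with nameless groups, for example `(?[^\"]+)` in `[Script:NetworkConfiguration]` and `(?.*)` in `EXTRACT-group_change_groupname`, which is invalid PCRE as shown; confirm the committed file carries the `(?<field>...)` names, since the `LOOKUP-`, `FIELDALIAS-` and `EVAL-` entries depend on those field names existing. The "Explanation for SEDCMD Extractions" comments describe text that is removed "before indexing", yet every `SEDCMD-*` line beneath them is commented out, so either note that these are disabled by default and must be enabled in `local/`, or drop the explanation. `[WMI:WinEventLog:Security]` maps `dest` from `host` while `[WMI:WinEventLog:Application]` maps it from `ComputerName`; add a comment explaining the difference or make the two consistent. `TRUNCATE = 0` in `[Script:NetworkConfiguration]` and `[MSAD:NT6:DNS-Health]` removes the per-event size limit entirely; unless events of unbounded size are expected there, a finite limit is the safer default. Spelling: "infomation" (information), "SubStaus" (SubStatus), "formater" (formatter), and "less 4.8.0" in the `[Perfmon:CPUTime]` comment should read "less than 4.8.0" as in the neighbouring stanzas.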
diff --git a/apps/Splunk_TA_windows/default/tags.conf b/apps/Splunk_TA_windows/default/tags.conf new file mode 100644 index 00000000..567e9869 --- /dev/null +++ b/apps/Splunk_TA_windows/default/tags.conf 
@@ -0,0 +1,674 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. + +###### Global Windows Eventtype ###### + +[eventtype=windows_event_signature] +track_event_signatures = enabled + +[eventtype=wineventlog_windows] +os = enabled +windows = enabled + +[eventtype=wineventlog_application] +os = enabled +windows = enabled + +[eventtype=wineventlog_system] +os = enabled +windows = enabled + +[eventtype=wineventlog_security] +os = enabled +windows = enabled + +[eventtype=perfmon_windows] +os = enabled +windows = enabled + +[eventtype=perfmon_processorinformation] +process = enabled +report = enabled +performance = enabled +cpu = enabled + +[eventtype=hostmon_windows] +os = enabled +windows = enabled + +[eventtype=hostmon_os] +os = enabled +windows = enabled +memory = enabled +performance = enabled +oshost = enabled + +[eventtype=hostmon_inventory] +os = enabled +inventory = enabled +cpu = enabled +memory = enabled +oshost = enabled + +[eventtype=hostmon_disk] +performance = enabled +inventory = enabled +storage = enabled +oshost = enabled + +[eventtype=netmon_windows] +os = enabled +windows = enabled + +[eventtype=printmon_windows] +os = enabled +windows = enabled + +[eventtype=script_windows] +os = enabled +windows = enabled + +[eventtype=wmi_windows] +os = enabled +windows = enabled + +[eventtype=windowsupdatelog_windows] +os = enabled +windows = enabled + +[eventtype=winregistry_windows] +os = enabled +windows = enabled +endpoint = enabled +change = enabled +registry = enabled + +[eventtype=winsec] +security = enabled + + +###### DHCP ###### +[eventtype=msdhcp] +dhcp = enabled +network = enabled +session = enabled +windows = enabled + 
+[eventtype=msdhcp_start] +start = enabled + +[eventtype=msdhcp_end] +end = disabled + +[eventtype=DhcpSrvLog] +windows = enabled + +[eventtype=DhcpSrvLog_dhcp] +dhcp = enabled +network = enabled +session = enabled + +[eventtype=DhcpSrvLog_start] +dhcp = enabled +network = enabled +session = enabled +start = enabled + +[eventtype=DhcpSrvLog_end] +dhcp = enabled +network = enabled +session = enabled +end = enabled + + +###### Security: Account Logon ###### +[eventtype=windows_auth_ticket_granted] +authentication = enabled + +[eventtype=windows_service_ticket_granted] +authentication = enabled + +[eventtype=windows_pre_auth_failed] +authentication = enabled + +[eventtype=windows_account_used4logon] +authentication = enabled + +[eventtype=windows_session_disconnected] +access = enabled +stop = enabled +logoff = enabled + + +###### Security: Account Management ###### +[eventtype=windows_account_management] +account = enabled +change = enabled +management = enabled + +[eventtype=windows_account_created] +add = enabled +account = enabled +change = enabled + +[eventtype=windows_account_enabled] +enable = enabled +account = enabled +change = enabled + +[eventtype=windows_account_password_change] +password = enabled +modify = enabled +account = enabled +change = enabled + +[eventtype=windows_account_password_set] +password = enabled +modify = enabled +account = enabled +change = enabled + +[Service_Name=kadmin%2Fchangepw] +account = enabled +change = enabled +password = enabled +modify = enabled + +[eventtype=windows_account_disabled] +disable = enabled +account = enabled +change = enabled + +[eventtype=windows_account_deleted] +delete = enabled +account = enabled +change = enabled + +[eventtype=windows_account_modified] +modify = enabled +account = enabled +change = enabled + +[eventtype=windows_account_lockout] +lock = enabled +lockout = enabled +account = enabled +change = enabled + +[eventtype=windows_account_unlocked] +modify = enabled +account = enabled +change = 
enabled + +###### Security: Audit (Event Log) ###### +[eventtype=windows_audit_log_stopped] +stop = enabled +stopped = enabled +watchlist = enabled + +[eventtype=windows_audit_errors] +audit = enabled +error = enabled + +[eventtype=windows_audit_log_cleared] +audit = enabled +change = enabled +delete = enabled +cleared = enabled +watchlist = enabled + +[eventtype=windows_audit_backup] +audit = enabled +backup = enabled +change = enabled + +[eventtype=windows_audit_log_logon] +audit = enabled +change = enabled + +[privilege_id=SeAuditPrivilege] +audit = enabled + +[privilege_id=SeSecurityPrivilege] +audit = enabled + + +###### Security: Logon/Logoff ###### +[eventtype=windows_logoff] +access = enabled +stop = enabled +logoff = enabled + +[eventtype=windows_logon_explicit] +authentication = enabled +privileged = enabled + +[eventtype=windows_logon_failure] +authentication = enabled + +[app=win%3Alocal] +local = enabled + +[app=win%3Aremote] +remote = enabled + +[eventtype=windows_logon_success] +authentication = enabled + +[Logon_Type=8] +cleartext = enabled + + +###### Security: Object Access ###### +[eventtype=windows_object_open] +resource = enabled +file = enabled +access = enabled +start = enabled + +[eventtype=windows_handle_closed] +resource = enabled +file = enabled +access = enabled +stop = enabled + + +###### Security: Policy Change ###### +[eventtype=windows_audit_policy_change] +policy = enabled +configuration = enabled +modify = enabled +audit = enabled +change = enabled + +[eventtype=windows_security_access_granted] +access = enabled +authorization = enabled +add = enabled +change = enabled +account = enabled + +[eventtype=windows_security_access_removed] +access = enabled +authorization = enabled +delete = enabled +change = enabled +account = enabled + +[eventtype=windows_audit_policy_changed] +policy = enabled +configuration = enabled +modify = enabled +audit = enabled +change = enabled + +[eventtype=windows_firewall_policy_active] +application = 
enabled +firewall = enabled +configuration = enabled +report = enabled + +[eventtype=windows_firewall_policy_change] +application = enabled +firewall = enabled +configuration = enabled +modify = enabled + +[eventtype=windows_firewall_port_listening] +application = enabled +firewall = enabled +port = enabled +listening = enabled +report = enabled + + +###### Security: Privilege Use ###### +[eventtype=windows_special_privileges] +authentication = enabled +privileged = enabled + +[eventtype=windows_privileged_service_call] +process = enabled +execute = enabled +start = enabled +privileged = enabled + +[eventtype=windows_privileged_object_operation] +resource = enabled +execute = enabled +start = enabled +privileged = enabled + + +###### Security: Process Tracking ###### +[eventtype=windows_process_new] +process = enabled +execute = enabled +start = enabled + +[eventtype=windows_process_exit] +process = enabled +execute = enabled +stop = enabled + +[eventtype=windows_process_token] +process = enabled +execute = enabled +start = enabled +privileged = enabled + +[Token_Elevation_Type_id=2] +privileged = enabled + + +###### Security: System ###### +[eventtype=windows_auth_package] +process = enabled +execute = enabled +start = enabled + +[eventtype=windows_logon_process] +process = enabled +authorization = enabled +add = enabled + +[eventtype=windows_notification_package] +process = enabled +execute = enabled +start = enabled + + +###### Security: Vulnerability ###### +[eventtype=windows_security_misconfiguration_password_minimum_length] +misconfiguration = enabled +password = enabled +policy = enabled +vulnerability = enabled +report = enabled +audit = enabled +change = enabled + + +###### System: Time ###### +[eventtype=windows_time_sync] +report = enabled +time = enabled +synchronize = enabled +success = enabled +performance = enabled + +[eventtype=windows_time_failure] +report = enabled +time = enabled +synchronize = enabled +failure = enabled +performance = enabled + 
+ +###### System: Update ###### +[eventtype=windows_system_update] +system = enabled +update = enabled + +[eventtype=windows_system_update_status] +status = enabled + +[eventtype=windows_updatelog] +system = enabled +update = enabled + +[eventtype=windows_updatelog_status] +status = enabled + +## WMI:Update +[eventtype=wmi_installed_packages] +system = enabled +update = enabled +status = enabled + + +###### Splunk WMI ###### + +## ComputerSystem +[eventtype=wmi_computersystem] +performance = enabled +memory = enabled + +## CPUTime +[eventtype=perfmon_cputime] +cpu = enabled +report = enabled +performance = enabled +oshost = enabled + +[eventtype=perfmon_cputime_anomalous] +anomalous = enabled + +[eventtype=wmi_cputime] +cpu = enabled +report = enabled +performance = enabled + +[eventtype=wmi_cputime_anomalous] +anomalous = enabled + +## System +[eventtype=perfmon_system] +cpu = enabled +report = enabled +performance = enabled +oshost = enabled + +## Disk +[eventtype=perfmon_freediskspace] +disk = enabled +report = enabled +performance = enabled +storage = enabled +oshost = enabled + +[eventtype=perfmon_freediskspace_anomalous] +anomalous = enabled + +[eventtype=wmi_freediskspace] +disk = enabled +report = enabled +performance = enabled +storage = enabled + +[eventtype=wmi_freediskspace_anomalous] +anomalous = enabled + +[eventtype=perfmon_logicaldisk] +disk = enabled +performance = enabled +storage = enabled +oshost = enabled + +[eventtype=wmi_logicaldisk] +disk = enabled +performance = enabled +storage = enabled + +## Network +[eventtype=perfmon_network] +network = enabled +performance = enabled +oshost = enabled + +[eventtype=perfmon_network_throughput] +network = enabled +performance = enabled +oshost = enabled + +[eventtype=perfmon_network_bandwidth] +network = enabled +performance = enabled +oshost = enabled + +[eventtype=wmi_network_throughput] +network = enabled +performance = enabled + +[eventtype=wmi_network_bandwidth] +network = enabled +performance = 
enabled + +## Process +[eventtype=perfmon_process] +performance = enabled +process = enabled +oshost = enabled +report = enabled + +## Listening Ports +[eventtype=script_listeningports] +port = enabled +listening = enabled +report = enabled + +## Local Processes +[eventtype=wmi_localprocesses] +process = enabled +report = enabled + +[eventtype=wmi_localprocesses_anomalous] +anomalous = enabled + +## Memory +[eventtype=perfmon_memory] +memory = enabled +report = enabled +performance = enabled +oshost = enabled + +[eventtype=perfmon_memory_anomalous] +anomalous = enabled + +[eventtype=wmi_memory] +memory = enabled +report = enabled +performance = enabled + +[eventtype=wmi_memory_anomalous] +anomalous = enabled + +## Service +[eventtype=wmi_service] +service = enabled +report = enabled + +[eventtype=wmi_service_status_anomalous] +anomalous = enabled + +[eventtype=wmi_service_state_anomalous] +anomalous = enabled + +[app=W32Time] +time = enabled +synchronize = enabled + +[app=wuauserv] +automatic = enabled +update = enabled + +## Uptime +[eventtype=wmi_uptime] +uptime = enabled +report = enabled +performance = enabled + +[eventtype=wmi_uptime_anomalous] +anomalous = enabled + +## User Accounts +[eventtype=wmi_useraccounts] +account = enabled +report = enabled + +inventory = enabled +user = enabled + +## Version +[eventtype=wmi_version] +system = enabled +version = enabled +report = enabled + +inventory = enabled + + +[eventtype=windows_account_mapped] +authentication = enabled + +[eventtype=windows_account_notmapped] +authentication = enabled + +[eventtype=microsoft_windows_hostmon_process] +process = enabled +report = enabled + +[eventtype=microsoft_windows_hostmon_service] +service = enabled +report = enabled + +[eventtype=microsoft_windows_hostmon_service_time] +time = enabled +synchronize = enabled +os = enabled +performance = enabled + +## Endpoint.processes Data Model +[eventtype=windows_endpoint_processes] +process = enabled +report = enabled + +## 
Endpoint.services Data Model +[eventtype=windows_endpoint_services] +service = enabled +report = enabled + +## Security-CIM Mappings + +## Endpoint Registry Data Model +[eventtype=windows_security_endpoint_registry] +endpoint = enabled +registry = enabled + +## Endpoint Port Data Model +[eventtype=windows_security_endpoint_port] +listening = enabled +port = enabled + +## Change Audit Data Model +[eventtype=windows_security_change_audit] +change = enabled +audit = enabled + +## Change Data Model +[eventtype=windows_security_change] +change = enabled + +# Authentication Data Model +[eventtype=windows_security_authentication] +authentication = enabled + +[eventtype=windows_security_change_account] +change = enabled +account = enabled + +# Change Audit DM for Windows System +[eventtype=windows_system_change_audit] +change = enabled +audit = enabled + +# Network resolution (dns) DM for DNS events. +[eventtype=nt6-dns-events] +network = enabled +resolution = enabled +dns = enabled diff --git a/apps/Splunk_TA_windows/default/transforms.conf b/apps/Splunk_TA_windows/default/transforms.conf new file mode 100644 index 00000000..df2538b8 --- /dev/null +++ b/apps/Splunk_TA_windows/default/transforms.conf 
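Review bot: `[eventtype=msdhcp_end]` sets `end = disabled` while `[eventtype=msdhcp_start]` sets `start = enabled` and the parallel `[eventtype=DhcpSrvLog_end]` sets `end = enabled`; in tags.conf `disabled` is an explicit negative assignment, so if this is deliberate a comment should say why, otherwise change it to `enabled`. Style: `[eventtype=wmi_useraccounts]` and `[eventtype=wmi_version]` have a blank line inside the stanza before `inventory = enabled`; Splunk still attaches those keys to the stanza above, but a reader may take them for orphaned settings, so remove the blank lines. The section comments near the end switch from `##` to `#` (`# Authentication Data Model`, `# Change Audit DM for Windows System`, `# Network resolution (dns) DM for DNS events.`); keep the `##` convention used throughout the file.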
@@ -0,0 +1,1482 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## + +###### Active Directory ###### +[user_account_control_property] +external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlag +external_type = python +fields_list = userAccountControl,userAccountPropertyFlag +python.version = python3 + + + + +###### DHCP ###### +[dhcp_discard_headers] +REGEX = ^(?:[^\d]+|\d+[^\d,]) +DEST_KEY = queue +FORMAT = nullQueue + +[auto_kv_for_microsoft_dhcp] +DELIMS = "," +FIELDS = msdhcp_id,date,time,description,ip,nt_host,mac,msdhcp_user,transaction_id,qresult,probation_time,correlation_id,dhc_id,vendorclass_hex,vendorclass_ascii,userclass_hex,userclass_ascii,relay_agent_information,dns_reg_error + +[microsoft_dhcp_dest_dns] +SOURCE_KEY = nt_host +REGEX = (?[^\.]+\.\w+)$ + +[msdhcp_signature_lookup] +filename = msdhcp_signatures.csv + +## IAS (Currently WinEventLog Support Only) +[force_source_system_ias_for_wineventlog] +DEST_KEY = MetaData:Source +REGEX = SourceName\=IAS +FORMAT = source::WinEventLog:System:IAS + + +###### All Windows Event Log ###### + +## Lookups +[windows_severity_lookup] +filename = windows_severities.csv +case_sensitive_match = false + +[xmlwindows_severity_lookup] +filename = xmlwindows_severities.csv +case_sensitive_match = false + +[xmlwindows_task_category_lookup] +filename = xmlwindows_task_category.csv +case_sensitive_match = false + +[windows_signature_lookup] +filename = windows_signatures_900.csv + +[windows_signature_lookup2] +filename = windows_signatures_substatus_850.csv + +[windows_eventtype_lookup] +filename = windows_eventtypes.csv + +## REPORT +[file_path-file_name_for_windows] 
+SOURCE_KEY = Image_File_Name +REGEX = ^(.*[\\/]+)*(.*)$ +FORMAT = file_path::$1 file_name::$2 + + +####### Windows Security Event Log ###### + +## Lookups +[windows_action_lookup] +filename = windows_actions.csv + +[windows_app_lookup] +filename = windows_apps.csv + +[windows_audit_changes_lookup] +filename = windows_audit_changes_900.csv + +[windows_privilege_lookup] +filename = windows_privileges.csv + +[MSADGroupType] +filename=msad_group_type.csv +max_matches=1 + +[xmlsecurity_eventcode_action_lookup] +filename = xmlsecurity_eventcode_action.csv + +[xmlsecurity_eventcode_action_lookup_multiinput] +filename = xmlsecurity_eventcode_action_multiinput.csv +case_sensitive_match = false + +[xmlsecurity_eventcode_errorcode_action_lookup] +filename = xmlsecurity_eventcode_errorcode_action.csv +case_sensitive_match = false + +## REPORT +[vendor_privilege_sv_for_windows_security] +SOURCE_KEY = Message +REGEX = (?s)^\s*(?:Privileges|Assigned):?\s+(.*?)(?:^[^:]+:) +FORMAT = vendor_privilege::$1 + +[vendor_privilege_mv_for_windows_security] +SOURCE_KEY = Message +REGEX = (?s)^\s*(?:Privileges|Assigned):\s+(.*) +FORMAT = vendor_privilege::$1 + +[privilege_id_for_windows_security] +SOURCE_KEY = vendor_privilege +REGEX = ^([^\r\n]+) +FORMAT = privilege_id::$1 +MV_ADD = True + +[Token_Elevation_Type_id_for_windows_security] +SOURCE_KEY = Token_Elevation_Type +REGEX = ^[^\d]+(\d+) +FORMAT = Token_Elevation_Type_id::$1 + +## Aliases +[Logon_ID_as_session_id] +SOURCE_KEY = Logon_ID +REGEX = (?:(?:[^\n]+)\n)?(.*) +FORMAT = session_id::"$1" + +[Client_Logon_ID_as_session_id] +SOURCE_KEY = Client_Logon_ID +REGEX = (.+) +FORMAT = session_id::"$1" + +[Caller_Logon_ID_as_session_id] +SOURCE_KEY = Caller_Logon_ID +REGEX = (.+) +FORMAT = session_id::"$1" + +[Target_Server_Name_as_dest] +SOURCE_KEY = Target_Server_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = dest::"$1" + +[ComputerName_as_dest] +SOURCE_KEY = ComputerName +REGEX = (?:[\\]+)?([^-].*) +FORMAT = dest::"$1" + +[Computer_as_dest] 
+REGEX = ([^<]+)<\/Computer> +FORMAT = dest::$1 + +[Computer_as_src] +REGEX = ([^<]+)<\/Computer> +FORMAT = src::$1 + +[Target_Server_Name_as_dest_nt_host] +SOURCE_KEY = Target_Server_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = dest_nt_host::"$1" + +[ComputerName_as_dest_nt_host] +SOURCE_KEY = ComputerName +REGEX = (?:[\\]+)?([^-].*) +FORMAT = dest_nt_host::"$1" + +[SubjectDomainName_as_dest_nt_domain] +SOURCE_KEY = SubjectDomainName +REGEX = (.+) +FORMAT = dest_nt_domain::$1 + +[Target_Domain_as_dest_nt_domain] +SOURCE_KEY = Target_Domain +REGEX = (?:(?:[^\n]+)\n)?(.+) +FORMAT = dest_nt_domain::"$1" + +[Primary_Domain_as_dest_nt_domain] +SOURCE_KEY = Primary_Domain +REGEX = (?:(?:[^\n]+)\n)?(.+) +FORMAT = dest_nt_domain::"$1" + +[Group_Domain_as_dest_nt_domain] +SOURCE_KEY = Group_Domain +REGEX = (?:(?:[^\n]+)\n)?(.+) +FORMAT = dest_nt_domain::"$1" + +[Account_Domain_as_dest_nt_domain] +SOURCE_KEY = Account_Domain +REGEX = (?:(?:[^\n]+)\n)?(.+) +FORMAT = dest_nt_domain::"$1" + +[New_Domain_as_dest_nt_domain] +SOURCE_KEY = New_Domain +REGEX = (?:(?:[^\n]+)\n)?(.+) +FORMAT = dest_nt_domain::"$1" + +[Domain_as_dest_nt_domain] +SOURCE_KEY = Domain +REGEX = (?:(?:[^\n]+)\n)?(.+) +FORMAT = dest_nt_domain::"$1" + +[User_ID_as_dest_nt_domain] +SOURCE_KEY = User_ID +REGEX = (.+)[\\] +FORMAT = dest_nt_domain::"$1" + +[Security_ID_as_dest_nt_domain] +SOURCE_KEY = Security_ID +REGEX = (.+)[\\] +FORMAT = dest_nt_domain::"$1" + +[Supplied_Realm_Name_as_dest_nt_domain] +SOURCE_KEY = Supplied_Realm_Name +REGEX = (.+) +FORMAT = dest_nt_domain::"$1" + +[Target_Account_ID_as_dest_nt_domain] +SOURCE_KEY = Target_Account_ID +REGEX = (.+)[\\] +FORMAT = dest_nt_domain::"$1" + +[Workstation_Name_as_src] +SOURCE_KEY = Workstation_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src::"$1" + +[Caller_Machine_Name_as_src] +SOURCE_KEY = Caller_Machine_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src::"$1" + +[Client_Machine_Name_as_src] +SOURCE_KEY = Client_Machine_Name +REGEX = (?:[\\]+)?([^-].*) 
+FORMAT = src::"$1" + +[Source_Network_Address_as_src] +SOURCE_KEY = Source_Network_Address +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src::"$1" + +[Client_Address_as_src] +SOURCE_KEY = Client_Address +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src::"$1" + +[Source_Workstation_as_src] +SOURCE_KEY = Source_Workstation +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src::"$1" + +[Subject_Security_ID_as_src] +REGEX = (?s)(?:Subject)\s*:.*?Security\sID:[ \t]*(.*?)[\\|\n] +FORMAT = src_subject_security_id::"$1" + +[Subject_User_ID_as_src] +SOURCE_KEY = SubjectUserSid +REGEX = (?!^-$)(.+)[\\] +FORMAT = src_subject_user_id::"$1" + +[Source_Network_Address_as_src_ip] +SOURCE_KEY = Source_Network_Address +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_ip::"$1" + +[Client_Address_as_src_ip] +SOURCE_KEY = Client_Address +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_ip::"$1" + +[Caller_Domain_as_src_nt_domain] +SOURCE_KEY = Caller_Domain +REGEX = (?!^-$)(.+) +FORMAT = src_nt_domain::"$1" + +[Client_Domain_as_src_nt_domain] +SOURCE_KEY = Client_Domain +REGEX = (?!^-$)(.+) +FORMAT = src_nt_domain::"$1" + +[Account_Domain_as_src_nt_domain] +SOURCE_KEY = Account_Domain +REGEX = (?!^-$)([^\n]+)\n +FORMAT = src_nt_domain::"$1" + +[Domain_as_src_nt_domain] +SOURCE_KEY = Domain +REGEX = (?!^-$)(.+) +FORMAT = src_nt_domain::"$1" + +[New_Security_ID_as_src_nt_domain] +REGEX = (?s)(?:Subject|User|Account\sInformation)\s*:.*?Security\sID:[ \t]*(.*?)[\\|\n] +FORMAT = src_nt_domain::"$1" + +[Security_ID_as_src_nt_domain] +SOURCE_KEY = Security_ID +REGEX = (?!^-$)(.+)[\\] +FORMAT = src_nt_domain::"$1" + +[Workstation_Name_as_src_nt_host] +SOURCE_KEY = Workstation_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_nt_host::"$1" + +[Caller_Machine_Name_as_src_nt_host] +SOURCE_KEY = Caller_Machine_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_nt_host::"$1" + +[Client_Machine_Name_as_src_nt_host] +SOURCE_KEY = Client_Machine_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_nt_host::"$1" + +[Caller_Computer_Name_as_src_nt_host] 
+SOURCE_KEY = Caller_Computer_Name +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_nt_host::"$1" + +[Source_Workstation_as_src_nt_host] +SOURCE_KEY = Source_Workstation +REGEX = (?:[\\]+)?([^-].*) +FORMAT = src_nt_host::"$1" + +[Caller_User_Name_as_src_user] +SOURCE_KEY = Caller_User_Name +REGEX = (?!^-$)(.+) +FORMAT = src_user::"$1" + +[Client_User_Name_as_src_user] +SOURCE_KEY = Client_User_Name +REGEX = (?!^-$)(.+) +FORMAT = src_user::"$1" + +[Account_Name_as_src_user] +SOURCE_KEY = Account_Name +REGEX = (?!^-$)([^\n]+)\n +FORMAT = src_user::"$1" + +[User_Name_as_src_user] +SOURCE_KEY = User_Name +REGEX = (?!^-$)(.+) +FORMAT = src_user::"$1" + +[Target_User_Name_as_user] +SOURCE_KEY = Target_User_Name +REGEX = (.+) +FORMAT = user::"$1" + +[Primary_User_Name_as_user] +SOURCE_KEY = Primary_User_Name +REGEX = (.+) +FORMAT = user::"$1" + +[Target_Account_Name_as_user] +SOURCE_KEY = Target_Account_Name +REGEX = (.+) +FORMAT = user::"$1" + +[New_Account_Name_as_user] +SOURCE_KEY = New_Account_Name +REGEX = (.+) +FORMAT = user::"$1" + +[User_Name_as_user] +SOURCE_KEY = User_Name +REGEX = (.+) +FORMAT = user::"$1" + +[Account_Name_as_user] +SOURCE_KEY = Account_Name +REGEX = (?:(?:[^\n]*)\n)?([^\n]*) +FORMAT = user::"$1" + +## Security-CIM Mappings + +[Special_Account_Name_as_user] +SOURCE_KEY = Account_Name +REGEX = (?:(?:[^\n]*)\n)?(?:(?:CN|cn)=)?([^\n]*?),.* +FORMAT = user::"$1" + +## End Security-CIM Mappings + +[User_as_user] +SOURCE_KEY = User +REGEX = (?:[^\\]+\\)?(.+) +FORMAT = user::"$1" + +# Event Code 4776 (and possibly others) +# See also: [Logon_account_as_user] +[Logon_Account_as_user] +SOURCE_KEY = Logon_Account +REGEX = (?:[^\\]+\\)?(.+) +FORMAT = user::"$1" + +# Event Code 680 (and possibly others) +# See also: [Logon_Account_as_user] +[Logon_account_as_user] +SOURCE_KEY = Logon_account +REGEX = (?:[^\\]+\\)?(.+) +FORMAT = user::"$1" + +[Security_ID_as_user] +SOURCE_KEY = Security_ID +REGEX = (?:[^\\]+\\)?(.+) +FORMAT = user::"$1" + +[Member_ID_as_member_id] 
+SOURCE_KEY = Member_ID +REGEX = (?:[^\\]+\\)?(.+) +FORMAT = member_id::"$1" + +[Security_ID_as_member_id] +SOURCE_KEY = Security_ID +REGEX = (.+) +FORMAT = member_id::"$1" + +[Member_Name_as_member_dn] +SOURCE_KEY = Member_Name +REGEX = (.+) +FORMAT = member_dn::"$1" + +[Account_Name_as_member_dn] +SOURCE_KEY = Account_Name +REGEX = (.+) +FORMAT = member_dn::"$1" + +[Member_ID_as_member_nt_domain] +SOURCE_KEY = Member_ID +REGEX = ([^\\]+\\)?(?:.+) +FORMAT = member_nt_domain::"$1" + +[Security_ID_as_member_nt_domain] +SOURCE_KEY = Security_ID +REGEX = ([^\\]+\\)?(?:.+) +FORMAT = member_nt_domain::"$1" + +[msad_action_from_Group_Type_Change] +SOURCE_KEY = Group_Type_Change +REGEX = Security (Enabled|Disabled) (\w+) Group (Changed) to Security (Enabled|Disabled) (\w+) Group[:\.] +FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3" MSADNewGroupClassID::"$4" MSADNewGroupType::"$5" + +[msad_action_from_Change_Type] +SOURCE_KEY = Change_Type +REGEX = Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group Changed to Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group[.:] +FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" MSADNewGroupClassID::"$3" MSADNewGroupType::"$4" + +[msad_action_from_Description1] +SOURCE_KEY = Description +REGEX = Security (Enabled|Disabled) (\w+) Group (.*?)[:\.] +FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3" + +[msad_action_from_Description2] +SOURCE_KEY = Description +REGEX = Computer Account (.*?)[:\.] +FORMAT = msad_action::"$1" + +[msad_action_from_Description3] +SOURCE_KEY = Description +REGEX = User Account (.*?)[:\.] +FORMAT = msad_action::"$1" + +[msad_action_from_raw1] +SOURCE_KEY = _raw +REGEX = (?ms).*A computer account was (.*?)[:\.] +FORMAT = msad_action::"$1" + +[msad_action_from_raw2] +SOURCE_KEY = _raw +REGEX = (?ms).*A user account was (.*?)[:\.] +FORMAT = msad_action::"$1" + +[msad_action_from_raw3] +SOURCE_KEY = _raw +REGEX = (?ms).*An attempt was made to (.*?)[:\.] 
+FORMAT = msad_action::"$1" + +[msad_action_from_raw4] +SOURCE_KEY = _raw +REGEX = (?ms)EventCode=(4781|4912)\s*\n.*Message=(?:.*?)[:\.] +FORMAT = msad_action::"$1" + +[msad_attribute_changes_from_raw1] +SOURCE_KEY = _raw +REGEX = (?ms).*Changed Attributes:\s*\n(.*?)\s*\n\s*Additional Information: +FORMAT = MSADChangedAttributes::"$1" + +[msad_attribute_changes_from_raw2] +SOURCE_KEY = _raw +REGEX = (?ms).*Attributes:\s*\n(.*?)\s*\n\s*Additional Information: +FORMAT = MSADChangedAttributes::"$1" + +[msad_attribute_changes_from_raw3] +SOURCE_KEY = _raw +REGEX = (?ms).*Changed Attributes:\s*\n(.*) +FORMAT = MSADChangedAttributes::"$1" + +[msad_attribute_changes_from_raw4] +SOURCE_KEY = _raw +REGEX = (?ms)EventCode=(?:624|645|4720|4741).*Attributes:\s*\n(.*) +FORMAT = MSADChangedAttributes::"$1" + +[msad_attribute_changes_from_raw5] +SOURCE_KEY = _raw +REGEX = (?ms).*Category Settings:\s*\n(.*) +FORMAT = MSADChangedAttributes::"$1" + +[msad_attribute_changes_from_raw6] +SOURCE_KEY = _raw +REGEX = (?ms).*Policy Change Details:\s*\n(.*) +FORMAT = MSADChangedAttributes::"$1" + +###### Windows System Event Log ###### +[signature_for_windows_system_timesync] +SOURCE_KEY = Message +REGEX = ((?:The\s+time\s+provider\s+\w+\s+is\s+configured\s+to\s+acquire\s+time\s+from\s+one\s+or\s+more\s+time\s+sources\,\s+however\s+none\s+of\s+the\s+sources\s+are\s+currently\s+accessible)|(?:The\s+time\s+service\s+is\s+now\s+synchronizing\s+the\s+system\s+time\s+with\s+the\s+time\s+source)|(?:Time\s+Provider\s+\w+\:\s+An\s+error\s+occurred\s+during\s+DNS\s+lookup\s+of\s+the\s+manually\s+configured\s+peer)) +FORMAT = signature::$1 + +[signature_message_for_windows_system_update] +REGEX = Installation Ready: The following updates are downloaded and ready for installation.*?:\s*((?:.*[\r\n])*.*) +FORMAT = signature_message::$1 + +[signature_for_windows_system_update] +REGEX = Windows successfully installed the following update:\s+(.*) +FORMAT = signature::"$1" + 
+[signature_for_windows_system_update2] +SOURCE_KEY = signature_message +REGEX = -\s+([^\r\n]+) +FORMAT = signature::$1 +MV_ADD = True + +[user_for_windows_system_ias] +REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was +FORMAT = user::"$1" + +[service_name_eventcode_7036] +SOURCE_KEY = Message +REGEX = ^The (.*) service entered the (.*) state\. +FORMAT = Service_Name::"$1" status::"$2" + +[ServiceName_as_service_name] +SOURCE_KEY = param1 +REGEX = (.+) +FORMAT = ServiceName::"$1" + +[service_name_eventcode_7040] +SOURCE_KEY = Message +REGEX = ^The start type of the (.*) service was changed from .* to (.*)\. +FORMAT = Service_Name::"$1" start_type2::"$2" + +## IAS (Currently WinEventLog Support Only) +[auto_kv_for_windows_system_ias] +SOURCE_KEY = Message +REGEX = \n([^=\n\r\s]+)\s+\=\s+([^\n]*) +FORMAT = $1::$2 +MV_ADD = TRUE + + +###### Update ###### +[windows_update_status_lookup] +filename = windows_update_statii.csv + +[signature_message_for_windowsupdatelog] +REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*) +FORMAT = signature_message::"$1" vendor_status::"$2" + +[signature_for_windowsupdatelog] +REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*) +FORMAT = vendor_status::"$1" signature::"$2" + +[signature_for_windowsupdatelog_restartrequired] +REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*) +FORMAT = vendor_status::"$1" signature::"$2" + +[signature_for_windowsupdatelog_signature_message] +SOURCE_KEY = signature_message +REGEX = \-\s+([^)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?) 
+FORMAT = signature::"$1" +MV_ADD = True + +[signature_id_for_windowsupdatelog] +SOURCE_KEY = signature +REGEX = (KB\d+) +FORMAT = signature_id::$1 +MV_ADD = True + +[pid-tid-component_for_windowsupdatelog] +REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+) +FORMAT = pid::$1 tid::$2 component::$3 + + +###### Endpoint Changes ###### + +## Endpoint Changes: lookups +[endpoint_change_status_lookup] +filename = status_850.csv +default_match = failure +min_matches = 1 +max_matches = 1 + +[endpoint_change_object_category_lookup] +filename = object_category_850.csv + +[endpoint_change_vendor_action_lookup] +filename = vendor_actions.csv + +[endpoint_change_user_type_lookup] +filename = user_types.csv + +## WinRegistry + +## Registry Extractions +[registry_key_for_WinRegistry] +REGEX = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+)) +FORMAT = registry_path::$1 registry_key_name::$2 + +[registry_key-registry_value_for_WinRegistry] +REGEX = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(.*?))\\([^"]+) +FORMAT = registry_path::$1 registry_key_name::$2 registry_value_name::$3 + +[registry_value_data_for_WinRegistry] +REGEX = data="([^"]+)" +FORMAT = registry_value_data::$1 + +## Endpoint Change Extractions +[object_as_registry_key_for_WinRegistry] +REGEX = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+)) +FORMAT = object_path::$1 object::$2 + +[object_as_registry_value_for_WinRegistry] +REGEX = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(?:.*?))\\([^"]+) +FORMAT = object_path::$1 object::$2 + +[vendor_status_msg_for_WinRegistry] +REGEX = event_status="\(([0-9-]+)\)([^\"]+)" +FORMAT = vendor_status::$1 msg::$2 + +# Note: user_path is not a CIM field, so we exclude it so as to avoid potential overlap. +# The commented "FORMAT" is for reference only. 
+[user_for_WinRegistry] +REGEX = process_image=\"(?:[^\"]+)\\([^\"]+)\" +FORMAT = user::$1 +##FORMAT = user_path::$1 user::$2 + + +###### Splunk WMI ###### +[wmi-host] +REGEX = (?m)ComputerName=(.+) +DEST_KEY = MetaData:Host +FORMAT = host::$1 + +[wmi-override-host] +REGEX = (?m)wmi_hostname=(.+) +DEST_KEY = MetaData:Host +FORMAT = host::$1 + +[wmi-source] +REGEX = (?m)wmi_type=([^\r\n]+) +DEST_KEY = MetaData:Source +FORMAT = source::WMI:$1 + +[wmi-sourcetype] +REGEX = (?m)wmi_type=([^\r\n]+) +DEST_KEY = MetaData:Sourcetype +FORMAT = sourcetype::WMI:$1 + +[wmi-wineventlog-source] +REGEX = (?m)wmi_type=(WinEventLog:)(\S+) +DEST_KEY = MetaData:Source +FORMAT = source::$1$2 + +[wmi-wineventlog-sourcetype] +REGEX = (?m)wmi_type=(WinEventLog:)(\S+) +DEST_KEY = MetaData:Sourcetype +FORMAT = sourcetype::$1$2 + +## Installed Apps +[AuthorizedCDFPrefix_for_win_installed_apps] +REGEX = ^AuthorizedCDFPrefix=([^\r\n]+) +FORMAT = AuthorizedCDFPrefix::$1 + +[Comments_for_win_installed_apps] +REGEX = ^Comments=([^\r\n]+) +FORMAT = Comments::$1 + +[Contact_for_win_installed_apps] +REGEX = ^Contact=([^\r\n]+) +FORMAT = Contact::$1 + +[DisplayVersion_for_win_installed_apps] +REGEX = ^DisplayVersion=([^\r\n]+) +FORMAT = DisplayVersion::$1 + +[HelpLink_for_win_installed_apps] +REGEX = ^HelpLink=([^\r\n]+) +FORMAT = HelpLink::$1 + +[HelpTelephone_for_win_installed_apps] +REGEX = ^HelpTelephone=([^\r\n]+) +FORMAT = HelpTelephone::$1 + +[InstallDate_for_win_installed_apps] +REGEX = ^InstallDate=([^\r\n]+) +FORMAT = InstallDate::$1 + +[InstallLocation_for_win_installed_apps] +REGEX = ^InstallLocation=([^\r\n]+) +FORMAT = InstallLocation::$1 + +[InstallSource_for_win_installed_apps] +REGEX = ^InstallSource=([^\r\n]+) +FORMAT = InstallSource::$1 + +[ModifyPath_for_win_installed_apps] +REGEX = ^ModifyPath=([^\r\n]+) +FORMAT = ModifyPath::$1 + +[NoModify_for_win_installed_apps] +REGEX = ^NoModify=([^\r\n]+) +FORMAT = NoModify::$1 + +[NoRepair_for_win_installed_apps] +REGEX = 
^NoRepair=([^\r\n]+) +FORMAT = NoRepair::$1 + +[Publisher_for_win_installed_apps] +REGEX = ^Publisher=([^\r\n]+) +FORMAT = Publisher::$1 + +[Readme_for_win_installed_apps] +REGEX = ^Readme=([^\r\n]+) +FORMAT = Readme::$1 + +[Size_for_win_installed_apps] +REGEX = ^Size=([^\r\n]+) +FORMAT = Size::$1 + +[EstimatedSize_for_win_installed_apps] +REGEX = ^EstimatedSize=([^\r\n]+) +FORMAT = EstimatedSize::$1 + +[UninstallString_for_win_installed_apps] +REGEX = ^UninstallString=([^\r\n]+) +FORMAT = UninstallString::$1 + +[URLInfoAbout_for_win_installed_apps] +REGEX = ^URLInfoAbout=([^\r\n]+) +FORMAT = URLInfoAbout::$1 + +[URLUpdateInfo_for_win_installed_apps] +REGEX = ^URLUpdateInfo=([^\r\n]+) +FORMAT = URLUpdateInfo::$1 + +[VersionMajor_for_win_installed_apps] +REGEX = ^VersionMajor=([^\r\n]+) +FORMAT = VersionMajor::$1 + +[VersionMinor_for_win_installed_apps] +REGEX = ^VersionMinor=([^\r\n]+) +FORMAT = VersionMinor::$1 + +[WindowsInstaller_for_win_installed_apps] +REGEX = ^WindowsInstaller=([^\r\n]+) +FORMAT = WindowsInstaller::$1 + +[Version_for_win_installed_apps] +REGEX = ^Version=([^\r\n]+) +FORMAT = Version::$1 + +[Language_for_win_installed_apps] +REGEX = Language=([^\r\n]+) +FORMAT = Language::$1 + +[DisplayName_for_win_installed_apps] +REGEX = ^DisplayName=([^\r\n]+) +FORMAT = DisplayName::$1 + +## Installed Updates +[Description_for_installedupdates] +REGEX = ^Description=([^\r\n]+) +FORMAT = Description::$1 + +## Listening Ports +[dest_ip_for_listeningports] +REGEX = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +FORMAT = dest_ip::$1 + +[kv_for_listeningports] +DELIMS = " ", "=" + +## Time Configuration +[Current_time_for_win_timesync] +REGEX = ^Current\s*time:([^\r\n]+) +FORMAT = Current_time::$1 + +[EventLogFlags_for_win_timesync_configuration] +REGEX = ^EventLogFlags:([^\r\n]+) +FORMAT = EventLogFlags::$1 + +[AnnounceFlags_for_win_timesync_configuration] +REGEX = ^AnnounceFlags:([^\r\n]+) +FORMAT = AnnounceFlags::$1 + 
+[TimeJumpAuditOffset_for_win_timesync_configuration] +REGEX = ^TimeJumpAuditOffset:([^\r\n]+) +FORMAT = TimeJumpAuditOffset::$1 + +[MinPollInterval_for_win_timesync_configuration] +REGEX = ^MinPollInterval:([^\r\n]+) +FORMAT = MinPollInterval::$1 + +[MaxPollInterval_for_win_timesync_configuration] +REGEX = ^MaxPollInterval:([^\r\n]+) +FORMAT = MaxPollInterval::$1 + +[MaxNegPhaseCorrection_for_win_timesync_configuration] +REGEX = ^MaxNegPhaseCorrection:([^\r\n]+) +FORMAT = MaxNegPhaseCorrection::$1 + +[MaxPosPhaseCorrection_for_win_timesync_configuration] +REGEX = ^MaxPosPhaseCorrection:([^\r\n]+) +FORMAT = MaxPosPhaseCorrection::$1 + +[MaxAllowedPhaseOffset_for_win_timesync_configuration] +REGEX = ^MaxAllowedPhaseOffset:([^\r\n]+) +FORMAT = MaxAllowedPhaseOffset::$1 + +[FrequencyCorrectRate_for_win_timesync_configuration] +REGEX = ^FrequencyCorrectRate:([^\r\n]+) +FORMAT = FrequencyCorrectRate::$1 + +[PollAdjustFactor_for_win_timesync_configuration] +REGEX = ^PollAdjustFactor:([^\r\n]+) +FORMAT = PollAdjustFactor::$1 + +[LargePhaseOffset_for_win_timesync_configuration] +REGEX = ^LargePhaseOffset:([^\r\n]+) +FORMAT = LargePhaseOffset::$1 + +[SpikeWatchPeriod_for_win_timesync_configuration] +REGEX = ^SpikeWatchPeriod:([^\r\n]+) +FORMAT = SpikeWatchPeriod::$1 + +[LocalClockDispersion_for_win_timesync_configuration] +REGEX = ^LocalClockDispersion:([^\r\n]+) +FORMAT = LocalClockDispersion::$1 + +[HoldPeriod_for_win_timesync_configuration] +REGEX = ^HoldPeriod:([^\r\n]+) +FORMAT = HoldPeriod::$1 + +[PhaseCorrectRate_for_win_timesync_configuration] +REGEX = ^PhaseCorrectRate:([^\r\n]+) +FORMAT = PhaseCorrectRate::$1 + +[UpdateInterval_for_win_timesync_configuration] +REGEX = ^UpdateInterval:([^\r\n]+) +FORMAT = UpdateInterval::$1 + +[FileLogName_for_win_timesync_configuration] +REGEX = ^FileLogName:([^\r\n]+) +FORMAT = FileLogName::$1 + +[FileLogEntries_for_win_timesync_configuration] +REGEX = ^FileLogEntries:([^\r\n]+) +FORMAT = FileLogEntries::$1 + 
+[FileLogSize_for_win_timesync_configuration] +REGEX = ^FileLogSize:([^\r\n]+) +FORMAT = FileLogSize::$1 + +[FileLogFlags_for_win_timesync_configuration] +REGEX = ^FileLogFlags:([^\r\n]+) +FORMAT = FileLogFlags::$1 + +[Time_zone_for_win_timesync] +REGEX = ^Time\s*zone:([^\r\n]+) +FORMAT = Time_zone::$1 + +## Time Synchronization +[windows_timesync_action_lookup] +filename = windows_timesync_actions.csv +match_type = WILDCARD(Last_Sync_Error) +max_matches = 1 + +[Leap_Indicator_for_win_timesync_status] +REGEX = ^Leap\s*Indicator:([^\r\n]+) +FORMAT = Leap_Indicator::$1 + +[Stratum_for_win_timesync_status] +REGEX = ^Stratum:([^\r\n]+) +FORMAT = Stratum::$1 + +[Precision_for_win_timesync_status] +REGEX = ^Precision:([^\r\n]+) +FORMAT = Precision::$1 + +[Root_Delay_for_win_timesync_status] +REGEX = ^Root\s*Delay:([^\r\n]+) +FORMAT = Root_Delay::$1 + +[Root_Dispersion_for_win_timesync_status] +REGEX = ^Root\s*Dispersion:([^\r\n]+) +FORMAT = Root_Dispersion::$1 + +[ReferenceId_for_win_timesync_status] +REGEX = ^ReferenceId:([^\r\n]+) +FORMAT = ReferenceId::$1 + +[Last_Successful_Sync_Time_for_win_timesync_status] +REGEX = ^Last\s*Successful\s*Sync\s*Time:([^\r\n]+) +FORMAT = Last_Successful_Sync_Time::$1 + +[Source_for_win_timesync_status] +REGEX = ^Source:([^\r\n]+) +FORMAT = Source::$1 + +[Poll_Interval_for_win_timesync_status] +REGEX = ^Poll\s*Interval:([^\r\n]+) +FORMAT = Poll_Interval::$1 + +[Phase_Offset_for_win_timesync_status] +REGEX = ^Phase\s*Offset:([^\r\n]+) +FORMAT = Phase_Offset::$1 + +[ClockRate_for_win_timesync_status] +REGEX = ^ClockRate:([^\r\n]+) +FORMAT = ClockRate::$1 + +[State_Machine_for_win_timesync_status] +REGEX = ^State\s*Machine:([^\r\n]+) +FORMAT = State_Machine::$1 + +[Time_Source_Flags_for_win_timesync_status] +REGEX = ^Time\s*Source\s*Flags:([^\r\n]+) +FORMAT = Time_Source_Flags::$1 + +[Server_Role_for_win_timesync_status] +REGEX = ^Server\s*Role:([^\r\n]+) +FORMAT = Server_Role::$1 + +[Last_Sync_Error_for_win_timesync_status] +REGEX = 
^Last\s*Sync\s*Error:([^\r\n]+) +FORMAT = Last_Sync_Error::$1 + +[Time_since_Last_Good_Sync_Time_for_win_timesync_status] +REGEX = ^Time\s*since\s*Last\s*Good\s*Sync\s*Time:([^\r\n]+) +FORMAT = Time_since_Last_Good_Sync_Time::$1 + +## Version +[wmi_version_range_lookup] +filename = wmi_version_range.csv + +[wmi_user_account_status_lookup] +filename = wmi_user_account_status.csv + +[Caption_for_wmi_version] +REGEX = ^Caption=([^\r\n]+) +FORMAT = Caption::$1 + + +## Setting generic sourcetype and unique source +[ta-windows-fix-classic-source] +DEST_KEY = MetaData:Source +REGEX = (?m)^LogName=(.+?)\s*$ +FORMAT = source::WinEventLog:$1 + +[ta-windows-fix-xml-source] +DEST_KEY = MetaData:Source +REGEX = (.+?)<\/Channel>.* +FORMAT = source::XmlWinEventLog:$1 + +[ta-windows-fix-sourcetype] +SOURCE_KEY = MetaData:Sourcetype +DEST_KEY = MetaData:Sourcetype +REGEX = sourcetype::([^:]*) +FORMAT = sourcetype::$1 + + +## Overriding host to identify system from which events are generated +[WinEventHostOverride] +DEST_KEY = MetaData:Host +REGEX = (?m)^ComputerName=([^.]+) +FORMAT = host::$1 + +[WinEventXmlHostOverride] +DEST_KEY = MetaData:Host +REGEX = ([^.<]+).*?<\/Computer> +FORMAT = host::$1 + + +###### Generic XML eventlog extraction ###### + +# Extract the XML into blocks +[system_xml_block] +REGEX = (?ms)]+)?>(.*?)<\/System> +FORMAT = System_Props_Xml::$1 + +[eventdata_xml_block] +REGEX = (?ms)]+)?>(.*?)<\/EventData> +FORMAT = EventData_Xml::$1 +MV_ADD = 1 + +[userdata_xml_block] +REGEX = (?ms)]+)?>(.*?)<\/UserData> +FORMAT = UserData_Xml::$1 + +[debugdata_xml_block] +REGEX = (?ms)]+)?>(.*?)<\/DebugData> +FORMAT = DebugData_Xml::$1 + +[renderinginfo_xml_block] +REGEX = (?ms)]+)?>(.*?)<\/RenderingInfo> +FORMAT = RenderingInfo_Xml::$1 + +[system_props_xml_kv] +# Extracts anything in the form of value as tag::value +SOURCE_KEY = System_Props_Xml +REGEX = (?ms)<(\w*)>([^<]*)<\/\1> +FORMAT = $1::$2 +MV_ADD = 1 + +[windows_start_mode_lookup] +filename = 
windows_start_mode_lookup.csv + +[system_props_xml_attributes] +# Extracts values from following fields: +# Provider: Name, Guid +# TimeCreated: SystemTime, RawTime +# Correlation: ActivityID, RelativeActivityID +# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime +# Security: UserID +SOURCE_KEY = System_Props_Xml +REGEX = (?ms)\s([^\s=]+)\s*=\s*(\'[^<\']*\'|"[^<"]*") +FORMAT = $1::$2 +MV_ADD = 1 + +[eventdata_xml_data] +# Extracts from value as name:value. Skips ComplexData tags +SOURCE_KEY = EventData_Xml +REGEX = <(?:\w+)\sName='([^>]*)'\/?>([^<]*)(?:<\/\1>)? +FORMAT = $1::$2 +MV_ADD = 1 + +[rendering_info_xml_data] +# Extracts anything in the form of value as tag::value +SOURCE_KEY = RenderingInfo_Xml +REGEX = (?ms)<(\w*)>([^<]*)<\/\1> +FORMAT = $1::$2 +MV_ADD = 1 + +[updatelist_from_user_data] +SOURCE_KEY = UserData_Xml +REGEX = (?ms)]+)?>(.*?)<\/updatelist> +FORMAT = signature_message::$1 + +[updatetitle_from_user_data] +SOURCE_KEY = UserData_Xml +REGEX = (?ms)]+)?>(.*?)<\/updatetitle> +FORMAT = signature::$1 + +[updatetitle_from_event_data] +SOURCE_KEY = EventData_Xml +REGEX = (?ms)(?[^<]+)<\/Data> + +[EventID_as_EventCode] +SOURCE_KEY = EventID +REGEX = (.+) +FORMAT = EventCode::$1 + +[EventID2_as_EventCode] +REGEX = (.+?)<\/EventID>.* +FORMAT = EventCode::$1 + +[EventRecordID_as_RecordNumber] +SOURCE_KEY = EventRecordID +REGEX = (.+) +FORMAT = RecordNumber::$1 + +[PrivilegeList_as_vendor_privilege] +SOURCE_KEY = PrivilegeList +REGEX = (.+) +FORMAT = vendor_privilege::$1 + +[IpPort_as_Source_Port] +SOURCE_KEY = IpPort +REGEX = (.+) +FORMAT = Source_Port::$1 + +[TokenElevationType_as_Token_Elevation_Type] +SOURCE_KEY = TokenElevationType +REGEX = (.+) +FORMAT = Token_Elevation_Type::$1 + +[TargetServerName_as_Target_Server_Name] +SOURCE_KEY = TargetServerName +REGEX = (.+) +FORMAT = Target_Server_Name::$1 + +[LogonType_as_Logon_Type] +SOURCE_KEY = LogonType +REGEX = (.+) +FORMAT = Logon_Type::$1 + 
+[SubjectLogonId_as_Logon_ID] +SOURCE_KEY = SubjectLogonId +REGEX = (.+) +FORMAT = Logon_ID::$1 + +[SubjectDomainName_as_Caller_Domain] +SOURCE_KEY = SubjectDomainName +REGEX = (.+) +FORMAT = Caller_Domain::$1 + +[TargetDomainName_as_Target_Domain] +SOURCE_KEY = TargetDomainName +REGEX = (.+) +FORMAT = Target_Domain::$1 + +[SubjectUserName_as_Caller_User_Name] +SOURCE_KEY = SubjectUserName +REGEX = (.+) +FORMAT = Caller_User_Name::$1 + +[TargetUserName_as_Target_User_Name] +SOURCE_KEY = TargetUserName +REGEX = (.+) +FORMAT = Target_User_Name::$1 + +[SubStatus_as_Sub_Status] +SOURCE_KEY = SubStatus +REGEX = (.+) +FORMAT = Sub_Status::$1 + +[Workstation_as_Source_Workstation] +SOURCE_KEY = Workstation +REGEX = (.+) +FORMAT = Source_Workstation::$1 + +[WorkstationName_as_Source_Workstation] +SOURCE_KEY = WorkstationName +REGEX = (.+) +FORMAT = Source_Workstation::$1 + +[IpAddress_as_Source_Workstation] +SOURCE_KEY = IpAddress +REGEX = (.+) +FORMAT = Source_Workstation::$1 + + +#Tag Expansion Regexs - ADDON10972 +[field_extract_wmi_localprocesses_anomalous] +REGEX = IDProcess=(?\d+)\s*Name=(?.+)\s*PercentProcessorTime=(?\d+)\s*PrivateBytes=(?\d+) + +[field_extract_wmi_freediskspace_anomalous] +REGEX = FreeMegabytes=(?\d+)\s*Name=(?\S+)\s*PercentFreeSpace=(?\d*) + +[field_extract_wmi_memory_anomalous] +REGEX = AvailableBytes=(?\d+)\s*CommittedBytes=(?\d+)\s*(?:PagesInputPersec=\d+(?:\.\d+)?\s*PagesOutputPersec=\d+(?:\.\d+)?)?\s*PagesPersec=(?\d+(?:\.\d+)?)\s*PercentCommittedBytesInUse=(?\d+(?:\.\d+)?)\s*PoolNonpagedBytes=(?\d+)\s*PoolPagedBytes=(?\d+) + +[field_extract_wmi_service_state_anomalous] +REGEX = Caption=(?.+)\s*Description=(?.+)\s*Name=(?.+)\s*PathName=(?.*)\s*StartMode=(?\S*)\s*StartName=(?.*)\s*State=(?\S*)\s*Status=(?\S+) + +[field_extract_wmi_uptime_anomalous] +REGEX = SystemUpTime=(?\d+) + +[field_extract_wmi_cputime_anomalous] +REGEX = PercentProcessorTime=(?\d+)\s*PercentUserTime=(?\d+) + +[field_extract_wmi_useraccounts_caption_description_name] 
+REGEX = Caption=(?.+)\s*Description=(?.+)\s*Domain=.*Name=(?.+)\s*SID= + +[field_extract_wmi_service_caption_description_pathname] +REGEX = Caption=(?.+)\s*Description=(?.+)\s*Name=.*PathName=(?.+)\sStartMode= + +[field_extract_wmi_localphysicaldisk_name] +REGEX = Name=(?.+)\s*PercentDiskReadTime + +[group_fields_extraction] +REGEX = Group:[\r\n]+(?:\s+Security\sID:\s*(?[^\r\n]*)[\r\n]*)?(?:\s+(Group|Account)\sName:\s*(?[^\r\n]*)[\r\n]*)?(?:\s+(Group|Account)\sDomain:\s*(?[^\r\n]*)[\r\n]*)? + +[subject_fields_extraction] +REGEX = Subject:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)?(?:\s+Logon\sID:(?[^\r\n]*)[\r\n]*)? + +[target_fields_extraction] +REGEX = Target\sAccount:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)?(?:\s+Old\sAccount\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+New\sAccount\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Logon\sID:(?[^\r\n]*)[\r\n]*)? + +[new_account_fields_extraction] +REGEX = New\sAccount:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)? + +[member_fields_extraction] +REGEX = Member:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)? + +[user_fields_extraction] +REGEX = User:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?[^\r\n]*)[\r\n]*)? + +[account_locked_out_fields_extraction] +REGEX = Account\sThat\sWas\sLocked\sOut:[\r\n]+(?:\s+Security\sID:(?[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?[^\r\n]*)[\r\n]*)? 
+ +[task_fields_extraction] +REGEX = Task\sContent:(?[\w\W]*<\/Task>) + +[new_task_fields_extraction] +REGEX = Task\sNew\sContent:(?[\w\W]*<\/Task>) + +[field_extract_wmi_service_path] +REGEX = PathName=[\"\']?([^=]*[\\][^\s:"'><|\/\\]+) +FORMAT = service_path::$1 + +[field_extract_wmi_service_exec] +SOURCE_KEY = service_path +REGEX = (?:.*[\\\/](.*)) +FORMAT = service_exec::$1 + +## WinHostMon +[System_Type_for_WinHostMon_computer] +REGEX = ^System\sType="([^\r\n]+)" +FORMAT = System_Type::$1 + +[Processor_Id_for_WinHostMon_processor] +REGEX = ^Processor\sId="([^\r\n]+)" +FORMAT = Processor_Id::$1 + +[Path_for_WinHostMon_service] +REGEX = ^Path="([^\r\n]+)" +FORMAT = Path::$1 + +[service_exec_for_WinHostMon_service_path] +REGEX = Path=[\"\']?([^=]*[\\][^\s:"'><|\/\\]+) +FORMAT = service_path::$1 + +[service_exec_for_WinHostMon_service_exec] +SOURCE_KEY = service_path +REGEX = (?:.*[\\\/](.*)) +FORMAT = service_exec::$1 + +##Metric store transforms + +[value_for_perfmon_metrics_store] +REGEX = Value=\"?([^\"\r\n]*[^\"\s]) +FORMAT = _value::$1 +WRITE_META = true + +[metric_name_for_perfmon_metrics_store] +REGEX = counter=\"?([^\"\r\n]*[^\"\s]) +FORMAT = metric_name::$1 +WRITE_META = true + +[object_for_perfmon_metrics_store] +REGEX = object=\"?([^\"\r\n]*[^\"\s]) +FORMAT = object::$1 +WRITE_META = true + +[instance_for_perfmon_metrics_store] +REGEX = instance=\"?([^\"\r\n]*[^\"\s]) +FORMAT = instance::$1 +WRITE_META = true + +[collection_for_perfmon_metrics_store] +REGEX = collection=\"?([^\"\r\n]*[^\"\s]) +FORMAT = collection::$1 +WRITE_META = true + +[value_for_wmi_uptime_metrics_store] +REGEX = SystemUpTime=([^\s]+) +FORMAT = _value::$1 +WRITE_META = true + +[metric_name_for_wmi_uptime_metrics_store] +REGEX = wmi_type=([^\s]+) +FORMAT = metric_name::$1 +WRITE_META = true + + +###### Transforms moved from TA-AD ###### + +[MSAD-Netlogon-Subnetaffinity] +DEST_KEY=MetaData:Sourcetype +REGEX=.*NO_CLIENT_SITE:.* +FORMAT=sourcetype::MSAD:SubnetAffinity + 
+[MSAD-SiteInfo-AdjacentSites] +REGEX=AdjacentSite="([^"]+) +FORMAT=AdjacentSite::$1 +MV_ADD=True + +[MSAD-SiteInfo-SiteLinks] +REGEX=SiteLink="([^"]+) +FORMAT=SiteLink::$1 +MV_ADD=True + +[MSAD-SiteInfo-Sites] +REGEX=Site="([^"]+) +FORMAT=Site::$1 +MV_ADD=True + +[MSAD-SiteInfo-Subnets] +REGEX=Subnet="([^"]+) +FORMAT=Subnet::$1 +MV_ADD=True + + +###### Transforms moved from TA-DNS ###### + +[DNSHealth_ServerAddress_MV] +REGEX = ServerAddress=\"?(?[^"]*)\"? +MV_ADD = true + +[DNSHealth_ListenAddress_MV] +REGEX = ListenAddress=\"?(?[^"]*)\"? +MV_ADD = true + +[DNSHealth_Forwarder_MV] +REGEX = Forwarder=\"?(?[^"]*)\"? +MV_ADD = true + +[DNSHealth_LogIPFilterList_MV] +REGEX = LogIPFilterList=\"?(?[^"]*)\"? +MV_ADD = true + +[KV_for_port] +REGEX = (?:port)\s*(\d{1,5}) +FORMAT = src_port::$1 + +[KV_for_Domain] +REGEX = (\(\d\)*[\w+\(\d\)-]{1,}) +FORMAT = src_domain::$1 + +[KV_for_microsoftdns_action] +REGEX = \[[\d\w]{1,4}\s*[A-Z]*\s*[D|DR]*\s([^.]+)\]\s(?:\w*) +FORMAT = vendor_dns_action::$1 + +[KV_for_Record_type] +REGEX = QTYPE\s+(\w+)\s+ +FORMAT = record_type::$1 + +[KV_for_Record_Class] +REGEX = QCLASS\s+(\w+)\s+ +FORMAT = record_class_number::$1 + +[KV_for_Answer_Section_Count] +REGEX = QCOUNT\s+(?\d+)[\n\s]+ACOUNT\s+(?\d+)[\n\s]+NSCOUNT\s+(?\d+)[\n\s]+ARCOUNT\s+(?\d+) + +[KV_for_Update_Section_Count] +REGEX = UPCOUNT\s+(?\d+)[\n\s]+ARCOUNT\s+(?\d+) + +[Answer_multi_value] +SOURCE_KEY = ANSWER_OR_UPDATE_SECTION +REGEX = (?s)(?:Offset).*?DATA[ \t]*(?:\(\d+\))?(?[\S]*?)(?:\((\d+|none)\))?(?:\n|$) +MV_ADD = true + +[windows_dns_query_type_lookup] +filename = windows_dns_query_type_lookup.csv + +[windows_dns_action_lookup] +filename = windows_dns_action_lookup.csv + +[dns_recordclass_lookup] +filename = dns_recordclass_lookup.csv + +## Security-CIM Mappings + +[extract_parent_process_name] +SOURCE_KEY = Creator_Process_Name +REGEX = (?:.*\\)?(.*) +FORMAT = parent_process_name::$1 + +[extract_new_process_name] +SOURCE_KEY = New_Process_Name +REGEX = (?:.*\\)?(.*) 
+FORMAT = new_process_name::$1 + +[extract_target_process_name] +SOURCE_KEY = Target_Process_Name +REGEX = (?:.*\\)?(.*) +FORMAT = target_process_name::$1 + +[object_name_and_path_from_object_name] +SOURCE_KEY = Object_Name +REGEX = ^((?:.*[\\/]+)*([^-].*))$ +FORMAT = object_file_path::$1 object_file_name::$2 + +[file_name_and_path_from_file_name] +SOURCE_KEY = File_Name +REGEX = ^((?:.*[\\/]+)*([^-].*))$ +FORMAT = file_path::$1 file_name::$2 + +[file_name_and_path_from_file_path] +SOURCE_KEY = File_Path +REGEX = ^((?:.*[\\/]+)*([^-].*))$ +FORMAT = file_path::$1 file_name::$2 + +[windows_endpoint_service_service_name_lookup] +filename = windows_endpoint_service_service_name.csv + +[process_command_line_process_and_arguments] +SOURCE_KEY = Process_Command_Line +REGEX = (^\"[^\"]+\"|[^\s]+)\s*(.*) +FORMAT = process_command_line_process::$1 process_command_line_arguments::$2 + +[extract_parent_process_name_for_windows_xml] +SOURCE_KEY = parent_process +REGEX = (?:.*\\)?(.*) +FORMAT = parent_process_name::$1 + +[extract_new_process_name_for_windows_xml] +SOURCE_KEY = new_process +REGEX = (?:.*\\)?(.*) +FORMAT = new_process_name::$1 + +[extract_target_process_name_for_windows_xml] +SOURCE_KEY = TargetProcessName +REGEX = (?:.*\\)?(.*) +FORMAT = target_process_name::$1 + +[logfilecleared_xml_block] +SOURCE_KEY = UserData_Xml +REGEX = (?ms)]+)?>(.*?)<\/LogFileCleared> +FORMAT = LogFileCleared_Xml::$1 + +[LogFileClearedData_from_user_data] +SOURCE_KEY = LogFileCleared_Xml +REGEX = (?ms)<(\w*)>([^<]*)<\/\1> +FORMAT = $1::$2 + +[SubjectUserName_from_user_data] +SOURCE_KEY = UserData_Xml +REGEX = (?ms)]+)?>(.*?)<\/SubjectUserName> +FORMAT = Caller_User_Name::$1 + +[object_file_name_and_path_from_ObjectName_for_xml] +SOURCE_KEY = ObjectName +REGEX = ^((?:.*[\\/]+)*([^-].*))$ +FORMAT = object_file_path::$1 object_file_name::$2 + +[file_name_and_path_from_FileName_for_xml] +SOURCE_KEY = FileName +REGEX = ^((?:.*[\\/]+)*([^-].*))$ +FORMAT = file_path::$1 file_name::$2 + 
+[file_name_and_path_from_KeyFilePath_for_xml] +SOURCE_KEY = KeyFilePath +REGEX = ^((?:.*[\\/]+)*([^-].*))$ +FORMAT = file_path::$1 file_name::$2 + +[windows_endpoint_service_service_type_lookup] +filename = windows_endpoint_service_service_type.csv + +[windows_endpoint_port_transport_lookup] +filename = windows_endpoint_port_transport_890.csv + +[windows_wineventlog_change_object_fields_lookup] +filename = windows_wineventlog_change_object_fields_900.csv + +[windows_wineventlog_change_action_lookup] +filename = windows_wineventlog_change_action_900.csv + +[xmlsecurity_change_audit_and_account_management_lookup] +filename = xmlsecurity_change_audit_and_account_management_900.csv + +[channel_from_user_data] +SOURCE_KEY = UserData_Xml +REGEX = (.*?)<\/Channel> +FORMAT = user_data_channel::$1 + +[special_user_from_member_name] +SOURCE_KEY = MemberName +REGEX = (?:CN|cn)=(.*?(?.*)$ + +[process_command_extraction] +SOURCE_KEY = Process_Name +REGEX = ^.*\\(?.*)$ diff --git a/apps/Splunk_TA_windows/default/wmi.conf b/apps/Splunk_TA_windows/default/wmi.conf new file mode 100644 index 00000000..ee3f0e10 --- /dev/null +++ b/apps/Splunk_TA_windows/default/wmi.conf 
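Review bot: in `[KV_for_microsoftdns_action]` the fragment `[D|DR]*` is a character class, not an alternation; it matches any run of the characters `D`, `|` and `R`, not the tokens `D` or `DR` it reads as. If the intent is an optional `D`/`DR` flag, write `(?:DR?)?`; since `[A-Z]*\s*` just before it already consumes the flag letters, it can probably be dropped.

Review bot: `[field_extract_wmi_service_path]` and `[service_exec_for_WinHostMon_service_path]` use `[^=]*` before the final `[\\]` component, and that part is greedy across the whole value. For a service whose arguments contain a backslash path (for example `-config C:\x\y.cfg`) the capture runs to the argument, so `service_path` ends at the argument and `service_exec` becomes the argument's file name rather than the service binary. Because these fields are what service-persistence detections key on, prefer matching the quoted form first or stopping at the first `.exe` or unquoted whitespace.

Review bot: `[Workstation_as_Source_Workstation]`, `[WorkstationName_as_Source_Workstation]` and `[IpAddress_as_Source_Workstation]` all write `Source_Workstation`. Logon events such as 4624/4625 carry both `WorkstationName` and `IpAddress`, so the field becomes multivalued and mixes a hostname with an IP address. Map `IpAddress` to its own field (or coalesce in props.conf with a defined precedence) so searches on `Source_Workstation` stay single-valued.

Review bot: as rendered, several regexes in this hunk are not valid PCRE: the named captures show as `(?\d+)`, `(?.+)` and similar, the XML open tags are missing in `[logfilecleared_xml_block]`, `[SubjectUserName_from_user_data]` and `[channel_from_user_data]`, and `[special_user_from_member_name]` has an unbalanced `(`. This looks like angle-bracket content lost in the diff rendering; please confirm the committed transforms.conf has the group names and tags intact, since Splunk will reject the stanza otherwise.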
@@ -0,0 +1,152 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## +## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk. +## + +[settings] +initial_backoff = 5 +max_backoff = 20 +max_retries_at_max_backoff = 0 +checkpoint_sync_interval = 2 + +## Pull event logs FROM the local system +## Usually disabled in favor of using WinEventLog inputs +[WMI:LocalApplication] +interval = 10 +event_log_file = Application +disabled = 1 + +[WMI:LocalSystem] +interval = 10 +event_log_file = System +disabled = 1 + +[WMI:LocalSecurity] +interval = 10 +event_log_file = Security +disabled = 1 + + +## Gather performance data FROM the local system + +## Computer System +[WMI:ComputerSystem] +disabled = 1 +## Run once per day +interval = 86400 +wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem + + +## CPU +## Usually disabled in favor of Perfmon counters +[WMI:CPUTime] +interval = 3 +wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor +disabled = 1 + + +## Disk + +## Usually disabled in favor of Perfmon counters +[WMI:FreeDiskSpace] +interval = 120 +wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk +disabled = 1 + +[WMI:LogicalDisk] +interval = 120 +wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk +disabled = 1 + +[WMI:LocalPhysicalDisk] +interval = 10 +wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM 
Win32_PerfFormattedData_PerfDisk_PhysicalDisk +disabled = 1 + + +## Memory +## Usually disabled in favor of Perfmon counters +[WMI:Memory] +interval = 5 +wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory +disabled = 1 + + +## Network +## Usuall disabled in favor of Perfmon counters +[WMI:LocalNetwork] +interval = 10 +wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface +disabled = 1 + + +## Processes +[WMI:LocalProcesses] +interval = 30 +wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process +disabled = 1 + + +## Scheduled Jobs + +## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe. +## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard. 
+[WMI:ScheduledJobs] +disabled = 1 +## Run twice per day +interval = 43200 +wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob + +## Services + +## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx +## Lists all services registered on the system,if they are running,and the status +[WMI:Service] +disabled = 1 +## Run once an hour +interval = 3600 +wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service + + +## Update +[WMI:InstalledUpdates] +disabled = 1 +## Run once per day +interval = 86400 +wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering + + +## Uptime +[WMI:Uptime] +disabled = 1 +## Run once per day +interval = 86400 +wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System + + +## User Accounts +[WMI:UserAccounts] +disabled = 1 +## Run twice per day +interval = 43200 +wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true + +## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza +## disabled = 1 +## Run twice per day +## interval = 43200 +## wql = SELECT * FROM Win32_AccountSID + + +## Version +[WMI:Version] +disabled = 1 +## Run once per day +interval = 86400 +wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem diff --git a/apps/Splunk_TA_windows/default/workflow_actions.conf b/apps/Splunk_TA_windows/default/workflow_actions.conf new file mode 100644 index 00000000..8ce0a0ff --- /dev/null +++ b/apps/Splunk_TA_windows/default/workflow_actions.conf 
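Review bot: `[WMI:ScheduledJobs]` gives no visibility into tasks created through Task Scheduler, which the stanza's own comment acknowledges (`Win32_ScheduledJob` only returns AT.exe/script jobs), and that is where persistence normally lands. If the goal is scheduled-task monitoring, the Security log events 4698/4702 that this patch already maps in `windows_audit_changes_900.csv`, or the `Microsoft-Windows-TaskScheduler/Operational` channel, are the sources to point people at; consider saying so in the comment rather than leaving a disabled stanza that can only ever return legacy jobs.

Review bot: `[WMI:UserAccounts]` selects from `Win32_Account`, which is the base class for `Win32_UserAccount`, `Win32_Group` and `Win32_SystemAccount`, so `WHERE LocalAccount = true` still returns local groups and well-known system SIDs alongside users. Query `Win32_UserAccount` or filter on `SIDType` if the input is meant to inventory user accounts. Also, the `[WMI:LocalNetwork]` comment has a typo: `Usuall` for `Usually`.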
@@ -0,0 +1,50 @@ +## +## SPDX-FileCopyrightText: 2024 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## DO NOT EDIT THIS FILE! +## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. +## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default +## into ../local and edit there. +## + +###### EventID.net ###### +[windows_eventidnet_winapp] +display_location = both +eventtypes = winapp +fields = SourceName, EventCode, signature_id +label = EventId Encyclopedia +link.method = get +link.target = blank +link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$ +type = link + +[windows_eventidnet_winsec] +display_location = both +eventtypes = winsec +fields = SourceName, EventCode, signature_id +label = EventId Encyclopedia +link.method = get +link.target = blank +link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$ +type = link + +[windows_eventidnet_winsystem] +display_location = both +eventtypes = winsystem +fields = SourceName, EventCode, signature_id +label = EventId Encyclopedia +link.method = get +link.target = blank +link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$ +type = link + +###### Ultimate Windows Security ###### +[windows_ultimatewinsec] +display_location = both +eventtypes = winsec +fields = EventCode, signature_id +label = Winsec Encyclopedia +link.method = get +link.target = blank +link.uri = https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$signature_id$ +type = link diff --git a/apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv b/apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv new file mode 100644 index 00000000..51cef159 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv 
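Review bot: `[windows_eventidnet_winapp]`, `[windows_eventidnet_winsec]` and `[windows_eventidnet_winsystem]` are identical apart from `eventtypes`; `eventtypes` in workflow_actions.conf accepts a comma-separated list, so one stanza with `eventtypes = winapp, winsec, winsystem` would remove the triplication and keep the URL template in one place. Worth a comment, too, that these `link.method = get` actions send `signature_id` and `SourceName` from the selected event to eventid.net and ultimatewindowssecurity.com, so analysts in environments that restrict outbound sharing of log content know to disable them in `local/`.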
@@ -0,0 +1,8 @@ +record_class_number,record_class +0,reserved +1,internet(IN) +2,unassigned +3,chaos (CH) +4,hesiod (HS) +255,* (any) +65535,reserved diff --git a/apps/Splunk_TA_windows/lookups/msad_group_type.csv b/apps/Splunk_TA_windows/lookups/msad_group_type.csv new file mode 100644 index 00000000..6664a257 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/msad_group_type.csv @@ -0,0 +1,5 @@ +MSADGroupClassID,MSADGroupClass +Enabled,Security +Disabled,Distribution +enabled,Security +disabled,Distribution diff --git a/apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv b/apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv new file mode 100644 index 00000000..81d57204 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv 
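Review bot: `dns_recordclass_lookup.csv` has no row for class 254 (NONE), which appears in the prerequisite and update sections of dynamic update messages, so those rows would get an empty `record_class`. Minor: `internet(IN)` lacks the space used by `chaos (CH)` and `hesiod (HS)`.

Review bot: `msad_group_type.csv` duplicates every row in two cases (`Enabled`/`enabled`) to get case-insensitive matching; set `case_sensitive_match = false` on the lookup definition instead, which also covers `ENABLED` and any other casing the source emits.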
@@ -0,0 +1,80 @@ +msdhcp_id,signature +00,"The log was started" +01,"The log was stopped" +02,"The log was temporarily paused due to low disk space" +0,"The log was started" +1,"The log was stopped" +2,"The log was temporarily paused due to low disk space" +10,"A new IP address was leased to a client" +11,"A lease was renewed by a client" +12,"A lease was released by a client" +13,"An IP address was found to be in use on the network" +14,"A lease request could not be satisfied because the scope's address pool was exhausted" +15,"A lease was denied" +16,"A lease was deleted" +17,"A lease was expired and DNS records for an expired leases have not been deleted" +18,"A lease was expired and DNS records were deleted" +20,"A BOOTP address was leased to a client" +21,"A dynamic BOOTP address was leased to a client" +22,"A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted" +23,"A BOOTP IP address was deleted after checking to see that it was not in use" +24,"IP address cleanup operation has began" +25,"IP address cleanup statistics" +30,"DNS dynamic update request" +31,"DNS dynamic update failed" +32,"DNS dynamic update successful" +33,"Packet dropped due to NAP policy" +34,"DNS update request failed.as the DNS update request queue limit exceeded" +35,"DNS update request failed" +36,"Packet dropped because the server is in failover standby role or the hash of the client ID does not match" +50,"Rogue Server Detection" +51,"Rogue Server Detection" +52,"Rogue Server Detection" +53,"Rogue Server Detection" +54,"Rogue Server Detection" +55,"Rogue Server Detection" +56,"Rogue Server Detection" +57,"Rogue Server Detection" +58,"Rogue Server Detection" +59,"Rogue Server Detection" +60,"Rogue Server Detection" +61,"Rogue Server Detection" +62,"Rogue Server Detection" +63,"Rogue Server Detection" +64,"Rogue Server Detection" +65,"Rogue Server Detection" +66,"Rogue Server Detection" +67,"Rogue Server Detection" +68,"Rogue Server Detection" 
+69,"Rogue Server Detection" +70,"Rogue Server Detection" +71,"Rogue Server Detection" +72,"Rogue Server Detection" +73,"Rogue Server Detection" +74,"Rogue Server Detection" +75,"Rogue Server Detection" +76,"Rogue Server Detection" +77,"Rogue Server Detection" +78,"Rogue Server Detection" +79,"Rogue Server Detection" +80,"Rogue Server Detection" +81,"Rogue Server Detection" +82,"Rogue Server Detection" +83,"Rogue Server Detection" +84,"Rogue Server Detection" +85,"Rogue Server Detection" +86,"Rogue Server Detection" +87,"Rogue Server Detection" +88,"Rogue Server Detection" +89,"Rogue Server Detection" +90,"Rogue Server Detection" +91,"Rogue Server Detection" +92,"Rogue Server Detection" +93,"Rogue Server Detection" +94,"Rogue Server Detection" +95,"Rogue Server Detection" +96,"Rogue Server Detection" +97,"Rogue Server Detection" +98,"Rogue Server Detection" +99,"Rogue Server Detection" +100,"Rogue Server Detection" diff --git a/apps/Splunk_TA_windows/lookups/object_category_850.csv b/apps/Splunk_TA_windows/lookups/object_category_850.csv new file mode 100644 index 00000000..374f1a13 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/object_category_850.csv @@ -0,0 +1,2 @@ +object,object_category +WinRegistry,registry diff --git a/apps/Splunk_TA_windows/lookups/status_850.csv b/apps/Splunk_TA_windows/lookups/status_850.csv new file mode 100644 index 00000000..d0ce349f --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/status_850.csv @@ -0,0 +1,2 @@ +vendor_status,status +0,success diff --git a/apps/Splunk_TA_windows/lookups/user_types.csv b/apps/Splunk_TA_windows/lookups/user_types.csv new file mode 100644 index 00000000..7bcd4575 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/user_types.csv @@ -0,0 +1,2 @@ +sourcetype,user_type +WinRegistry,process diff --git a/apps/Splunk_TA_windows/lookups/vendor_actions.csv b/apps/Splunk_TA_windows/lookups/vendor_actions.csv new file mode 100644 index 00000000..161cfb93 --- /dev/null 
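Review bot: `msdhcp_signatures.csv` row 34 has a typo in the signature text: `failed.as the` should read `failed as the`. The table also enumerates "Rogue Server Detection" only for 50 through 100, so any higher code gets no `signature`; since the rogue-detection range is open-ended, a fallback (default row or a regex-based match on `msdhcp_id >= 50`) would be more robust than extending the list.

Review bot: `status_850.csv` maps only `vendor_status=0` to `success`, so every non-zero status yields an empty `status` and a search like `status!=success` misses failures entirely. Add a default row (or a second lookup keyed on a wildcard) so non-zero codes resolve to `failure`.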
+++ b/apps/Splunk_TA_windows/lookups/vendor_actions.csv @@ -0,0 +1,11 @@ +vendor_action,action +CreateKey,created +SetValue,modified +DeleteKey,deleted +RenameKey,modified +add,created +delete,deleted +update,modified +created,created +deleted,deleted +modified,modified diff --git a/apps/Splunk_TA_windows/lookups/windows_actions.csv b/apps/Splunk_TA_windows/lookups/windows_actions.csv new file mode 100644 index 00000000..c34ff1bd --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_actions.csv @@ -0,0 +1,18 @@ +Type,action +"audit failure",failure +"Audit Failure",failure +"AUDIT_FAILURE",failure +"failure audit",failure +"Failure Audit",failure +"FAILURE_AUDIT",failure +"audit success",success +"Audit Success",success +"AUDIT_SUCCESS",success +"success audit",success +"Success Audit",success +"SUCCESS_AUDIT",success +"success","success" +"failure","failure" +"0x8010000000000000","failure" +"0x8020000000000000","success" +"0x4020000000000000","success" diff --git a/apps/Splunk_TA_windows/lookups/windows_apps.csv b/apps/Splunk_TA_windows/lookups/windows_apps.csv new file mode 100644 index 00000000..d14fcff3 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_apps.csv @@ -0,0 +1,21 @@ +EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,source,app +552,,,,,win:remote +4648,,,,,win:remote +,127.0.0.1,,,,win:local +,::1,,,,win:local +,,localhost,,,win:local +,,,0,,win:unknown +,,,1,,win:unknown +,,,2,,win:local +,,,3,,win:remote +,,,4,,win:local +,,,5,,win:local +,,,6,,win:local +,,,7,,win:local +,,,8,,win:remote +,,,9,,win:local +,,,10,,win:remote +,,,11,,win:local +,,,,WinEventLog:Security,win:unknown +,,,,XmlWinEventLog:Security,win:unknown +,,,,WMI:WinEventLog:Security,win:unknown diff --git a/apps/Splunk_TA_windows/lookups/windows_audit_changes_900.csv b/apps/Splunk_TA_windows/lookups/windows_audit_changes_900.csv new file mode 100644 index 00000000..4a101a77 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_audit_changes_900.csv 
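Review bot: `windows_actions.csv` repeats each `Type` value in several casings; as with the other lookups in this patch, `case_sensitive_match = false` on the lookup definition is simpler and covers casings not listed here.

Review bot: `windows_apps.csv` has no rows for `Logon_Type` 12 (CachedRemoteInteractive) and 13 (CachedUnlock), so those logons fall through to `win:unknown`. The unconditional `4648 -> win:remote` is also questionable: 4648 (logon with explicit credentials) fires for a local `runas` just as it does for a network logon, so `app` will mislabel local explicit-credential use as remote.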
@@ -0,0 +1,73 @@ +EventCode,action,change_type,object_category +517,cleared,audit,audit +1100,stopped,audit,audit +1102,cleared,audit,audit log +4720,created,AAA,user +4741,created,user,user +624,created,user,user +645,created,user,user +4722,modified,AAA,user +626,modified,user,user +4723,modified,AAA,user +627,modified,user,user +4724,modified,AAA,user +628,modified,user,user +4725,modified,AAA,user +629,modified,user,user +4726,deleted,AAA,user +4743,deleted,user,user +630,deleted,user,user +647,deleted,user,user +4738,modified,AAA,user +4742,modified,user,user +642,modified,user,user +646,modified,user,user +4740,lockout,AAA,user +644,modified,user,user +625,modified,user,user +671,modified,user,user +4767,modified,AAA,user +1101,success,audit,audit +1108,success,audit,audit +4719,modified,audit,audit policy +4717,,AAA,security access +4718,,AAA,security access +4727,,AAA,group +4728,,AAA,user +4729,,AAA,user +4730,,AAA,group +4731,,AAA,group +4732,modified,AAA,user +4733,,AAA,user +4734,,AAA,group +4735,,AAA,group +4737,,AAA,group +4739,,AAA,global group +4750,modified,AAA,user group +4753,,AAA,global group +4754,,AAA,group +4755,,AAA,group +4756,,AAA,user +4757,,AAA,user +4758,,AAA,group +4764,,AAA,group +4799,,AAA,group +4781,modified,AAA,user +4703,modified,AAA,user +4704,modified,AAA,user +4705,modified,AAA,user +4706,modified,AAA,directory service +4800,locked,AAA,user +4801,unlocked,AAA,user +4634,logoff,AAA,user +4698,created,scheduled task,scheduled task +4700,started,scheduled task,scheduled task +4701,stopped,scheduled task,scheduled task +4702,modified,scheduled task,scheduled task +4713,modified,AAA,directory service +4794,modified,AAA,user +4798,read,AAA,user +4744,created,AAA,user group +4749,created,AAA,user group +4759,created,AAA,user group +4876,read,AAA,database diff --git a/apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv b/apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv new file mode 100644 index 00000000..56cbe32d 
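Review bot: in `windows_audit_changes_900.csv`, 4741, 4742 and 4743 (and the legacy 645, 646, 647) get `object_category=user`, but these are computer account created/changed/deleted; the `windows_signatures_900.csv` in this same patch labels 645 through 647 "Computer Account ...", so the two lookups disagree. Use `computer` here. Likewise 4739 is "Domain Policy was changed", not a `global group` object, and 517 (`audit`) versus 1102 (`audit log`) should share one `object_category` since both are log-cleared events.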
--- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv @@ -0,0 +1,43 @@ +message_type,vendor_dns_action,action,reply_code,reply_code_id +Response,NOERROR,success,No Error,0 +Response,FORMERR,failure,Format Error,1 +Response,SERVFAIL,failure,Server Failure,2 +Response,NXDOMAIN,failure,Non-Existent Domain,3 +Response,NOTIMPL,failure,NotImp,4 +Response,REFUSED,failure,Refused,5 +Response,YXDOMAIN,failure,YXDomain,6 +Response,YXRRSET,failure,YXRRSet,7 +Response,NXRRSET,failure,NXRRSer,8 +Response,NOTAUTH,failure,NotAuth,9 +Response,NOTZONE,failure,NotZone,10 +Response,DSOTYPENI,failure,DSOTYPENI,11 +Response,BADVERS,failure,BADVERS,16 +Response,BADSIG,failure,BADSIG,16 +Response,BADKEY,failure,BADKEY,17 +Response,BADTIME,failure,BADTIME,18 +Response,BADMODE,failure,BADMODE,19 +Response,BADNAME,failure,BADNAME,20 +Response,BADALG,failure,BADALG,21 +Response,BADTRUNC,failure,BADTRUNC,22 +Response,BADCOOKIE,failure,BADCOOKIE,23 +Query,NOERROR,success,, +Query,FORMERR,failure,, +Query,SERVFAIL,failure,, +Query,NXDOMAIN,failure,, +Query,NOTIMPL,failure,, +Query,REFUSED,failure,, +Query,YXDOMAIN,failure,, +Query,YXRRSET,failure,, +Query,NXRRSET,failure,, +Query,NOTAUTH,failure,, +Query,NOTZONE,failure,, +Query,DSOTYPENI,failure,, +Query,BADVERS,failure,, +Query,BADSIG,failure,, +Query,BADKEY,failure,, +Query,BADTIME,failure,, +Query,BADMODE,failure,, +Query,BADNAME,failure,, +Query,BADALG,failure,, +Query,BADTRUNC,failure,, +Query,BADCOOKIE,failure,, diff --git a/apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv b/apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv new file mode 100644 index 00000000..18116cd0 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv @@ -0,0 +1,4 @@ +opcode,query_type +Q,Query +N,Notify +U,Update 
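Review bot: `windows_dns_action_lookup.csv` has a typo in the `reply_code` for rcode 8: `NXRRSer` should be `NXRRSet`. The duplicate `reply_code_id` 16 for BADVERS and BADSIG is correct per the IANA registry and should not be "fixed".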
diff --git a/apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport_890.csv b/apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport_890.csv new file mode 100644 index 00000000..84ab0f38 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport_890.csv @@ -0,0 +1,16 @@ +Protocol,transport +1,icmp +6,tcp +17,udp +47,gre +51,ah +50,esp +8,egp +3,ggp +20,hmp +88,igmp +66,rvd +89,ospf +12,pup +27,rdp +46,rsvp diff --git a/apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv b/apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv new file mode 100644 index 00000000..c57da945 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv @@ -0,0 +1,9 @@ +EventCode,service,service_name +5024,Firewall,Firewall +5025,Firewall,Firewall +5030,Firewall,Firewall +5033,Firewall Driver,Firewall Driver +5034,Firewall Driver,Firewall Driver +5035,Firewall Driver,Firewall Driver +5478,IPsec Policy Agent service,IPsec Policy Agent service +1100,Event Logging Service,Event Logging Service diff --git a/apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv b/apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv new file mode 100644 index 00000000..8e777f47 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv @@ -0,0 +1,6 @@ +Service_Start_Type,start_mode +0,auto +1,auto +2,auto +3,manual +4,disabled diff --git a/apps/Splunk_TA_windows/lookups/windows_eventtypes.csv b/apps/Splunk_TA_windows/lookups/windows_eventtypes.csv new file mode 100644 index 00000000..8775f160 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_eventtypes.csv @@ -0,0 +1,7 @@ +EventType,Description +0,Information +1,Error +2,Warning +4,Information +8,Success Audit +16,Failure Audit 
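Review bot: `windows_endpoint_port_transport_890.csv` maps protocol 88 to `igmp`, but IP protocol 88 is EIGRP; IGMP is protocol 2. The table also lacks 41 (IPv6 encapsulation) and 58 (ICMPv6), so filtering-platform events (5156/5157) for ICMPv6 traffic get no `transport`.

Review bot: `windows_eventtypes.csv` labels `EventType` 0 as `Information`; in the event log API 0 is `EVENTLOG_SUCCESS` and 4 is `EVENTLOG_INFORMATION_TYPE`. If the collapse is deliberate, a comment in the TA docs would stop it being "corrected" later. Same remark for `windows_endpoint_service_service_type.csv`, which folds start types 0 (boot) and 1 (system) into `auto`.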
diff --git a/apps/Splunk_TA_windows/lookups/windows_privileges.csv b/apps/Splunk_TA_windows/lookups/windows_privileges.csv new file mode 100644 index 00000000..67c23178 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_privileges.csv @@ -0,0 +1,29 @@ +privilege_id,privilege +SeAssignPrimaryTokenPrivilege,"Replace a process level token" +SeAuditPrivilege,"Generate security audits" +SeBackupPrivilege,"Back up files and directories" +SeChangeNotifyPrivilege,"Bypass traverse checking" +SeCreatePagefilePrivilege,"Create a pagefile" +SeCreatePermanentPrivilege,"Create permanent shared objects" +SeCreateTokenPrivilege,"Create a token object" +SeDebugPrivilege,"Debug programs" +SeEnableDelegationPrivilege,"Enable computer and user accounts to be trusted for delegation" +SeImpersonatePrivilege,"Impersonate a Client After Authentication" +SeIncreaseBasePriorityPrivilege,"Increase scheduling priority" +SeIncreaseQuotaPrivilege,"Adjust memory quotas for a process" +SeLoadDriverPrivilege,"Load and unload device drivers" +SeLockMemoryPrivilege,"Lock pages in memory" +SeMachineAccountPrivilege,"Add workstations to domain" +SeManageVolumePrivilege,"Perform volume maintenance tasks" +SeProfileSingleProcessPrivilege,"Profile single process" +SeRemoteShutdownPrivilege,"Force shutdown from a remote system" +SeRestorePrivilege,"Restore files and directories" +SeSecurityPrivilege,"Manage auditing and security log" +SeShutdownPrivilege,"Shut down the system" +SeSyncAgentPrivilege,"Synchronize directory service data" +SeSystemEnvironmentPrivilege,"Modify firmware environment values" +SeSystemProfilePrivilege,"Profile system performance" +SeSystemtimePrivilege,"Change the system time" +SeTakeOwnershipPrivilege,"Take ownership of files or other objects" +SeTcbPrivilege,"Act as part of the operating system" +SeUndockPrivilege,"Remove computer from docking station" 
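Review bot: `windows_privileges.csv` omits several privilege names that show up in 4672/4673/4674 and 4703, including `SeCreateGlobalPrivilege`, `SeRelabelPrivilege`, `SeTrustedCredManAccessPrivilege`, `SeCreateSymbolicLinkPrivilege`, `SeIncreaseWorkingSetPrivilege`, `SeTimeZonePrivilege` and `SeDelegateSessionUserImpersonatePrivilege`. Events carrying those will have an empty `privilege`, which matters for `SeTrustedCredManAccessPrivilege` in particular since it is a common credential-theft indicator.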
diff --git a/apps/Splunk_TA_windows/lookups/windows_severities.csv b/apps/Splunk_TA_windows/lookups/windows_severities.csv new file mode 100644 index 00000000..1dbb5db4 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_severities.csv @@ -0,0 +1,7 @@ +Type,EventCode,severity +Error,,high +Warning,,medium +Information,,informational +Success Audit,,informational +Failure Audit,,medium +,4739,high diff --git a/apps/Splunk_TA_windows/lookups/windows_signatures_900.csv b/apps/Splunk_TA_windows/lookups/windows_signatures_900.csv new file mode 100644 index 00000000..24b23bde --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_signatures_900.csv 
@@ -0,0 +1,541 @@ +signature_id,signature,CategoryString,action,result,command +512,"Windows NT is starting up",,,, +513,"Windows is shutting down",,,, +514,"An authentication package has been loaded by the Local Security Authority",,,, +515,"A trusted logon process has registered with the Local Security Authority",,,, +516,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits",,,, +517,"The audit log was cleared",,,, +518,"A notification package has been loaded by the Security Account Manager",,,, +519,"A process is using an invalid local procedure call (LPC) port",,,, +520,"The system time was changed",,,, +528,"Successful Logon",,,, +529,"Unknown user name or bad password",,,, +530,"Account logon time restriction violation",,,, +531,"Account currently disabled",,,, +532,"The specified user account has expired",,,, +533,"User not allowed to logon at this computer",,,, +534,"The user has not been granted the requested logon type at this machine",,,, +535,"The specified account's password has expired",,,, +536,"The NetLogon component is not active",,,, +537,"The logon attempt failed for other reasons.",,,, +538,"User Logoff",,,, +539,"Logon Failure - Account locked out",,,, +540,"Successful Network Logon",,,, +551,"User initiated logoff",,,, +552,"Logon attempt using explicit credentials",,,, +560,"Object Open",,,, +561,"Handle Allocated",,,, +562,"Handle Closed",,,, +563,"Object Open for Delete",,,, +564,"Object Deleted",,,, +565,"Object Open (Active Directory)",,,, +566,"Object Operation (W3 Active Directory)",,,, +567,"Object Access Attempt",,,, +576,"Special privileges assigned to new logon",,,, +577,"Privileged Service Called",,,, +578,"Privileged object operation",,,, +592,"A new process has been created",,,, +593,"A process has exited",,,, +594,"A handle to an object has been duplicated",,,, +595,"Indirect access to an object has been obtained",,,, +600,"A process was assigned a primary 
token",,,, +601,"Attempt to install service",,,, +602,"Scheduled Task created",,,, +608,"User Right Assigned",,,, +609,"User Right Removed",,,, +610,"New Trusted Domain",,,, +611,"Removing Trusted Domain",,,, +612,"Audit Policy Change",,,, +613,"IPSec policy agent started",,,, +614,"IPSec policy agent disabled",,,, +615,"IPSEC PolicyAgent Service",,,, +616,"IPSec policy agent encountered a potentially serious failure.",,,, +617,"Kerberos Policy Changed",,,, +618,"Encrypted Data Recovery Policy Changed",,,, +619,"Quality of Service Policy Changed",,,, +620,"Trusted Domain Information Modified",,,, +621,"System Security Access Granted",,,, +622,"System Security Access Removed",,,, +623,"Per User Audit Policy was refreshed",,,, +624,"User Account Created",Account Management,created,, +625,"User Account Type Changed",,,, +626,"User Account Enabled",Account Management,,, +627,"Change Password Attempt",Account Management,,, +628,"User Account password set",Account Management,modified,, +629,"User Account Disabled",Account Management,,, +630,"User Account Deleted",Account Management,deleted,, +631,"Security Enabled Global Group Created",Account Management,,, +632,"Security Enabled Global Group Member Added",Account Management,,, +633,"Security Enabled Global Group Member Removed",Account Management,,, +634,"Security Enabled Global Group Deleted",Account Management,,, +635,"Security Enabled Local Group Created",Account Management,,, +636,"Security Enabled Local Group Member Added",Account Management,,, +637,"Security Enabled Local Group Member Removed",Account Management,,, +638,"Security Enabled Local Group Deleted",Account Management,,, +639,"Security Enabled Local Group Changed",Account Management,,, +640,"General Account Database Change",Account Management,,, +641,"Security Enabled Global Group Changed",Account Management,,, +642,"User Account Changed",Account Management,modified,, +643,"Domain Policy Changed",Account Management,,, +644,"User Account Locked 
Out",Account Management,modified,lockout, +645,"Computer Account Created",Account Management,,, +646,"Computer Account Changed",Account Management,,, +647,"Computer Account Deleted",Account Management,,, +648,"Security Disabled Local Group Created",Account Management,,, +649,"Security Disabled Local Group Changed",Account Management,,, +650,"Security Disabled Local Group Member Added",Account Management,,, +651,"Security Disabled Local Group Member Removed",Account Management,,, +652,"Security Disabled Local Group Deleted",Account Management,,, +653,"Security Disabled Global Group Created",Account Management,,, +654,"Security Disabled Global Group Changed",Account Management,,, +655,"Security Disabled Global Group Member Added",Account Management,,, +656,"Security Disabled Global Group Member Removed",Account Management,,, +657,"Security Disabled Global Group Deleted",Account Management,,, +658,"Security Enabled Universal Group Created",Account Management,,, +659,"Security Enabled Universal Group Changed",Account Management,,, +660,"Security Enabled Universal Group Member Added",Account Management,,, +661,"Security Enabled Universal Group Member Removed",Account Management,,, +662,"Security Enabled Universal Group Deleted",Account Management,,, +663,"Security Disabled Universal Group Created",Account Management,,, +664,"Security Disabled Universal Group Changed",Account Management,,, +665,"Security Disabled Universal Group Member Added",Account Management,,, +666,"Security Disabled Universal Group Member Removed",Account Management,,, +667,"Security Disabled Universal Group Deleted",Account Management,,, +668,"Group Type Changed",Account Management,,, +669,"Add SID History",Account Management,,, +670,"Add SID History",Account Management,,, +671,"User Account Unlocked",Account Management,,, +672,"Authentication Ticket Granted",,,, +673,"Service Ticket Granted",,,, +674,"Ticket Granted Renewed",,,, +675,"Pre-authentication failed",,,, +676,"Authentication Ticket 
Request Failed",,,, +677,"Service Ticket Request Failed",,,, +678,"Account Mapped for Logon by",,,, +679,"The name: %2 could not be mapped for logon by: %1",,,, +680,"Account Used for Logon by",,,, +681,"The logon to account: %2 by: %1 from workstation: %3 failed.",,,, +682,"Session reconnected to winstation",,,, +683,"Session disconnected from winstation",,,, +684,"Set ACLs of members in administrators groups",Account Management,,, +685,"Account Name Changed",Account Management,,, +686,"Password of the following user accessed",Account Management,,, +687,"Basic Application Group Created",Account Management,,, +688,"Basic Application Group Changed",Account Management,,, +689,"Basic Application Group Member Added",Account Management,,, +690,"Basic Application Group Member Removed",Account Management,,, +691,"Basic Application Group Non-Member Added",Account Management,,, +692,"Basic Application Group Non-Member Removed",Account Management,,, +693,"Basic Application Group Deleted",Account Management,,, +694,"LDAP Query Group Created",Account Management,,, +695,"LDAP Query Group Changed",Account Management,,, +696,"LDAP Query Group Deleted",Account Management,,, +697,"Password Policy Checking API is called",API Calls,,, +806,"Per User Audit Policy was refreshed",,,, +807,"Per user auditing policy set for user",,,, +808,"A security event source has attempted to register",,,, +809,"A security event source has attempted to unregister",,,, +848,"The following policy was active when the Windows Firewall started",,,, +849,"An application was listed as an exception when the Windows Firewall started",,,, +850,"A port was listed as an exception when the Windows Firewall started",,,, +852,"A change has been made to the Windows Firewall port exception list",,,, +861,"The Windows Firewall has detected an application listening for incoming traffic",,,, +1100,"The event logging service has shut down",,,, +1101,"Audit events have been dropped by the transport.",,,, +1102,"The audit 
log was cleared",,,, +1104,"The security Log is now full",,,, +1105,"Event log automatic backup",,,, +1108,"The event logging service encountered an error",,,, +4500,"Metabase Add Key",,,, +4501,"Metabase Delete Key",,,, +4502,"Metabase Delete Chid Keys",,,, +4503,"Metabase Copy Key",,,, +4504,"Metabase Rename Key",,,, +4505,"Metabase Set Data",,,, +4506,"Metabase Delete Data",,,, +4507,"Metabase Delete All Data",,,, +4508,"Metabase Copy Data",,,, +4509,"Metabase Set Last Change Time",,,, +4510,"Metabase Restore",,,, +4511,"Metabase Delete Backup",,,, +4512,"Metabase Import",,,, +4608,"Windows is starting up",,,, +4609,"Windows is shutting down",,,, +4610,"An authentication package has been loaded by the Local Security Authority",,,, +4611,"A trusted logon process has been registered with the Local Security Authority",,,, +4612,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",,,, +4614,"A notification package has been loaded by the Security Account Manager.",,,, +4615,"Invalid use of LPC port",,,, +4616,"The system time was changed.",,,, +4618,"A monitored security event pattern has occurred",,,, +4621,"Administrator recovered system from CrashOnAuditFail",,,, +4622,"A security package has been loaded by the Local Security Authority.",,,, +4624,"An account was successfully logged on",,,, +4625,"An account failed to log on",,,, +4634,"An account was logged off",,,, +4646,"%1",,,, +4647,"User initiated logoff",,,, +4648,"A logon was attempted using explicit credentials",,,, +4649,"A replay attack was detected",,,, +4650,"An IPsec Main Mode security association was established",,,, +4651,"An IPsec Main Mode security association was established",,,, +4652,"An IPsec Main Mode negotiation failed",,,, +4653,"An IPsec Main Mode negotiation failed",,,, +4654,"An IPsec Quick Mode negotiation failed",,,, +4655,"An IPsec Main Mode security association ended",,,, +4656,"A handle to an object was 
requested",,,, +4657,"A registry value was modified",,,, +4658,"The handle to an object was closed",,,, +4659,"A handle to an object was requested with intent to delete",,,, +4660,"An object was deleted",,,, +4661,"A handle to an object was requested",,,, +4662,"An operation was performed on an object",,,, +4663,"An attempt was made to access an object",,,, +4664,"An attempt was made to create a hard link",,,, +4665,"An attempt was made to create an application client context.",,,, +4666,"An application attempted an operation",,,, +4667,"An application client context was deleted",,,, +4668,"An application was initialized",,,, +4670,"Permissions on an object were changed",,,, +4671,"An application attempted to access a blocked ordinal through the TBS",,,, +4672,"Special privileges assigned to new logon",,,, +4673,"A privileged service was called",,,, +4674,"An operation was attempted on a privileged object",,,, +4675,"SIDs were filtered",,,, +4685,"The state of a transaction has changed",,,, +4688,"A new process has been created",,,, +4689,"A process has exited",,,, +4690,"An attempt was made to duplicate a handle to an object",,,, +4691,"Indirect access to an object was requested",,,, +4692,"Backup of data protection master key was attempted",,,, +4693,"Recovery of data protection master key was attempted",,,, +4694,"Protection of auditable protected data was attempted",,,, +4695,"Unprotection of auditable protected data was attempted",,,, +4696,"A primary token was assigned to process",,,, +4697,"A service was installed in the system",,,, +4698,"A scheduled task was created",,,, +4699,"A scheduled task was deleted",,,, +4700,"A scheduled task was enabled",,,, +4701,"A scheduled task was disabled",,,, +4702,"A scheduled task was updated",,,, +4704,"A user right was assigned",,,, +4705,"A user right was removed",,,, +4706,"A new trust was created to a domain",,,"A new trust was created to a domain","A new trust was created to a domain." 
+4707,"A trust to a domain was removed",,,, +4709,"IPsec Services was started",,,, +4710,"IPsec Services was disabled",,,, +4711,"PAStore Engine (1%)",,,, +4712,"IPsec Services encountered a potentially serious failure",,,, +4713,"Kerberos policy was changed",,,"Kerberos policy was changed","Kerberos policy was changed." +4714,"Encrypted data recovery policy was changed",,,, +4715,"The audit policy (SACL) on an object was changed",,,, +4716,"Trusted domain information was modified",,,, +4717,"System security access was granted to an account",,,, +4718,"System security access was removed from an account",,,, +4719,"System audit policy was changed",,,, +4720,"A user account was created",Account Management,,, +4722,"A user account was enabled",Account Management,,, +4723,"An attempt was made to change an account's password",Account Management,,, +4724,"An attempt was made to reset an accounts password",Account Management,,, +4725,"A user account was disabled",Account Management,,, +4726,"A user account was deleted",Account Management,,, +4727,"A security-enabled global group was created",Account Management,,, +4728,"A member was added to a security-enabled global group",Account Management,,, +4729,"A member was removed from a security-enabled global group",Account Management,,, +4730,"A security-enabled global group was deleted",Account Management,,, +4731,"A security-enabled local group was created",Account Management,,, +4732,"A member was added to a security-enabled local group",Account Management,,, +4733,"A member was removed from a security-enabled local group",Account Management,,, +4734,"A security-enabled local group was deleted",Account Management,,, +4735,"A security-enabled local group was changed",Account Management,,, +4737,"A security-enabled global group was changed",Account Management,,, +4738,"A user account was changed",Account Management,,, +4739,"Domain Policy was changed",Account Management,,, +4740,"A user account was locked out",Account 
Management,,, +4741,"A computer account was created",Account Management,,, +4742,"A computer account was changed",Account Management,,, +4743,"A computer account was deleted",Account Management,,, +4744,"A security-disabled local group was created",,,"A security-disabled local group was created","A security-disabled local group was created." +4745,"A security-disabled local group was changed",Account Management,,, +4746,"A member was added to a security-disabled local group",Account Management,,, +4747,"A member was removed from a security-disabled local group",Account Management,,, +4748,"A security-disabled local group was deleted",Account Management,,, +4749,"A security-disabled global group was created",,,"A security-disabled global group was created","A security-disabled global group was created." +4750,"A security-disabled global group was changed",,,"A security-disabled global group was changed","A security-disabled global group was changed." +4751,"A member was added to a security-disabled global group",Account Management,,, +4752,"A member was removed from a security-disabled global group",Account Management,,, +4753,"A security-disabled global group was deleted",Account Management,,, +4754,"A security-enabled universal group was created",Account Management,,, +4755,"A security-enabled universal group was changed",Account Management,,, +4756,"A member was added to a security-enabled universal group",Account Management,,, +4757,"A member was removed from a security-enabled universal group",Account Management,,, +4758,"A security-enabled universal group was deleted",Account Management,,, +4759,"A security-disabled universal group was created",,,"A security-disabled universal group was created","A security-disabled universal group was created." 
+4760,"A security-disabled universal group was changed",Account Management,,, +4761,"A member was added to a security-disabled universal group",Account Management,,, +4762,"A member was removed from a security-disabled universal group",Account Management,,, +4763,"A security-disabled universal group was deleted",Account Management,,, +4764,"A group's type was changed",Account Management,,, +4765,"SID History was added to an account",Account Management,,, +4766,"An attempt to add SID History to an account failed",Account Management,,, +4767,"A user account was unlocked",Account Management,,, +4768,"A Kerberos authentication ticket (TGT) was requested",,,, +4769,"A Kerberos service ticket was requested",,,, +4770,"A Kerberos service ticket was renewed",,,, +4771,"Kerberos pre-authentication failed",,,, +4772,"A Kerberos authentication ticket request failed",,,, +4773,"A Kerberos service ticket request failed",,,, +4774,"An account was mapped for logon",,,, +4775,"An account could not be mapped for logon",,,, +4776,"The domain controller attempted to validate the credentials for an account",,,, +4777,"The domain controller failed to validate the credentials for an account",,,, +4778,"A session was reconnected to a Window Station",,,, +4779,"A session was disconnected from a Window Station",,,, +4780,"The ACL was set on accounts which are members of administrators groups",Account Management,,, +4781,"The name of an account was changed",Account Management,,, +4782,"The password hash an account was accessed",Account Management,,, +4783,"A basic application group was created",Account Management,,, +4784,"A basic application group was changed",Account Management,,, +4785,"A member was added to a basic application group",Account Management,,, +4786,"A member was removed from a basic application group",Account Management,,, +4787,"A non-member was added to a basic application group",Account Management,,, +4788,"A non-member was removed from a basic application 
group..",Account Management,,, +4789,"A basic application group was deleted",Account Management,,, +4790,"An LDAP query group was created",Account Management,,, +4791,"A basic application group was changed",Account Management,,, +4792,"An LDAP query group was deleted",Account Management,,, +4793,"The Password Policy Checking API was called",API Calls,,, +4794,"An attempt was made to set the Directory Services Restore Mode administrator password",Account Management,,,"set the Directory Services Restore Mode administrator password." +4798,"A user's local group membership was enumerated.",,,, +4799,"A security-enabled local group membership was enumerated",,,, +4800,"The workstation was locked",,,, +4801,"The workstation was unlocked",,,, +4802,"The screen saver was invoked",,,, +4803,"The screen saver was dismissed",,,, +4816,"RPC detected an integrity violation while decrypting an incoming message",,,, +4817,"Auditing settings on object were changed.",,,, +4864,"A namespace collision was detected",,,, +4865,"A trusted forest information entry was added",,,, +4866,"A trusted forest information entry was removed",,,, +4867,"A trusted forest information entry was modified",,,, +4868,"The certificate manager denied a pending certificate request",,,, +4869,"Certificate Services received a resubmitted certificate request",,,, +4870,"Certificate Services revoked a certificate",,,, +4871,"Certificate Services received a request to publish the certificate revocation list (CRL)",,,, +4872,"Certificate Services published the certificate revocation list (CRL)",,,, +4873,"A certificate request extension changed",,,, +4874,"One or more certificate request attributes changed.",,,, +4875,"Certificate Services received a request to shut down",,,, +4876,"Certificate Services backup started",,,"Certificate Services backup started","Certificate Services backup started." 
+4877,"Certificate Services backup completed",,,, +4878,"Certificate Services restore started",,,, +4879,"Certificate Services restore completed",,,, +4880,"Certificate Services started",,,, +4881,"Certificate Services stopped",,,, +4882,"The security permissions for Certificate Services changed",,,, +4883,"Certificate Services retrieved an archived key",,,, +4884,"Certificate Services imported a certificate into its database",,,, +4885,"The audit filter for Certificate Services changed",,,, +4886,"Certificate Services received a certificate request",,,, +4887,"Certificate Services approved a certificate request and issued a certificate",,,, +4888,"Certificate Services denied a certificate request",,,, +4889,"Certificate Services set the status of a certificate request to pending",,,, +4890,"The certificate manager settings for Certificate Services changed.",,,, +4891,"A configuration entry changed in Certificate Services",,,, +4892,"A property of Certificate Services changed",,,, +4893,"Certificate Services archived a key",,,, +4894,"Certificate Services imported and archived a key",,,, +4895,"Certificate Services published the CA certificate to Active Directory Domain Services",,,, +4896,"One or more rows have been deleted from the certificate database",,,, +4897,"Role separation enabled",,,, +4898,"Certificate Services loaded a template",,,, +4899,"A Certificate Services template was updated",,,, +4900,"Certificate Services template security was updated",,,, +4902,"The Per-user audit policy table was created",,,, +4904,"An attempt was made to register a security event source",,,, +4905,"An attempt was made to unregister a security event source",,,, +4906,"The CrashOnAuditFail value has changed",,,, +4907,"Auditing settings on object were changed",,,, +4908,"Special Groups Logon table modified",,,, +4909,"The local policy settings for the TBS were changed",,,, +4910,"The group policy settings for the TBS were changed",,,, +4912,"Per User Audit Policy was 
changed",,,, +4928,"An Active Directory replica source naming context was established",,,, +4929,"An Active Directory replica source naming context was removed",,,, +4930,"An Active Directory replica source naming context was modified",,,, +4931,"An Active Directory replica destination naming context was modified",,,, +4932,"Synchronization of a replica of an Active Directory naming context has begun",,,, +4933,"Synchronization of a replica of an Active Directory naming context has ended",,,, +4934,"Attributes of an Active Directory object were replicated",,,, +4935,"Replication failure begins",,,, +4936,"Replication failure ends",,,, +4937,"A lingering object was removed from a replica",,,, +4944,"The following policy was active when the Windows Firewall started",,,, +4945,"A rule was listed when the Windows Firewall started",,,, +4946,"A change has been made to Windows Firewall exception list. A rule was added",,,, +4947,"A change has been made to Windows Firewall exception list. A rule was modified",,,, +4948,"A change has been made to Windows Firewall exception list. A rule was deleted",,,, +4949,"Windows Firewall settings were restored to the default values",,,, +4950,"A Windows Firewall setting has changed",,,, +4951,"A rule has been ignored because its major version number was not recognized by Windows Firewall",,,, +4952,"Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall",,,, +4953,"A rule has been ignored by Windows Firewall because it could not parse the rule",,,, +4954,"Windows Firewall Group Policy settings has changed. 
The new settings have been applied",,,, +4956,"Windows Firewall has changed the active profile",,,, +4957,"Windows Firewall did not apply the following rule",,,, +4958,"Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer",,,, +4960,"IPsec dropped an inbound packet that failed an integrity check",,,, +4961,"IPsec dropped an inbound packet that failed a replay check",,,, +4962,"IPsec dropped an inbound packet that failed a replay check",,,, +4963,"IPsec dropped an inbound clear text packet that should have been secured",,,, +4964,"Special groups have been assigned to a new logon",,,, +4965,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).",,,, +4976,"During Main Mode negotiation, IPsec received an invalid negotiation packet.",,,, +4977,"During Quick Mode negotiation, IPsec received an invalid negotiation packet.",,,, +4978,"During Extended Mode negotiation, IPsec received an invalid negotiation packet.",,,, +4979,"IPsec Main Mode and Extended Mode security associations were established.",,,, +4980,"IPsec Main Mode and Extended Mode security associations were established",,,, +4981,"IPsec Main Mode and Extended Mode security associations were established",,,, +4982,"IPsec Main Mode and Extended Mode security associations were established",,,, +4983,"An IPsec Extended Mode negotiation failed",,,, +4984,"An IPsec Extended Mode negotiation failed",,,, +4985,"The state of a transaction has changed",,,, +5024,"The Windows Firewall Service has started successfully",,,, +5025,"The Windows Firewall Service has been stopped",,,, +5027,"The Windows Firewall Service was unable to retrieve the security policy from the local storage",,,, +5028,"The Windows Firewall Service was unable to parse the new security policy.",,,, +5029,"The Windows Firewall Service failed to initialize the driver",,,, +5030,"The Windows Firewall Service failed to start",,,, +5031,"The Windows 
Firewall Service blocked an application from accepting incoming connections on the network.",,,, +5032,"Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network",,,, +5033,"The Windows Firewall Driver has started successfully",,,, +5034,"The Windows Firewall Driver has been stopped",,,, +5035,"The Windows Firewall Driver failed to start",,,, +5037,"The Windows Firewall Driver detected critical runtime error. Terminating",,,, +5038,"Code integrity determined that the image hash of a file is not valid",,,, +5039,"A registry key was virtualized.",,,, +5040,"A change has been made to IPsec settings. An Authentication Set was added.",,,, +5041,"A change has been made to IPsec settings. An Authentication Set was modified",,,, +5042,"A change has been made to IPsec settings. An Authentication Set was deleted",,,, +5043,"A change has been made to IPsec settings. A Connection Security Rule was added",,,, +5044,"A change has been made to IPsec settings. A Connection Security Rule was modified",,,, +5045,"A change has been made to IPsec settings. A Connection Security Rule was deleted",,,, +5046,"A change has been made to IPsec settings. A Crypto Set was added",,,, +5047,"A change has been made to IPsec settings. A Crypto Set was modified",,,, +5048,"A change has been made to IPsec settings. 
A Crypto Set was deleted",,,, +5049,"An IPsec Security Association was deleted",,,, +5050,"An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE",,,, +5051,"A file was virtualized",,,, +5056,"A cryptographic self test was performed",,,, +5057,"A cryptographic primitive operation failed",,,, +5058,"Key file operation",,,, +5059,"Key migration operation",,,, +5060,"Verification operation failed",,,, +5061,"Cryptographic operation",,,, +5062,"A kernel-mode cryptographic self test was performed",,,, +5063,"A cryptographic provider operation was attempted",,,, +5064,"A cryptographic context operation was attempted",,,, +5065,"A cryptographic context modification was attempted",,,, +5066,"A cryptographic function operation was attempted",,,, +5067,"A cryptographic function modification was attempted",,,, +5068,"A cryptographic function provider operation was attempted",,,, +5069,"A cryptographic function property operation was attempted",,,, +5070,"A cryptographic function property operation was attempted",,,, +5120,"OCSP Responder Service Started",,,, +5121,"OCSP Responder Service Stopped",,,, +5122,"A Configuration entry changed in the OCSP Responder Service",,,, +5123,"A configuration entry changed in the OCSP Responder Service",,,, +5124,"A security setting was updated on OCSP Responder Service",,,, +5125,"A request was submitted to OCSP Responder Service",,,, +5126,"Signing Certificate was automatically updated by the OCSP Responder Service",,,, +5127,"The OCSP Revocation Provider successfully updated the revocation information",,,, +5136,"A directory service object was modified",,,, +5137,"A directory service object was created",,,, +5138,"A directory service object was undeleted",,,, +5139,"A directory service object was moved",,,, +5140,"A network share object was accessed",,,, +5141,"A directory service object was deleted",,,, +5142,"A network share object was added.",,,, +5143,"A network share object was 
modified",,,, +5144,"A network share object was deleted.",,,, +5145,"A network share object was checked to see whether client can be granted desired access",,,, +5148,"The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.",,,, +5149,"The DoS attack has subsided and normal processing is being resumed.",,,, +5150,"The Windows Filtering Platform has blocked a packet.",,,, +5151,"A more restrictive Windows Filtering Platform filter has blocked a packet.",,,, +5152,"The Windows Filtering Platform blocked a packet",,,, +5153,"A more restrictive Windows Filtering Platform filter has blocked a packet",,,, +5154,"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections",,,, +5155,"The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections",,,, +5156,"The Windows Filtering Platform has allowed a connection",,,, +5157,"The Windows Filtering Platform has blocked a connection",,,, +5158,"The Windows Filtering Platform has permitted a bind to a local port",,,, +5159,"The Windows Filtering Platform has blocked a bind to a local port",,,, +5168,"Spn check for SMB/SMB2 fails.",,,, +5376,"Credential Manager credentials were backed up",Account Management,,, +5377,"Credential Manager credentials were restored from a backup",Account Management,,, +5378,"The requested credentials delegation was disallowed by policy",,,, +5440,"The following callout was present when the Windows Filtering Platform Base Filtering Engine started",,,, +5441,"The following filter was present when the Windows Filtering Platform Base Filtering Engine started",,,, +5442,"The following provider was present when the Windows Filtering Platform Base Filtering Engine started",,,, +5443,"The following provider context was present when the Windows Filtering Platform Base Filtering Engine started",,,, +5444,"The 
following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started",,,, +5446,"A Windows Filtering Platform callout has been changed",,,, +5447,"A Windows Filtering Platform filter has been changed",,,, +5448,"A Windows Filtering Platform provider has been changed",,,, +5449,"A Windows Filtering Platform provider context has been changed",,,, +5450,"A Windows Filtering Platform sub-layer has been changed",,,, +5451,"An IPsec Quick Mode security association was established",,,, +5452,"An IPsec Quick Mode security association ended",,,, +5453,"An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started",,,, +5456,"PAStore Engine applied Active Directory storage IPsec policy on the computer",,,, +5457,"PAStore Engine failed to apply Active Directory storage IPsec policy on the computer",,,, +5458,"PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer",,,, +5459,"PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer",,,, +5460,"PAStore Engine applied local registry storage IPsec policy on the computer",,,, +5461,"PAStore Engine failed to apply local registry storage IPsec policy on the computer",,,, +5462,"PAStore Engine failed to apply some rules of the active IPsec policy on the computer",,,, +5463,"PAStore Engine polled for changes to the active IPsec policy and detected no changes",,,, +5464,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services",,,, +5465,"PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully",,,, +5466,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead",,,, +5467,"PAStore Engine polled 
for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy",,,, +5468,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes",,,, +5471,"PAStore Engine loaded local storage IPsec policy on the computer",,,, +5472,"PAStore Engine failed to load local storage IPsec policy on the computer",,,, +5473,"PAStore Engine loaded directory storage IPsec policy on the computer",,,, +5474,"PAStore Engine failed to load directory storage IPsec policy on the computer",,,, +5477,"PAStore Engine failed to add quick mode filter",,,, +5478,"IPsec Services has started successfully",,,, +5479,"IPsec Services has been shut down successfully",,,, +5480,"IPsec Services failed to get the complete list of network interfaces on the computer",,,, +5483,"IPsec Services failed to initialize RPC server. IPsec Services could not be started",,,, +5484,"IPsec Services has experienced a critical failure and has been shut down",,,, +5485,"IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces",,,, +5632,"A request was made to authenticate to a wireless network",,,, +5633,"A request was made to authenticate to a wired network",,,, +5712,"A Remote Procedure Call (RPC) was attempted",,,, +5888,"An object in the COM+ Catalog was modified",,,, +5889,"An object was deleted from the COM+ Catalog",,,, +5890,"An object was added to the COM+ Catalog",,,, +6144,"Security policy in the group policy objects has been applied successfully",,,, +6145,"One or more errors occured while processing security policy in the group policy objects",,,, +6272,"Network Policy Server granted access to a user",,,, +6273,"Network Policy Server denied access to a user",,,, +6274,"Network Policy Server discarded the request for a user",,,, +6275,"Network Policy Server discarded the accounting 
request for a user",,,, +6276,"Network Policy Server quarantined a user",,,, +6277,"Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy",,,, +6278,"Network Policy Server granted full access to a user because the host met the defined health policy",,,, +6279,"Network Policy Server locked the user account due to repeated failed authentication attempts",,,, +6280,"Network Policy Server unlocked the user account",,,, +6281,"Code Integrity determined that the page hashes of an image file are not valid...",,,, +6400,"BranchCache: Received an incorrectly formatted response while discovering availability of content.",,,, +6401,"BranchCache: Received invalid data from a peer. Data discarded.",,,, +6402,"BranchCache: The message to the hosted cache offering it data is incorrectly formatted.",,,, +6403,"BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.",,,, +6404,"BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.",,,, +6405,"BranchCache: %2 instance(s) of event id %1 occurred.",,,, +6406,"%1 registered to Windows Firewall to control filtering for the following:",,,, +6407,"%1",,,, +6408,"Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.",,,, diff --git a/apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv b/apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv new file mode 100644 index 00000000..1c726c7d --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv 
@@ -0,0 +1,41 @@ +signature_id,Sub_Status,signature +4625,0xc0000064,"User logon with misspelled or bad user account" +4625,0xC0000064,"User logon with misspelled or bad user account" +4625,0xc000006a,"User logon with misspelled or bad password" +4625,0xC000006A,"User logon with misspelled or bad password" +4625,0xc0000234,"User logon with account locked" +4625,0xC0000234,"User logon with account locked" +4625,0xc0000072,"User logon to account disabled by administrator" +4625,0xC0000072,"User logon to account disabled by administrator" +4625,0xc000006f,"User logon outside authorized hours" +4625,0xC000006F,"User logon outside authorized hours" +4625,0xc0000070,"User logon from unauthorized workstation" +4625,0xC0000070,"User logon from unauthorized workstation" +4625,0xc0000193,"User logon with expired account" +4625,0xC0000193,"User logon with expired account" +4625,0xc0000071,"User logon with expired password" +4625,0xC0000071,"User logon with expired password" +4625,0xc0000133,"Clocks between DC and other computer too far out of sync" +4625,0xC0000133,"Clocks between DC and other computer too far out of sync" +4625,0xc0000224,"User is required to change password at next logon" +4625,0xC0000224,"User is required to change password at next logon" +4625,0xc0000225,"Evidently a bug in Windows and not a risk" +4625,0xC0000225,"Evidently a bug in Windows and not a risk" +4625,0xc000005e,"There are currently no logon servers available to service the logon request" +4625,0xC000005E,"There are currently no logon servers available to service the logon request" +4625,0xc000006d,"The cause is either a bad username or authentication information" +4625,0xC000006D,"The cause is either a bad username or authentication information" +4625,0xc000006e,"Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)" +4625,0xC000006E,"Indicates a referenced user 
name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)" +4625,0xc00000dc,"Indicates the Sam Server was in the wrong state to perform the desired operation" +4625,0xC00000DC,"Indicates the Sam Server was in the wrong state to perform the desired operation" +4625,0xc000015b,"The user has not been granted the requested logon type (also called the logon right) at this machine" +4625,0xC000015B,"The user has not been granted the requested logon type (also called the logon right) at this machine" +4625,0xc000018c,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed" +4625,0xC000018C,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed" +4625,0xc0000192,"An attempt was made to logon, but the Netlogon service was not started" +4625,0xC0000192,"An attempt was made to logon, but the Netlogon service was not started" +4625,0xc00002ee,"Failure Reason: An Error occurred during Logon" +4625,0xC00002EE,"Failure Reason: An Error occurred during Logon" +4625,0xc0000413,"Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine" +4625,0xC0000413,"Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine" diff --git a/apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv b/apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv new file mode 100644 index 00000000..03276718 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv @@ -0,0 +1,6 @@ +StartType,start_mode +disabled,disabled +"auto start",auto +"demand start",manual +"boot start",auto +"system start",auto 
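Review bot: every Sub_Status in windows_signatures_substatus_850.csv is listed twice, once in lower-case and once in upper-case hex (`4625,0xc0000064,"User logon with misspelled or bad user account"` and `4625,0xC0000064,...`), which doubles the file to work around case-sensitive matching and still misses any mixed-case value such as 0xc000006A. Declare the lookup with `case_sensitive_match = false` in transforms.conf and keep one row per code. Separately, the text for 0xC0000225, "Evidently a bug in Windows and not a risk", is an editorial remark rather than a description of the status; a neutral signature that names the code and says no further detail is available reads better in a dashboard.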
diff --git a/apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv b/apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv new file mode 100644 index 00000000..84f0ea24 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv @@ -0,0 +1,3 @@ +Last_Sync_Error,windows_action +0*,success +*,failure diff --git a/apps/Splunk_TA_windows/lookups/windows_update_statii.csv b/apps/Splunk_TA_windows/lookups/windows_update_statii.csv new file mode 100644 index 00000000..64e2a58f --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_update_statii.csv @@ -0,0 +1,10 @@ +sourcetype,EventCode,vendor_status,status +WMI:InstalledUpdates,,,installed +,17,,available +,18,,available +,19,,installed +,,"Installation Ready",available +,,"Installation Successful",installed +,,"Restart Required","restart required" +,,"Installation successful and restart required","restart required" +,,"Installation Failure",failure diff --git a/apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_900.csv b/apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_900.csv new file mode 100644 index 00000000..ee771eca --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_900.csv 
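Review bot: the two rows in windows_timesync_actions.csv (`0*,success` and `*,failure`) only act as patterns if transforms.conf declares `match_type = WILDCARD(Last_Sync_Error)` for this lookup; without it the literal string "0*" never matches and nothing falls through to the `*` row either. Even with WILDCARD, `0*` is wider than "no error": any Last_Sync_Error that merely begins with a zero, for instance a hex code written as 0x..., would be labelled success. Anchor the success row to the exact value the input emits (a bare `0`, or `0 *` if the code is followed by its description) and let `*` catch everything else; with max_matches left at its default of 1 the first matching row wins, so the row order here is correct once the pattern is tightened.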
@@ -0,0 +1,36 @@ +EventCode,action,status +5461,modified,failure +1100,,stopped +4697,,started +5024,,started +5025,,stopped +5033,,started +5034,,stopped +5478,,started +4706,modified,success +4713,modified,success +4727,created,success +4728,modified,success +4729,modified,success +4730,deleted,success +4731,created,success +4733,modified,success +4734,deleted,success +4735,modified,success +4737,modified,success +4744,created,success +4749,created,success +4750,modified,success +4754,created,success +4755,modified,success +4756,modified,success +4757,modified,success +4758,deleted,success +4759,created,success +4764,modified,success +4794,modified,success +4799,read,success +4876,read,success +5156,allowed,success +5157,blocked,success +4798,read,success diff --git a/apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_900.csv b/apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_900.csv new file mode 100644 index 00000000..bf84aef7 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_900.csv 
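Review bot: coverage of the group-membership events in windows_wineventlog_change_action_900.csv is uneven. `4733,modified,success` (member removed from a security-enabled local group) is present but its counterpart 4732 (member added) is missing, and 4753 (security-disabled global group deleted) has no row although the other group deletions 4730, 4734 and 4758 map to `deleted`. Add `4732,modified,success` and `4753,deleted,success` so both directions of a change reach the change data model. Also reconsider `4876,read,success`: the same change describes 4876 as "Certificate Services backup started", which is not a read of an object; and `5156,allowed,success` / `5157,blocked,success` are Windows Filtering Platform connection events, so check that the props stanza driving this lookup does not tag them as change events.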
@@ -0,0 +1,60 @@ +EventCode,change_type,object_attrs,object_category,result +1100,,service,, +1101,audit,transport,audit, +1102,,registry,,The audit log was cleared +1108,audit,Microsoft-Windows-Security-Auditing,audit, +4706,AAA,domain trust,directory service,A new trust was created to a domain +4713,AAA,Kerberos policy,directory service,Kerberos policy was changed +4719,audit,Kerberos Authentication Service,audit policy,System audit policy was changed +4717,AAA,,security access,access was granted +4718,AAA,,security access,account was removed +4720,,account,,A user account was created +4722,,account,,A user account was enabled +4723,,account,,An attempt was made to change an account's password +4724,,account,,An attempt was made to reset an account's password +4725,,account,,A user account was disabled +4726,,account,,A user account was deleted +4727,AAA,global group,group,A security-enabled global group was created +4728,AAA,,user,A member was added to a security-enabled global group +4729,AAA,,user,A member was removed from a security-enabled global group +4730,AAA,global group,group,A security-enabled global group was deleted +4731,AAA,local group,group,A security-enabled local group was created +4732,AAA,,user,A member was added to a security-enabled local group +4733,AAA,,user,A member was removed from a security-enabled local group +4734,AAA,local group,group,A security-enabled local group was deleted +4735,AAA,local group,group,A security-enabled local group was changed +4737,AAA,global group,group,A security-enabled global group was changed +4738,,account,,A user account was changed +4739,AAA,domain policy,global group,Domain Policy was changed +4740,,account,,A user account was locked out +4741,,computer account,,account was created +4742,,computer account,,account was changed +4743,,computer account,,account was deleted +4744,AAA,security-disabled local group,user group,A security-disabled local group was created +4749,AAA,security-disabled global 
group,user group,A security-disabled global group was created +4750,AAA,security-disabled global group,user group,A security-disabled global group was changed +4753,AAA,,global group,group was deleted +4754,AAA,universal group,group,A security-enabled universal group was created +4755,AAA,universal group,group,A security-enabled universal group was changed +4756,AAA,,user,A member was added to a security-enabled universal group +4757,AAA,,user,A member was removed from a security-enabled universal group +4758,AAA,universal group,group,A security-enabled universal group was deleted +4759,AAA,security-disabled universal group,user group,A security-disabled universal group was created +4764,AAA,,group,A group's type was changed +4767,AAA,account,user,A user account was unlocked +4781,AAA,account,user,The name of an account was changed +5461,AAA,registry,policy,failed +4703,,account,,A token right was adjusted +4704,,account,,A user right was assigned +4705,,account,,A user right was removed +4800,AAA,workstation,user,The workstation was locked +4801,AAA,workstation,user,The workstation was unlocked +4876,AAA,Certificate Services,database,Certificate Services backup started +4634,,login session,,An account was logged off +4698,,,,A scheduled task was created +4700,,,,A scheduled task was enabled +4701,,,,A scheduled task was disabled +4702,,,,A scheduled task was updated +4794,AAA,Directory Services Restore Mode,user,set the Directory Services Restore Mode administrator password +4799,AAA,local group,group,A security-enabled local group membership was enumerated +4798,,local group,,A user's local group membership was enumerated diff --git a/apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv b/apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv new file mode 100644 index 00000000..d8db0325 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv @@ -0,0 +1,3 @@ +status,enabled +OK,true +Degraded,false 
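Review bot: a few rows in windows_wineventlog_change_object_fields_900.csv contradict their own result text. `4739,AAA,domain policy,global group,Domain Policy was changed` files a policy change under object_category `global group`; `4719,audit,Kerberos Authentication Service,audit policy,System audit policy was changed` hard-codes one audit subcategory as object_attrs, so every 4719 will report Kerberos Authentication Service regardless of which subcategory the event actually names; and `4718,AAA,,security access,account was removed` says an account was removed, while xmlsecurity_eventcode_action.csv in this same change gives 4718 as "System security access was removed from an account". Use a policy category for 4739, leave object_attrs empty for 4719 (or extract the subcategory from the event body in props.conf), and align the 4717/4718 results with the access-granted/removed wording.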
diff --git a/apps/Splunk_TA_windows/lookups/wmi_version_range.csv b/apps/Splunk_TA_windows/lookups/wmi_version_range.csv new file mode 100644 index 00000000..e8f9254b --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/wmi_version_range.csv @@ -0,0 +1,2 @@ +sourcetype,range +WMI:Version,windows diff --git a/apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_900.csv b/apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_900.csv new file mode 100644 index 00000000..b1364f67 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_900.csv 
@@ -0,0 +1,53 @@ +EventCode,object_attrs,result +1100,service, +1102,registry,The audit log was cleared +4720,account,A user account was created +4741,computer account,account was created +4722,account,A user account was enabled +4723,account,An attempt was made to change an account's password +4724,account,An attempt was made to reset an account's password +4725,account,A user account was disabled +4726,account,A user account was deleted +4743,computer account,account was deleted +4738,account,A user account was changed +4742,computer account,account was changed +4740,account,A user account was locked out +4767,account,A user account was unlocked +1101,transport, +1108,Microsoft-Windows-Security-Auditing, +4719,Kerberos Authentication Service,System audit policy was changed +4717,,access was granted +4718,,account was removed +4727,global group,A security-enabled global group was created +4728,,A member was added to a security-enabled global group +4729,,A member was removed from a security-enabled global group +4730,global group,A security-enabled global group was deleted +4731,local group,A security-enabled local group was created +4732,,A member was added to a security-enabled local group +4733,,A member was removed from a security-enabled local group +4734,local group,A security-enabled local group was deleted +4735,local group,A security-enabled local group was changed +4737,global group,A security-enabled global group was changed +4739,domain policy,Domain Policy was changed +4750,,group was changed +4753,,group was deleted +4754,universal group,A security-enabled universal group was created +4755,universal group,A security-enabled universal group was changed +4756,,A member was added to a security-enabled universal group +4757,,A member was removed from a security-enabled universal group +4758,universal group,A security-enabled universal group was deleted +4764,,A group's type was changed +4799,local group,A security-enabled local group membership was 
enumerated +4781,account,The name of an account was changed +4703,account,A token right was adjusted +4704,account,A user right was assigned +4705,account,A user right was removed +4800,workstation,The workstation was locked +4801,workstation,The workstation was unlocked +4634,login session,An account was logged off +4698,,A scheduled task was created +4700,,A scheduled task was enabled +4701,,A scheduled task was disabled +4702,,A scheduled task was updated +4794,Directory Services Restore Mode,set the Directory Services Restore Mode administrator password +4798,local group,A user's local group membership was enumerated diff --git a/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv b/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv new file mode 100644 index 00000000..cadf1f5c --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv 
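Review bot: this XML-source variant drops rows that the classic-format lookup windows_wineventlog_change_object_fields_900.csv carries: 4706 (new domain trust), 4713 (Kerberos policy changed) and 4744, 4749 and 4759 (security-disabled group creations) are absent, and 4750 and 4753 lose their object_attrs, so the same event will populate different change fields depending on whether a host forwards XML or classic-text events. Either generate both files from one source or add the missing rows here, and carry the result text over verbatim where it differs (`4750,,group was changed` here versus "A security-disabled global group was changed" in the classic lookup).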
@@ -0,0 +1,362 @@ +EventCode,action,Category,Subcategory,message,os +4608,success,System,Security State Change,Windows is starting up.,"Windows Vista, Windows Server 2008" +4609,unknown,System,Security State Change,Windows is shutting down.,"Windows Vista, Windows Server 2008" +4610,unknown,System,Security System Extension,An authentication package has been loaded by the Local Security Authority.,"Windows Vista, Windows Server 2008" +4611,success,System,Security System Extension,A trusted logon process has been registered with the Local Security Authority.,"Windows Vista, Windows Server 2008" +4612,unknown,System,System Integrity,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.","Windows Vista, Windows Server 2008" +4614,unknown,System,Security System Extension,A notification package has been loaded by the Security Account Manager.,"Windows Vista, Windows Server 2008" +4615,unknown,System,System Integrity,Invalid use of LPC port.,"Windows Vista, Windows Server 2008" +4616,success,System,Security State Change,The system time was changed.,"Windows Vista, Windows Server 2008" +4618,unknown,System,System Integrity,A monitored security event pattern has occurred.,"Windows Vista, Windows Server 2008" +4621,unknown,System,Security State Change,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. 
Some auditable activity might not have been recorded.,"Windows Vista, Windows Server 2008" +4622,unknown,System,Security System Extension,A security package has been loaded by the Local Security Authority.,"Windows Vista, Windows Server 2008" +4624,success,Logon/Logoff,Logon,An account was successfully logged on.,"Windows Vista, Windows Server 2008" +4626,unknown,Logon/Logoff,Logon,User/Device claims information.,"Windows 8, Windows Server 2012" +4634,success,Logon/Logoff,Logoff,An account was logged off.,"Windows Vista, Windows Server 2008" +4646,unknown,Logon/Logoff,IPsec Main Mode,IKE DoS-prevention mode started.,"Windows Vista, Windows Server 2008" +4647,success,Logon/Logoff,Logoff,User initiated logoff.,"Windows Vista, Windows Server 2008" +4648,success,Logon/Logoff,Logon,A logon was attempted using explicit credentials.,"Windows Vista, Windows Server 2008" +4649,unknown,Logon/Logoff,Other Logon/Logoff Events,A replay attack was detected.,"Windows Vista, Windows Server 2008" +4650,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,"Windows Vista, Windows Server 2008" +4651,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association was established. Extended Mode was not enabled. 
A certificate was used for authentication.,"Windows Vista, Windows Server 2008" +4652,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode negotiation failed.,"Windows Vista, Windows Server 2008" +4653,failure,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode negotiation failed.,"Windows Vista, Windows Server 2008" +4654,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode negotiation failed.,"Windows Vista, Windows Server 2008" +4655,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association ended.,"Windows Vista, Windows Server 2008" +4656,failure,Object Access,Handle Manipulation,A handle to an object was requested.,"Windows Vista, Windows Server 2008" +4657,unknown,Object Access,Registry,A registry value was modified.,"Windows Vista, Windows Server 2008" +4658,success,Object Access,Handle Manipulation,The handle to an object was closed.,"Windows Vista, Windows Server 2008" +4659,unknown,Object Access,Special,A handle to an object was requested with intent to delete.,"Windows Vista, Windows Server 2008" +4660,unknown,Object Access,Special,An object was deleted.,"Windows Vista, Windows Server 2008" +4661,success,Object Access,Special,A handle to an object was requested.,"Windows Vista, Windows Server 2008" +4662,success,DS Access,Directory Service Access,An operation was performed on an object.,"Windows Vista, Windows Server 2008" +4663,success,Object Access,Special,An attempt was made to access an object.,"Windows Vista, Windows Server 2008" +4664,success,Object Access,File System,An attempt was made to create a hard link.,"Windows Vista, Windows Server 2008" +4665,unknown,Object Access,Application Generated,An attempt was made to create an application client context.,"Windows Vista, Windows Server 2008" +4666,unknown,Object Access,Application Generated,An application attempted an operation:,"Windows Vista, Windows Server 2008" +4667,unknown,Object Access,Application Generated,An application client context was deleted.,"Windows Vista, 
Windows Server 2008" +4668,unknown,Object Access,Application Generated,An application was initialized.,"Windows Vista, Windows Server 2008" +4670,success,Policy Change,Subcategory (special),Permissions on an object were changed.,"Windows Vista, Windows Server 2008" +4671,unknown,Object Access,Other Object Access Events,An application attempted to access a blocked ordinal through the TBS.,"Windows Vista, Windows Server 2008" +4672,success,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,Special privileges assigned to new logon.,"Windows Vista, Windows Server 2008" +4673,failure,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,A privileged service was called.,"Windows Vista, Windows Server 2008" +4674,success,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,An operation was attempted on a privileged object.,"Windows Vista, Windows Server 2008" +4675,unknown,Logon/Logoff,Logon,SIDs were filtered.,"Windows Vista, Windows Server 2008" +4688,success,Detailed Tracking,Process Creation,A new process has been created.,"Windows Vista, Windows Server 2008" +4689,success,Detailed Tracking,Process Termination,A process has exited.,"Windows Vista, Windows Server 2008" +4690,success,Object Access,Handle Manipulation,An attempt was made to duplicate a handle to an object.,"Windows Vista, Windows Server 2008" +4691,unknown,Object Access,Other Object Access Events,Indirect access to an object was requested.,"Windows Vista, Windows Server 2008" +4692,unknown,Detailed Tracking,DPAPI Activity,Backup of data protection master key was attempted.,"Windows Vista, Windows Server 2008" +4693,unknown,Detailed Tracking,DPAPI Activity,Recovery of data protection master key was attempted.,"Windows Vista, Windows Server 2008" +4694,unknown,Detailed Tracking,DPAPI Activity,Protection of auditable protected data was attempted.,"Windows Vista, Windows Server 2008" +4695,unknown,Detailed Tracking,DPAPI Activity,Unprotection of auditable 
protected data was attempted.,"Windows Vista, Windows Server 2008" +4696,unknown,Detailed Tracking,Process Creation,A primary token was assigned to process.,"Windows Vista, Windows Server 2008" +4697,unknown,System,Security System Extension,A service was installed in the system.,"Windows Vista, Windows Server 2008" +4698,unknown,Object Access,Other Object Access Events,A scheduled task was created.,"Windows Vista, Windows Server 2008" +4699,unknown,Object Access,Other Object Access Events,A scheduled task was deleted.,"Windows Vista, Windows Server 2008" +4700,unknown,Object Access,Other Object Access Events,A scheduled task was enabled.,"Windows Vista, Windows Server 2008" +4701,unknown,Object Access,Other Object Access Events,A scheduled task was disabled.,"Windows Vista, Windows Server 2008" +4702,success,Object Access,Other Object Access Events,A scheduled task was updated.,"Windows Vista, Windows Server 2008" +4704,success,Policy Change,Authorization Policy Change,A user right was assigned.,"Windows Vista, Windows Server 2008" +4705,unknown,Policy Change,Authorization Policy Change,A user right was removed.,"Windows Vista, Windows Server 2008" +4706,unknown,Policy Change,Authorization Policy Change,A new trust was created to a domain.,"Windows Vista, Windows Server 2008" +4707,unknown,Policy Change,Authorization Policy Change,A trust to a domain was removed.,"Windows Vista, Windows Server 2008" +4709,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services was started.,"Windows Vista, Windows Server 2008" +4710,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services was disabled.,"Windows Vista, Windows Server 2008" +4711,unknown,Policy Change,Filtering Platform Policy Change,"May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage 
IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.","Windows Vista, Windows Server 2008" +4712,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services encountered a potentially serious failure.,"Windows Vista, Windows Server 2008" +4713,unknown,Policy Change,Authentication Policy Change,Kerberos policy was changed.,"Windows Vista, Windows Server 2008" +4714,unknown,Policy Change,Authorization Policy Change,Encrypted data recovery policy was changed.,"Windows Vista, Windows Server 2008" +4715,unknown,Policy Change,Audit Policy Change,The audit policy (SACL) on an object was changed.,"Windows Vista, Windows Server 2008" +4716,unknown,Policy Change,Authentication Policy Change,Trusted domain information was modified.,"Windows Vista, Windows Server 2008" +4717,success,Policy Change,Authentication Policy Change,System security access was granted to an account.,"Windows Vista, Windows Server 2008" +4718,unknown,Policy Change,Authentication Policy Change,System security access was removed from an account.,"Windows Vista, Windows Server 2008" +4719,unknown,Policy Change,Audit Policy Change,System audit policy was changed.,"Windows Vista, Windows Server 2008" +4720,created,Account Management,User Account Management,A user account was created.,"Windows Vista, 
Windows Server 2008" +4722,modified,Account Management,User Account Management,A user account was enabled.,"Windows Vista, Windows Server 2008" +4723,modified,Account Management,User Account Management,An attempt was made to change an account's password.,"Windows Vista, Windows Server 2008" +4724,modified,Account Management,User Account Management,An attempt was made to reset an account's password.,"Windows Vista, Windows Server 2008" +4725,modified,Account Management,User Account Management,A user account was disabled.,"Windows Vista, Windows Server 2008" +4726,deleted,Account Management,User Account Management,A user account was deleted.,"Windows Vista, Windows Server 2008" +4727,success,Account Management,Security Group Management,A security-enabled global group was created.,"Windows Vista, Windows Server 2008" +4728,success,Account Management,Security Group Management,A member was added to a security-enabled global group.,"Windows Vista, Windows Server 2008" +4729,success,Account Management,Security Group Management,A member was removed from a security-enabled global group.,"Windows Vista, Windows Server 2008" +4730,unknown,Account Management,Security Group Management,A security-enabled global group was deleted.,"Windows Vista, Windows Server 2008" +4731,unknown,Account Management,Security Group Management,A security-enabled local group was created.,"Windows Vista, Windows Server 2008" +4732,success,Account Management,Security Group Management,A member was added to a security-enabled local group.,"Windows Vista, Windows Server 2008" +4733,success,Account Management,Security Group Management,A member was removed from a security-enabled local group.,"Windows Vista, Windows Server 2008" +4734,unknown,Account Management,Security Group Management,A security-enabled local group was deleted.,"Windows Vista, Windows Server 2008" +4735,success,Account Management,Security Group Management,A security-enabled local group was changed.,"Windows Vista, Windows Server 2008" 
+4737,success,Account Management,Security Group Management,A security-enabled global group was changed.,"Windows Vista, Windows Server 2008" +4738,modified,Account Management,User Account Management,A user account was changed.,"Windows Vista, Windows Server 2008" +4739,unknown,Policy Change,Authentication Policy Change,Domain Policy was changed.,"Windows Vista, Windows Server 2008" +4740,unknown,Account Management,User Account Management,A user account was locked out.,"Windows Vista, Windows Server 2008" +4742,modified,Account Management,Computer Account Management,A computer account was changed.,"Windows Vista, Windows Server 2008" +4743,unknown,Account Management,Computer Account Management,A computer account was deleted.,"Windows Vista, Windows Server 2008" +4744,unknown,Account Management,Distribution Group Management,A security-disabled local group was created.,"Windows Vista, Windows Server 2008" +4745,unknown,Account Management,Distribution Group Management,A security-disabled local group was changed.,"Windows Vista, Windows Server 2008" +4746,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled local group.,"Windows Vista, Windows Server 2008" +4747,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled local group.,"Windows Vista, Windows Server 2008" +4748,unknown,Account Management,Distribution Group Management,A security-disabled local group was deleted.,"Windows Vista, Windows Server 2008" +4749,unknown,Account Management,Distribution Group Management,A security-disabled global group was created.,"Windows Vista, Windows Server 2008" +4750,unknown,Account Management,Distribution Group Management,A security-disabled global group was changed.,"Windows Vista, Windows Server 2008" +4751,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled global group.,"Windows Vista, Windows Server 2008" +4752,unknown,Account 
Management,Distribution Group Management,A member was removed from a security-disabled global group.,"Windows Vista, Windows Server 2008" +4753,unknown,Account Management,Distribution Group Management,A security-disabled global group was deleted.,"Windows Vista, Windows Server 2008" +4754,success,Account Management,Security Group Management,A security-enabled universal group was created.,"Windows Vista, Windows Server 2008" +4755,success,Account Management,Security Group Management,A security-enabled universal group was changed.,"Windows Vista, Windows Server 2008" +4756,success,Account Management,Security Group Management,A member was added to a security-enabled universal group.,"Windows Vista, Windows Server 2008" +4757,success,Account Management,Security Group Management,A member was removed from a security-enabled universal group.,"Windows Vista, Windows Server 2008" +4758,unknown,Account Management,Security Group Management,A security-enabled universal group was deleted.,"Windows Vista, Windows Server 2008" +4759,unknown,Account Management,Distribution Group Management,A security-disabled universal group was created.,"Windows Vista, Windows Server 2008" +4760,unknown,Account Management,Distribution Group Management,A security-disabled universal group was changed.,"Windows Vista, Windows Server 2008" +4761,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled universal group.,"Windows Vista, Windows Server 2008" +4762,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled universal group.,"Windows Vista, Windows Server 2008" +4764,unknown,Account Management,Security Group Management,A group's type was changed.,"Windows Vista, Windows Server 2008" +4765,unknown,Account Management,User Account Management,SID History was added to an account.,"Windows Vista, Windows Server 2008" +4766,unknown,Account Management,User Account Management,An attempt to add SID History to an 
account failed.,"Windows Vista, Windows Server 2008" +4767,modified,Account Management,User Account Management,A user account was unlocked.,"Windows Vista, Windows Server 2008" +4770,success,Account Logon,Kerberos Service Ticket Operations,A Kerberos service ticket was renewed.,"Windows Vista, Windows Server 2008" +4772,unknown,Account Logon,Kerberos Authentication Service,A Kerberos authentication ticket request failed.,"Windows Vista, Windows Server 2008" +4774,unknown,Account Logon,Credential Validation,An account was mapped for logon.,"Windows Vista, Windows Server 2008" +4775,unknown,Account Logon,Credential Validation,An account could not be mapped for logon.,"Windows Vista, Windows Server 2008" +4777,unknown,Account Logon,Credential Validation,The domain controller failed to validate the credentials for an account.,"Windows Vista, Windows Server 2008" +4778,success,Logon/Logoff,Other Logon/Logoff Events,A session was reconnected to a Window Station.,"Windows Vista, Windows Server 2008" +4779,success,Logon/Logoff,Other Logon/Logoff Events,A session was disconnected from a Window Station.,"Windows Vista, Windows Server 2008" +4780,success,Account Management,User Account Management,The ACL was set on accounts which are members of administrators groups.,"Windows Vista, Windows Server 2008" +4781,unknown,Account Management,User Account Management,The name of an account was changed:,"Windows Vista, Windows Server 2008" +4782,unknown,Account Management,Other Account Management Events,The password hash an account was accessed.,"Windows Vista, Windows Server 2008" +4783,unknown,Account Management,Application Group Management,A basic application group was created.,"Windows Vista, Windows Server 2008" +4784,unknown,Account Management,Application Group Management,A basic application group was changed.,"Windows Vista, Windows Server 2008" +4785,unknown,Account Management,Application Group Management,A member was added to a basic application group.,"Windows Vista, Windows 
Server 2008" +4786,unknown,Account Management,Application Group Management,A member was removed from a basic application group.,"Windows Vista, Windows Server 2008" +4787,unknown,Account Management,Application Group Management,A non-member was added to a basic application group.,"Windows Vista, Windows Server 2008" +4788,unknown,Account Management,Application Group Management,A non-member was removed from a basic application group.,"Windows Vista, Windows Server 2008" +4789,unknown,Account Management,Application Group Management,A basic application group was deleted.,"Windows Vista, Windows Server 2008" +4790,unknown,Account Management,Application Group Management,An LDAP query group was created.,"Windows Vista, Windows Server 2008" +4793,unknown,Account Management,Other Account Management Events,The Password Policy Checking API was called.,"Windows Vista, Windows Server 2008" +4794,unknown,Account Management,User Account Management,An attempt was made to set the Directory Services Restore Mode.,"Windows Vista, Windows Server 2008" +4800,success,Logon/Logoff,Other Logon/Logoff Events,The workstation was locked.,"Windows Vista, Windows Server 2008" +4801,unknown,Logon/Logoff,Other Logon/Logoff Events,The workstation was unlocked.,"Windows Vista, Windows Server 2008" +4802,unknown,Logon/Logoff,Other Logon/Logoff Events,The screen saver was invoked.,"Windows Vista, Windows Server 2008" +4803,unknown,Logon/Logoff,Other Logon/Logoff Events,The screen saver was dismissed.,"Windows Vista, Windows Server 2008" +4816,unknown,System,System Integrity,RPC detected an integrity violation while decrypting an incoming message.,"Windows Vista, Windows Server 2008" +4817,unknown,Policy Change,Audit Policy Change,Auditing settings on an object were changed.,"Windows 7, Windows Server 2008 R2" +4818,unknown,Object Access,Central Policy Staging,Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy,"Windows 8, Windows Server 
2012" +4819,unknown,Policy Change,Other Policy Change Events,Central Access Policies on the machine have been changed.,"Windows 8, Windows Server 2012" +4864,unknown,Policy Change,Authentication Policy Change,A namespace collision was detected.,"Windows Vista, Windows Server 2008" +4865,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was added.,"Windows Vista, Windows Server 2008" +4866,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was removed.,"Windows Vista, Windows Server 2008" +4867,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was modified.,"Windows Vista, Windows Server 2008" +4868,unknown,Object Access,Certification Services,The certificate manager denied a pending certificate request.,"Windows Vista, Windows Server 2008" +4869,unknown,Object Access,Certification Services,Certificate Services received a resubmitted certificate request.,"Windows Vista, Windows Server 2008" +4870,unknown,Object Access,Certification Services,Certificate Services revoked a certificate.,"Windows Vista, Windows Server 2008" +4871,unknown,Object Access,Certification Services,Certificate Services received a request to publish the certificate revocation list (CRL).,"Windows Vista, Windows Server 2008" +4872,unknown,Object Access,Certification Services,Certificate Services published the certificate revocation list (CRL).,"Windows Vista, Windows Server 2008" +4873,unknown,Object Access,Certification Services,A certificate request extension changed.,"Windows Vista, Windows Server 2008" +4874,unknown,Object Access,Certification Services,One or more certificate request attributes changed.,"Windows Vista, Windows Server 2008" +4875,unknown,Object Access,Certification Services,Certificate Services received a request to shut down.,"Windows Vista, Windows Server 2008" +4876,unknown,Object Access,Certification Services,Certificate Services backup started.,"Windows Vista, 
Windows Server 2008" +4877,unknown,Object Access,Certification Services,Certificate Services backup completed.,"Windows Vista, Windows Server 2008" +4878,unknown,Object Access,Certification Services,Certificate Services restore started.,"Windows Vista, Windows Server 2008" +4879,unknown,Object Access,Certification Services,Certificate Services restore completed.,"Windows Vista, Windows Server 2008" +4880,unknown,Object Access,Certification Services,Certificate Services started.,"Windows Vista, Windows Server 2008" +4881,unknown,Object Access,Certification Services,Certificate Services stopped.,"Windows Vista, Windows Server 2008" +4882,unknown,Object Access,Certification Services,The security permissions for Certificate Services changed.,"Windows Vista, Windows Server 2008" +4883,unknown,Object Access,Certification Services,Certificate Services retrieved an archived key.,"Windows Vista, Windows Server 2008" +4884,unknown,Object Access,Certification Services,Certificate Services imported a certificate into its database.,"Windows Vista, Windows Server 2008" +4885,unknown,Object Access,Certification Services,The audit filter for Certificate Services changed.,"Windows Vista, Windows Server 2008" +4886,unknown,Object Access,Certification Services,Certificate Services received a certificate request.,"Windows Vista, Windows Server 2008" +4887,unknown,Object Access,Certification Services,Certificate Services approved a certificate request and issued a certificate.,"Windows Vista, Windows Server 2008" +4888,unknown,Object Access,Certification Services,Certificate Services denied a certificate request.,"Windows Vista, Windows Server 2008" +4889,unknown,Object Access,Certification Services,Certificate Services set the status of a certificate request to pending.,"Windows Vista, Windows Server 2008" +4890,unknown,Object Access,Certification Services,The certificate manager settings for Certificate Services changed.,"Windows Vista, Windows Server 2008" +4891,unknown,Object 
Access,Certification Services,A configuration entry changed in Certificate Services.,"Windows Vista, Windows Server 2008" +4892,unknown,Object Access,Certification Services,A property of Certificate Services changed.,"Windows Vista, Windows Server 2008" +4893,unknown,Object Access,Certification Services,Certificate Services archived a key.,"Windows Vista, Windows Server 2008" +4894,unknown,Object Access,Certification Services,Certificate Services imported and archived a key.,"Windows Vista, Windows Server 2008" +4895,unknown,Object Access,Certification Services,Certificate Services published the CA certificate to Active Directory Domain Services.,"Windows Vista, Windows Server 2008" +4896,unknown,Object Access,Certification Services,One or more rows have been deleted from the certificate database.,"Windows Vista, Windows Server 2008" +4897,unknown,Object Access,Certification Services,Role separation enabled:,"Windows Vista, Windows Server 2008" +4898,unknown,Object Access,Certification Services,Certificate Services loaded a template.,"Windows Vista, Windows Server 2008" +4902,success,Policy Change,Audit Policy Change,The Per-user audit policy table was created.,"Windows Vista, Windows Server 2008" +4904,success,Policy Change,Audit Policy Change,An attempt was made to register a security event source.,"Windows Vista, Windows Server 2008" +4905,success,Policy Change,Audit Policy Change,An attempt was made to unregister a security event source.,"Windows Vista, Windows Server 2008" +4906,unknown,Policy Change,Audit Policy Change,The CrashOnAuditFail value has changed.,"Windows Vista, Windows Server 2008" +4907,success,Policy Change,Audit Policy Change,Auditing settings on object were changed.,"Windows Vista, Windows Server 2008" +4908,unknown,Policy Change,Audit Policy Change,Special Groups Logon table modified.,"Windows Vista, Windows Server 2008" +4909,unknown,Policy Change,Other Policy Change Events,The local policy settings for the TBS were changed.,"Windows Vista, 
Windows Server 2008" +4910,unknown,Policy Change,Other Policy Change Events,The group policy settings for the TBS were changed.,"Windows Vista, Windows Server 2008" +4911,unknown,Policy Change,Authorization Policy Change,Resource attributes of the object were changed.,"Windows 8, Windows Server 2012" +4912,unknown,Policy Change,Audit Policy Change,Per User Audit Policy was changed.,"Windows Vista, Windows Server 2008" +4913,unknown,Policy Change,Authorization Policy Change,Central Access Policy on the object was changed.,"Windows 8, Windows Server 2012" +4928,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was established.,"Windows Vista, Windows Server 2008" +4929,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was removed.,"Windows Vista, Windows Server 2008" +4930,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was modified.,"Windows Vista, Windows Server 2008" +4931,success,DS Access,Detailed Directory Service Replication,An Active Directory replica destination naming context was modified.,"Windows Vista, Windows Server 2008" +4932,success,DS Access,Directory Service Replication,Synchronization of a replica of an Active Directory naming context has begun.,"Windows Vista, Windows Server 2008" +4933,failure,DS Access,Directory Service Replication,Synchronization of a replica of an Active Directory naming context has ended.,"Windows Vista, Windows Server 2008" +4934,unknown,DS Access,Detailed Directory Service Replication,Attributes of an Active Directory object were replicated.,"Windows Vista, Windows Server 2008" +4935,unknown,DS Access,Detailed Directory Service Replication,Replication failure begins.,"Windows Vista, Windows Server 2008" +4936,unknown,DS Access,Detailed Directory Service Replication,Replication failure ends.,"Windows Vista, Windows Server 2008" +4937,unknown,DS 
Access,Detailed Directory Service Replication,A lingering object was removed from a replica.,"Windows Vista, Windows Server 2008" +4944,success,Policy Change,MPSSVC Rule-Level Policy Change,The following policy was active when the Windows Firewall started.,"Windows Vista, Windows Server 2008" +4945,success,Policy Change,MPSSVC Rule-Level Policy Change,A rule was listed when the Windows Firewall started.,"Windows Vista, Windows Server 2008" +4946,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was added.,"Windows Vista, Windows Server 2008" +4947,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was modified.,"Windows Vista, Windows Server 2008" +4948,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was deleted.,"Windows Vista, Windows Server 2008" +4949,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall settings were restored to the default values.,"Windows Vista, Windows Server 2008" +4950,unknown,Policy Change,MPSSVC Rule-Level Policy Change,A Windows Firewall setting has changed.,"Windows Vista, Windows Server 2008" +4951,failure,Policy Change,MPSSVC Rule-Level Policy Change,A rule has been ignored because its major version number was not recognized by Windows Firewall.,"Windows Vista, Windows Server 2008" +4952,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. 
The other parts of the rule will be enforced.,"Windows Vista, Windows Server 2008" +4953,failure,Policy Change,MPSSVC Rule-Level Policy Change,A rule has been ignored by Windows Firewall because it could not parse the rule.,"Windows Vista, Windows Server 2008" +4954,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall Group Policy settings have changed. The new settings have been applied.,"Windows Vista, Windows Server 2008" +4956,success,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall has changed the active profile.,"Windows Vista, Windows Server 2008" +4957,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall did not apply the following rule:,"Windows Vista, Windows Server 2008" +4958,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,"Windows Vista, Windows Server 2008" +4960,unknown,System,IPsec Driver,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.","Windows Vista, Windows Server 2008" +4961,unknown,System,IPsec Driver,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.","Windows Vista, Windows Server 2008" +4962,unknown,System,IPsec Driver,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,"Windows Vista, Windows Server 2008" +4963,unknown,System,IPsec Driver,IPsec dropped an inbound clear text packet that should have been secured. 
This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,"Windows Vista, Windows Server 2008" +4964,unknown,Logon/Logoff,Special Logon,Special groups have been assigned to a new logon.,"Windows Vista, Windows Server 2008" +4965,unknown,System,IPsec Driver,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.","Windows Vista, Windows Server 2008" +4976,unknown,Logon/Logoff,IPsec Main Mode,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008" +4977,unknown,Logon/Logoff,IPsec Quick Mode,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008" +4978,unknown,Logon/Logoff,IPsec Extended Mode,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. 
If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008" +4979,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008" +4980,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008" +4981,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008" +4982,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008" +4983,unknown,Logon/Logoff,IPsec Extended Mode,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,"Windows Vista, Windows Server 2008" +4984,unknown,Logon/Logoff,IPsec Extended Mode,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,"Windows Vista, Windows Server 2008" +4985,success,Object Access,File System,The state of a transaction has changed.,"Windows Vista, Windows Server 2008" +5024,success,System,Other System Events,The Windows Firewall Service has started successfully.,"Windows Vista, Windows Server 2008" +5025,unknown,System,Other System Events,The Windows Firewall Service has been stopped.,"Windows Vista, Windows Server 2008" +5027,unknown,System,Other System Events,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,"Windows Vista, Windows Server 2008" +5028,unknown,System,Other System Events,The Windows Firewall Service was unable to parse the new security policy. 
The service will continue with currently enforced policy.,"Windows Vista, Windows Server 2008" +5029,unknown,System,Other System Events,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,"Windows Vista, Windows Server 2008" +5030,unknown,System,Other System Events,The Windows Firewall Service failed to start.,"Windows Vista, Windows Server 2008" +5031,unknown,Object Access,Filtering Platform Connection,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,"Windows Vista, Windows Server 2008" +5032,unknown,System,Other System Events,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,"Windows Vista, Windows Server 2008" +5033,success,System,Other System Events,The Windows Firewall Driver has started successfully.,"Windows Vista, Windows Server 2008" +5034,unknown,System,Other System Events,The Windows Firewall Driver has been stopped.,"Windows Vista, Windows Server 2008" +5035,unknown,System,Other System Events,The Windows Firewall Driver failed to start.,"Windows Vista, Windows Server 2008" +5037,unknown,System,Other System Events,The Windows Firewall Driver detected critical runtime error. Terminating.,"Windows Vista, Windows Server 2008" +5038,unknown,System,System Integrity,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,"Windows Vista, Windows Server 2008" +5039,unknown,Object Access,Registry,A registry key was virtualized.,"Windows Vista, Windows Server 2008" +5040,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. 
An Authentication Set was added.,"Windows Vista, Windows Server 2008" +5041,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was modified.,"Windows Vista, Windows Server 2008" +5042,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was deleted.,"Windows Vista, Windows Server 2008" +5043,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was added.,"Windows Vista, Windows Server 2008" +5044,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was modified.,"Windows Vista, Windows Server 2008" +5045,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was deleted.,"Windows Vista, Windows Server 2008" +5046,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was added.,"Windows Vista, Windows Server 2008" +5047,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was modified.,"Windows Vista, Windows Server 2008" +5048,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. 
A Crypto Set was deleted.,"Windows Vista, Windows Server 2008" +5049,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Security Association was deleted.,"Windows Vista, Windows Server 2008" +5051,unknown,Object Access,File System,A file was virtualized.,"Windows Vista, Windows Server 2008" +5056,success,System,System Integrity,A cryptographic self test was performed.,"Windows Vista, Windows Server 2008" +5057,unknown,System,System Integrity,A cryptographic primitive operation failed.,"Windows Vista, Windows Server 2008" +5058,success,System,Other System Events,Key file operation.,"Windows Vista, Windows Server 2008" +5059,success,System,Other System Events,Key migration operation.,"Windows Vista, Windows Server 2008" +5060,unknown,System,System Integrity,Verification operation failed.,"Windows Vista, Windows Server 2008" +5061,failure,System,System Integrity,Cryptographic operation.,"Windows Vista, Windows Server 2008" +5062,unknown,System,System Integrity,A kernel-mode cryptographic self test was performed.,"Windows Vista, Windows Server 2008" +5063,unknown,Policy Change,Other Policy Change Events,A cryptographic provider operation was attempted.,"Windows Vista, Windows Server 2008" +5064,unknown,Policy Change,Other Policy Change Events,A cryptographic context operation was attempted.,"Windows Vista, Windows Server 2008" +5065,unknown,Policy Change,Other Policy Change Events,A cryptographic context modification was attempted.,"Windows Vista, Windows Server 2008" +5066,unknown,Policy Change,Other Policy Change Events,A cryptographic function operation was attempted.,"Windows Vista, Windows Server 2008" +5067,unknown,Policy Change,Other Policy Change Events,A cryptographic function modification was attempted.,"Windows Vista, Windows Server 2008" +5068,unknown,Policy Change,Other Policy Change Events,A cryptographic function provider operation was attempted.,"Windows Vista, Windows Server 2008" +5069,unknown,Policy Change,Other Policy Change Events,A cryptographic 
function property operation was attempted.,"Windows Vista, Windows Server 2008" +5070,unknown,Policy Change,Other Policy Change Events,A cryptographic function property modification was attempted.,"Windows Vista, Windows Server 2008" +5136,success,DS Access,Directory Service Changes,A directory service object was modified.,"Windows Vista, Windows Server 2008" +5137,unknown,DS Access,Directory Service Changes,A directory service object was created.,"Windows Vista, Windows Server 2008" +5138,unknown,DS Access,Directory Service Changes,A directory service object was undeleted.,"Windows Vista, Windows Server 2008" +5139,unknown,DS Access,Directory Service Changes,A directory service object was moved.,"Windows Vista, Windows Server 2008" +5140,failure,Object Access,File Share,A network share object was accessed.,"Windows Vista, Windows Server 2008" +5141,unknown,DS Access,Directory Service Changes,A directory service object was deleted.,"Windows Vista SP1, Windows Server 2008" +5142,unknown,Object Access,File Share,A network share object was added.,"Windows 7, Windows Server 2008 R2" +5143,success,Object Access,File Share,A network share object was modified.,"Windows 7, Windows Server 2008 R2" +5144,unknown,Object Access,File Share,A network share object was deleted.,"Windows 7, Windows Server 2008 R2" +5145,unknown,Object Access,Detailed File Share,A network share object was checked to see whether the client can be granted desired access.,"Windows 7, Windows Server 2008 R2" +5148,unknown,Object Access,Other Object Access Events,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,"Windows 7, Windows Server 2008 R2" +5149,unknown,Object Access,Other Object Access Events,The DoS attack has subsided and normal processing is being resumed.,"Windows 7, Windows Server 2008 R2" +5150,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a 
packet.,"Windows 7, Windows Server 2008 R2" +5151,unknown,Object Access,Filtering Platform Connection,A more restrictive Windows Filtering Platform filter has blocked a packet.,"Windows 7, Windows Server 2008 R2" +5152,failure,Object Access,Filtering Platform Packet Drop ,The Windows Filtering Platform blocked a packet.,"Windows Vista, Windows Server 2008" +5153,unknown,Object Access,Filtering Platform Packet Drop ,A more restrictive Windows Filtering Platform filter has blocked a packet.,"Windows Vista, Windows Server 2008" +5154,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,"Windows Vista, Windows Server 2008" +5155,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,"Windows Vista, Windows Server 2008" +5156,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has allowed a connection.,"Windows Vista, Windows Server 2008" +5157,failure,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a connection.,"Windows Vista, Windows Server 2008" +5158,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has permitted a bind to a local port.,"Windows Vista, Windows Server 2008" +5159,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a bind to a local port.,"Windows Vista, Windows Server 2008" +5168,unknown,Object Access,File Share,Spn check for SMB/SMB2 failed.,"Windows 7, Windows Server 2008 R2" +5376,unknown,Account Management,User Account Management,Credential Manager credentials were backed up.,"Windows Vista, Windows Server 2008" +5377,unknown,Account Management,User Account Management,Credential Manager credentials were restored from a backup.,"Windows Vista, Windows Server 2008" 
+5378,unknown,Logon/Logoff,Other Logon/Logoff Events,The requested credentials delegation was disallowed by policy.,"Windows Vista, Windows Server 2008" +5440,success,Policy Change,Filtering Platform Policy Change,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008" +5441,success,Policy Change,Filtering Platform Policy Change,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008" +5442,success,Policy Change,Filtering Platform Policy Change,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008" +5443,unknown,Policy Change,Filtering Platform Policy Change,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008" +5444,success,Policy Change,Filtering Platform Policy Change,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008" +5446,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform callout has been changed.,"Windows Vista, Windows Server 2008" +5447,success,Policy Change,Other Policy Change Events,A Windows Filtering Platform filter has been changed.,"Windows Vista, Windows Server 2008" +5448,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform provider has been changed.,"Windows Vista, Windows Server 2008" +5449,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform provider context has been changed.,"Windows Vista, Windows Server 2008" +5450,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform sub-layer has been changed.,"Windows Vista, Windows Server 2008" +5451,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode 
security association was established.,"Windows Vista, Windows Server 2008" +5452,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode security association ended.,"Windows Vista, Windows Server 2008" +5453,unknown,Logon/Logoff,IPsec Main Mode,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,"Windows Vista, Windows Server 2008" +5456,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5457,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5458,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5459,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5460,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied local registry storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5461,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5462,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. 
Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008" +5463,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,"Windows Vista, Windows Server 2008" +5464,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.","Windows Vista, Windows Server 2008" +5465,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,"Windows Vista, Windows Server 2008" +5466,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.","Windows Vista, Windows Server 2008" +5467,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.","Windows Vista, Windows Server 2008" +5468,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. 
The cached copy of the Active Directory IPsec policy is no longer being used.","Windows Vista, Windows Server 2008" +5471,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine loaded local storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5472,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to load local storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5473,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine loaded directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5474,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to load directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008" +5477,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to add quick mode filter.,"Windows Vista, Windows Server 2008" +5478,unknown,System,IPsec Driver,IPsec Services has started successfully.,"Windows Vista, Windows Server 2008" +5479,unknown,System,IPsec Driver,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,"Windows Vista, Windows Server 2008" +5480,unknown,System,IPsec Driver,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008" +5483,unknown,System,IPsec Driver,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,"Windows Vista, Windows Server 2008" +5484,unknown,System,IPsec Driver,IPsec Services has experienced a critical failure and has been shut down. 
The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,"Windows Vista, Windows Server 2008" +5485,unknown,System,IPsec Driver,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008" +5632,unknown,Logon/Logoff,Other Logon/Logoff Events,A request was made to authenticate to a wireless network.,"Windows Vista, Windows Server 2008" +5633,unknown,Logon/Logoff,Other Logon/Logoff Events,A request was made to authenticate to a wired network.,"Windows Vista, Windows Server 2008" +5712,unknown,Detailed Tracking,RPC Events,A Remote Procedure Call (RPC) was attempted.,"Windows Vista, Windows Server 2008" +5888,unknown,Object Access,Other Object Access Events,An object in the COM+ Catalog was modified.,"Windows Vista, Windows Server 2008" +5889,unknown,Object Access,Other Object Access Events,An object was deleted from the COM+ Catalog.,"Windows Vista, Windows Server 2008" +5890,unknown,Object Access,Other Object Access Events,An object was added to the COM+ Catalog.,"Windows Vista, Windows Server 2008" +6144,success,Policy Change,Other Policy Change Events,Security policy in the group policy objects has been applied successfully.,"Windows Vista, Windows Server 2008" +6145,unknown,Policy Change,Other Policy Change Events,One or more errors occurred while processing security policy in the group policy objects.,"Windows Vista, Windows Server 2008" +6272,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted access to a user.,"Windows Vista SP1, Windows Server 2008" +6273,unknown,Logon/Logoff,Network Policy Server,Network Policy Server denied access to a user.,"Windows Vista SP1, Windows Server 2008" 
+6274,unknown,Logon/Logoff,Network Policy Server,Network Policy Server discarded the request for a user.,"Windows Vista SP1, Windows Server 2008" +6275,unknown,Logon/Logoff,Network Policy Server,Network Policy Server discarded the accounting request for a user.,"Windows Vista SP1, Windows Server 2008" +6276,unknown,Logon/Logoff,Network Policy Server,Network Policy Server quarantined a user.,"Windows Vista SP1, Windows Server 2008" +6277,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,"Windows Vista SP1, Windows Server 2008" +6278,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted full access to a user because the host met the defined health policy.,"Windows Vista SP1, Windows Server 2008" +6279,unknown,Logon/Logoff,Network Policy Server,Network Policy Server locked the user account due to repeated failed authentication attempts.,"Windows Vista SP1, Windows Server 2008" +6280,unknown,Logon/Logoff,Network Policy Server,Network Policy Server unlocked the user account.,"Windows Vista SP1, Windows Server 2008" +6281,unknown,System,System Integrity,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,"Windows 7, Windows Server 2008 R2" +6400,unknown,System,Other System Events,BranchCache: Received an incorrectly formatted response while discovering availability of content. ,"Windows 7, Windows Server 2008 R2" +6401,unknown,System,Other System Events,BranchCache: Received invalid data from a peer. Data discarded. ,"Windows 7, Windows Server 2008 R2" +6402,unknown,System,Other System Events,BranchCache: The message to the hosted cache offering it data is incorrectly formatted. 
,"Windows 7, Windows Server 2008 R2" +6403,unknown,System,Other System Events,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,"Windows 7, Windows Server 2008 R2" +6404,unknown,System,Other System Events,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ,"Windows 7, Windows Server 2008 R2" +6405,unknown,System,Other System Events,BranchCache: %2 instance(s) of event id %1 occurred.,"Windows 7, Windows Server 2008 R2" +6406,unknown,System,Other System Events,%1 registered to Windows Firewall to control filtering for the following: %2,"Windows 7, Windows Server 2008 R2" +6407,unknown,System,Other System Events,1%,"Windows 7, Windows Server 2008 R2" +6408,unknown,System,Other System Events,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,"Windows 7, Windows Server 2008 R2" diff --git a/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv b/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv new file mode 100644 index 00000000..a73c5b48 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv 
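Review bot: the description for event 6407 in the last rows of this hunk is just `1%`, which reads like a mangled message insertion string rather than a usable description; check the source table and either restore the real text or drop the row, since a lookup value of a bare percent sign tells an analyst nothing. The neighbouring BranchCache rows 6400, 6401, 6402 and 6404 also carry a trailing space inside the Description field before the closing comma (`...availability of content. ,`), which is preserved as part of the lookup value; trim them. The action taxonomy is also uneven: 6273 `Network Policy Server denied access to a user.` is `unknown`, whereas the 4625 rows in the multiinput lookup added by this same change use `denied` for the equivalent outcome, so a search filtering on `action=denied` will miss NPS denials.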
@@ -0,0 +1,197 @@ +EventCode,action,Error_Code,Description +4625,failure,0XC000005E,There are currently no logon servers available to service the logon request. +4625,unknown,0xC0000064,User logon with misspelled or bad user account +4625,failure,0xC000006A,User logon with misspelled or bad password +4625,failure,0XC000006D,This is either due to a bad username or authentication information +4625,failure,0XC000006E,Unknown user name or bad password. +4625,failure,0XC000010B,Indicates an invalid value has been provided for the LogonType requested. +4625,denied,0xC000006F,User logon outside authorized hours +4625,denied,0xC0000070,User logon from unauthorized workstation +4625,failure,0xC0000071,User logon with expired password +4625,failure,0xC0000072,User logon to account disabled by administrator +4625,failure,0XC00000DC,Indicates the Sam Server was in the wrong state to perform the desired operation. +4625,error,0XC0000133,Clocks between DC and other computer too far out of sync +4625,denied,0XC000015B,The user has not been granted the requested logon type (aka logon right) at this machine +4625,failure,0XC000018C,The logon request failed because the trust relationship between the primary domain and the trusted domain failed. +4625,failure,0XC0000192,"An attempt was made to logon, but the Netlogon service was not started." +4625,failure,0xC0000193,User logon with expired account +4625,failure,0XC0000224,User is required to change password at next logon +4625,error,0XC0000225,Evidently a bug in Windows and not a risk +4625,denied,0xC0000234,User logon with account locked +4625,failure,0XC00002EE,Failure Reason: An Error occurred during Logon +4625,failure,0XC0000413,Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. +4625,failure,0x0,Status OK. +4776,failure,0xC0000064,The username you typed does not exist. Bad username. 
+4776,failure,0xC000006A,Account logon with misspelled or bad password. +4776,failure,0xC000006D,Generic logon failure. +4776,denied,0xC000006F,Account logon outside authorized hours. +4776,denied,0xC0000070,Account logon from unauthorized workstation. +4776,failure,0xC0000071,Account logon with expired password. +4776,failure,0xC0000072,Account logon to account disabled by administrator. +4776,failure,0xC0000193,Account logon with expired account. +4776,failure,0xC0000224,Account logon with "Change Password at Next Logon" flagged. +4776,failure,0xC0000234,Account logon with account locked. +4776,failure,0xc0000371,The local account store does not contain secret material for the specified account. +4776,success,0x0,No errors. +4768,success,0x0,No error +4768,failure,0x1,Client's entry in KDC database has expired +4768,failure,0x2,Server's entry in KDC database has expired +4768,failure,0x3,Requested Kerberos version number not supported +4768,failure,0x4,Client's key encrypted in old master key +4768,failure,0x5,Server's key encrypted in old master key +4768,failure,0x6,Client not found in Kerberos database +4768,failure,0x7,Server not found in Kerberos database +4768,failure,0x8,Multiple principal entries in KDC database +4768,failure,0x9,The client or server has a null key (master key) +4768,failure,0xA,Ticket (TGT) not eligible for postdating +4768,failure,0xB,Requested start time is later than end time +4768,failure,0xC,Requested start time is later than end time +4768,failure,0xD,KDC cannot accommodate requested option +4768,failure,0xE,KDC has no support for encryption type +4768,failure,0xF,KDC has no support for checksum type +4768,failure,0x10,KDC has no support for PADATA type (pre-authentication data) +4768,failure,0x11,KDC has no support for transited type +4768,failure,0x12,Client's credentials have been revoked +4768,failure,0x13,Credentials for server have been revoked +4768,failure,0x14,TGT has been revoked +4768,failure,0x15,Client not yet 
valid-try again later +4768,failure,0x16,Server not yet valid-try again later +4768,failure,0x17,Password has expired-change password to reset +4768,failure,0x18,Pre-authentication information was invalid +4768,failure,0x19,Additional pre-authentication required +4768,failure,0x1A,KDC does not know about the requested server +4768,failure,0x1B,KDC is unavailable +4768,failure,0x1F,Integrity check on decrypted field failed +4768,failure,0x20,The ticket has expired +4768,failure,0x21,The ticket is not yet valid +4768,failure,0x22,The request is a replay +4768,failure,0x23,The ticket is not for us +4768,failure,0x24,The ticket and authenticator do not match +4768,failure,0x25,The clock skew is too great +4768,failure,0x26,Network address in network layer header doesn't match address inside ticket +4768,failure,0x27,Protocol version numbers don't match (PVNO) +4768,failure,0x28,Message type is unsupported +4768,failure,0x29,Message stream modified and checksum didn't match +4768,failure,0x2A,Message out of order (possible tampering) +4768,failure,0x2C,Specified version of key is not available +4768,failure,0x2D,Service key not available +4768,failure,0x2E,Mutual authentication failed +4768,failure,0x2F,Incorrect message direction +4768,failure,0x30,Alternative authentication method required +4768,failure,0x31,Incorrect sequence number in message +4768,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported) +4768,failure,0x33,Desired path is unreachable +4768,failure,0x34,Too much data +4768,failure,0x3C,Generic error +4768,failure,0x3D,Field is too long for this implementation +4768,failure,0x3E,The client trust failed or is not implemented +4768,failure,0x3F,The KDC server trust failed or could not be verified +4768,failure,0x40,The signature is invalid +4768,failure,0x41,A higher encryption level is needed +4768,failure,0x42,User-to-user authorization is required +4768,failure,0x43,No TGT was presented or available 
+4768,failure,0x44,Incorrect domain or principal +4769,success,0x0,No error +4769,failure,0x1,Client's entry in KDC database has expired +4769,failure,0x2,Server's entry in KDC database has expired +4769,failure,0x3,Requested Kerberos version number not supported +4769,failure,0x4,Client's key encrypted in old master key +4769,failure,0x5,Server's key encrypted in old master key +4769,failure,0x6,Client not found in Kerberos database +4769,failure,0x7,Server not found in Kerberos database +4769,failure,0x8,Multiple principal entries in KDC database +4769,failure,0x9,The client or server has a null key (master key) +4769,failure,0xA,Ticket (TGT) not eligible for postdating +4769,failure,0xB,Requested start time is later than end time +4769,failure,0xC,Requested start time is later than end time +4769,failure,0xD,KDC cannot accommodate requested option +4769,failure,0xE,KDC has no support for encryption type +4769,failure,0xF,KDC has no support for checksum type +4769,failure,0x10,KDC has no support for PADATA type (pre-authentication data) +4769,failure,0x11,KDC has no support for transited type +4769,failure,0x12,Client's credentials have been revoked +4769,failure,0x13,Credentials for server have been revoked +4769,failure,0x14,TGT has been revoked +4769,failure,0x15,Client not yet valid try again later +4769,failure,0x16,Server not yet valid try again later +4769,failure,0x17,Password has expired change password to reset +4769,failure,0x18,Pre-authentication information was invalid +4769,failure,0x19,Additional pre-authentication required +4769,failure,0x1A,KDC does not know about the requested server +4769,failure,0x1B,KDC is unavailable +4769,failure,0x1F,Integrity check on decrypted field failed +4769,failure,0x20,The ticket has expired +4769,failure,0x21,The ticket is not yet valid +4769,failure,0x22,The request is a replay +4769,failure,0x23,The ticket is not for us +4769,failure,0x24,The ticket and authenticator do not match +4769,failure,0x25,The clock 
skew is too great +4769,failure,0x26,Network address in network layer header doesn't match address inside ticket +4769,failure,0x27,Protocol version numbers don't match (PVNO) +4769,failure,0x28,Message type is unsupported +4769,failure,0x29,Message stream modified and checksum didn't match +4769,failure,0x2A,Message out of order (possible tampering) +4769,failure,0x2C,Specified version of key is not available +4769,failure,0x2D,Service key not available +4769,failure,0x2E,Mutual authentication failed +4769,failure,0x2F,Incorrect message direction +4769,failure,0x30,Alternative authentication method required +4769,failure,0x31,Incorrect sequence number in message +4769,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported) +4769,failure,0x33,Desired path is unreachable +4769,failure,0x34,Too much data +4769,failure,0x3C,Generic error +4769,failure,0x3D,Field is too long for this implementation +4769,failure,0x3E,The client trust failed or is not implemented +4769,failure,0x3F,The KDC server trust failed or could not be verified +4769,failure,0x40,The signature is invalid +4769,failure,0x41,A higher encryption level is needed +4769,failure,0x42,User-to-user authorization is required +4769,failure,0x43,No TGT was presented or available +4769,failure,0x44,Incorrect domain or principal +4771,failure,0x1,Client's entry in database has expired +4771,failure,0x2,Server's entry in database has expired +4771,failure,0x3,Requested protocol version # not supported +4771,failure,0x4,Client's key encrypted in old master key +4771,failure,0x5,Server's key encrypted in old master key +4771,failure,0x6,Client not found in Kerberos database +4771,failure,0x7,Server not found in Kerberos database +4771,failure,0x8,Multiple principal entries in database +4771,failure,0x9,The client or server has a null key +4771,failure,0xA,Ticket not eligible for postdating +4771,failure,0xB,Requested start time is later than end time +4771,failure,0xC,KDC policy 
rejects request +4771,failure,0xD,KDC cannot accommodate requested option +4771,failure,0xE,KDC has no support for encryption type +4771,failure,0xF,KDC has no support for checksum type +4771,failure,0x10,KDC has no support for padata type +4771,failure,0x11,KDC has no support for transited type +4771,failure,0x12,Clients credentials have been revoked +4771,failure,0x13,Credentials for server have been revoked +4771,failure,0x14,TGT has been revoked +4771,failure,0x15,Client not yet valid - try again later +4771,failure,0x16,Server not yet valid - try again later +4771,failure,0x17,Password has expired +4771,failure,0x18,Pre-authentication information was invalid +4771,failure,0x19,Additional pre-authentication required* +4771,failure,0x1F,Integrity check on decrypted field failed +4771,failure,0x20,Ticket expired +4771,failure,0x21,Ticket not yet valid +4771,failure,0x22,Request is a replay +4771,failure,0x23,The ticket isn't for us +4771,failure,0x24,Ticket and authenticator don't match +4771,failure,0x25,Clock skew too great +4771,failure,0x26,Incorrect net address +4771,failure,0x27,Protocol version mismatch +4771,failure,0x28,Invalid msg type +4771,failure,0x29,Message stream modified +4771,failure,0x2A,Message out of order +4771,failure,0x2C,Specified version of key is not available +4771,failure,0x2D,Service key not available +4771,failure,0x2E,Mutual authentication failed +4771,failure,0x2F,Incorrect message direction +4771,failure,0x30,Alternative authentication method required* +4771,failure,0x31,Incorrect sequence number in message +4771,failure,0x32,Inappropriate type of checksum in message +4771,failure,0x3C,Generic error +4771,failure,0x3D,Field is too long for this implementation diff --git a/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv b/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv new file mode 100644 index 00000000..0518a53c --- /dev/null 
+++ b/apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv 
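Review bot: the Error_Code values in this hunk mix `0x`, `0X` and lowercase hex digits (`0xC0000064`, `0XC000006D`, `0xc0000371`), and Splunk lookup matching is case-sensitive unless the transforms.conf stanza sets `case_sensitive_match = false`, so a row will only match when the event's status field has exactly the same casing; normalise every code to one form and set `case_sensitive_match = false` on the lookup stanza. Also, for both 4768 and 4769 the code `0xC` repeats the 0xB text `Requested start time is later than end time`, while the 4771 rows further down give 0xC as `KDC policy rejects request`; the 4768/4769 rows look like a copy-paste slip and should carry the 4771 text. Smaller points: 4625 with `0xC0000064` is `unknown` while the same code under 4776 is `failure`, `4625,failure,0x0,Status OK.` pairs a failure action with an "OK" description and deserves a comment on why it exists, and the 4771 descriptions for 0x19 and 0x30 end in a stray `*` carried over from the source table.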
@@ -0,0 +1,557 @@ +EventCode,action,Error_Code,Description,Category,Subcategory,os +4608,success,-,Windows is starting up.,System,Security State Change,"Windows Vista, Windows Server 2008" +4609,unknown,-,Windows is shutting down.,System,Security State Change,"Windows Vista, Windows Server 2008" +4610,unknown,-,An authentication package has been loaded by the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008" +4611,success,-,A trusted logon process has been registered with the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008" +4612,unknown,-,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",System,System Integrity,"Windows Vista, Windows Server 2008" +4614,unknown,-,A notification package has been loaded by the Security Account Manager.,System,Security System Extension,"Windows Vista, Windows Server 2008" +4615,unknown,-,Invalid use of LPC port.,System,System Integrity,"Windows Vista, Windows Server 2008" +4616,success,-,The system time was changed.,System,Security State Change,"Windows Vista, Windows Server 2008" +4618,unknown,-,A monitored security event pattern has occurred.,System,System Integrity,"Windows Vista, Windows Server 2008" +4621,unknown,-,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. 
Some auditable activity might not have been recorded.,System,Security State Change,"Windows Vista, Windows Server 2008" +4622,unknown,-,A security package has been loaded by the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008" +4624,success,-,An account was successfully logged on.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008" +4626,unknown,-,User/Device claims information.,Logon/Logoff,Logon,"Windows 8, Windows Server 2012" +4634,success,-,An account was logged off.,Logon/Logoff,Logoff,"Windows Vista, Windows Server 2008" +4646,unknown,-,IKE DoS-prevention mode started.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4647,success,-,User initiated logoff.,Logon/Logoff,Logoff,"Windows Vista, Windows Server 2008" +4648,success,-,A logon was attempted using explicit credentials.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008" +4649,unknown,-,A replay attack was detected.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4650,unknown,-,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4651,unknown,-,An IPsec Main Mode security association was established. Extended Mode was not enabled. 
A certificate was used for authentication.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4652,unknown,-,An IPsec Main Mode negotiation failed.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4653,failure,-,An IPsec Main Mode negotiation failed.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4654,unknown,-,An IPsec Quick Mode negotiation failed.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008" +4655,unknown,-,An IPsec Main Mode security association ended.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4656,failure,-,A handle to an object was requested.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008" +4657,unknown,-,A registry value was modified.,Object Access,Registry,"Windows Vista, Windows Server 2008" +4658,success,-,The handle to an object was closed.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008" +4659,unknown,-,A handle to an object was requested with intent to delete.,Object Access,Special,"Windows Vista, Windows Server 2008" +4660,unknown,-,An object was deleted.,Object Access,Special,"Windows Vista, Windows Server 2008" +4661,success,-,A handle to an object was requested.,Object Access,Special,"Windows Vista, Windows Server 2008" +4662,success,-,An operation was performed on an object.,DS Access,Directory Service Access,"Windows Vista, Windows Server 2008" +4663,success,-,An attempt was made to access an object.,Object Access,Special,"Windows Vista, Windows Server 2008" +4664,success,-,An attempt was made to create a hard link.,Object Access,File System,"Windows Vista, Windows Server 2008" +4665,unknown,-,An attempt was made to create an application client context.,Object Access,Application Generated,"Windows Vista, Windows Server 2008" +4666,unknown,-,An application attempted an operation:,Object Access,Application Generated,"Windows Vista, Windows Server 2008" +4667,unknown,-,An application client context was 
deleted.,Object Access,Application Generated,"Windows Vista, Windows Server 2008" +4668,unknown,-,An application was initialized.,Object Access,Application Generated,"Windows Vista, Windows Server 2008" +4670,success,-,Permissions on an object were changed.,Policy Change,Subcategory (special),"Windows Vista, Windows Server 2008" +4671,unknown,-,An application attempted to access a blocked ordinal through the TBS.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4672,success,-,Special privileges assigned to new logon.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008" +4673,failure,-,A privileged service was called.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008" +4674,success,-,An operation was attempted on a privileged object.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008" +4675,unknown,-,SIDs were filtered.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008" +4689,success,-,A process has exited.,Detailed Tracking,Process Termination,"Windows Vista, Windows Server 2008" +4690,success,-,An attempt was made to duplicate a handle to an object.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008" +4691,unknown,-,Indirect access to an object was requested.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4692,unknown,-,Backup of data protection master key was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008" +4693,unknown,-,Recovery of data protection master key was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008" +4694,unknown,-,Protection of auditable protected data was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008" +4695,unknown,-,Unprotection of auditable protected data was attempted.,Detailed Tracking,DPAPI 
Activity,"Windows Vista, Windows Server 2008" +4696,unknown,-,A primary token was assigned to process.,Detailed Tracking,Process Creation,"Windows Vista, Windows Server 2008" +4697,unknown,-,A service was installed in the system.,System,Security System Extension,"Windows Vista, Windows Server 2008" +4698,unknown,-,A scheduled task was created.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4699,unknown,-,A scheduled task was deleted.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4700,unknown,-,A scheduled task was enabled.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4701,unknown,-,A scheduled task was disabled.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4702,success,-,A scheduled task was updated.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +4704,success,-,A user right was assigned.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008" +4705,unknown,-,A user right was removed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008" +4706,unknown,-,A new trust was created to a domain.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008" +4707,unknown,-,A trust to a domain was removed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008" +4709,unknown,-,IPsec Services was started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +4710,unknown,-,IPsec Services was disabled.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +4711,unknown,-,May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore 
Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +4712,unknown,-,IPsec Services encountered a potentially serious failure.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +4713,unknown,-,Kerberos policy was changed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4714,unknown,-,Encrypted data recovery policy was changed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008" +4715,unknown,-,The audit policy (SACL) on an object was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4716,unknown,-,Trusted domain information was modified.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4717,success,-,System security access was granted to an account.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4718,unknown,-,System security access was removed from an account.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4719,unknown,-,System audit policy was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4720,created,-,A user account was created.,Account Management,User Account 
Management,"Windows Vista, Windows Server 2008" +4722,modified,-,A user account was enabled.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4723,modified,-,An attempt was made to change an account's password.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4724,modified,-,An attempt was made to reset an account's password.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4725,modified,-,A user account was disabled.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4726,deleted,-,A user account was deleted.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4727,success,-,A security-enabled global group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4728,success,-,A member was added to a security-enabled global group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4729,success,-,A member was removed from a security-enabled global group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4730,unknown,-,A security-enabled global group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4731,unknown,-,A security-enabled local group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4732,success,-,A member was added to a security-enabled local group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4733,success,-,A member was removed from a security-enabled local group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4734,unknown,-,A security-enabled local group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4735,success,-,A security-enabled local group was changed.,Account Management,Security 
Group Management,"Windows Vista, Windows Server 2008" +4737,success,-,A security-enabled global group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4738,modified,-,A user account was changed.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4739,unknown,-,Domain Policy was changed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4740,unknown,-,A user account was locked out.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4742,modified,-,A computer account was changed.,Account Management,Computer Account Management,"Windows Vista, Windows Server 2008" +4743,unknown,-,A computer account was deleted.,Account Management,Computer Account Management,"Windows Vista, Windows Server 2008" +4744,unknown,-,A security-disabled local group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4745,unknown,-,A security-disabled local group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4746,unknown,-,A member was added to a security-disabled local group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4747,unknown,-,A member was removed from a security-disabled local group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4748,unknown,-,A security-disabled local group was deleted.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4749,unknown,-,A security-disabled global group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4750,unknown,-,A security-disabled global group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4751,unknown,-,A member was added to a security-disabled global group.,Account Management,Distribution 
Group Management,"Windows Vista, Windows Server 2008" +4752,unknown,-,A member was removed from a security-disabled global group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4753,unknown,-,A security-disabled global group was deleted.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4754,success,-,A security-enabled universal group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4755,success,-,A security-enabled universal group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4756,success,-,A member was added to a security-enabled universal group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4757,success,-,A member was removed from a security-enabled universal group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4758,unknown,-,A security-enabled universal group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4759,unknown,-,A security-disabled universal group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4760,unknown,-,A security-disabled universal group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4761,unknown,-,A member was added to a security-disabled universal group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4762,unknown,-,A member was removed from a security-disabled universal group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008" +4764,unknown,-,A group's type was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008" +4765,unknown,-,SID History was added to an account.,Account Management,User Account Management,"Windows Vista, Windows Server 
2008" +4766,unknown,-,An attempt to add SID History to an account failed.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4767,modified,-,A user account was unlocked.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4770,success,-,A Kerberos service ticket was renewed.,Account Logon,Kerberos Service Ticket Operations,"Windows Vista, Windows Server 2008" +4772,unknown,-,A Kerberos authentication ticket request failed.,Account Logon,Kerberos Authentication Service,"Windows Vista, Windows Server 2008" +4774,unknown,-,An account was mapped for logon.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008" +4775,unknown,-,An account could not be mapped for logon.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008" +4777,unknown,-,The domain controller failed to validate the credentials for an account.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008" +4778,success,-,A session was reconnected to a Window Station.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4779,success,-,A session was disconnected from a Window Station.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4780,success,-,The ACL was set on accounts which are members of administrators groups.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4781,unknown,-,The name of an account was changed:,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4782,unknown,-,The password hash an account was accessed.,Account Management,Other Account Management Events,"Windows Vista, Windows Server 2008" +4783,unknown,-,A basic application group was created.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4784,unknown,-,A basic application group was changed.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" 
+4785,unknown,-,A member was added to a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4786,unknown,-,A member was removed from a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4787,unknown,-,A non-member was added to a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4788,unknown,-,A non-member was removed from a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4789,unknown,-,A basic application group was deleted.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4790,unknown,-,An LDAP query group was created.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008" +4793,unknown,-,The Password Policy Checking API was called.,Account Management,Other Account Management Events,"Windows Vista, Windows Server 2008" +4794,unknown,-,An attempt was made to set the Directory Services Restore Mode.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +4800,success,-,The workstation was locked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4801,unknown,-,The workstation was unlocked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4802,unknown,-,The screen saver was invoked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4803,unknown,-,The screen saver was dismissed.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +4816,unknown,-,RPC detected an integrity violation while decrypting an incoming message.,System,System Integrity,"Windows Vista, Windows Server 2008" +4817,unknown,-,Auditing settings on an object were changed.,Policy Change,Audit Policy Change,"Windows 7, Windows Server 2008 R2" +4818,unknown,-,Proposed 
Central Access Policy does not grant the same access permissions as the current Central Access Policy,Object Access,Central Policy Staging,"Windows 8, Windows Server 2012" +4819,unknown,-,Central Access Policies on the machine have been changed.,Policy Change,Other Policy Change Events,"Windows 8, Windows Server 2012" +4864,unknown,-,A namespace collision was detected.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4865,unknown,-,A trusted forest information entry was added.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4866,unknown,-,A trusted forest information entry was removed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4867,unknown,-,A trusted forest information entry was modified.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008" +4868,unknown,-,The certificate manager denied a pending certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4869,unknown,-,Certificate Services received a resubmitted certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4870,unknown,-,Certificate Services revoked a certificate.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4871,unknown,-,Certificate Services received a request to publish the certificate revocation list (CRL).,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4872,unknown,-,Certificate Services published the certificate revocation list (CRL).,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4873,unknown,-,A certificate request extension changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4874,unknown,-,One or more certificate request attributes changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4875,unknown,-,Certificate Services received a request to 
shut down.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4876,unknown,-,Certificate Services backup started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4877,unknown,-,Certificate Services backup completed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4878,unknown,-,Certificate Services restore started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4879,unknown,-,Certificate Services restore completed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4880,unknown,-,Certificate Services started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4881,unknown,-,Certificate Services stopped.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4882,unknown,-,The security permissions for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4883,unknown,-,Certificate Services retrieved an archived key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4884,unknown,-,Certificate Services imported a certificate into its database.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4885,unknown,-,The audit filter for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4886,unknown,-,Certificate Services received a certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4887,unknown,-,Certificate Services approved a certificate request and issued a certificate.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4888,unknown,-,Certificate Services denied a certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4889,unknown,-,Certificate Services set the status of a certificate request to pending.,Object Access,Certification 
Services,"Windows Vista, Windows Server 2008" +4890,unknown,-,The certificate manager settings for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4891,unknown,-,A configuration entry changed in Certificate Services.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4892,unknown,-,A property of Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4893,unknown,-,Certificate Services archived a key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4894,unknown,-,Certificate Services imported and archived a key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4895,unknown,-,Certificate Services published the CA certificate to Active Directory Domain Services.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4896,unknown,-,One or more rows have been deleted from the certificate database.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4897,unknown,-,Role separation enabled:,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4898,unknown,-,Certificate Services loaded a template.,Object Access,Certification Services,"Windows Vista, Windows Server 2008" +4902,success,-,The Per-user audit policy table was created.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4904,success,-,An attempt was made to register a security event source.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4905,success,-,An attempt was made to unregister a security event source.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4906,unknown,-,The CrashOnAuditFail value has changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4907,success,-,Auditing settings on object were changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 
2008" +4908,unknown,-,Special Groups Logon table modified.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4909,unknown,-,The local policy settings for the TBS were changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +4910,unknown,-,The group policy settings for the TBS were changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +4911,unknown,-,Resource attributes of the object were changed.,Policy Change,Authorization Policy Change,"Windows 8, Windows Server 2012" +4912,unknown,-,Per User Audit Policy was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008" +4913,unknown,-,Central Access Policy on the object was changed.,Policy Change,Authorization Policy Change,"Windows 8, Windows Server 2012" +4928,unknown,-,An Active Directory replica source naming context was established.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4929,unknown,-,An Active Directory replica source naming context was removed.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4930,unknown,-,An Active Directory replica source naming context was modified.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4931,success,-,An Active Directory replica destination naming context was modified.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4932,success,-,Synchronization of a replica of an Active Directory naming context has begun.,DS Access,Directory Service Replication,"Windows Vista, Windows Server 2008" +4933,failure,-,Synchronization of a replica of an Active Directory naming context has ended.,DS Access,Directory Service Replication,"Windows Vista, Windows Server 2008" +4934,unknown,-,Attributes of an Active Directory object were replicated.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" 
+4935,unknown,-,Replication failure begins.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4936,unknown,-,Replication failure ends.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4937,unknown,-,A lingering object was removed from a replica.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008" +4944,success,-,The following policy was active when the Windows Firewall started.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4945,success,-,A rule was listed when the Windows Firewall started.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4946,success,-,A change has been made to Windows Firewall exception list. A rule was added.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4947,success,-,A change has been made to Windows Firewall exception list. A rule was modified.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4948,success,-,A change has been made to Windows Firewall exception list. A rule was deleted.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4949,unknown,-,Windows Firewall settings were restored to the default values.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4950,unknown,-,A Windows Firewall setting has changed.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4951,failure,-,A rule has been ignored because its major version number was not recognized by Windows Firewall.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4952,unknown,-,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. 
The other parts of the rule will be enforced.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4953,failure,-,A rule has been ignored by Windows Firewall because it could not parse the rule.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4954,unknown,-,Windows Firewall Group Policy settings have changed. The new settings have been applied.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4956,success,-,Windows Firewall has changed the active profile.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4957,unknown,-,Windows Firewall did not apply the following rule:,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4958,unknown,-,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008" +4960,unknown,-,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",System,IPsec Driver,"Windows Vista, Windows Server 2008" +4961,unknown,-,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",System,IPsec Driver,"Windows Vista, Windows Server 2008" +4962,unknown,-,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +4963,unknown,-,IPsec dropped an inbound clear text packet that should have been secured. 
This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +4964,unknown,-,Special groups have been assigned to a new logon.,Logon/Logoff,Special Logon,"Windows Vista, Windows Server 2008" +4965,unknown,-,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",System,IPsec Driver,"Windows Vista, Windows Server 2008" +4976,unknown,-,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +4977,unknown,-,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008" +4978,unknown,-,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. 
If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4979,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4980,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4981,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4982,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4983,unknown,-,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4984,unknown,-,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008" +4985,success,-,The state of a transaction has changed.,Object Access,File System,"Windows Vista, Windows Server 2008" +5024,success,-,The Windows Firewall Service has started successfully.,System,Other System Events,"Windows Vista, Windows Server 2008" +5025,unknown,-,The Windows Firewall Service has been stopped.,System,Other System Events,"Windows Vista, Windows Server 2008" +5027,unknown,-,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,System,Other System Events,"Windows Vista, Windows Server 2008" +5028,unknown,-,The Windows Firewall Service was unable to parse the new security policy. 
The service will continue with currently enforced policy.,System,Other System Events,"Windows Vista, Windows Server 2008" +5029,unknown,-,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,System,Other System Events,"Windows Vista, Windows Server 2008" +5030,unknown,-,The Windows Firewall Service failed to start.,System,Other System Events,"Windows Vista, Windows Server 2008" +5031,unknown,-,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5032,unknown,-,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,System,Other System Events,"Windows Vista, Windows Server 2008" +5033,success,-,The Windows Firewall Driver has started successfully.,System,Other System Events,"Windows Vista, Windows Server 2008" +5034,unknown,-,The Windows Firewall Driver has been stopped.,System,Other System Events,"Windows Vista, Windows Server 2008" +5035,unknown,-,The Windows Firewall Driver failed to start.,System,Other System Events,"Windows Vista, Windows Server 2008" +5037,unknown,-,The Windows Firewall Driver detected critical runtime error. Terminating.,System,Other System Events,"Windows Vista, Windows Server 2008" +5038,unknown,-,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,System,System Integrity,"Windows Vista, Windows Server 2008" +5039,unknown,-,A registry key was virtualized.,Object Access,Registry,"Windows Vista, Windows Server 2008" +5040,unknown,-,A change has been made to IPsec settings. 
An Authentication Set was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5041,unknown,-,A change has been made to IPsec settings. An Authentication Set was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5042,unknown,-,A change has been made to IPsec settings. An Authentication Set was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5043,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5044,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5045,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5046,unknown,-,A change has been made to IPsec settings. A Crypto Set was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5047,unknown,-,A change has been made to IPsec settings. A Crypto Set was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5048,unknown,-,A change has been made to IPsec settings. 
A Crypto Set was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5049,unknown,-,An IPsec Security Association was deleted.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +5051,unknown,-,A file was virtualized.,Object Access,File System,"Windows Vista, Windows Server 2008" +5056,success,-,A cryptographic self test was performed.,System,System Integrity,"Windows Vista, Windows Server 2008" +5057,unknown,-,A cryptographic primitive operation failed.,System,System Integrity,"Windows Vista, Windows Server 2008" +5058,success,-,Key file operation.,System,Other System Events,"Windows Vista, Windows Server 2008" +5059,success,-,Key migration operation.,System,Other System Events,"Windows Vista, Windows Server 2008" +5060,unknown,-,Verification operation failed.,System,System Integrity,"Windows Vista, Windows Server 2008" +5061,failure,-,Cryptographic operation.,System,System Integrity,"Windows Vista, Windows Server 2008" +5062,unknown,-,A kernel-mode cryptographic self test was performed.,System,System Integrity,"Windows Vista, Windows Server 2008" +5063,unknown,-,A cryptographic provider operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5064,unknown,-,A cryptographic context operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5065,unknown,-,A cryptographic context modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5066,unknown,-,A cryptographic function operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5067,unknown,-,A cryptographic function modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5068,unknown,-,A cryptographic function provider operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" 
+5069,unknown,-,A cryptographic function property operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5070,unknown,-,A cryptographic function property modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5136,success,-,A directory service object was modified.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008" +5137,unknown,-,A directory service object was created.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008" +5138,unknown,-,A directory service object was undeleted.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008" +5139,unknown,-,A directory service object was moved.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008" +5140,failure,-,A network share object was accessed.,Object Access,File Share,"Windows Vista, Windows Server 2008" +5141,unknown,-,A directory service object was deleted.,DS Access,Directory Service Changes,"Windows Vista SP1, Windows Server 2008" +5142,unknown,-,A network share object was added.,Object Access,File Share,"Windows 7, Windows Server 2008 R2" +5143,success,-,A network share object was modified.,Object Access,File Share,"Windows 7, Windows Server 2008 R2" +5144,unknown,-,A network share object was deleted.,Object Access,File Share,"Windows 7, Windows Server 2008 R2" +5145,unknown,-,A network share object was checked to see whether the client can be granted desired access.,Object Access,Detailed File Share,"Windows 7, Windows Server 2008 R2" +5148,unknown,-,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,Object Access,Other Object Access Events,"Windows 7, Windows Server 2008 R2" +5149,unknown,-,The DoS attack has subsided and normal processing is being resumed.,Object Access,Other Object Access Events,"Windows 7, Windows Server 2008 R2" 
+5150,unknown,-,The Windows Filtering Platform has blocked a packet.,Object Access,Filtering Platform Connection,"Windows 7, Windows Server 2008 R2" +5151,unknown,-,A more restrictive Windows Filtering Platform filter has blocked a packet.,Object Access,Filtering Platform Connection,"Windows 7, Windows Server 2008 R2" +5152,failure,-,The Windows Filtering Platform blocked a packet.,Object Access,Filtering Platform Packet Drop ,"Windows Vista, Windows Server 2008" +5153,unknown,-,A more restrictive Windows Filtering Platform filter has blocked a packet.,Object Access,Filtering Platform Packet Drop ,"Windows Vista, Windows Server 2008" +5154,success,-,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5155,unknown,-,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5156,success,-,The Windows Filtering Platform has allowed a connection.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5157,failure,-,The Windows Filtering Platform has blocked a connection.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5158,success,-,The Windows Filtering Platform has permitted a bind to a local port.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5159,unknown,-,The Windows Filtering Platform has blocked a bind to a local port.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008" +5168,unknown,-,Spn check for SMB/SMB2 failed.,Object Access,File Share,"Windows 7, Windows Server 2008 R2" +5376,unknown,-,Credential Manager credentials were backed up.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +5377,unknown,-,Credential Manager 
credentials were restored from a backup.,Account Management,User Account Management,"Windows Vista, Windows Server 2008" +5378,unknown,-,The requested credentials delegation was disallowed by policy.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +5440,success,-,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5441,success,-,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5442,success,-,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5443,unknown,-,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5444,success,-,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5446,success,-,A Windows Filtering Platform callout has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5447,success,-,A Windows Filtering Platform filter has been changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +5448,success,-,A Windows Filtering Platform provider has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5449,success,-,A Windows Filtering Platform provider context has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5450,success,-,A Windows Filtering Platform sub-layer has been changed.,Policy 
Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5451,unknown,-,An IPsec Quick Mode security association was established.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008" +5452,unknown,-,An IPsec Quick Mode security association ended.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008" +5453,unknown,-,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008" +5456,unknown,-,PAStore Engine applied Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5457,unknown,-,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5458,unknown,-,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5459,unknown,-,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5460,unknown,-,PAStore Engine applied local registry storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5461,unknown,-,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5462,unknown,-,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. 
Use the IP Security Monitor snap-in to diagnose the problem.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5463,unknown,-,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5464,unknown,-,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5465,unknown,-,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5466,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5467,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5468,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. 
The cached copy of the Active Directory IPsec policy is no longer being used.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5471,unknown,-,PAStore Engine loaded local storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5472,unknown,-,PAStore Engine failed to load local storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5473,unknown,-,PAStore Engine loaded directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5474,unknown,-,PAStore Engine failed to load directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5477,unknown,-,PAStore Engine failed to add quick mode filter.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008" +5478,unknown,-,IPsec Services has started successfully.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +5479,unknown,-,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +5480,unknown,-,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +5483,unknown,-,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +5484,unknown,-,IPsec Services has experienced a critical failure and has been shut down. 
The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +5485,unknown,-,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,System,IPsec Driver,"Windows Vista, Windows Server 2008" +5632,unknown,-,A request was made to authenticate to a wireless network.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +5633,unknown,-,A request was made to authenticate to a wired network.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008" +5712,unknown,-,A Remote Procedure Call (RPC) was attempted.,Detailed Tracking,RPC Events,"Windows Vista, Windows Server 2008" +5888,unknown,-,An object in the COM+ Catalog was modified.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +5889,unknown,-,An object was deleted from the COM+ Catalog.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +5890,unknown,-,An object was added to the COM+ Catalog.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008" +6144,success,-,Security policy in the group policy objects has been applied successfully.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +6145,unknown,-,One or more errors occurred while processing security policy in the group policy objects.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008" +6272,unknown,-,Network Policy Server granted access to a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6273,unknown,-,Network Policy Server denied access to a user.,Logon/Logoff,Network Policy 
Server,"Windows Vista SP1, Windows Server 2008" +6274,unknown,-,Network Policy Server discarded the request for a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6275,unknown,-,Network Policy Server discarded the accounting request for a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6276,unknown,-,Network Policy Server quarantined a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6277,unknown,-,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6278,unknown,-,Network Policy Server granted full access to a user because the host met the defined health policy.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6279,unknown,-,Network Policy Server locked the user account due to repeated failed authentication attempts.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6280,unknown,-,Network Policy Server unlocked the user account.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008" +6281,unknown,-,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,System,System Integrity,"Windows 7, Windows Server 2008 R2" +6400,unknown,-,BranchCache: Received an incorrectly formatted response while discovering availability of content. ,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6401,unknown,-,BranchCache: Received invalid data from a peer. Data discarded. ,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6402,unknown,-,BranchCache: The message to the hosted cache offering it data is incorrectly formatted. 
,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6403,unknown,-,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6404,unknown,-,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6405,unknown,-,BranchCache: %2 instance(s) of event id %1 occurred.,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6406,unknown,-,%1 registered to Windows Firewall to control filtering for the following: %2,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6407,unknown,-,1%,System,Other System Events,"Windows 7, Windows Server 2008 R2" +6408,unknown,-,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,System,Other System Events,"Windows 7, Windows Server 2008 R2" +4625,failure,0XC000005E,There are currently no logon servers available to service the logon request.,,, +4625,unknown,0xC0000064,User logon with misspelled or bad user account,,, +4625,failure,0xC000006A,User logon with misspelled or bad password,,, +4625,failure,0XC000006D,This is either due to a bad username or authentication information,,, +4625,failure,0XC000006E,Unknown user name or bad password.,,, +4625,failure,0XC000010B,Indicates an invalid value has been provided for the LogonType requested.,,, +4625,denied,0xC000006F,User logon outside authorized hours,,, +4625,denied,0xC0000070,User logon from unauthorized workstation,,, +4625,failure,0xC0000071,User logon with expired password,,, +4625,failure,0xC0000072,User logon to account disabled by administrator,,, +4625,failure,0XC00000DC,Indicates the Sam Server was in the wrong state to perform the desired operation.,,, +4625,error,0XC0000133,Clocks between DC and other computer too far out of sync,,, +4625,denied,0XC000015B,The user has not been granted the requested logon type (aka logon 
right) at this machine,,, +4625,failure,0XC000018C,The logon request failed because the trust relationship between the primary domain and the trusted domain failed.,,, +4625,failure,0XC0000192,"An attempt was made to logon, but the Netlogon service was not started.",,, +4625,failure,0xC0000193,User logon with expired account,,, +4625,failure,0XC0000224,User is required to change password at next logon,,, +4625,error,0XC0000225,Evidently a bug in Windows and not a risk,,, +4625,denied,0xC0000234,User logon with account locked,,, +4625,failure,0XC00002EE,Failure Reason: An Error occurred during Logon,,, +4625,failure,0XC0000413,Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.,,, +4625,failure,0x0,Status OK.,,, +4776,failure,0xC0000064,The username you typed does not exist. Bad username.,,, +4776,failure,0xC000006A,Account logon with misspelled or bad password.,,, +4776,failure,0xC000006D,Generic logon failure.,,, +4776,denied,0xC000006F,Account logon outside authorized hours.,,, +4776,denied,0xC0000070,Account logon from unauthorized workstation.,,, +4776,failure,0xC0000071,Account logon with expired password.,,, +4776,failure,0xC0000072,Account logon to account disabled by administrator.,,, +4776,failure,0xC0000193,Account logon with expired account.,,, +4776,failure,0xC0000224,"Account logon with ""Change Password at Next Logon"" flagged.",,, +4776,failure,0xC0000234,Account logon with account locked.,,, +4776,failure,0xc0000371,The local account store does not contain secret material for the specified account.,,, +4776,success,0x0,No errors.,,, +4768,success,0x0,No error,,, +4768,failure,0x1,Client's entry in KDC database has expired,,, +4768,failure,0x2,Server's entry in KDC database has expired,,, +4768,failure,0x3,Requested Kerberos version number not supported,,, +4768,failure,0x4,Client's key encrypted in old master key,,, +4768,failure,0x5,Server's 
key encrypted in old master key,,, +4768,failure,0x6,Client not found in Kerberos database,,, +4768,failure,0x7,Server not found in Kerberos database,,, +4768,failure,0x8,Multiple principal entries in KDC database,,, +4768,failure,0x9,The client or server has a null key (master key),,, +4768,failure,0xA,Ticket (TGT) not eligible for postdating,,, +4768,failure,0xB,Requested start time is later than end time,,, +4768,failure,0xC,Requested start time is later than end time,,, +4768,failure,0xD,KDC cannot accommodate requested option,,, +4768,failure,0xE,KDC has no support for encryption type,,, +4768,failure,0xF,KDC has no support for checksum type,,, +4768,failure,0x10,KDC has no support for PADATA type (pre-authentication data),,, +4768,failure,0x11,KDC has no support for transited type,,, +4768,failure,0x12,Client's credentials have been revoked,,, +4768,failure,0x13,Credentials for server have been revoked,,, +4768,failure,0x14,TGT has been revoked,,, +4768,failure,0x15,Client not yet valid-try again later,,, +4768,failure,0x16,Server not yet valid-try again later,,, +4768,failure,0x17,Password has expired-change password to reset,,, +4768,failure,0x18,Pre-authentication information was invalid,,, +4768,failure,0x19,Additional pre-authentication required,,, +4768,failure,0x1A,KDC does not know about the requested server,,, +4768,failure,0x1B,KDC is unavailable,,, +4768,failure,0x1F,Integrity check on decrypted field failed,,, +4768,failure,0x20,The ticket has expired,,, +4768,failure,0x21,The ticket is not yet valid,,, +4768,failure,0x22,The request is a replay,,, +4768,failure,0x23,The ticket is not for us,,, +4768,failure,0x24,The ticket and authenticator do not match,,, +4768,failure,0x25,The clock skew is too great,,, +4768,failure,0x26,Network address in network layer header doesn't match address inside ticket,,, +4768,failure,0x27,Protocol version numbers don't match (PVNO),,, +4768,failure,0x28,Message type is unsupported,,, +4768,failure,0x29,Message 
stream modified and checksum didn't match ,,, +4768,failure,0x2A,Message out of order (possible tampering),,, +4768,failure,0x2C,Specified version of key is not available,,, +4768,failure,0x2D,Service key not available,,, +4768,failure,0x2E,Mutual authentication failed,,, +4768,failure,0x2F,Incorrect message direction,,, +4768,failure,0x30,Alternative authentication method required,,, +4768,failure,0x31,Incorrect sequence number in message,,, +4768,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported),,, +4768,failure,0x33,Desired path is unreachable,,, +4768,failure,0x34,Too much data,,, +4768,failure,0x3C,Generic error,,, +4768,failure,0x3D,Field is too long for this implementation,,, +4768,failure,0x3E,The client trust failed or is not implemented,,, +4768,failure,0x3F,The KDC server trust failed or could not be verified,,, +4768,failure,0x40,The signature is invalid,,, +4768,failure,0x41,A higher encryption level is needed,,, +4768,failure,0x42,User-to-user authorization is required,,, +4768,failure,0x43,No TGT was presented or available,,, +4768,failure,0x44,Incorrect domain or principal,,, +4769,success,0x0,No error,,, +4769,failure,0x1,Client's entry in KDC database has expired,,, +4769,failure,0x2,Server's entry in KDC database has expired,,, +4769,failure,0x3,Requested Kerberos version number not supported,,, +4769,failure,0x4,Client's key encrypted in old master key,,, +4769,failure,0x5,Server's key encrypted in old master key,,, +4769,failure,0x6,Client not found in Kerberos database,,, +4769,failure,0x7,Server not found in Kerberos database,,, +4769,failure,0x8,Multiple principal entries in KDC database,,, +4769,failure,0x9,The client or server has a null key (master key),,, +4769,failure,0xA,Ticket (TGT) not eligible for postdating,,, +4769,failure,0xB,Requested start time is later than end time,,, +4769,failure,0xC,Requested start time is later than end time,,, +4769,failure,0xD,KDC cannot accommodate requested option,,, 
+4769,failure,0xE,KDC has no support for encryption type,,, +4769,failure,0xF,KDC has no support for checksum type,,, +4769,failure,0x10,KDC has no support for PADATA type (pre-authentication data),,, +4769,failure,0x11,KDC has no support for transited type,,, +4769,failure,0x12,Client's credentials have been revoked,,, +4769,failure,0x13,Credentials for server have been revoked,,, +4769,failure,0x14,TGT has been revoked,,, +4769,failure,0x15,Client not yet valid try again later,,, +4769,failure,0x16,Server not yet valid try again later,,, +4769,failure,0x17,Password has expired change password to reset,,, +4769,failure,0x18,Pre-authentication information was invalid,,, +4769,failure,0x19,Additional pre-authentication required,,, +4769,failure,0x1A,KDC does not know about the requested server,,, +4769,failure,0x1B,KDC is unavailable,,, +4769,failure,0x1F,Integrity check on decrypted field failed,,, +4769,failure,0x20,The ticket has expired,,, +4769,failure,0x21,The ticket is not yet valid,,, +4769,failure,0x22,The request is a replay,,, +4769,failure,0x23,The ticket is not for us,,, +4769,failure,0x24,The ticket and authenticator do not match,,, +4769,failure,0x25,The clock skew is too great,,, +4769,failure,0x26,Network address in network layer header doesn't match address inside ticket,,, +4769,failure,0x27,Protocol version numbers don't match (PVNO),,, +4769,failure,0x28,Message type is unsupported,,, +4769,failure,0x29,Message stream modified and checksum didn't match,,, +4769,failure,0x2A,Message out of order (possible tampering),,, +4769,failure,0x2C,Specified version of key is not available,,, +4769,failure,0x2D,Service key not available,,, +4769,failure,0x2E,Mutual authentication failed,,, +4769,failure,0x2F,Incorrect message direction,,, +4769,failure,0x30,Alternative authentication method required,,, +4769,failure,0x31,Incorrect sequence number in message,,, +4769,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported),,, 
+4769,failure,0x33,Desired path is unreachable,,, +4769,failure,0x34,Too much data,,, +4769,failure,0x3C,Generic error,,, +4769,failure,0x3D,Field is too long for this implementation,,, +4769,failure,0x3E,The client trust failed or is not implemented,,, +4769,failure,0x3F,The KDC server trust failed or could not be verified,,, +4769,failure,0x40,The signature is invalid,,, +4769,failure,0x41,A higher encryption level is needed,,, +4769,failure,0x42,User-to-user authorization is required,,, +4769,failure,0x43,No TGT was presented or available,,, +4769,failure,0x44,Incorrect domain or principal,,, +4771,failure,0x1,Client's entry in database has expired,,, +4771,failure,0x2,Server's entry in database has expired,,, +4771,failure,0x3,Requested protocol version # not supported,,, +4771,failure,0x4,Client's key encrypted in old master key,,, +4771,failure,0x5,Server's key encrypted in old master key,,, +4771,failure,0x6,Client not found in Kerberos database,,, +4771,failure,0x7,Server not found in Kerberos database,,, +4771,failure,0x8,Multiple principal entries in database,,, +4771,failure,0x9,The client or server has a null key,,, +4771,failure,0xA,Ticket not eligible for postdating,,, +4771,failure,0xB,Requested start time is later than end time,,, +4771,failure,0xC,KDC policy rejects request,,, +4771,failure,0xD,KDC cannot accommodate requested option,,, +4771,failure,0xE,KDC has no support for encryption type,,, +4771,failure,0xF,KDC has no support for checksum type,,, +4771,failure,0x10,KDC has no support for padata type,,, +4771,failure,0x11,KDC has no support for transited type,,, +4771,failure,0x12,Clients credentials have been revoked ,,, +4771,failure,0x13,Credentials for server have been revoked,,, +4771,failure,0x14,TGT has been revoked,,, +4771,failure,0x15,Client not yet valid - try again later,,, +4771,failure,0x16,Server not yet valid - try again later,,, +4771,failure,0x17,Password has expired,,, +4771,failure,0x18,Pre-authentication information was 
invalid,,, +4771,failure,0x19,Additional pre-authentication required*,,, +4771,failure,0x1F,Integrity check on decrypted field failed,,, +4771,failure,0x20,Ticket expired,,, +4771,failure,0x21,Ticket not yet valid,,, +4771,failure,0x22,Request is a replay,,, +4771,failure,0x23,The ticket isn't for us,,, +4771,failure,0x24,Ticket and authenticator don't match ,,, +4771,failure,0x25,Clock skew too great,,, +4771,failure,0x26,Incorrect net address,,, +4771,failure,0x27,Protocol version mismatch,,, +4771,failure,0x28,Invalid msg type,,, +4771,failure,0x29,Message stream modified,,, +4771,failure,0x2A,Message out of order,,, +4771,failure,0x2C,Specified version of key is not available,,, +4771,failure,0x2D,Service key not available,,, +4771,failure,0x2E,Mutual authentication failed,,, +4771,failure,0x2F,Incorrect message direction,,, +4771,failure,0x30,Alternative authentication method required*,,, +4771,failure,0x31,Incorrect sequence number in message,,, +4771,failure,0x32,Inappropriate type of checksum in message,,, +4771,failure,0x3C,Generic error,,, +4771,failure,0x3D,Field is too long for this implementation,,, diff --git a/apps/Splunk_TA_windows/lookups/xmlwindows_severities.csv b/apps/Splunk_TA_windows/lookups/xmlwindows_severities.csv new file mode 100644 index 00000000..82bba6b2 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/xmlwindows_severities.csv @@ -0,0 +1,8 @@ +Level,EventCode,severity +0,,informational +1,,critical +2,,high +3,,medium +4,,informational +5,,informational +,4739,high diff --git a/apps/Splunk_TA_windows/lookups/xmlwindows_task_category.csv b/apps/Splunk_TA_windows/lookups/xmlwindows_task_category.csv new file mode 100644 index 00000000..56b06514 --- /dev/null +++ b/apps/Splunk_TA_windows/lookups/xmlwindows_task_category.csv 
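Review bot: the 4768 and 4769 rows for status 0xC repeat the 0xB text "Requested start time is later than end time"; Kerberos error 12 is KDC_ERR_POLICY, and the 4771 block in this same hunk already has it right as "4771,failure,0xC,KDC policy rejects request", so the two rows look like a copy-paste slip and should carry the 4771 wording. In the 4625 block the hex prefix is mixed between "0X" (0XC000005E, 0XC000006D, 0XC000006E, 0XC000010B, 0XC0000133 and others) and "0x" (0xC0000064, 0xC000006A, 0xC000006F and others); Splunk CSV lookups match case-sensitively unless the transforms.conf stanza sets case_sensitive_match = false, so the "0X" rows will silently never match an event whose status field carries a lower-case prefix. Normalise every value to a lower-case "0x". The second column also disagrees for the same status code across events, e.g. "4625,unknown,0xC0000064,User logon with misspelled or bad user account" against "4776,failure,0xC0000064,The username you typed does not exist. Bad username.", and only 0XC0000133 and 0XC0000225 use the value "error"; a bad-username logon failure tagged "unknown" drops out of any search that filters on the failure value, so pick one vocabulary and assign it per status code. Lastly, "+6407,unknown,-,1%,System,Other System Events" carries a garbled message placeholder ("1%" where the neighbouring 6406 and 6408 rows use "%1"); if the real message text is not known, use an obvious placeholder rather than a value that reads as a percentage.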
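Review bot: no row in xmlwindows_severities.csv populates Level and EventCode together, so the transforms.conf stanza has to key this lookup on one input field at a time; if it is invoked with both fields (lookup xmlwindows_severities Level EventCode OUTPUT severity), the blank cells are matched literally and no row ever matches. The intent appears to be a Level-based default with a per-EventCode override, but the file cannot express precedence: an event at Level 4 matches "+4,,informational" while "+,4739,high" only matches an EventCode-keyed call, and whichever lookup runs last in props.conf wins. Either split the override into its own lookup file or state the intended order in the props.conf stanza, and record in the TA's README why 4739 alone is raised to high, since a CSV cannot carry a comment.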
@@ -0,0 +1,4016 @@ +Name,Task,TaskCategory,EventGuid +Devices ,1,Devices,00000000-0000-0000-0000-000000000000 +Disk ,2,Disk,00000000-0000-0000-0000-000000000000 +Printers ,3,Printers,00000000-0000-0000-0000-000000000000 +Services ,4,Services,00000000-0000-0000-0000-000000000000 +Shell ,5,Shell,00000000-0000-0000-0000-000000000000 +System Event ,6,System Event,00000000-0000-0000-0000-000000000000 +Network ,7,Network,00000000-0000-0000-0000-000000000000 +Task_UserCrash,100,Application Crashing Events,00000000-0000-0000-0000-000000000000 +Task_Hang,101,Hanging Events,00000000-0000-0000-0000-000000000000 +Database Repair ,8,Database Repair,00000000-0000-0000-0000-000000000000 +Database Conversion ,9,Database Conversion,00000000-0000-0000-0000-000000000000 +Online Defragmentation ,10,Online Defragmentation,00000000-0000-0000-0000-000000000000 +System Parameter Settings ,11,System Parameter Settings,00000000-0000-0000-0000-000000000000 +Database Corruption ,12,Database Corruption,00000000-0000-0000-0000-000000000000 +Database Zeroing ,13,Database Zeroing,00000000-0000-0000-0000-000000000000 +Transaction Manager ,14,Transaction Manager,00000000-0000-0000-0000-000000000000 +Resource Failure Simulation ,15,Resource Failure Simulation,00000000-0000-0000-0000-000000000000 +ShadowCopy ,16,ShadowCopy,00000000-0000-0000-0000-000000000000 +UfsScanFileTask,17,,08a8495f-8d8f-476c-a083-e26e8eabb1b7 +UfsScanProcTask,18,,6f031e9a-9195-42fe-b149-4b02b31bf05d +SenseOnboardingInfoTask,19,,46617335-4f57-402d-b957-d1b55c95a775 +EngineLoadTask,20,,7f2f8f1a-0c3e-4091-9743-ef3ec84bdeb0 +DlpPerfOperation,21,,107a2be9-5c4c-433c-b97f-b9100ae83f5f +DCEvent,22,,4510012b-aecf-4db6-b0bf-e9347fa5b94c +RTPFileScanResult,23,,eb4232ea-6379-422b-aa7a-94cac90148ac +Spynet_EventSpynetRequired,24,,c6b43d16-0b63-44e1-9fd5-d29c6cda90e9 +Spynet_EventCloudRequest,25,,b18f770a-83ae-4807-ae51-06d4a27fbf71 +Spynet_EventSendTelemetry,26,,3e6d25ab-8bb3-4d6f-b2b7-47673382c55d 
+Spynet_MpCmdRunStart,27,,6e2e0e7c-3702-4f8c-b2aa-0941120fb025 +Spynet_GenerateReportStart,28,,08d058c6-226a-4e7e-925f-3b6c2027448e +Spynet_GenerateReportComplete,29,,9b439dd8-db34-4ebf-b11f-40925f723fdd +Spynet_HandleResponseStart,30,,f9f0f8a6-8732-4414-98e6-9f870d0a7b10 +Spynet_HandleResponseComplete,31,,fc524ec4-f03c-4182-a556-a816c6b37895 +Spynet_SendReportStart,32,,d2ec2c24-e0a4-47b3-b777-b3cd8e65defe +Spynet_SendReportComplete,33,,c9ff11d6-95d6-4d17-8d49-2a6de248d96b +MpCmdRun_CreateProcess,34,,d6ad8781-44b7-41cd-890c-9762b53c3714 +Spynet_MpCmdRunCreateTimer,35,,533f0835-145f-429c-ac51-459a0e46cf54 +Spynet_MpCmdRunTimerTrigger,36,,6d1edd32-3ca2-4958-ba77-5edd7fb9bb3b +IOAVScanTriggered,37,,8f2e98ae-df1a-4f53-a580-4b1441b8bfbb +Sense_RemediationInfoThreat,38,,2c36db2a-a39b-4a9b-8e23-321ee163c57e +Sense_HipsFGInfo,39,,c452a803-8378-4da1-b495-b6630bec649a +Sense_NetworkFilterLookup,40,,3434a803-8348-34a1-b345-34630bec3434 +Sense_NetworkFilterConnectionInfo,41,,7ac24ce5-7284-4429-9ed1-d8ce2f7296e7 +Sense_DlpInfo,42,,ff6a1ea6-49e6-4d61-a4af-be6047461795 +Sense_DlpEventInfo,43,,6a0dc6d8-05e1-4ea5-b9a5-b789238ddc99 +Sense_DlpStatusInfo,44,,f07136b9-28c6-4856-984c-8460e4f69dc7 +Sense_NetworkFilterBreakTheGlass,45,,37a766da-53a7-4d12-b452-dd98a3dd64ce +Sense_HipsAsrUserExclusionInfo,46,,3567d4a1-1429-4fac-a035-0694069f7ae1 +Sense_NetworkFilterDnsQuestion,47,,6d20b44b-9bf9-48d7-98c3-d303ba92d476 +Sense_NetworkFilterDnsAnswer,48,,b70ea01e-b3e1-4f05-b7be-cbef371ee536 +Sense_NetworkFilterVolumeNotification,49,,f466b5e3-a006-4493-93a6-cb0cf7ec024b +Sense_TroubleshootingModeNotification,50,,27aaeffd-d2d8-4c11-9790-d42eb4ccc48d +Sense_NetworkFilterTlsAlert,51,,f70c7fa9-6671-4ebf-b6e9-64eda8e2790e +RbM_RollbackComplete,52,,b25110ec-4ed1-4dcf-abaa-9e3b3f0a6bc8 +StartRundownTask,53,,3e80208a-9f94-4150-b3fc-bd51a81517c4 +EndRundownTask,54,,f51df377-c690-4441-876a-cf3016e01469 +Sense_TamperProtectionNotification,55,,c73f41d1-0d4c-460a-9bd3-4b5caeed65b0 
+Generic.AppLaunch,10001,Generic.AppLaunch,00000000-0000-0000-0000-000000000000 +Catalog.CreateMigrateMachineCatalog,102,CreateMigrateMachineCatalog,00000000-0000-0000-0000-000000000000 +Catalog.GetMachineCatalog,103,GetMachineCatalog,00000000-0000-0000-0000-000000000000 +Catalog.CatalogUserLogon,104,CatalogUserLogon,00000000-0000-0000-0000-000000000000 +Catalog.CreateMigrateUserCatalog,105,CreateMigrateUserCatalog,00000000-0000-0000-0000-000000000000 +Catalog.GetUserCatalog,106,GetUserCatalog,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackage,107,ConfigurePackage,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageGetOldPackageData,108,ConfigurePackageGetOldPackageData,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageFinalize,109,ConfigurePackageFinalize,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageComplete,110,ConfigurePackageComplete,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackage,111,PublishPackage,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageGetOldPackageData,112,PublishPackageGetOldPackageData,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageFinalize,113,PublishPackageFinalize,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageUnpublishOldVersion,114,PublishPackageUnpublishOldVersion,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageComplete,115,PublishPackageComplete,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageGroup,116,ConfigurePackageGroup,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageGroupGetOldGroupData,117,ConfigurePackageGroupGetOldGroupData,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageGroupFinalize,118,ConfigurePackageGroupFinalize,00000000-0000-0000-0000-000000000000 +Catalog.ConfigurePackageGroupComplete,119,ConfigurePackageGroupComplete,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageGroup,120,PublishPackageGroup,00000000-0000-0000-0000-000000000000 
+Catalog.PublishPackageGroupGetOldGroupData,121,PublishPackageGroupGetOldGroupData,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageGroupFinalize,122,PublishPackageGroupFinalize,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageGroupUnpublishOldVersion,123,PublishPackageGroupUnpublishOldVersion,00000000-0000-0000-0000-000000000000 +Catalog.PublishPackageGroupComplete,124,PublishPackageGroupComplete,00000000-0000-0000-0000-000000000000 +Catalog.PublishFromServer,125,PublishFromServer,00000000-0000-0000-0000-000000000000 +ClientProgrammability.AddAppvPackageTask,201,Add-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.RemoveAppvPackageTask,202,Remove-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.SetAppvPackageTask,203,Set-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.PublishAppvPackageTask,204,Publish-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.UnpublishAppvPackageTask,205,Unpublish-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.GetAppvPackageTask,206,Get-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.MountAppvPackageTask,207,Mount-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.RepairAppvPackageTask,208,Repair-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.StopAppvPackageTask,209,Stop-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.CancelMountAppvPackageTask,210,CancelMount-AppvPackage,00000000-0000-0000-0000-000000000000 +ClientProgrammability.SetAppvClientModeTask,211,Set-AppvClientMode,00000000-0000-0000-0000-000000000000 +ClientProgrammability.GetAppvClientModeTask,212,Get-AppvClientMode,00000000-0000-0000-0000-000000000000 +ClientProgrammability.AddAppvClientConnectionGroupTask,220,Add-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 
+ClientProgrammability.DisableAppvClientConnectionGroupTask,221,Disable-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.EnableAppvClientConnectionGroupTask,222,Enable-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.GetAppvClientConnectionGroupTask,223,Get-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.MountAppvClientConnectionGroupTask,224,Mount-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.RemoveAppvClientConnectionGroupTask,225,Remove-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.RepairAppvClientConnectionGroupTask,226,Repair-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.StopAppvClientConnectionGroupTask,227,Stop-AppvClientConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientProgrammability.GetAppvPublishingServersTask,250,Get-AppvPublishingServer,00000000-0000-0000-0000-000000000000 +ClientProgrammability.AddAppvPublishingServerTask,251,Add-AppvPublishingServer,00000000-0000-0000-0000-000000000000 +ClientProgrammability.SetAppvPublishingServerTask,252,Set-AppvPublishingServer,00000000-0000-0000-0000-000000000000 +ClientProgrammability.RemoveAppvPublishingServerTask,253,Remove-AppvPublishingServer,00000000-0000-0000-0000-000000000000 +ClientProgrammability.RefreshAppvPublishingServerTask,254,Refresh-AppvPublishingServer,00000000-0000-0000-0000-000000000000 +ClientProgrammability.GetAppvApplicationTask,260,Get-AppvClientApplication,00000000-0000-0000-0000-000000000000 +ClientProgrammability.StartAppvVirtualProcessTask,270,Start-AppvVirtualProcess,00000000-0000-0000-0000-000000000000 +ClientProgrammability.GetAppvClientConfigurationTask,280,Get-AppvClientConfiguration,00000000-0000-0000-0000-000000000000 +ClientProgrammability.SetAppvClientConfigurationTask,281,Set-AppvClientConfiguration,00000000-0000-0000-0000-000000000000 
+ClientProgrammability.SendAppvClientReportTask,291,Send-AppvClientReport,00000000-0000-0000-0000-000000000000 +ClientProgrammability.EnableAppvTask,292,Enable-AppV,00000000-0000-0000-0000-000000000000 +ClientProgrammability.DisableAppvTask,293,Disable-AppV,00000000-0000-0000-0000-000000000000 +ClientService.ServiceStartup,301,ServiceStartup,00000000-0000-0000-0000-000000000000 +ClientService.ControllerStartup,302,ControllerStartup,00000000-0000-0000-0000-000000000000 +ClientService.ControllerRun,303,ControllerRun,00000000-0000-0000-0000-000000000000 +ClientService.ServiceShutdown,304,ServiceShutdown,00000000-0000-0000-0000-000000000000 +ClientService.ControllerStop,305,ControllerStop,00000000-0000-0000-0000-000000000000 +ClientService.ControllerShutdown,306,ControllerShutdown,00000000-0000-0000-0000-000000000000 +ClientService.ControllerUserLogon,307,ControllerUserLogon,00000000-0000-0000-0000-000000000000 +ClientService.ControllerUserLogoff,308,ControllerUserLogoff,00000000-0000-0000-0000-000000000000 +ClientService.QueueClientEvent,309,QueueClientEvent,00000000-0000-0000-0000-000000000000 +ClientService.GlobalMaintenance,310,GlobalMaintenance,00000000-0000-0000-0000-000000000000 +ClientService.GlobalMaintenanceComponent,311,GlobalMaintenanceComponent,00000000-0000-0000-0000-000000000000 +ClientService.UserMaintenance,312,UserMaintenance,00000000-0000-0000-0000-000000000000 +ClientService.UserMaintenanceComponent,313,UserMaintenanceComponent,00000000-0000-0000-0000-000000000000 +ClientUX.ReloadDataOperation,401,ReloadData,00000000-0000-0000-0000-000000000000 +ClientUX.LoadCommand,402,Load,00000000-0000-0000-0000-000000000000 +ClientUX.CancelLoadCommand,403,CancelLoad,00000000-0000-0000-0000-000000000000 +ClientUX.PublishingRefreshCommand,404,PublishingRefresh,00000000-0000-0000-0000-000000000000 +ClientUX.GetPackagesOperation,405,GetPackages,00000000-0000-0000-0000-000000000000 
+ClientUX.GetConnectionGroupsOperation,406,GetConnectionGroups,00000000-0000-0000-0000-000000000000 +ClientUX.RepairCommand,407,GetConnectionGroups,00000000-0000-0000-0000-000000000000 +ClientUX.LoadAllPackagesCommand,408,LoadAllPackages,00000000-0000-0000-0000-000000000000 +ClientUX.ToggleOnlineModeCommand,409,ToggleOnlineMode,00000000-0000-0000-0000-000000000000 +ClientUX.GetPublishingServersOperation,410,GetPublishingServers,00000000-0000-0000-0000-000000000000 +ClientUX.SetPackageIsInConnectionGroupOperation,411,SetPackageIsInConnectionGroup,00000000-0000-0000-0000-000000000000 +ClientUX.GetConfigurationOperation,412,GetConfiguration,00000000-0000-0000-0000-000000000000 +ClientUX.SetConfigurationOperation,413,SetConfiguration,00000000-0000-0000-0000-000000000000 +Scripting.VirtualEnvironmentCreatedFinalize,503,VirtualEnvironmentCreatedFinalize,00000000-0000-0000-0000-000000000000 +Scripting.VirtualProcessCreatedFinalize,504,VirtualProcessCreatedFinalize,00000000-0000-0000-0000-000000000000 +Scripting.VirtualProcessTerminated,505,VirtualProcessTerminated,00000000-0000-0000-0000-000000000000 +Scripting.VirtualEnvironmentTerminated,506,VirtualEnvironmentTerminated,00000000-0000-0000-0000-000000000000 +Scripting.UnpublishPackage,507,UnpublishPackage,00000000-0000-0000-0000-000000000000 +Scripting.RemovePackage,508,RemovePackage,00000000-0000-0000-0000-000000000000 +Scripting.ConfigurePackageFinalize,509,ConfigurePackageFinalize,00000000-0000-0000-0000-000000000000 +Scripting.PublishPackageFinalize,510,PublishPackageFinalize,00000000-0000-0000-0000-000000000000 +IsvApi.IsvStartup,601,IsvStartup,00000000-0000-0000-0000-000000000000 +IsvApi.IsvShutdown,602,IsvShutdown,00000000-0000-0000-0000-000000000000 +IsvApi.ControllerStartup,603,ControllerStartup,00000000-0000-0000-0000-000000000000 +IsvApi.ControllerRun,604,ControllerRun,00000000-0000-0000-0000-000000000000 +IsvApi.ControllerUserLogon,605,ControllerUserLogon,00000000-0000-0000-0000-000000000000 
+IsvApi.ControllerUserLogoff,606,ControllerUserLogoff,00000000-0000-0000-0000-000000000000 +IsvApi.ControllerStop,607,ControllerStop,00000000-0000-0000-0000-000000000000 +IsvApi.ControllerShutdown,608,ControllerShutdown,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestCreateManifestDocumentFromDocument,701,ManifestCreateManifestDocumentFromDocument,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestCreateManifestDocumentFromFile,702,ManifestCreateManifestDocumentFromFile,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestCreateManifestDocumentFromXML,703,ManifestCreateManifestDocumentFromXML,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppXNamespace,704,ManifestValidateAppXNamespace,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppXNamespaceSave,705,ManifestValidateAppXNamespaceSave,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppXNamespaceCreateManifestReader,706,ManifestValidateAppXNamespaceCreateManifestReader,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppVNamespace,707,ManifestValidateAppVNamespace,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateUsingClientConfigOnly,708,ManifestValidateUsingClientConfigOnly,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppVNamespaceApplyTransformCleanupAppX,709,ManifestValidateAppVNamespaceApplyTransformCleanupAppX,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppVNamespaceApplyTransformNormalize,710,ManifestValidateAppVNamespaceApplyTransformNormalize,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestValidateAppVNamespaceApplySchemas,711,ManifestValidateAppVNamespaceApplySchemas,00000000-0000-0000-0000-000000000000 +ManifestLibrary.ManifestNormalizeManifest,712,ManifestNormalizeManifest,00000000-0000-0000-0000-000000000000 
+ManifestLibrary.ManifestPrepareOutputDocument,713,ManifestPrepareOutputDocument,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.DriverLoad,801,VEMgr Driver Load,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.DriverUnload,802,VEMgr Driver Unload,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.AddPackage,803,VEMgr Add Package,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.RemovePackage,804,VEMgr Remove Package,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.AddUser,805,VEMgr Add User,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.RemoveUser,806,VEMgr Remove User,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.ProcessLaunch,807,VEMgr Process Launch,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.ProcessShutdown,808,VEMgr Process Shutdown,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.LookupProcess,809,VEMgr Lookup Process,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.LookupProcessEx,810,VEMgr Lookup Process Ex,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.AddPackageGroup,811,Add Package Group,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.RemovePackageGroup,812,Remove Package Group,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.JITVProcessStart,813,JITV Process Start,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.GlobalPublish,814,Global Publishing,00000000-0000-0000-0000-000000000000 +Mav-VEMgr.GlobalUnpublish,815,Global Unpublishing,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreCreate,901,PreCreate,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreCleanup,902,PreCleanup,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreWrite,903,PreWrite,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreDirectoryCtrl,904,PreDirectoryCtrl,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreSetInfo,905,PreSetInfo,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreSetSecurity,906,PreSetSecurity,00000000-0000-0000-0000-000000000000 +Mav-Vfsc.PerfPreAcquireForSection,907,PreAcquireForSection,00000000-0000-0000-0000-000000000000 
+Orchestration.ComponentStartup,1001,ComponentStartup,00000000-0000-0000-0000-000000000000 +Orchestration.ComponentRun,1002,ComponentRun,00000000-0000-0000-0000-000000000000 +Orchestration.ComponentStop,1003,ComponentStop,00000000-0000-0000-0000-000000000000 +Orchestration.ComponentShutdown,1004,ComponentShutdown,00000000-0000-0000-0000-000000000000 +Orchestration.ComponentUserLogon,1005,ComponentUserLogon,00000000-0000-0000-0000-000000000000 +Orchestration.ComponentUserLogoff,1006,ComponentUserLogoff,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackage,1007,ConfigurePackage,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageComponent,1008,ConfigurePackageComponent,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageFinalize,1009,ConfigurePackageFinalize,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageFinalizeComponent,1010,ConfigurePackageFinalizeComponent,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageComplete,1011,ConfigurePackageComplete,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageCompleteComponent,1012,ConfigurePackageCompleteComponent,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackage,1013,PublishPackage,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageComponent,1014,PublishPackageComponent,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageFinalize,1015,PublishPackageFinalize,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageFinalizeComponent,1016,PublishPackageFinalizeComponent,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageComplete,1017,PublishPackageComplete,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageCompleteComponent,1018,PublishPackageCompleteComponent,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageGroup,1019,ConfigurePackageGroup,00000000-0000-0000-0000-000000000000 
+Orchestration.ConfigurePackageGroupComponent,1020,ConfigurePackageGroupComponent,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageGroupFinalize,1021,ConfigurePackageGroupFinalize,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageGroupFinalizeComponent,1022,ConfigurePackageGroupFinalizeComponent,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageGroupComplete,1023,ConfigurePackageGroupComplete,00000000-0000-0000-0000-000000000000 +Orchestration.ConfigurePackageGroupCompleteComponent,1024,ConfigurePackageGroupCompleteComponent,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageGroup,1025,PublishPackageGroup,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageGroupComponent,1026,PublishPackageGroupComponent,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageGroupFinalize,1027,PublishPackageGroupFinalize,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageGroupFinalizeComponent,1028,PublishPackageGroupFinalizeComponent,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageGroupComplete,1029,PublishPackageGroupComplete,00000000-0000-0000-0000-000000000000 +Orchestration.PublishPackageGroupCompleteComponent,1030,PublishPackageGroupCompleteComponent,00000000-0000-0000-0000-000000000000 +Orchestration.CoordinateActivity,1031,CoordinateActivity,00000000-0000-0000-0000-000000000000 +PublishingClient.prfActivity,1100,Publishing Activity,00000000-0000-0000-0000-000000000000 +PublishingClient.prfDownloadPackageList,1102,Download package list,00000000-0000-0000-0000-000000000000 +PublishingClient.prfDownloadPolicy,1103,Download policy,00000000-0000-0000-0000-000000000000 +PublishingClient.prfDownloadMachinePolicy,1104,Download machine policy,00000000-0000-0000-0000-000000000000 +PublishingClient.prfRefreshPackages,1110,Refresh packages,00000000-0000-0000-0000-000000000000 +PublishingClient.prfConfigurePackage,1111,Configure a 
package,00000000-0000-0000-0000-000000000000 +PublishingClient.prfPublishPackage,1112,Publish a package,00000000-0000-0000-0000-000000000000 +PublishingClient.prfUnPublishPackages,1113,Unpublish packages,00000000-0000-0000-0000-000000000000 +PublishingClient.prfUnPublishPackage,1114,Unpublish a package,00000000-0000-0000-0000-000000000000 +PublishingClient.prfRefreshGroups,1120,Refresh Groups,00000000-0000-0000-0000-000000000000 +PublishingClient.prfConfigureGroup,1121,Configure a Group,00000000-0000-0000-0000-000000000000 +PublishingClient.prfPublishGroup,1122,Publish a Group,00000000-0000-0000-0000-000000000000 +PublishingClient.prfUnPublishGroups,1123,Unpublish Groups,00000000-0000-0000-0000-000000000000 +PublishingClient.prfUnPublishGroup,1124,Unpublish a Group,00000000-0000-0000-0000-000000000000 +RegistryStaging.ServiceStartRuntime,1201,Registry Staging service start runtime,00000000-0000-0000-0000-000000000000 +RegistryStaging.ProcessStartRuntime,1202,Registry Staging process start runtime,00000000-0000-0000-0000-000000000000 +RegistryStaging.ServiceStopRuntime,1203,Registry Staging service stop runtime,00000000-0000-0000-0000-000000000000 +RegistryStaging.ProcessStopRuntime,1204,Registry Staging process stop runtime,00000000-0000-0000-0000-000000000000 +RegistryStaging.StageKeyOnDemand,1205,Stage key on demand,00000000-0000-0000-0000-000000000000 +RegistryStaging.StageKeyBackground,1206,Stage key in the background,00000000-0000-0000-0000-000000000000 +RegistryStaging.StagePolicyXMLs,1207,Stage all policy XMLs,00000000-0000-0000-0000-000000000000 +RegistryStaging.StagePackages,1208,Stage all packages,00000000-0000-0000-0000-000000000000 +RegistryStaging.StageSinglePackage,1209,Stage a single package,00000000-0000-0000-0000-000000000000 +RegistryNotification.EnumerateSettingChangesTask,1301,Enumerate setting changes,00000000-0000-0000-0000-000000000000 +RegistryNotification.SendChangeNotificationTask,1302,Send change 
notifications,00000000-0000-0000-0000-000000000000 +FTA.Packaging,1401,Packaging,00000000-0000-0000-0000-000000000000 +FTA.ShellNotifyFtaAssocChanged,1402,ShellNotifyFtaAssocChanged,00000000-0000-0000-0000-000000000000 +Integration.NotifyFta,1501,NotifyFta,00000000-0000-0000-0000-000000000000 +Integration.NotifyShortcutAdded,1502,NotifyShortcutAdded,00000000-0000-0000-0000-000000000000 +Integration.NotifyShortcutRemoved,1503,NotifyShortcutRemoved,00000000-0000-0000-0000-000000000000 +Integration.NotifyStopProxy,1504,NotifyStopProxy,00000000-0000-0000-0000-000000000000 +Integration.NotifyCancelAllPending,1505,NotifyCancelAllPending,00000000-0000-0000-0000-000000000000 +Integration.NotifyStartProxy,1506,NotifyStartProxy,00000000-0000-0000-0000-000000000000 +Integration.NotifyShortcutUnpin,1507,NotifyShortcutUnpin,00000000-0000-0000-0000-000000000000 +Integration.Initialize,1508,Initialize,00000000-0000-0000-0000-000000000000 +Integration.InitializeISV,1509,InitializeISV,00000000-0000-0000-0000-000000000000 +Integration.Deinitialize,1510,Deinitialize,00000000-0000-0000-0000-000000000000 +Integration.Stop,1511,Stop,00000000-0000-0000-0000-000000000000 +Integration.UserLogon,1512,UserLogon,00000000-0000-0000-0000-000000000000 +Integration.UserLogoff,1513,UserLogoff,00000000-0000-0000-0000-000000000000 +Integration.HandleActivity,1514,HandleActivity,00000000-0000-0000-0000-000000000000 +Integration.PublishPackage,1515,PublishPackage,00000000-0000-0000-0000-000000000000 +Integration.PublishPackageFinalize,1516,PublishPackageFinalize,00000000-0000-0000-0000-000000000000 +Integration.PublishPackageComplete,1517,PublishPackageComplete,00000000-0000-0000-0000-000000000000 +Integration.PublishPackageUndo,1518,PublishPackageUndo,00000000-0000-0000-0000-000000000000 +Integration.UnpublishPackage,1519,UnpublishPackage,00000000-0000-0000-0000-000000000000 +Integration.ReintegratePackage,1520,ReintegratePackage,00000000-0000-0000-0000-000000000000 
+Integration.ReintegrateVirtualApplications,1521,ReintegrateVirtualApplications,00000000-0000-0000-0000-000000000000 +Integration.TransactionExecute,1522,TransactionExecute,00000000-0000-0000-0000-000000000000 +Integration.TransactionFinalize,1523,TransactionExecute,00000000-0000-0000-0000-000000000000 +Integration.TransactionComplete,1524,TransactionComplete,00000000-0000-0000-0000-000000000000 +Integration.TransactionUndo,1525,TransactionUndo,00000000-0000-0000-0000-000000000000 +Integration.TransactionBeginCancel,1526,TransactionBeginCancel,00000000-0000-0000-0000-000000000000 +Integration.TransactionEndCancel,1527,TransactionEndCancel,00000000-0000-0000-0000-000000000000 +Integration.DeserializeExtensions,1528,DeserializeExtensions,00000000-0000-0000-0000-000000000000 +Integration.DeserializeExtensionsFromManifest,1529,DeserializeExtensionsFromManifest,00000000-0000-0000-0000-000000000000 +Integration.DeserializeExtensionsFromDepConfig,1530,DeserializeExtensionsFromDepConfig,00000000-0000-0000-0000-000000000000 +Integration.DeserializeExtensionsFromUserConfig,1531,DeserializeExtensionsFromUserConfig,00000000-0000-0000-0000-000000000000 +Integration.DeserializeExtensionsApplyPolicies,1532,DeserializeExtensionsApplyPolicies,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageMachinePolicyDocumentFromDefault,1601,CreatePackageMachinePolicyDocumentFromDefault,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageMachinePolicyDocumentFromXML,1602,CreatePackageMachinePolicyDocumentFromXML,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageMachinePolicyDocumentFromFile,1603,CreatePackageMachinePolicyDocumentFromFile,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageUserPolicyDocumentFromDefault,1604,CreatePackageUserPolicyDocumentFromDefault,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageUserPolicyDocumentFromXML,1605,CreatePackageUserPolicyDocumentFromXML,00000000-0000-0000-0000-000000000000 
+Policy.CreatePackageUserPolicyDocumentFromFile,1606,CreatePackageUserPolicyDocumentFromFile,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageGroupDescriptorDocumentFromXML,1611,CreatePackageGroupDescriptorDocumentFromXML,00000000-0000-0000-0000-000000000000 +Policy.CreatePackageGroupDescriptorDocumentFromFile,1612,CreatePackageGroupDescriptorDocumentFromFile,00000000-0000-0000-0000-000000000000 +Policy.CreatePublishingDescriptorDocumentFromFile,1613,CreatePublishingDescriptorDocumentFromFile,00000000-0000-0000-0000-000000000000 +Policy.CreatePublishingDescriptorDocumentFromXML,1614,CreatePublishingDescriptorDocumentFromXML,00000000-0000-0000-0000-000000000000 +Reporting.Activity,1700,Reporting Activity,00000000-0000-0000-0000-000000000000 +Reporting.VirtualEnvironmentCreated,1701,Virtual Environment Created Activity,00000000-0000-0000-0000-000000000000 +Reporting.VirtualEnvironmentTerminated,1702,Virtual Environment Terminated Activity,00000000-0000-0000-0000-000000000000 +Reporting.VirtualProcessCreated,1703,Virtual Process Created Activity,00000000-0000-0000-0000-000000000000 +Reporting.VirtualProcessTerminated,1704,Virtual Process Created Activity,00000000-0000-0000-0000-000000000000 +Reporting.UploadReportingData,1705,Upload Reporting Data Activity,00000000-0000-0000-0000-000000000000 +Reporting.SendReportingData,1706,Send Reporting Data Activity,00000000-0000-0000-0000-000000000000 +Reporting.VirtualProcessLaunchFailure,1707,Virtual Process Launch Failure Activity,00000000-0000-0000-0000-000000000000 +Shortcut.ShellNotifyRpcServer,1801,ShellNotifyRpcServer,00000000-0000-0000-0000-000000000000 +Shortcut.ShellNotifyPath,1802,ShellNotifyPath,00000000-0000-0000-0000-000000000000 +Shortcut.ShellNotifyAddShortcut,1803,ShellNotifyAddShortcut,00000000-0000-0000-0000-000000000000 +Shortcut.ShellNotifyRemoveShortcut,1804,ShellNotifyRemoveShortcut,00000000-0000-0000-0000-000000000000 
+Shortcut.ShellNotifyUnpinShortcut,1805,ShellNotifyUnpinShortcut,00000000-0000-0000-0000-000000000000 +Strm.crtmsg,1900,Create file message task.,00000000-0000-0000-0000-000000000000 +Strm.writemsg,1901,Write file message task.,00000000-0000-0000-0000-000000000000 +Strm.querymsg,1902,Query file allocation message task.,00000000-0000-0000-0000-000000000000 +Strm.irpcreate,1903,IRP_MJ_CREATE task.,00000000-0000-0000-0000-000000000000 +Strm.irpread,1904,IRP_MJ_READ task.,00000000-0000-0000-0000-000000000000 +Strm.streamfault,1905,Stream fault task.,00000000-0000-0000-0000-000000000000 +Strm.loadfilefault,1906,load file task.,00000000-0000-0000-0000-000000000000 +Strm.stagedir,1907,Stage directory task.,00000000-0000-0000-0000-000000000000 +StrmMgr.Activity,2000,Streaming Manager activity processing.,00000000-0000-0000-0000-000000000000 +StrmMgr.Startup,2001,Streaming Manager startup task.,00000000-0000-0000-0000-000000000000 +StrmMgr.Run,2002,Streaming Manager run task.,00000000-0000-0000-0000-000000000000 +StrmMgr.Shutdown,2003,Streaming Manager shutting down task.,00000000-0000-0000-0000-000000000000 +StrmMgr.LogOn,2004,User Logon.,00000000-0000-0000-0000-000000000000 +StrmMgr.LogOff,2005,User logoff.,00000000-0000-0000-0000-000000000000 +StrmMgr.Stop,2006,Streaming Manager stopping task.,00000000-0000-0000-0000-000000000000 +StrmMgr.ConfigPkg,2007,HandleConfigurePackage,00000000-0000-0000-0000-000000000000 +StrmMgr.ConfigPkgUndo,2008,HandleConfigurePackageUndo,00000000-0000-0000-0000-000000000000 +StrmMgr.RemovePkg,2009,HandleRemovePackage,00000000-0000-0000-0000-000000000000 +StrmMgr.PkgLoad,2010,HandlePackageLoadActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.PkgLoadRanges,2011,HandleConfigurePackageLoadRangesActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.PkgCancelLoad,2012,HandlePackageCancelLoadActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.ReqSessionLookup,2013,Filter request session lookup.,00000000-0000-0000-0000-000000000000 
+StrmMgr.ConfigurePkgGroup,2015,HandleConfigurePackageGroupActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.RemovePkgGroup,2016,HandleRemovePackageGroupActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.VECreated,2017,HandleVirtualEnvironmentCreatedActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.VECreatedComplete,2018,HandleVirtualEnvironmentCreatedCompleteActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.PkgBytesLoaded,2019,HandleGetPackageBytesLoadedActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.PublishPkgComplete,2020,HandlePublishPackageCompleteActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.UnpublishPkg,2021,HandleUnpublishPackageActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.PkgAttributes,2022,HandleGetPackageStreamingAttributes,00000000-0000-0000-0000-000000000000 +StrmMgr.PublishPkg,2023,HandlePublishPackageActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.PublishPkgUndo,2024,HandlePublishPackageUndoActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.VirtualEnvironmentTerminated,2025,HandleVirtualEnvironmentTerminatedActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.SettingChanged,2026,HandleSettingChangedActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.SessionConnect,2027,SessionConnect,00000000-0000-0000-0000-000000000000 +StrmMgr.PackageIndexInitialize,2028,PackageIndexInitialize,00000000-0000-0000-0000-000000000000 +StrmMgr.GetPackageGUIDsFromURL,2029,GetPackageGUIDsFromURLActivity,00000000-0000-0000-0000-000000000000 +StrmMgr.FeatureBlockLoad,2030,FeatureBlockLoad,00000000-0000-0000-0000-000000000000 +Tran.StreamContent,2100,Transport Stream Content operation,00000000-0000-0000-0000-000000000000 +Tran.GetAttributes,2101,Transport get attributes operation,00000000-0000-0000-0000-000000000000 +Tran.RunRequest,2102,Transport run request operation,00000000-0000-0000-0000-000000000000 +Tran.CancelRequest,2103,Transport cancel request operation,00000000-0000-0000-0000-000000000000 
+VSC.NewVE,2201,NewVE Task.,00000000-0000-0000-0000-000000000000 +VSC.TerminateVE,2202,TerminateVE Task.,00000000-0000-0000-0000-000000000000 +VSC.AddProcessToVE,2203,AddProcessToVE Task.,00000000-0000-0000-0000-000000000000 +VSC.RemoveProcessFromVE,2204,RemoveProcessFromVE Task.,00000000-0000-0000-0000-000000000000 +VSC.InjectDll,2205,InjectDll Task.,00000000-0000-0000-0000-000000000000 +VSC.StartSubsystemRuntime,2206,StartSubsystemRuntime Task.,00000000-0000-0000-0000-000000000000 +VSC.StopSubsystemRuntime,2207,StopSubsystemRuntime Task.,00000000-0000-0000-0000-000000000000 +VSC.Startup,2208,Startup Task.,00000000-0000-0000-0000-000000000000 +VSC.Run,2209,Run Task.,00000000-0000-0000-0000-000000000000 +VSC.Stop,2210,Stop Task.,00000000-0000-0000-0000-000000000000 +VSC.Shutdown,2211,Shutdown Task.,00000000-0000-0000-0000-000000000000 +VSC.HandleActivity,2212,HandleActivityTask.,00000000-0000-0000-0000-000000000000 +VSC.InjectChildProcess,2213,Handle inject dll to a child process.,00000000-0000-0000-0000-000000000000 +VSC.InjectModuleIntoModule,2214,InjectModuleIntoModule Task.,00000000-0000-0000-0000-000000000000 +VSC.StartSubsystemProcessRuntimes,2215,VSC.StartSubsystemProcessRuntimes,00000000-0000-0000-0000-000000000000 +VSC.StopSubsystemProcessRuntimes,2216,VSC.StopSubsystemProcessRuntimes,00000000-0000-0000-0000-000000000000 +VENV.ServiceDllAttach,2250,VENV.ServiceDllAttach,00000000-0000-0000-0000-000000000000 +VENV.ProcessDllAttach,2251,VENV.ProcessDllAttach,00000000-0000-0000-0000-000000000000 +VENV.ServiceDllDetach,2252,VENV.ServiceDllDetach,00000000-0000-0000-0000-000000000000 +VENV.ProcessDllDetach,2253,VENV.ProcessDllDetach,00000000-0000-0000-0000-000000000000 +VENV.ServiceStartRuntime,2254,VENV.ServiceStartRuntime,00000000-0000-0000-0000-000000000000 +VENV.ProcessStartRuntime,2255,VENV.ProcessStartRuntime,00000000-0000-0000-0000-000000000000 +VENV.ServiceStopRuntime,2256,VENV.ServiceStopRuntime,00000000-0000-0000-0000-000000000000 
+VENV.ProcessStopRuntime,2257,VENV.ProcessStopRuntime,00000000-0000-0000-0000-000000000000 +VENV.ServiceReadXML,2258,VENV.ServiceReadXML,00000000-0000-0000-0000-000000000000 +VENV.ServiceLoadEnvVarList,2259,VENV.ServiceLoadEnvVarList,00000000-0000-0000-0000-000000000000 +VENV.ProcessRetrieveEnvVar,2260,VENV.ProcessRetrieveEnvVar,00000000-0000-0000-0000-000000000000 +VENV.ProcessWriteEnvVar,2261,VENV.ProcessWriteEnvVar,00000000-0000-0000-0000-000000000000 +VENV.CreateProcess,2262,VENV.CreateProcess,00000000-0000-0000-0000-000000000000 +VFS.ServiceStartRuntime,2301,VFS service start runtime,00000000-0000-0000-0000-000000000000 +VFS.ProcessStartRuntime,2302,VFS process start runtime,00000000-0000-0000-0000-000000000000 +VFS.ServiceStopRuntime,2303,VFS service stop runtime,00000000-0000-0000-0000-000000000000 +VFS.ProcessStopRuntime,2304,VFS process stop runtime,00000000-0000-0000-0000-000000000000 +VFS.ProcessGetConfiguration,2305,VFS process get configuration,00000000-0000-0000-0000-000000000000 +VFS.CreateFile,2400,VFS create file,00000000-0000-0000-0000-000000000000 +VFS.CloseHandle,2411,VFS close handle,00000000-0000-0000-0000-000000000000 +VFS.QueryAttributesFile,2412,VFS query attributes file,00000000-0000-0000-0000-000000000000 +VFS.QueryFullAttributesFile,2413,VFS query full attributes file,00000000-0000-0000-0000-000000000000 +VFS.QueryDirectoryFile,2414,VFS query directory file,00000000-0000-0000-0000-000000000000 +VFS.DeleteFile,2415,VFS delete file,00000000-0000-0000-0000-000000000000 +VFS.SetInfoFileDelete,2416,VFS SetInformationFile delete request,00000000-0000-0000-0000-000000000000 +VFS.SetInfoFileRename,2417,VFS SetInformationFile rename request,00000000-0000-0000-0000-000000000000 +VFS.CreateActCtxA,2418,VFS CreateActCtxA request,00000000-0000-0000-0000-000000000000 +VFS.CreateActCtxW,2419,VFS CreateActCtxW request,00000000-0000-0000-0000-000000000000 +VIRTMAN.Activity,2501,Activity Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 
+VIRTMAN.Notification,2502,Notification Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VIRTMAN.Startup,2503,Startup Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VIRTMAN.Run,2504,Run Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VIRTMAN.Stop,2505,Stop Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VIRTMAN.Shutdown,2506,Shutdown Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VIRTMAN.InjectNotification,2507,Inject Notification Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VIRTMAN.PublishRoaming,2508,Publish Roaming Task.VIRTMAN.,00000000-0000-0000-0000-000000000000 +VReg.ServiceStartRuntime,2601,VReg.ServiceStartRuntime,00000000-0000-0000-0000-000000000000 +VReg.ProcessStartRuntime,2602,VReg.ProcessStartRuntime,00000000-0000-0000-0000-000000000000 +VReg.ServiceStopRuntime,2603,VReg.ServiceStopRuntime,00000000-0000-0000-0000-000000000000 +VReg.ProcessStopRuntime,2604,VReg.ProcessStopRuntime,00000000-0000-0000-0000-000000000000 +VReg.CreateKey,2610,VReg.CreateKey,00000000-0000-0000-0000-000000000000 +VReg.OpenKey,2611,VReg.OpenKey,00000000-0000-0000-0000-000000000000 +VReg.EnumKey,2612,VReg.EnumKey,00000000-0000-0000-0000-000000000000 +VReg.QueryKey,2613,VReg.QueryKey,00000000-0000-0000-0000-000000000000 +VReg.SetInformationKey,2614,VReg.SetInformationKey,00000000-0000-0000-0000-000000000000 +VReg.DeleteKey,2615,VReg.DeleteKey,00000000-0000-0000-0000-000000000000 +VReg.RenameKey,2616,VReg.RenameKey,00000000-0000-0000-0000-000000000000 +VReg.FlushKey,2617,VReg.FlushKey,00000000-0000-0000-0000-000000000000 +VReg.NotifyChangeKey,2618,VReg.NotifyChangeKey,00000000-0000-0000-0000-000000000000 +VReg.NotifyChangeMultipleKeys,2619,VReg.NotifyChangeMultipleKeys,00000000-0000-0000-0000-000000000000 +VReg.EnumValue,2620,VReg.EnumValue,00000000-0000-0000-0000-000000000000 +VReg.QueryValue,2621,VReg.QueryValue,00000000-0000-0000-0000-000000000000 +VReg.QueryMultipleValues,2622,VReg.QueryMultipleValues,00000000-0000-0000-0000-000000000000 
+VReg.SetValue,2623,VReg.SetValue,00000000-0000-0000-0000-000000000000 +VReg.DeleteValue,2624,VReg.DeleteValue,00000000-0000-0000-0000-000000000000 +VReg.CloseKey,2625,VReg.CloseKey,00000000-0000-0000-0000-000000000000 +VReg.QuerySecurity,2626,VReg.QuerySecurity,00000000-0000-0000-0000-000000000000 +VReg.SetSecurity,2627,VReg.SetSecurity,00000000-0000-0000-0000-000000000000 +VReg.QueryObject,2628,VReg.QueryObject,00000000-0000-0000-0000-000000000000 +VReg.DuplicateObject,2629,VReg.DuplicateObject,00000000-0000-0000-0000-000000000000 +VShell.StartupRuntime,2701,VShell.StartupRuntime,00000000-0000-0000-0000-000000000000 +VShell.ShutdownRuntime,2702,VShell.ShutdownRuntime,00000000-0000-0000-0000-000000000000 +VShell.StartupProcessRuntime,2703,VShell.StartupProcessRuntime,00000000-0000-0000-0000-000000000000 +VShell.ShutdownProcessRuntime,2704,VShell.ShutdownProcessRuntime,00000000-0000-0000-0000-000000000000 +VShell.SetAppUserModelID,2705,VShell.SetAppUserModelID,00000000-0000-0000-0000-000000000000 +VIRTAPPS.Packaging,2801,Packaging,00000000-0000-0000-0000-000000000000 +VIRTAPPS.ManifestWrite,2802,Manifest Write,00000000-0000-0000-0000-000000000000 +VIRTAPPS.ManifestWrite_VirtualApplication,2803,Manifest Write - Virtual Application,00000000-0000-0000-0000-000000000000 +VIRTAPPS.Publishing_DeserializeManifest,2804,Publishing - Deserialize Manifest,00000000-0000-0000-0000-000000000000 +VIRTAPPS.Publishing_PublishEp,2805,Publishing - Publish EP,00000000-0000-0000-0000-000000000000 +VIRTAPPS.Publishing_UnpublishEp,2806,Publishing - Unpublish EP,00000000-0000-0000-0000-000000000000 +VIRTAPPS.Publishing_PublishPackage,2807,Publishing - Publish Package,00000000-0000-0000-0000-000000000000 +VIRTAPPS.Publishing_UnpublishPackage,2808,Publishing - Unpublish Package,00000000-0000-0000-0000-000000000000 +SHELLEX.Packaging,2901,Shell Extensions Packaging,00000000-0000-0000-0000-000000000000 +SHELLEX.ManifestWrite,2902,Shell Extensions Manifest 
Write,00000000-0000-0000-0000-000000000000 +SHELLEX.Publishing_DeserializeManifest,2903,Shell Extensions Publishing - Deserialize Manifest,00000000-0000-0000-0000-000000000000 +SHELLEX.Publishing_DeserializePolicy,2904,Shell Extensions Publishing - Deserialize Policy,00000000-0000-0000-0000-000000000000 +SHELLEX.Publishing_PublishEp,2905,Shell Extensions Publishing - Publish EP,00000000-0000-0000-0000-000000000000 +SHELLEX.Publishing_UnpublishEp,2906,Shell Extensions Publishing - Unpublish EP,00000000-0000-0000-0000-000000000000 +SHELLEX.Publishing_PublishPackage,2907,Shell Extensions Publishing - Publish Package,00000000-0000-0000-0000-000000000000 +SHELLEX.Publishing_UnpublishPackage,2908,Shell Extensions Publishing - Unpublish Package,00000000-0000-0000-0000-000000000000 +SHELLEX.ShellNotifyAssocChanged,2909,Shell Extensions Publishing - Sending AssocChanged notification to Shell,00000000-0000-0000-0000-000000000000 +PackageConfig.ConfigurePackage,3100,PackageConfig.ConfigurePackage,00000000-0000-0000-0000-000000000000 +PackageConfig.RemovePackage,3101,PackageConfig.RemovePackage,00000000-0000-0000-0000-000000000000 +PackageConfig.AddUserPackage,3102,PackageConfig.AddUserPackage,00000000-0000-0000-0000-000000000000 +PackageConfig.RemoveUserPackage,3103,PackageConfig.RemoveUserPackage,00000000-0000-0000-0000-000000000000 +PackageConfig.GetUserCowMappings,3104,PackageConfig.GetUserCowMappings,00000000-0000-0000-0000-000000000000 +PackageConfig.SendMappingsToDriver,3105,PackageConfig.SendMappingsToDriver,00000000-0000-0000-0000-000000000000 +PackageConfig.ConfigurePackageGroup,3106,PackageConfig.ConfigurePackageGroup,00000000-0000-0000-0000-000000000000 +PackageConfig.RemovePackageGroup,3107,PackageConfig.RemovePackageGroup,00000000-0000-0000-0000-000000000000 +PackageConfig.PublishGlobalPackage,3108,PackageConfig.PublishGlobalPackage,00000000-0000-0000-0000-000000000000 
+PackageConfig.UnpublishGlobalPackage,3109,PackageConfig.UnpublishGlobalPackage,00000000-0000-0000-0000-000000000000 +VFONTS.ServiceDllAttach,3200,VFONTS.ServiceDllAttach,00000000-0000-0000-0000-000000000000 +VFONTS.ProcessDllAttach,3201,VFONTS.ProcessDllAttach,00000000-0000-0000-0000-000000000000 +VFONTS.ServiceDllDetach,3202,VFONTS.ServiceDllDetach,00000000-0000-0000-0000-000000000000 +VFONTS.ProcessDllDetach,3203,VFONTS.ProcessDllDetach,00000000-0000-0000-0000-000000000000 +VFONTS.ServiceStartRuntime,3204,VFONTS.ServiceStartRuntime,00000000-0000-0000-0000-000000000000 +VFONTS.ProcessStartRuntime,3205,VFONTS.ProcessStartRuntime,00000000-0000-0000-0000-000000000000 +VFONTS.ServiceStopRuntime,3206,VFONTS.ServiceStopRuntime,00000000-0000-0000-0000-000000000000 +VFONTS.ProcessStopRuntime,3207,VFONTS.ProcessStopRuntime,00000000-0000-0000-0000-000000000000 +VFONTS.ServiceLoadFontList,3208,VFONTS.ServiceLoadFontList,00000000-0000-0000-0000-000000000000 +VFONTS.ProcessRetrieveFonts,3209,VFONTS.ProcessRetrieveFonts,00000000-0000-0000-0000-000000000000 +VFONTS.ProcessInstallFonts,3210,VFONTS.ProcessInstallFonts,00000000-0000-0000-0000-000000000000 +VObjects.ServiceDllAttach,3300,VObjects.ServiceDllAttach,00000000-0000-0000-0000-000000000000 +VObjects.ProcessDllAttach,3301,VObjects.ProcessDllAttach,00000000-0000-0000-0000-000000000000 +VObjects.ServiceDllDetach,3302,VObjects.ServiceDllDetach,00000000-0000-0000-0000-000000000000 +VObjects.ProcessDllDetach,3303,VObjects.ProcessDllDetach,00000000-0000-0000-0000-000000000000 +VObjects.ServiceStartRuntime,3304,VObjects.ServiceStartRuntime,00000000-0000-0000-0000-000000000000 +VObjects.ProcessStartRuntime,3305,VObjects.ProcessStartRuntime,00000000-0000-0000-0000-000000000000 +VObjects.ServiceStopRuntime,3306,VObjects.ServiceStopRuntime,00000000-0000-0000-0000-000000000000 +VObjects.ProcessStopRuntime,3307,VObjects.ProcessStopRuntime,00000000-0000-0000-0000-000000000000 
+VObjects.ServiceLoadExclusions,3308,VObjects.ServiceLoadExclusions,00000000-0000-0000-0000-000000000000 +VObjects.ProcessRetrieveExclusions,3309,VObjects.ProcessRetrieveExclusions,00000000-0000-0000-0000-000000000000 +VObjects.ServiceReadXML,3310,VObjects.ServiceReadXML,00000000-0000-0000-0000-000000000000 +VObjects.ProcessInitializeExclusions,3311,VObjects.ProcessInitializeExclusions,00000000-0000-0000-0000-000000000000 +VObjects.ProcessApplyHooks,3312,VObjects.ProcessApplyHooks,00000000-0000-0000-0000-000000000000 +VObjects.ProcessMapName,3313,VObjects.ProcessMapName,00000000-0000-0000-0000-000000000000 +VServices.ServiceDllAttach,3400,VServices.ServiceDllAttach,00000000-0000-0000-0000-000000000000 +VServices.ProcessDllAttach,3401,VServices.ProcessDllAttach,00000000-0000-0000-0000-000000000000 +VServices.ServiceDllDetach,3402,VServices.ServiceDllDetach,00000000-0000-0000-0000-000000000000 +VServices.ProcessDllDetach,3403,VServices.ProcessDllDetach,00000000-0000-0000-0000-000000000000 +VServices.ServiceStartRuntime,3404,VServices.ServiceStartRuntime,00000000-0000-0000-0000-000000000000 +VServices.ProcessStartRuntime,3405,VServices.ProcessStartRuntime,00000000-0000-0000-0000-000000000000 +VServices.ServiceStopRuntime,3406,VServices.ServiceStopRuntime,00000000-0000-0000-0000-000000000000 +VServices.ProcessStopRuntime,3407,VServices.ProcessStopRuntime,00000000-0000-0000-0000-000000000000 +VServices.ServiceAutoStartServices,3408,VServices.ServiceAutoStartServices,00000000-0000-0000-0000-000000000000 +VServices.ProcessRetrievePolicies,3409,VServices.ProcessRetrievePolicies,00000000-0000-0000-0000-000000000000 +VServices.ProcessApplyHooks,3410,VServices.ProcessApplyHooks,00000000-0000-0000-0000-000000000000 +AppPath.DeserializeManifest,3500,DeserializeManifest,00000000-0000-0000-0000-000000000000 +AppPath.DeserializePolicy,3501,DeserializePolicy,00000000-0000-0000-0000-000000000000 +AppPath.PublishEp,3502,PublishEp,00000000-0000-0000-0000-000000000000 
+AppPath.UnpublishEp,3503,UnpublishEp,00000000-0000-0000-0000-000000000000 +AppPath.PublishPackage,3504,PublishPackage,00000000-0000-0000-0000-000000000000 +AppPath.UnpublishPackage,3505,UnpublishPackage,00000000-0000-0000-0000-000000000000 +AppPath.Packaging,3506,Packaging,00000000-0000-0000-0000-000000000000 +AppPath.Packaging_ManifestWrite,3507,Packaging_ManifestWrite,00000000-0000-0000-0000-000000000000 +AppPath.Packaging_ManifestWrite_ExtensionPoint,3508,Packaging_ManifestWrite_ExtensionPoint,00000000-0000-0000-0000-000000000000 +Shortcuts.Packaging,3600,Packaging,00000000-0000-0000-0000-000000000000 +Shortcuts.Packaging.ManifestReading,3601,ManifestReading,00000000-0000-0000-0000-000000000000 +Shortcuts.Packaging.ManifestWriting,3602,ManifestWriting,00000000-0000-0000-0000-000000000000 +Shortcuts.Packaging.ParsingShortcutFiles,3603,ParsingShortcutFiles,00000000-0000-0000-0000-000000000000 +Shortcuts.Packaging.ParsingShortcutFilesSearchingForLinkFiles,3604,ParsingShortcutFilesSearchingForLinkFiles,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging,3700,Packaging,00000000-0000-0000-0000-000000000000 +SoftCli.PublishExtensionPoint,3701,PublishExtensionPoint,00000000-0000-0000-0000-000000000000 +SoftCli.UnpublishPackage,3702,UnpublishPackage,00000000-0000-0000-0000-000000000000 +SoftCli.PublishPackage,3703,PublishPackage,00000000-0000-0000-0000-000000000000 +SoftCli.DeserializePolicy,3704,DeserializePolicy,00000000-0000-0000-0000-000000000000 +SoftCli.DeserializeManifest,3705,DeserializeManifest,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingRegistryRead,3706,PackagingRegistryRead,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingBrowser,3707,PackagingBrowser,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingBrowserLocalMachine,3708,PackagingBrowserLocalMachine,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingBrowserCurrentUser,3709,PackagingBrowserCurrentUser,00000000-0000-0000-0000-000000000000 
+SoftCli.PackagingEmail,3710,PackagingEmail,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingEmailLocalMachine,3711,PackagingEmailLocalMachine,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingEmailCurrentUser,3712,PackagingEmailCurrentUser,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingMediaPlayer,3713,PackagingMediaPlayer,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingMediaPlayerLocalMachine,3714,PackagingMediaPlayerLocalMachine,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingMediaPlayerCurrentUser,3715,PackagingMediaPlayerCurrentUser,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingInstantMessaging,3716,PackagingInstantMessaging,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingInstantMessagingLocalMachine,3717,PackagingInstantMessagingLocalMachine.,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingInstantMessagingCurrentUser,3718,PackagingInstantMessagingCurrentUser,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingJavaVirtualMachine,3719,PackagingJavaVirtualMachine,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingJavaVirtualMachineLocalMachine,3720,PackagingJavaVirtualMachineLocalMachine,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingJavaVirtualMachineCurrentUser,3721,PackagingJavaVirtualMachineCurrentUser,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_Binding,3722,Packaging_Binding,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite,3723,Packaging_ManifestWrite,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_ExtensionPoint,3724,Packaging_ManifestWrite_ExtensionPoint,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_Browser,3725,Packaging_ManifestWrite_Browser,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_Email,3726,Packaging_ManifestWrite_Email,00000000-0000-0000-0000-000000000000 
+SoftCli.Packaging_ManifestWrite_MediaPlayer,3727,Packaging_ManifestWrite_MediaPlayer,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_InstantMessaging,3728,Packaging_ManifestWrite_InstantMessaging,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_JavaVirtualMachine,3729,Packaging_ManifestWrite_JavaVirtualMachine,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_ClientBase,3730,Packaging_ManifestWrite_ClientBase,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_InstallationInformation,3731,Packaging_ManifestWrite_InstallationInformation,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_ShellCommands,3732,Packaging_ManifestWrite_ShellCommands,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_MailToProtocol,3733,Packaging_ManifestWrite_MailToProtocol,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_RegistrationCommands,3734,Packaging_ManifestWrite_RegistrationCommands,00000000-0000-0000-0000-000000000000 +SoftCli.Packaging_ManifestWrite_OEMSettings,3735,Packaging_ManifestWrite_OEMSettings.,00000000-0000-0000-0000-000000000000 +SoftCli.Publishing_UnpublishExtensionPoint,3736,Publishing_UnpublishExtensionPoint,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingDefaultClients,3737,PackagingDefaultClients,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingDefaultClientsLocalMachine,3738,PackagingDefaultClientsLocalMachine,00000000-0000-0000-0000-000000000000 +SoftCli.PackagingDefaultClientsCurrentUser,3739,PackagingDefaultClientsCurrentUser,00000000-0000-0000-0000-000000000000 +SPAD.Packaging,3800,Packaging,00000000-0000-0000-0000-000000000000 +SPAD.ManifestRead,3801,ManifestRead,00000000-0000-0000-0000-000000000000 +SPAD.PolicyRead,3802,PolicyRead,00000000-0000-0000-0000-000000000000 +SPAD.Publishing,3803,Publishing,00000000-0000-0000-0000-000000000000 
+SPAD.Unpublishing,3804,Unpublishing,00000000-0000-0000-0000-000000000000 +UPH.Packaging,3900,Packaging,00000000-0000-0000-0000-000000000000 +UPH.ManifestRead,3901,ManifestRead,00000000-0000-0000-0000-000000000000 +UPH.PolicyRead,3902,PolicyRead,00000000-0000-0000-0000-000000000000 +UPH.Publishing,3903,Publishing,00000000-0000-0000-0000-000000000000 +UPH.Unpublishing,3904,Unpublishing,00000000-0000-0000-0000-000000000000 +BPI.Packaging,4000,Packaging,00000000-0000-0000-0000-000000000000 +BPI.ManifestRead,4001,ManifestRead,00000000-0000-0000-0000-000000000000 +BPI.PolicyRead,4002,PolicyRead,00000000-0000-0000-0000-000000000000 +BPI.Publishing,4003,Publishing,00000000-0000-0000-0000-000000000000 +BPI.Unpublishing,4004,Unpublishing,00000000-0000-0000-0000-000000000000 +AX.Packaging,4100,Packaging,00000000-0000-0000-0000-000000000000 +AX.ManifestRead,4101,ManifestRead,00000000-0000-0000-0000-000000000000 +AX.PolicyRead,4102,PolicyRead,00000000-0000-0000-0000-000000000000 +AX.Publishing,4103,Publishing,00000000-0000-0000-0000-000000000000 +AX.Unpublishing,4104,Unpublishing,00000000-0000-0000-0000-000000000000 +AX.ManifestSerialize,4105,ManifestSerialize,00000000-0000-0000-0000-000000000000 +AX.DeserializeManifest,4106,DeserializeManifest,00000000-0000-0000-0000-000000000000 +AX.DeserializePolicy,4107,DeserializePolicy,00000000-0000-0000-0000-000000000000 +AX.PublishPackage,4108,PublishPackage,00000000-0000-0000-0000-000000000000 +AX.UnpublishPackage,4109,UnpublishPackage,00000000-0000-0000-0000-000000000000 +AX.AssociateLowRights,4110,AssociateLowRights,00000000-0000-0000-0000-000000000000 +VCOM.ServiceDllAttach,4200,VCOM.ServiceDllAttach,00000000-0000-0000-0000-000000000000 +VCOM.ServiceDllDetach,4201,VCOM.ServiceDllDetach,00000000-0000-0000-0000-000000000000 +VCOM.ProcessDllAttach,4202,VCOM.ProcessDllAttach,00000000-0000-0000-0000-000000000000 +VCOM.ProcessDllDetach,4203,VCOM.ProcessDllDetach,00000000-0000-0000-0000-000000000000 
+VCOM.ServiceStartRuntime,4204,VCOM.ServiceStartRuntime,00000000-0000-0000-0000-000000000000 +VCOM.ServiceStopRuntime,4205,VCOM.ServiceStopRuntime,00000000-0000-0000-0000-000000000000 +VCOM.ProcessStartRuntime,4206,VCOM.ProcessStartRuntime,00000000-0000-0000-0000-000000000000 +VCOM.ProcessStopRuntime,4207,VCOM.ProcessStopRuntime,00000000-0000-0000-0000-000000000000 +VCOM.ServiceLoadGUIDMappings,4208,VCOM.ServiceLoadGUIDMappings,00000000-0000-0000-0000-000000000000 +VCOM.ServiceStoreGUIDMappings,4209,VCOM.ServiceStoreGUIDMappings,00000000-0000-0000-0000-000000000000 +VCOM.ProcessRetrievePolicies,4210,VCOM.ProcessRetrievePolicies,00000000-0000-0000-0000-000000000000 +VCOM.ProcessApplyHooks,4211,VCOM.ProcessApplyHooks,00000000-0000-0000-0000-000000000000 +COM.DeserializeManifest,4300,DeserializeManifest,00000000-0000-0000-0000-000000000000 +COM.DeserializePolicy,4301,DeserializePolicy.,00000000-0000-0000-0000-000000000000 +COM.PublishPackage,4302,PublishPackage,00000000-0000-0000-0000-000000000000 +COM.UnpublishPackage,4303,UnpublishPackage,00000000-0000-0000-0000-000000000000 +COM.PublishExtensionPoint,4304,PublishExtensionPoint,00000000-0000-0000-0000-000000000000 +COM.UnpublishExtensionPoint,4305,UnpublishExtensionPoint,00000000-0000-0000-0000-000000000000 +SQM.Logging,4400,Logging,00000000-0000-0000-0000-000000000000 +SxS.InstallAssembly,4500,InstallAssembly,00000000-0000-0000-0000-000000000000 +SxS.IsAssemblyInstalled,4501,IsAssemblyInstalled,00000000-0000-0000-0000-000000000000 +SxS.DeserializeExtensionPoints,4502,DeserializeExtensionPoints,00000000-0000-0000-0000-000000000000 +SxS.PublishPackage,4503,PublishPackage,00000000-0000-0000-0000-000000000000 +GamingServicesMessage,9001,Gaming Services,00000000-0000-0000-0000-000000000000 +GameFltMessage,9005,Gaming Services,00000000-0000-0000-0000-000000000000 +XvddMessage,9009,Gaming Services,00000000-0000-0000-0000-000000000000 +Mshtml_CView_InvalidateRect,56,,728e67f7-6514-48a0-a351-6c936de5516e 
+Mshtml_CView_InvalidateRgn,57,,9244d42d-0d70-4138-9aa3-a518adfaeded +Mshtml_CDoc_Invalidate,58,,e7b3844d-9ba7-4b33-9747-4d50ed2ddfa2 +Mshtml_CHTMLoad_Write,59,,98b28a59-bcdd-4ed3-b381-53da6249e974 +Mshtml_CWindow_SuperNavigate2,60,,37590ed7-ede5-49d8-9865-8acc6e69f793 +Mshtml_CImgHelper_RequestLayout,61,,2dddf0c2-6f5a-4770-8832-f6079c63e8c6 +Mshtml_HtmPre_Run,62,,4a5e5c1e-e03b-476d-9a3d-f471ab5047bd +Mshtml_CImgTaskExec,63,,03a5dff3-35f3-4d5d-8384-3b5570f6a815 +Mshtml_CImgTask_ReadYield,64,,bafe3296-1d5e-451c-8232-931efcb2d585 +Mshtml_CDwnTaskExec_ThreadExecBail,65,,76cc5f6b-c697-4dfc-af58-af1413a48a64 +Mshtml_CDwnTaskExec_ThreadExecRun,66,,bc7b650a-d25f-4b62-8a86-6229e0c10e6d +Mshtml_CWindow_Script,67,,9d5f58f2-da12-41cd-88ce-21fb3a6c05f7 +Mshtml_CWindow_CommitCodeLight,68,,59157b9e-820f-468c-87ae-335d79d1c703 +Mshtml_HtmPost_PostManExecute,69,,61ca4022-f990-4adb-adfd-b39ce7918fd3 +Mshtml_HtmPost_Exec,70,,3ecb1f76-955a-41d5-93bd-518b1efdc476 +Mshtml_CImgTask_Init,71,,5587ebf5-c623-4cf7-892d-eaa04f1ad35a +Mshtml_OnQuiescence,72,,dd5bce65-96f0-4677-8746-5a7800077d2e +Mshtml_OffscreenBufferCreated,73,,d587f680-b55b-4e1a-b3f5-f250ed34249e +Mshtml_CDoc_PaintRect,78,,6d9ced46-b175-49be-b066-0c8ad9162c3f +Mshtml_CElement_HandleMouseHoverForStyle,79,,39d91ea0-3940-470f-bacd-4f32f0f13f69 +Mshtml_CStorage_GetItem,80,,9bce746d-7444-4939-b6b3-ea226b579451 +Mshtml_CStorage_SetItem,81,,cae5f9fa-9d79-40c1-8e70-77b43881bdec +Mshtml_CStorage_RemoveItem,82,,124b91fa-4dd6-431a-949a-3b11c90e2ccf +Mshtml_CStorageHelper_CommitToDisk,83,,b650822f-76de-4a66-b113-0b260b56a92d +Mshtml_CStorageHelper_MergeFromDisk,84,,4f656bfd-026f-4a59-a622-de1979026c2a +Mshtml_CStorageListHelper_Load,85,,0c933dfd-cb94-4def-a2e1-3d9d678143ab +Mshtml_CStorageListHelper_Save,86,,561cb72e-24ac-4084-898f-97df604475ad +Mshtml_DOM_Marshalling_GetDispID,87,,d469a15d-0141-45a5-a0ff-dde388f3a406 +Mshtml_DOM_Marshalling_InvokeEx,88,,25a17500-6acd-4b43-805d-4fcd940adf27 
+Mshtml_DOM_Marshalling_Native,89,,a556061f-ad5c-4713-9a79-b825bd8662e2 +Mshtml_CSS_Parser,90,,f07397fc-ae33-4818-9763-f74a1203e3fc +Mshtml_FormatCalculation_ComputeFormats,91,,66f7d70e-128f-4540-a7d8-b22f25ae93ed +JScript_GC,92,,9799f65b-9484-4515-8262-b82c8853b496 +JScript_Parse,93,,d4f809cf-f27e-443e-9313-ac3e3847394e +JScript_Run,94,,f8e2c332-484f-42e6-ae5c-ad6ee8e19926 +Mshtml_Collections_EnsureAry,95,,51ee78af-26ea-466f-a2ac-22e7c5a315c1 +Mshtml_DOM_Expando,96,,7177d883-1a7f-4762-9080-22340cd4f383 +Mshtml_View_RenderView,97,,bb6b8879-8409-41e0-a4d5-43f9096c505a +Mshtml_View_OnViewQ,98,,7eab0166-6ae8-48ca-946d-7bd60ba4ab42 +Mshtml_View_OnViewD,99,,5fedbf73-b1ea-4d35-a62f-a6bbc0e4cf8a +Mshtml_CDwnInfo_CacheHit,126,,bcf76734-e935-4718-8ebe-8c0b76e979b8 +Mshtml_Image_Draw,127,,6526d653-e288-44d7-8dc6-4b26191bba1c +Mshtml_CImgInfo_Destroy,128,,e7aa8d06-95c7-4166-aa62-3ca4a4e52578 +Mshtml_Print_Document,129,,e736443b-7ea8-47b5-8708-e700cb7a4458 +Mshtml_Print_Page,130,,3d622c7b-cb4f-4804-abad-17f5da4f5b19 +Mshtml_Scroll_SetOffset,131,,293a5a4e-35d8-48c3-a7f9-768f1d4a9a88 +Mshtml_Scroll_Frame,132,,058aa077-236c-4432-9c16-58618cdb7c2b +Mshtml_Scroll_WaitForNextFrame,133,,11dc119f-47a1-4c1f-a22e-da4fcdf2baa2 +Mshtml_SAM_Allocate,134,,43906a41-a0b3-4afd-b5e7-18821d6c6740 +Mshtml_SAM_Free,135,,879fcdd0-8c71-4070-b567-e8558b856b23 +Mshtml_SAM_Segment_Create,136,,4fde1ba8-9c6d-4b82-ab8a-cd18d93ee77e +Mshtml_SAM_Segment_Delete,137,,32aa4821-0744-4f57-a082-8124da484535 +Mshtml_AlignedTimer_Setup,138,,49fa47fc-e415-468a-b5da-91230e562d78 +Mshtml_AlignedTimer_Kill,139,,bf24bd3d-245d-45de-95bf-8a011e9231ec +Mshtml_AlignedTimer_Fire,140,,237d7c7b-1680-4b09-8fce-fc60be7cd82b +Mshtml_AlignedBeat_Setup,141,,89cdb8c0-905c-4e1a-9f48-75edd5c6d74c +Mshtml_AlignedBeat_Kill,142,,40c17825-7140-4021-934a-ce1073b0b14d +Mshtml_AlignedBeat_Fire,143,,250540e4-3432-45bf-bcfe-1c8d599945f8 +Mshtml_AlignedBeat_Watchdog,144,,35abe3da-2a80-4551-989a-d355b8f1d0b4 
+Mshtml_AlignedBeat_VSync,145,,3a2c55cf-de5c-496e-a186-f161a68ac7a5 +Mshtml_AlignedBeat_VSyncStatus,146,,87009fa8-6a38-4608-8151-c67361f992fe +Mshtml_MsPerformance_FullyLoaded,147,,5708439e-1844-40af-9cab-c3426d242863 +Mshtml_MsPerformance_Mark,148,,b84e43e9-ffc9-4ed7-b256-c0e2a1194286 +Mshtml_MsPerformance_Measure,149,,5eeef362-f68b-485a-a61d-89356d669b4e +Mshtml_AttachIDispImage,150,,06a1fafc-0ee0-4f36-9e71-d887530885f7 +Mshtml_DetachIDispImage,151,,96774cf8-64f3-4bb0-84e9-1c3e7135694b +Mshtml_LowPriMethodCall_Watchdog,152,,bc68fbce-db43-4ed4-b7f5-19056d51ab6f +Mshtml_MediaEngine_Created,153,,4d36a011-7fab-4256-997b-5b6716b386c0 +Mshtml_MediaEngine_Play,154,,3080e1c7-f3b8-4b96-a482-4c793dcda1fb +Mshtml_MediaEngine_Pause,155,,2a10d65a-1fb3-4ffc-8427-e7084b2bf93a +Mshtml_MediaEngine_Seek,156,,6bdd5592-61b2-4f35-ad1e-48dbfd82d258 +Mshtml_MediaEngine_Ended,157,,d5b15cad-1092-448c-ae00-b073cd838e0d +Mshtml_MediaEngine_PlaybackRateChange,158,,1c3a9537-cdcd-44b2-93a8-fc03cd53bd91 +Mshtml_MediaEngine_StreamInfo,159,,543500a5-d97c-4323-9b94-1bf56919cc97 +Mshtml_MediaEngine_VideoMediaType,160,,9864acb5-a90b-40ea-ae79-7ecc4f26cb05 +Mshtml_MediaEngine_AudioMediaType,161,,7b1f0177-ab3d-4581-8ab2-008ccb6a5794 +Mshtml_MediaEngine_VideoFramePresented,162,,2ecb371d-64b8-45f7-af93-c2bb81671380 +Mshtml_MediaEngine_VideoFrameDropped,163,,44a37a5c-b36f-49e0-9235-fc5865c03a08 +Mshtml_MediaEngine_VideoQualityMessage,164,,8542a092-18f3-45e3-8357-3901efd02311 +Mshtml_MediaEngine_AudioDataPresented,168,,8b4df7b1-79f4-4e2b-96e5-ad5e017eaf16 +Mshtml_MediaEngine_VSyncTick,169,,5c2f20c8-a33e-477e-adfc-61eb99b3d514 +Mshtml_MediaEngine_Destroyed,170,,3a824b87-1eac-477d-af77-c6d8abb0c39a +Mshtml_CImgTask_LazyDecoded,171,,fbbcbc31-7341-46a9-a169-f85f7b49296b +Mshtml_CImgInfo_ForcedDecoding,172,,1aeb9c50-ecb3-42b9-8055-284859754f67 +Mshtml_CPaintController_NotReadyToPaint,173,,c0ddfe28-2d6e-4a27-85e4-30225a5d2f41 +Mshtml_CTimerMan_Wait,174,,c81d560a-17e9-49db-be51-f4e7e094e4b3 
+Mshtml_CHighFreqScheduler_Fire,175,,62610a63-231b-4e49-8d56-cba32928330d +Mshtml_CPaintController_CanNotPaintNow,176,,6da7b586-cb99-4627-82bd-0d240a2f0b61 +Mshtml_CMarkup_QME,177,,650fd506-af66-4c72-8603-c94cbf944eb8 +Mshtml_IViewObjectPresentSite_Present,178,,eb7169e4-04fa-43a9-bacd-a499ab46a24f +Mshtml_IViewObjectPresentNotifySite_RequestFrame,179,,bab712f8-6533-467a-bc7b-c4f1ad3e5dea +Mshtml_MediaEngine_TransferVideoFrame,180,,332a09bc-8cfd-404a-864d-4cde45021230 +Mshtml_GlyphRun_Draw,181,,4bcf36ea-5618-4256-b3bf-df1384026e26 +Mshtml_CTouchHelper_HandleTouchMessage,200,,8e42678c-3bb8-472d-b5fb-363fcd66d7a7 +Mshtml_MediaElement_Zoom,214,,665e7732-cc54-418d-be15-6f5dfe838d3e +Mshtml_MediaElement_PlayTo_Connect,215,,3becbe8d-188c-4098-9505-bd6918eee814 +Mshtml_MediaElement_PlayTo_Disconnect,216,,55eee259-4dd3-4f5b-9a4f-33177cf34ee3 +Mshtml_Composition_Destination_PreRender,228,,dd713edd-41aa-4251-a9dc-c92f5313209a +Mshtml_Composition_Destination_RenderLayer,229,,d71c5767-414c-4893-90d1-4d6981ccf832 +Mshtml_Composition_Create_Layer,230,,7b9946d4-a120-4093-8824-f1fb88b429eb +Mshtml_Composition_Destroy_Layer_Group,231,,78efec6e-413d-4984-af34-2240750de800 +Mshtml_Composition_Destroy_All_Layers,232,,7cf42d8a-e0f4-4d93-9bfe-d1b24c04e31f +Mshtml_Composition_Update_Implicit_Layers,233,,d4ac2a80-5416-461e-bc23-8db87fe97819 +Mshtml_Composition_Layer_Invalidate,234,,f9a07233-865c-459d-9e23-da34d6953c49 +Mshtml_CTouchHelper_DispatchGestureEvent,235,,4b061cde-2055-4882-b03f-65bd626278ac +Mshtml_Animations_Animating,236,,fda18f5e-312b-4863-bcde-c0facd26339b +Mshtml_Animations_Transitioning,237,,f997e9ea-afc6-467a-84ce-30fe84df59d7 +Mshtml_HTMLSpell_Notify,238,,c430e1b9-2000-4678-90ca-4e93c049fce4 +Mshtml_HTMLSpell_CreateSpeller,239,,556e5bad-5165-432b-8b27-30f042357285 +Mshtml_SetTimeout_Url,247,,5e24c505-56ad-4749-9f4a-edf91dc76849 +Mshtml_FormsTimer_Set,248,,9a7ce4a2-f6dc-4757-9139-aac4b02e6216 +Mshtml_FormsTimer_Reset,249,,15da02b0-0159-4422-93c7-762d7476eacb 
+Mshtml_HTMLSpell_ShowContextMenu,256,,4a95ed8a-f82e-4554-b034-213ddf72b420 +Mshtml_HTMLSpell_ContextMenuInvoke,257,,96f2f85c-6e14-4862-8b3a-2bf06f214aeb +Mshtml_Composition_Scrollbar_Paint,259,,f72a08b8-95f4-4658-b37c-bfbb9258d478 +Mshtml_UrlAction_ActiveX_Immersive_Incompatible,261,,c46f1b3b-cf7c-4fec-baa7-d1e60b6b1e40 +Mshtml_MediaElement_FrameStep,262,,3ad7959f-5c18-4c0c-8b70-29e60952a045 +Mshtml_IndependentAnimation_Start,263,,5445fbd1-238f-40cd-8c85-fe9e1ab3c274 +Mshtml_IndependentAnimation_Stop,264,,030450c7-a682-487a-a26b-e9459855e207 +Mshtml_IndependentAnimation_Candidacy_Failure,265,,dee736af-806b-4688-b1ce-26f67566ad03 +Mshtml_Composition_Layer_PaintRect,266,,b69d6ce0-6aba-4b78-b9b0-84bb651d5583 +Mshtml_PredictedView_Update,267,,16830896-b738-4949-afbd-c72fbd6893c1 +Mshtml_MediaElement_EndOfMedia,268,,d03d4d09-23c4-46ec-bf37-6eb4ab00a39a +Mshtml_CActiveScriptHolder_Construct,269,,764f6f6d-b0b4-4e50-843f-95a4e8c88ed8 +Mshtml_CJScript9Holder_TypeSystem_Init,271,,f388b273-67ae-4ac2-a3ec-02fbdd377a07 +Mshtml_CScriptCollection_WebOC_FirstScriptExecutionEvent,272,,1963414c-2511-4044-9365-0cc442aaf679 +Mshtml_CScriptCollection_DevToolbar_FirstScriptExecutionEvent,273,,de361bd5-a10a-4198-aa54-d08279021d1d +Mshtml_CActiveScriptHolder_WebPlatform_NewScriptEngineEvent,274,,52450625-ceb9-4932-b232-eb6767206665 +Mshtml_CView_HitTest_InActiveView,275,,f9a039cd-45a8-4113-90a9-d7adede6032d +Mshtml_CView_HitTest_MessageContext,276,,f4412585-b9ca-4567-94ae-98e8771135be +Mshtml_CView_ExecuteInvalidationTasks,277,,cf348711-cbac-459d-a92e-c0c18e92e42f +Mshtml_DisplayTreeOpen,278,,c5a20404-45ee-4b4f-a5dc-e9e8476bc127 +Mshtml_CDirectManipulationHandler_TouchHandler_Configuration,279,,7592a1f3-172c-4944-8370-67b294fb9069 +Mshtml_IndependentHitTestInfo,282,,6f07ea89-81da-4a5c-a4ec-71379c1e8fa5 +Mshtml_CElement_GetTooltipText,283,,d79c580a-88c5-4d3b-a03a-8027a67e5a6a +Mshtml_Composition_Create_ImplicitLayer,294,,40d86025-46c6-4c81-8b11-15f8356df21f 
+Mshtml_Composition_Max_ImplicitLayers_Exceeded,295,,6b7cd4b7-c1ae-488a-add3-a85cc974e482 +Mshtml_HoverDeferral_Undeferred,296,,4b23d696-6b92-4ff2-8d9c-0d7c6a4861ee +Mshtml_Composition_Create_SBLayer,297,,06c30dab-bb04-4f54-9500-5bea18cb6283 +Mshtml_Composition_Create_SBLayer_Surface,298,,1cbea198-a383-453d-9d4f-3ff638078db3 +Mshtml_Composition_Destroy_SBLayer,299,,58a431f1-29d4-421e-be20-58513bc67430 +Mshtml_Composition_Trim_SBLayer,300,,b9fc9260-d9d1-4747-aaf1-c2551cf9e860 +Mshtml_MediaElement_FullScreen,314,,0b8c102f-2205-4e24-9ab9-89f964904a86 +Mshtml_Animations_Timer,315,,b6ae3cf4-c3df-4349-a23f-39512a6850e4 +Mshtml_Animations_Instance,316,,e11fa254-ea06-4d55-ad1a-45fa9702b4ff +Mshtml_Canvas_Operation,317,,00000000-0000-0000-0000-000000000000 +Mshtml_EventDebug_DOM_Event_Dispatch,318,,a6c0f5cb-f6ee-468d-9119-3a77fd9b2fb8 +Mshtml_EventDebug_DOM_Event_Invoke_Callback,319,,cf5cb6a1-fc12-433e-bfc1-1193579a8b6c +Mshtml_EventDebug_Timer_Invoke_Callback,320,,67740b38-321f-4787-941d-5a7d6ddd652c +Mshtml_DynamicDependencyTracker,321,,a9444c1e-c14f-4e76-bd99-71e79964c5ae +Mshtml_DMTouchTarget_SetContentRect,322,,2abda02d-8499-4258-83af-2ba425440138 +Mshtml_DMTouchTarget_UpdateContentRectForBusyState,323,,acf6fb0f-3bc0-44ee-bf80-4649ca45bc69 +Mshtml_DispNode_Description,324,,4065c791-41ea-4212-9c68-1039f19a5ac0 +Mshtml_Prefetching,325,,2bc92422-ad54-473c-9ab3-c8591dfddc1d +Mshtml_Prerendering,326,,7e1fdc61-f83b-4290-aef8-a102de1c22c0 +Mshtml_Composition_IR_Enabled,327,,ad481ead-7bd7-4dd7-bb50-b60f21482372 +Mshtml_Composition_IR_Disabled,328,,8d8346c1-646b-4c74-8c50-a970c65a6a2f +WPGeneralTracing,329,,da65d47d-01cb-44f9-a6eb-a5c2f0d0a94b +Mshtml_Scheduler_API,330,,b9b61822-e097-457f-ae3c-ff5b5ad3e158 +Mshtml_RenderTask_Queued,331,,b6a6ec88-fd65-4684-92c6-9ce49830b7ab +Mshtml_RenderTask_Processing,332,,1fb1b0d5-dcfe-4b0c-9ab5-6d7922acfe75 +Mshtml_RenderTask_RenderThreadStateUpdate,333,,19b49b8a-347a-4d0e-b14a-6c6f1b79694e 
+Mshtml_FormatDetection,334,,51414f52-2c8c-4027-9161-36ab6eb24039 +Mshtml_FormatDetection_LanguageChange,335,,ee1bb2fe-0aef-45b3-8900-85561ad629bd +Mshtml_FormatDetection_EntityFound,336,,22964ace-b0c8-4f68-8f56-d44d62fd1ec7 +Mshtml_View_LinkHighlightShow,337,,56363e94-6943-4891-97e5-2a46914491e0 +Mshtml_View_LinkHighlightHide,338,,a41b638b-2fe0-4703-b6a9-b5170b73d519 +Mshtml_View_LinkHighlightStartFromNormalEvent,340,,351dbcea-921e-4bc5-a833-67d568c8efae +Mshtml_View_LinkHighlightStartFromQueryContinue,341,,83ba9da6-6abf-4439-8465-820cadb119d4 +Mshtml_View_LinkHighlightTimerPaint,342,,5edb1b12-c67b-46fb-9bea-ae505c11d885 +Mshtml_View_LinkHighlightPointerUpdateCancel,344,,e615b4ac-a820-4580-877c-ce684e476d76 +Mshtml_Phone_DoubleTap,345,,dd91b3c2-eaef-4eda-9753-774acb085ed9 +Mshtml_EventDebug_XmlHttpRequest_Open,346,,fac2ebdf-fcea-44ff-871f-fe0387d2a523 +Mshtml_EventDebug_XmlHttpRequest_Relate,347,,a230f90d-f062-40bc-94be-68718668387d +Mshtml_FormatDetection_TextExtraction,348,,94ebd88b-44a2-4d1f-9db4-c1fb8d87952e +Mshtml_FormatDetection_EntityExtraction,349,,ac313a49-f613-4ef7-96a0-88a65afada91 +Mshtml_FormatDetection_EntityHighlighting,350,,4d56aec0-0d35-472f-a6fb-753917a23714 +Mshtml_ElementRundown,351,,5ee38653-8c9d-4706-b449-ec40ff991eb5 +Mshtml_EventDebug_MediaQuery_Invoke_Callback,352,,36d68ede-24b2-4d0e-b8e7-9cfa368efe38 +Mshtml_TouchSelection_GripperShown,353,,e42e454b-a0cd-4994-94ef-06b3d563cb0e +Mshtml_TouchSelection_GripperHidden,354,,1eab1992-89da-4827-9773-dd0ade75abc9 +Mshtml_TouchSelection_CaretShown,355,,4afebae7-d830-44b4-b5b8-ffb6c31cb9a4 +Mshtml_TouchSelection_CaretHidden,356,,2ce357cc-0c56-4792-9c9c-8b2c5f3649a7 +Mshtml_TouchSelection_CaretPlacement,357,,b4e49168-599d-47b0-ab1c-a3bc2adb1f47 +Mshtml_TouchSelection_TouchSelectionManipulation_Initiation,358,,195f967f-4a90-465c-af1d-94b49fb163a2 +Mshtml_TouchSelection_TouchSelectionManipulation_Completion,359,,9ae17f82-f32b-425a-9995-4ef05615c10c 
+Mshtml_TravelLogPrerendering,361,,2030f9c6-b73c-4101-b773-c43786e81bde +Mshtml_BFCache,362,,f3fd389a-5ba8-435e-8c03-5868754a1195 +Mshtml_Media_TextTrack_Parsing,363,,df2bfcc5-a429-4069-b787-cf12a77cf2a5 +Mshtml_CDoc_Navigation,364,,001c34f0-2ad8-4353-95d8-7f2ead39d3d1 +Mshtml_WebWorker,365,,78d925b1-e3a1-4f4a-8579-2fcf6927a3c8 +Mshtml_MessagePort,366,,18bdb909-5c8e-4ebe-b658-5564171bacf6 +Mshtml_RenderTask_ApplyPSP,367,,4e1a5dc8-9331-4254-9b8e-3376be528e3b +Mshtml_CDoc_PrepareForSetVisible,368,,4de4130d-c460-4aab-ad8d-939f0ef4083a +Mshtml_CDoc_OnSuspendDocument,369,,9f22bc55-d072-44f6-a67c-153efcb849b9 +Mshtml_CDoc_OnUserVisibilityChanged,370,,dbc0a4ef-6efa-4869-84be-7b28cadbe28e +Mshtml_SetStyle,371,,eaa1611d-56dc-467f-8b4c-3f7fc8423192 +Mshtml_CGarbageTracker_CollectGarbage,378,,552698b5-96de-421a-8e1a-a96faa9e85ab +Mshtml_CDoc_HostPaintUpdateNotification,380,,fab96dff-f382-4f84-b8ef-3df5f6407b7d +Mshtml_CDoc_HostPaintUpdateNotification_IgnoredRequest,381,,e5eabcbe-21cc-4455-b617-fc65d970c28c +Mshtml_EventDebug_MutationObserverCallback,382,,84f64a70-83b0-4a77-ba21-42f4f290f415 +Mshtml_Generic_Diagnosis,383,,1e8cb4da-8149-4b1b-bb54-232f780fc834 +Mshtml_Video_Sizing,384,,4c57790b-f346-46c6-bb11-216bb9ba8255 +Mshtml_CDoc_UpdateUnitInfo,385,,eb667ebe-6fab-43e1-a123-b193bcb13fa2 +Mshtml_CView_UpdateRootScrollerSizeAndZoom,386,,7d6c549d-bd20-431c-8daf-2d553d8c21e5 +Mshtml_CView_SetFixedLayoutWidth,387,,ae123fd8-0a5d-4a9f-9224-a64d4b9b852e +Mshtml_CView_SetViewportMode_FixedLayoutWidth,388,,7a5410bf-e29c-429a-90a2-dba4bf112883 +Mshtml_CView_SetViewportMode_VisualHeightExclusion,389,,d4608e1c-1d0f-4ac9-9fe6-8a56bd2ece65 +Mshtml_CDMScrollableTouchTarget_OnViewportStatusChanged,390,,7358098e-294a-4a06-b86a-a9a928875ef5 +Mshtml_CDMScrollableTouchTarget_BeginInteraction,391,,b7b52b65-7db6-4b65-9e3c-dbdfe3423166 +Mshtml_CDMTouchTarget_InputTransform,392,,a41acadf-70bc-46a1-970a-152996e106c0 +Mshtml_CDMTouchTarget_DisplayTransform,393,,35ed1b96-fc01-400a-abbb-43d05150e139 
+Mshtml_IndependentHitTest_HitTestPointer,394,,49fc18b6-ca3c-41a5-88a3-ad9f10661be0 +Mshtml_CDMScrollableTouchTargetHandler_ContentState,395,,a891ee36-437f-4c4b-a0b1-4431e4e53acb +Mshtml_CDMScrollableTouchTargetHandler_StartTarget,396,,e9907dbb-826e-4c2c-9f48-e1028b270409 +Mshtml_CDMTouchTargetHandler_ApplyViewportStatusChange,397,,dbadbd74-9a7a-4b61-a021-508ac3bbfd24 +Mshtml_TouchDiagnosis_GenericInfo_Output,398,,379c1172-a536-4ec2-ac02-4fee6b871351 +Mshtml_CDMCrossSlideDraggableTouchTarget_AssignDispLayerImpl,399,,4969251a-baff-4c1d-aa1d-b745291e3add +Mshtml_CDMCrossSlideDraggableTouchTarget_AssignDispLayerWithDragState,400,,fdc51f98-82ec-4973-9f0a-8fb5dc7d16d0 +Mshtml_CTouchHelper_OnPointerMessage_StartDoubleTapTimer,414,,99322629-7001-452f-9b3f-cb6dbec4a6a1 +Mshtml_CTouchHelper_DoubleTapOnTick_CommitDeferredActionsForDoubleTapZoomCancel,415,,160c0347-bc24-457e-8473-7183b58d3b13 +Mshtml_CTouchHelper_PreFilterMessageForCapture_CommitDeferredActionsForDoubleTapZoomCancel,416,,da5a5c66-9f56-428d-bd9f-034d1b7f2d9e +Mshtml_CTouchHelper_PreFilterMessageForCapture_CommitDeferredActionsForDoubleTapZoom,417,,6c8ea67a-879d-4106-9199-36a1600207ce +Mshtml_CDoubleTap_PanAndZoom,418,,ad91a9fd-c86f-4618-9e6e-acbfac8df33e +Mshtml_CDoubleTap_IsDoubleTapAllowed,419,,6b6fea84-67e6-44ef-beb8-17cce71fe3fa +Mshtml_CTouchHelper_IsDoubleClick,420,,e665e2f5-674b-465a-84e1-c322c08df10b +Mshtml_CTouchHelper_HandleTouchMessage_Info,421,,4fc27176-9ef4-4d19-9177-dcadd7d21214 +Mshtml_DragAndDrop_Fire_DragEnd,422,,e2584924-ef1b-4023-bb15-f0b2a575eacf +Mshtml_DragAndDrop_Fire_DragEnter,423,,13a4f944-d938-4a89-a154-a60e1d23a505 +Mshtml_DragAndDrop_Fire_DragOver,424,,80694e14-552a-4fd0-890e-856a9313ab37 +Mshtml_DragAndDrop_Fire_DragStart,425,,77e1309b-c648-42ef-9d83-c2540b575082 +Mshtml_DragAndDrop_Fire_Drop,426,,94d113a0-4a4f-4fea-94ea-65cb81618664 +Mshtml_DragAndDrop_Fire_Drag,427,,d45c7882-15f5-4e98-bab7-9ad5fb0c7a6a +Mshtml_DragAndDrop_Fire_DragLeave,428,,089429fb-969d-425b-bb38-65a7aee6ed7b 
+Mshtml_Post_MSManipulationStateChange,429,,00342801-80e8-47ff-9eec-c81fc02dec46 +Mshtml_Fire_MSManipulationStateChange,430,,4677c8db-c4c7-4772-8c57-b8dd26850c86 +Mshtml_CDragPreview_RenderPreview,431,,0815ea5d-f398-4705-9f7b-327c8e418f09 +Mshtml_CDragPreview_Initialize,432,,ccebac4a-93ec-4c6a-86e6-8dcebf5d7518 +Mshtml_CDragPreview_CreateSurface,433,,9ca23e08-e4b2-484d-aaca-9553a2d35e72 +Mshtml_CDragPreview_Hookup,434,,fbceecf4-4a24-48e6-b417-952078cc43ba +Mshtml_CTouchDragDropHelper_DragInitiated,435,,fd6ac28d-8d57-4646-b899-70e64a213dfb +Mshtml_CTouchDragDropHelper_DragCancelled,436,,95f44252-074e-4f87-88e0-b5818658a301 +Mshtml_CTouchDragDropHelper_OnDragging,437,,7133e3b2-addb-4cb7-8204-e4e535df4f09 +Mshtml_CTouchDragDropHelper_OnDropped,438,,1d5fd3c6-2ac5-4757-b0cd-be5e9a0a6dd0 +Mshtml_CTouchDragDropHelper_Shutdown,439,,2319ed3a-31cb-48f8-9668-21a188231e58 +Mshtml_DMTouchTargetHandler_TouchEnd,440,,d3031e7b-a6c1-4b7d-9f25-6e4e7db82a92 +Mshtml_WebOCEvents_BeforeNavigate,441,,357330cb-d0de-4574-8794-3903c32999cc +Mshtml_WebOCEvents_BeforeNavigateRefresh,442,,02f0a186-9bbf-46ae-adab-6d71fc7ddd4f +Mshtml_WebOCEvents_NavigateComplete,443,,4d140d9a-5f6f-4f71-8af5-2b4622b8aab2 +Mshtml_WebOCEvents_DownloadBegin,444,,b2e86fa5-b398-41dd-a3ae-21fa284a060a +Mshtml_WebOCEvents_DownloadComplete,445,,7dfaefb5-49c3-448a-8f2a-34756f926a39 +Mshtml_WebOCEvents_DocumentComplete,446,,09646260-aedd-4a22-acbc-7f6a3a3329f9 +Mshtml_WebOCEvents_NavigateError,447,,3acc3cbf-2a90-40a7-b0b9-5f2495744065 +Mshtml_WebOCEvents_NavigateRedirected,448,,f49b3b53-c85b-4e90-8392-9aa9bb255e29 +Mshtml_WebOCEvents_DelegateNavigate,449,,0cbb5e10-0b2e-4fcd-846f-a2a55759c5a8 +Mshtml_WebOCEvents_DOMContentLoaded,450,,07140996-caad-41a1-b0e8-0dc684f6a5a2 +Mshtml_MemoryProtector_ReclaimMemoryWithoutProtection,451,,c08c4f5e-4dcb-bfd1-ee96-b68df1c7ab4a +Mshtml_MemoryProtector_SyncMark,452,,bb84d4c3-48f1-9d98-aa78-2b8bdafc9a49 +Mshtml_MemoryProtector_ReclaimUnmarked,453,,91b0c262-4a7f-c336-5c03-a18274587d94 
+Edgehtml_HtmlPopup,454,,1fcb01fb-b490-4c0f-8bf9-6acfbc22375e +Mshtml_CSP_AddPolicy,455,,d4a4f715-06aa-4564-befc-b273a32c0f48 +Mshtml_CSP_CheckPolicy,456,,c1b07f81-50f8-4eca-8205-942d93e065ba +EdgeHTML_Webview_AppPermissionResponse,457,,7f7a5362-5fd2-4508-99a4-a2559b0456cb +Mshtml_CrossCDoc_NodeAdoptionAttempt,458,,5e7a4f1e-9ad3-479e-9405-68956ed7c028 +Mshtml_Download_Initiator,459,,e1ecb8cb-581b-44c2-8062-0063c38a285d +Mshtml_Ortc_Candidate_Gathering,460,,6acf4d4a-577c-4320-9cef-039b0bbf95c3 +Mshtml_Ortc_Connectivity_Check,461,,51f1d8ef-31f0-41f4-bbd2-7a18a5694930 +Mshtml_Ortc_Dtls_State,462,,dc0f27a7-a1f1-48be-887c-818827ee8d4e +Mshtml_Ortc_Create_Render_Sample_Queue,463,,4c661eb2-1522-4688-8fc2-ada2f4e80476 +Mshtml_Ortc_Render_Sample_Dropped,464,,b1e4443c-321a-40dc-a9ee-e919c22f424f +Mshtml_Ortc_Audio_Render_Sample_Time_Push,465,,b8ad52cd-10f1-4a38-8144-21da91c3f79b +Mshtml_Ortc_Audio_Render_Sample_Time_Pull,466,,dab240c6-39ba-4967-b9d3-ae43403742c6 +Mshtml_Ortc_Audio_Render_Sample_Time_Delivery,467,,4c3b1bcc-168a-40ae-9d0e-6742092ef83e +Mshtml_Ortc_Video_Render_Sample_Time_Push,468,,010bd254-e699-440e-b3e7-3c2d3eae6ca4 +Mshtml_Ortc_Video_Render_Sample_Time_Pull,469,,0d956746-81f0-43f4-b618-a7165967af6e +Mshtml_Ortc_Video_Render_Sample_Time_Delivery,470,,cc1a4020-c77a-4bf5-a23f-fa466721c041 +Mshtml_Generic_Diagnosis_Hr_Error,471,,b91ef46d-b681-4a21-8ae8-fca302f3fc13 +Mshtml_Generic_Diagnosis_Win_Error,472,,445bd9dc-6914-4569-b0e8-25f5086ad7b0 +Mshtml_Generic_Diagnosis_Trace_Hr_Error,473,,32fdf84c-5301-40b6-94b9-05268be7ddd6 +Mshtml_Generic_Diagnosis_Info1,474,,79fc1acf-9b25-4d4e-81b8-3d817f50343f +Mshtml_Generic_Diagnosis_Warn0,475,,d57f4c3e-7f8d-42a6-b17c-226384ff74f4 +Mshtml_Generic_Diagnosis_Warn1,476,,60dbc467-8890-42e7-85aa-ad2e04f74e72 +Mshtml_Selectors_Api_Query_Selector,477,,8ef2399e-90ed-45f7-b5fa-c2fefcc81c15 +Mshtml_Image_Pooling_Budget_Enforce,478,,c7195f2e-fe71-4a06-9b7b-2e8e8c96d447 
+Mshtml_Ortc_Set_Video_Size_Preference,479,,2d8e9610-9011-4082-987b-5d2bdac64f69 +Mshtml_Ortc_Audio_Drift_Render_Sample_Dropped,480,,0b7bc2cc-9be1-49ec-a952-f744016f20da +Mshtml_Ortc_Audio_Clock_Stall_Render_Sample_Dropped,481,,24284c5f-5936-4a80-8d5e-951d9d74a950 +Mshtml_Ortc_Capture_Sample_Requested,482,,a2dfb0dc-4867-403b-b087-349788e85a04 +Mshtml_Ortc_Capture_Sample_Delivered,483,,6a75bf4f-61b5-4db8-90db-bb50304e1979 +Mshtml_Ortc_Capture_Sample_Received,484,,a955e542-0648-440f-851f-f2e571668d19 +Mshtml_Ortc_Capture_Sample_Dropped,485,,370184a1-517d-46ac-8529-3903d70cad38 +Mshtml_Ortc_Ice_Transport_Stats,486,,87cc3eb2-9504-499d-b978-c09ef9e6399b +Mshtml_Ortc_Sender_Stats,487,,389f18c4-8e28-473d-931f-3a237cfdb3d8 +Mshtml_Ortc_Receiver_Stats,488,,88b762c2-9820-47a2-8d85-966559ca2139 +Mshtml_Media_Capture_Sample_Requested,489,,45f690eb-c914-4ebe-8445-065b8fcf3ec6 +Mshtml_Media_Capture_Sample_Delivered,490,,50d2c08a-0f81-4767-a0b2-006aa0956dee +Mshtml_Media_Capture_Sample_Received,491,,92686016-a981-478e-8d45-5600afe9e9cf +Mshtml_Media_Capture_Sample_Dropped,492,,62338740-8ab6-4c33-a7a9-b999dc3c6669 +WebPlatStorageServer,493,,3c0d9fba-177f-4b83-9ad1-19e5abd766a0 +Mshtml_AlignedTimer_Processing,494,,9a0b8f97-2f65-44a3-8b34-d97f88041cce +Mshtml_CBase_AddPrivateRef,495,,d2b6faae-edf2-4f8d-ab30-e70d77399545 +Mshtml_CBase_ReleasePrivateRef,496,,3d3a150f-4ca9-489f-9c33-e65c1e9e07b3 +Mshtml_CBase_AddInternalRef,497,,647e1b8b-5b48-44dd-ba9e-77e77f6f00c1 +Mshtml_CBase_ReleaseInternalRef,498,,b695acdf-347b-4610-84af-9bfe731af1ac +Mshtml_CBase_AddSubRef,499,,9323ae71-4268-46bf-ba8c-d12c46ceae1d +Mshtml_CBase_ReleaseSubRef,500,,4160d07f-d742-4ce3-b226-e16466cdb42f +WebPlatStorageServer_Handle,501,,9aae36ca-1b17-4ff5-afb4-015c62742075 +WebPlatStorageServer_RPC_Method,502,,1a8f0299-0856-49cd-9f63-37550f613c4f +Mshtml_EventLoop_QueueSentinel,511,,2ad1b503-5caa-411d-af27-1c02cc9eb47a +Mshtml_EventLoop_OnSentinelFired,512,,f9f2de7a-1a25-400c-ba0f-edc2183384b0 
+Mshtml_EventLoop_RunReadiedTasks,513,,0ec2769c-dd6c-4f62-bf8b-5076a2a1652e +Mshtml_EventLoop_PerformMicrotaskCheckpoint,514,,5c2255c9-796a-4fce-aeb5-1747d1a7e6a2 +Mshtml_EventLoop_YieldTaskExecution,515,,303963a9-d113-41f5-83bc-c8f064855733 +Mshtml_WebRTC_Ice_Connection_State,516,,15e64d20-9c79-4377-9a45-c5ad344acd5a +Mshtml_WebRTC_Ice_Gathering_State,517,,8cfcc429-7182-43d9-b418-e99a51250f24 +Mshtml_WebRTC_Signaling_State,518,,ca309ad0-11a6-4d0c-ba11-5d88afb0f456 +Mshtml_WebRTC_Gathered_Ice_Candidate,519,,e347a95c-7a32-457b-ae74-4d56ceef03c3 +Mshtml_WebRTC_Add_Ice_Candidate,520,,f0708618-cd3a-4485-b1d7-928bb86c368a +Mshtml_ElementFromPointCache_Hit,521,,6884a442-790a-41ce-b2f8-c06bd0966d8b +Mshtml_ElementFromPointCache_Miss,522,,fc996ae9-66ff-4ae1-8858-f60bd843a7dd +Mshtml_PowerStateController_Register,523,,98a96a22-67cc-46da-99c0-5b95e188063c +Mshtml_PowerStateController_Unregister,524,,a9b1f699-ac50-4480-a516-ebd63ef6d8fb +Mshtml_PowerStateController_Visible,525,,39d4b56a-950a-4300-bc76-2195a1e950cf +Mshtml_PowerStateController_Invisible,526,,d71c5733-3206-40ad-b8cf-a212b6799309 +Mshtml_PowerStateController_LowPowerState,527,,3f89c8b4-ea6a-4e10-a849-6160c2eabe48 +Mshtml_PowerStateController_NormalPowerState,528,,7e85fc9e-1e59-4d9a-b752-4bd57fd422ee +Mshtml_EventLoop_MessageGroupCallbackRePost,529,,be4cc110-e720-41c1-a9c6-7e86a2d05812 +Mshtml_EventLoop_MessageGroupCallbackStop,530,,2090ef8d-df36-467d-ba5f-bb9eac9b607c +Mshtml_EventLoop_MessageGroupEnable,531,,bc7dc648-61b2-4041-967f-a614b8988f7a +Mshtml_EventLoop_MessageGroupAlreadyQueued,532,,919e0ca3-4d96-41a9-b1c0-d6d6163452ac +Mshtml_EventLoop_DriveRegularTasksFromLow,533,,aa42dbb1-12f3-4d1a-93f7-8f3953274afd +Mshtml_EventLoop_DriveRegularTasks,534,,51b5e3d6-92e0-479b-88e9-b06db9340433 +JScript_Parse_Script,535,,e228472e-3dd8-455b-88a9-3cce55b28e6d +Mshtml_Canvas_CommandList,536,,a2b9c3e4-70b5-460d-86d1-e1ebedd5f97a +Edgehtml_Extensions_WrxMessage,537,,a75f254e-5003-4d3d-98b1-24ac8be733a0 
+Mshtml_Container_Size,538,,b53f9cb9-cabe-4ce7-857d-093894d31399 +Mshtml_AlignedBeat_Timer_Beat,539,,93b85a9d-6458-427f-8c72-15d7e6ebafe7 +Mshtml_AlignedBeat_VSync_Beat,540,,fc46beae-3ebf-4967-9363-a88aa16ad408 +Edgehtml_Extensions_Script_Execution,541,,490df4b6-ea47-40ee-b6ba-3ccd13dd83af +UnifiedListView_GroupPopulated,74,,4a247660-9336-4509-a105-e706cab3a514 +UnifiedListView_DefaultAction,75,,11813cf1-ec45-4a5d-bc91-cd3451780b0c +UnifiedListView_SwitchMode,76,,0da7c0c0-e36d-448b-95c4-e396849e26a2 +WS_ExecuteQuery,77,,04fcc4d0-edba-471c-8edd-a32a2b1712f8 +Browseui_CBrowserFrame_OnClose,182,,3bd69470-b5de-4299-b8d2-ef8482e613e1 +Shdocvw_BaseBrowser_FireEvent_BeforeNavigate,183,,a85dac1d-8fd8-41e9-a389-ad16541cc45c +Shdocvw_BaseBrowser_FireEvent_DocumentComplete,185,,25dfce47-605a-4df6-83a3-2832854a6396 +Shdocvw_BaseBrowser_FireEvent_DownloadBegin,187,,acfb46f4-539f-434f-804a-5f5a660de0a5 +Shdocvw_BaseBrowser_FireEvent_DownloadComplete,189,,397f28c9-6ba8-40e9-8227-a9d231b05603 +Shdocvw_BaseBrowser_FireEvent_NavigateComplete,191,,7bdcc2fc-6553-4a10-a748-e1af5d6320ae +Shdocvw_BaseBrowser_FireEvent_NavigateError,193,,ab2949e5-3a84-4dd4-8f98-1422671b41d6 +Shdocvw_BaseBrowser_FireEvent_NewWindow,195,,8b429e6f-d1a3-46c2-98c0-f5ee3fae541e +Shdocvw_BaseBrowser_FireEvent_Quit,197,,430aec68-a19e-4bac-bdd7-660f50fe7a8d +Shdocvw_BaseBrowser_FireEvent_WindowStateChanged,199,,e2cffdda-d872-487c-bc70-f5c6c2943c97 +DLM_Security_AppRep,213,,e723907d-8979-4e4e-aa80-6d66ce331fe7 +DLM_DownloadBar_Close,217,,a73fd3f4-66e9-4f1d-ad7d-8dfde6eddc37 +Frame_MinIETabBandCreate,219,,0a1dad58-f450-4496-8dad-79871e81335e +Frame_AddFirstTab,339,,e8837931-a75f-41a4-8173-ea687d007777 +FindBar_TermChange,343,,82f900ca-3f1f-42a0-9075-19ddbdc4583b +Immersive_Travellog_NavigationComplete_TimeOut,542,,48d9b342-68d2-4dba-bdee-eaa70d117df5 +Immersive_Travellog_ScrollComplete_TimeOut,543,,e7dd2bf1-fd5a-4c5c-9a3f-6ef3b45d1591 
+Immersive_Travellog_ScrollComplete_Fired,544,,890cf38d-6655-46a5-8720-12f385d20a86 +Immersive_Travellog_PageAvailable_Fired,545,,5d71d7c2-4afc-48c5-b3f7-6f305a89996c +Immersive_Travellog_BeforeUnload_Fired,546,,cb246a3b-9651-463d-ade8-8505d68cde43 +Browseui_BringBrowserTabAlternateOwnerForward,547,,690fe0ed-96b1-46c9-9734-d0a26056d6f1 +Browseui_BringBrowserTabAlternateOwnerForward_Hung,548,,36575e48-b416-4054-86ec-577bc2b74677 +Browseui_DestroyDetachedBrowserTabUI,551,,756bdd88-3ff9-4806-8a21-b02c7859cf3e +Browseui_HungTabHeartBeat_Timer_Invisible,552,,50a659aa-7ddb-4730-b8ca-1813082eb237 +TabRoaming_FindRoamedMachines,553,,cf9aa83c-2aa6-4705-9bce-c412a19ec9cf +TabRoaming_LoadRoamedMachine,554,,90e5179b-6a32-45ec-89f5-e1de782a67ea +Shdocvw_VirtualTab_RedirectUrlWithBindInfo,555,,14806630-017b-4be3-a953-d4a7cf89ef21 +Shdocvw_VirtualTab_NavigateImmediateTab,556,,6a74e617-8237-49d0-936d-96050b0066e6 +Shdocvw_VirtualTab_NavigateDeferredNewTab,557,,2b810646-7a97-4411-af2f-8ba2833acf29 +Shdocvw_VirtualTab_GetIWB2,558,,ee23e5cb-ae45-4e17-ad03-911b3b32f9c3 +Shdocvw_VirtualTab_NavigateTabManager,559,,397c1d2a-b2e7-4f88-b7e1-565aaa0ccfbd +Shdocvw_VirtualTab_GetWebOCWindow,560,,6839d1f8-21a7-403c-a9f6-5cfcd925e8f5 +Shdocvw_VirtualTab_NavigateInWebBrowser,561,,786c2b7f-3eb4-4096-83d1-aa40cc7cf8d4 +Shdocvw_VirtualTab_NavigateThreadProc,562,,7fbc348e-d1dd-44f8-9088-7aaa9ec604d5 +Browseui_VirtualTab_PreNewFrameTabCreate,563,,b39c3220-4b44-4fbf-8e47-effd5525cd8f +Browseui_VirtualTab_PostNewFrameTabCreate,564,,badb9062-61ca-4785-ad15-8b3bb75e4814 +Shdocvw_VirtualTab_NavigateThreadProc_NavigateEx2Call,565,,5b93fc43-ed74-4a36-9b1d-1afb0f1b4da5 +Shdocvw_VirtualTab_NavigateThreadProc_Navigate2Call,566,,799fbea6-8e5a-4933-a131-e280f0270565 +Shdocvw_VirtualTab_NavigateInWebBrowser_Navigate2Call,567,,6852e750-b927-4b76-9051-cee4e8e36675 +BrowseUI_CStorage,568,,46aaa12e-ec8f-42c6-a3c8-8888c4bf5e23 +CFaviconHolder_UpdateReal,569,,0d937b98-62a1-4e51-8e7a-a78644cae3da 
+History_Journal_Write_Command,570,,30301968-3662-4891-be95-833c4e598bb8 +Browseui_TabSuspension_Check_Suspendable,571,,4b309b37-5cc1-4377-8cc8-abb7bc9ee1ce +TabRoaming_FindRoamedTabs,573,,4563dabe-b9ef-4497-afa6-07153d51056c +TabRoaming_LoadRoamedTab,574,,54723edc-f81a-418d-bd34-a9a230f0cdfb +TabRoaming_WriteProcessInfo,575,,c4df466f-b7bc-45c9-b0e2-ab81fe73068c +TabRoaming_ReadProcessInfo,576,,54577938-a0c3-43da-9be2-869bf33a30c2 +Recovery_WriteInitialStore,577,,c5428bf0-f669-4392-b3c1-23352d81fefb +Recovery_ReadRecoveryStore,578,,be5e476f-b773-4850-8381-594e17810b90 +Courier_FunctionalTest,579,,3f957451-57da-4efd-878b-55a36fe39b86 +Browseui_TabBand_Activity,580,,cbcfe481-85f8-461c-8a7c-6fd3867ec676 +Device_Info_Util,581,,edf6bc57-9cf3-4655-a680-fa86c3411af2 +HistoryJournal,582,,eb58452e-1db9-4312-b0bd-847b720b8fbb +NewTabPage_SearchBox_Show,583,,84a56938-a376-47a5-9492-b605b0151600 +NewTabPage_SearchBox_Hide,584,,99080976-0087-4857-b699-b019fc1854c6 +NewTabPage_SearchLogo_Show,585,,32f328f2-8527-463c-a866-08419a7b5b8d +WebStorage_Platform,586,,110110a0-bec3-4cea-8ce0-36fb0fd91a58 +tskRunOneCoreSetup,1000,Run Setup Specialization,49616aee-29a5-4d6b-806e-cec2629f31bc +FavoritesBar_PopulateFeedsMenu_Perftrack,609,,9abca919-ef89-4443-a660-c1b751fed918 +CreateThumbnail_Perftrack,611,,7e2f4fc1-e7af-43e4-9f0c-b479817bc1fa +Imaging_CreateWebPagePreview_Perftrack,613,,d738f475-f52b-4d8a-b075-5ba4a36bb4c3 +Find_FindHits_Perftrack,615,,2ad3a840-f22f-4080-993b-4d4dd777d1d1 +Find_HighlightHits_Perftrack,617,,e9c04285-a813-4b4d-b489-1fcc435d9a64 +Search_SuggestionsProcessing_Perftrack,619,,300d3ede-a993-4bd1-9060-89b7231cc0bc +Search_ImageProcessing_Perftrack,621,,9f8fc385-7dca-4020-a28f-46f5eefc7ea7 +UnifiedListView_Typed_Perftrack,623,,9072e79e-f34d-4ba3-8435-ccdb1d8953bb +UnifiedListView_Dropdown_Perftrack,625,,dbc92608-82bb-4412-ab3d-a08ec9edc2ae +UnifiedListView_Displayed_Perftrack,627,,b01b5583-fcf6-44ee-bcff-39fcf2d9f18f 
+UnifiedListView_Cancelled_Perftrack,629,,abb1baad-ef58-4ac6-9e3c-3485f83d3492 +UnifiedListView_Displayed_Complete_Perftrack,631,,c33f52ea-3067-43a9-bde5-989ae3f92213 +UnifiedListView_Query_History_Perftrack,633,,12413cae-8db6-4df8-806e-26ade6a1af11 +UnifiedListView_Query_Favorites_Perftrack,635,,5ad3676f-692a-4e6d-90f8-ddf7ce4f9fd9 +UnifiedListView_Query_Feeds_Perftrack,637,,b230582a-c4d6-4695-8cb1-5bb88941983e +Print_Dialog_Perftrack,639,,cd09c101-f81b-430f-a4bc-7124d2b1a7ee +Tab_Fast_Shutdown_Perftrack,641,,dccd78c8-8b22-48fd-a6e5-4ccc019656d0 +Frame_Fast_Shutdown_Perftrack,644,,11d1f841-3f7e-4a15-81b2-897942ad5b16 +CreateThumbnail_Immersive_Perftrack,650,,d98ae171-c26b-4e9d-9be1-a246a4e22d46 +CreateThumbnail_Superbar_Perftrack,652,,76b25024-6cad-43c0-adb2-2f6495c63312 +Browseui_Tabs_Tearoff_ShowVisual,700,,58f54a09-a66b-439e-a17f-9e536d866972 +Find_MatchAndHighlightHits_Perftrack,714,,208a74ca-9930-4799-ae1e-2918bf890eb0 +Browseui_Tabs_Tearoff_BetweenWindows_TabProc,717,,21408fd0-0046-4733-8485-5581caeda35e +Browseui_CIMBrowserFrame_CreateInstance_Perftrack,800,,5b9c5e3b-6d50-4120-b6a0-9572b067a86c +QSA_CalculateTilesInView_Perftrack,816,,47f9386a-c133-46b4-a627-7cf87cc3d122 +QSA_PopulateTiles_Perftrack,818,,ce5692e1-4ddd-4151-9131-f27cd054a20f +TabWindowManager_DehydrateTabsOnSuspend_Perftrack,828,,5bb5c49f-5b23-479e-bd09-d4ba95b8cfe5 +TabWindowManager_UnDehydrateTabsOnResume_Perftrack,830,,c90895ee-a827-498f-859f-b86385795e74 +ULV_AggregateItems_Perftrack,832,,e0dfc54f-c49d-427a-9cc2-e9223b21e0c8 +QSA_UpdateGroup_Perftrack,836,,c5aa11e3-899c-4ef5-97a2-eddeb0c915d4 +Snippet_Aggregate_Perftrack,838,,fa410590-dbbd-423d-8e6c-5744d3003d1f +Snippet_MetaExtraction_Perftrack,840,,3f4ce608-629e-4d3b-b48e-76955188bef6 +Snippet_UserSelExtraction_Perftrack,842,,cf58d88d-0ceb-4c02-95ba-d89ec0bae6aa +Snippet_BOLLExtraction_Perftrack,844,,fa22be40-3e4f-4397-a06a-5d207db2cb13 +DLVA_Animation_Perftrack,846,,6cf3a24b-5448-475b-b26f-f0b10c1dd511 
+CIMFindBar_Show_Perftrack,900,,c5496d89-c2c7-4139-86be-4d5497f70c2e +QSA_OpenUnfilteredView_Perftrack,908,,2d7701ef-1e3d-45a6-9fac-907eaab4447f +UnifiedListView_Query_DomainSuggestion_Perftrack,911,,ea1d040b-e0e2-40c2-8e33-52006e089dce +FlipAhead_RulesFileUpdate,913,,ac62a862-d5f9-4670-b612-d71199941f32 +IMDownloadWindow_Show_Perftrack,915,,10d86aad-53fd-455a-820c-438107a6492b +IMDownloadWindow_Hide_Perftrack,917,,ab78ac33-016f-46d1-85d4-7864e32ed923 +CIMContextMenuBar_Show_Perftrack,919,,93d499b0-6401-4525-a5cc-894ffe46fef7 +CIMContextMenuBar_Hide_Perftrack,921,,4f24a370-c727-4ba4-b0aa-2a4f49960a16 +DownloadWindow_HistoryQuery_Perftrack,923,,be498270-ed58-49ae-88d9-dace8a3bcb70 +DownloadWindow_HistoryPopulate_Perftrack,925,,2ef065f8-714d-4123-9e43-ff389c829385 +Immersive_Travellog_SwipeStartThresholdMet,926,,cd36f5aa-89df-4305-98b0-ef29e06ff0e3 +JournalEncryption_Init_Perftrack,927,,7c23da43-5a49-4ea3-b339-83cac29a79d5 +Browseui_TabWindow_CommitRoamingState_Perftrack,928,,b6f87ea5-e0c5-4c8b-818c-c7933631cd2a +EUPP_HPNavigationTriggerProtection_Perftrack,929,,020dc37f-36e3-42af-bd38-b8e71f2776e5 +EUPP_DoAsyncOperation_Perftrack,930,,07c9f121-2e2b-4083-ba50-eac74040f67c +EUPP_HandleAsyncOperationResult_Perftrack,931,,f42ea3a5-02ca-42b4-8ec2-73eb3c73e005 +win:None,0,None,00000000-0000-0000-0000-000000000000 +SqmSaveSessionData,10000,Task to save in-memory SQM session data to a file.,c76d062f-3368-4f22-ae81-b71da68d09f8 +ActivationDispatchSession,2500,ActivationDispatchSession,cc62b5a3-2fe1-4546-ae18-2ea42aaf4978 +BufferPooling,2509,BufferPooling,6f83b987-9660-4211-af87-22994065d03b +CacheRootMetadata,2510,CacheRootMetadata,a2c991a1-a330-4f57-ac54-41f0997ce72e +ChannelFactoryCaching,2511,ChannelFactoryCaching,643d11c2-6eee-4388-965e-8beac2b6c705 +ChannelFactoryCreate,2512,ChannelFactoryCreate,8b16dba4-17cb-451f-9dce-2b6a0a61d230 +ChannelReceive,2513,ChannelReceive,bdaeec18-49e2-46da-bd4c-b32f3e955cfb 
+ClientRuntime,2514,ClientRuntime,2a726cd5-610e-4a23-b411-61f1d8ab244d +ClientSendPreamble,2515,ClientSendPreamble,00830c8d-78eb-4ea3-bcae-cf5fe60ffd71 +CompensationState,2516,CompensationState,0da1bff2-411e-430f-8a5d-c956543c5c97 +CompleteActivity,2517,CompleteActivity,f2ff22dd-397c-467b-9812-0a79e8c5a12b +CompleteWorkItem,2518,CompleteWorkItem,63680005-ee91-4154-ae7a-240942510b98 +Connect,2519,Connect,7386e51a-8418-4599-b82f-d1d08925c8d6 +ConnectionAbort,2520,ConnectionAbort,d28a7513-7db8-4175-9c38-3ae98e633f75 +ConnectionAccept,2521,ConnectionAccept,8289b69b-1b48-4160-ae03-50a6ea893e61 +ConnectionPooling,2522,ConnectionPooling,bc25d06d-a60a-4769-a3f2-3858b0e7c5db +Correlation,2523,Correlation,a945f7d1-4dba-4537-b8de-a2db621e2ade +CreateBookmark,2524,CreateBookmark,d156f187-f5c0-4213-b859-87c761616702 +CreateHttpMessageHandler,2525,CreateHttpMessageHandler,4c4e08dd-6602-4cbe-b338-d42fd19ac90b +CreateWorkflowServiceHost,2526,CreateWorkflowServiceHost,dc5e2af3-2c21-40d9-8216-6832b11d5796 +CustomTrackingRecord,2527,CustomTrackingRecord,01132c8e-cb5f-47c8-98c3-67473440cdad +DataContractResolver,2528,DataContractResolver,5809dff9-c1eb-469d-9a88-d1e708225c03 +DiscoveryClient,2529,DiscoveryClient,3419e18e-ab9c-495f-8853-4fd253fee742 +DiscoveryClientChannel,2530,DiscoveryClientChannel,1733b7bf-beb5-4f77-9ca4-fb4e47b8ba92 +DiscoveryMessage,2531,DiscoveryMessage,6718f681-ceb8-418b-aa29-2d4b1762fcdc +DiscoverySynchronizationContext,2532,DiscoverySynchronizationContext,6dae34cb-a41e-4f83-9215-36a6d99b920f +DispatchMessage,2533,DispatchMessage,cfa3eff0-bf4d-48ba-948e-7d747d4c3c29 +EndpointDiscoverability,2534,EndpointDiscoverability,3a550486-6e72-409a-af80-2bdd33d95de7 +ExecuteActivity,2535,ExecuteActivity,e36d0c20-32cb-4568-9897-663f382a02e5 +ExecuteFlowchart,2536,ExecuteFlowchart,4a46e34a-6765-4bdd-b81d-7c7738ad6c3f +ExecuteWorkItem,2537,ExecuteWorkItem,6d072edb-429e-4046-9397-aff005752eb2 +ExpressionResult,2538,ExpressionResult,046c6554-41aa-4e98-ba6c-2ed457c42eb9 
+FormatterDeserializeReply,2539,FormatterDeserializeReply,1383449f-3231-4a82-b08f-a67b5df71c6f +FormatterDeserializeRequest,2540,FormatterDeserializeRequest,a6034273-e068-4663-a5bb-a3bbc13b1953 +FormatterSerializeReply,2541,FormatterSerializeReply,cbf0fa02-6964-4298-9bf7-2f0379f83608 +FormatterSerializeRequest,2542,FormatterSerializeRequest,150fd34c-30d9-41c0-bcd0-86784a36be3b +GenerateDeserializer,2543,GenerateDeserializer,0a195d68-ee49-4a4b-b311-36717ad8e842 +GenerateSerializer,2544,GenerateSerializer,2eac2877-e183-4280-847e-dbb44baf6429 +GenerateXmlSerializable,2545,GenerateXmlSerializable,2bd9d243-9e23-4a78-9ada-600cc128f7ff +HostedTransportConfigurationManagerConfigInit,2546,HostedTransportConfigurationManagerConfigInit,209e9d89-3301-4132-b12e-cb03b4c908d1 +ImportKnownType,2547,ImportKnownType,751739d0-0aff-4f56-b878-c270c58a17a1 +InferDescription,2548,InferDescription,11efeeee-6ca2-484c-9f52-3996d40e3973 +InitializeBookmarkScope,2549,InitializeBookmarkScope,19b94d63-4a80-4eed-afc7-4813f2c3d317 +InternalCacheMetadata,2550,InternalCacheMetadata,b7c65e88-50b2-49c8-9c5f-5679eb06635a +InvokeMethod,2551,InvokeMethod,281c1dc8-ac41-4170-a7ef-13d216ff5873 +ListenerOpen,2552,ListenerOpen,db4cadc2-970c-46b3-9995-74f399e57d25 +LockWorkflowInstance,2553,LockWorkflowInstance,c9dec4a9-2a27-48ae-9b76-073a60aa1bdf +MessageChannelCache,2554,MessageChannelCache,09bf4c8a-579b-44ea-8cd9-2490ac2e640f +MessageDecoding,2555,MessageDecoding,3c7bb03f-cb27-4ac7-88b3-74996c38d00f +MessageEncoding,2556,MessageEncoding,7d9dc4bc-cf40-494d-9e9d-ab00e9d95628 +MessageQueueRegister,2557,MessageQueueRegister,18c94a0d-c90c-4045-ad31-07bb222e6dbf +MsmqQuotas,2558,MsmqQuotas,01b57294-49fc-4a9d-b46d-42589e86328d +NoPersistBlock,2559,NoPersistBlock,42a1f6b2-f9c5-4dc4-a7da-1892a83046ab +Quotas,2560,Quotas,3b3023ac-e7bf-4d11-896b-7810ba5b43f5 +ReliableSession,2561,ReliableSession,f105d9e4-3bee-44f3-9e34-176c4c36966b +RoutingService,2562,RoutingService,29e2a04c-aaed-4439-a34d-884050317c37 
+RoutingServiceClient,2563,RoutingServiceClient,854a57e9-7fc3-49be-bfb1-a4dfe1319d6e +RoutingServiceFilterTableMatch,2564,RoutingServiceFilterTableMatch,8d9dab05-283c-4e06-820d-1a86512a6fae +RoutingServiceMessage,2565,RoutingServiceMessage,7604f4c2-da79-4b5c-8927-890006a43a3a +RoutingServiceReceiveContext,2566,RoutingServiceReceiveContext,d051f201-c391-438c-ba86-c4b36ad43354 +RoutingServiceTransaction,2567,RoutingServiceTransaction,39b697ed-79b9-4172-a62f-c19e1d807e32 +RuntimeTransaction,2568,RuntimeTransaction,e71036aa-4d1e-4acb-8f5b-d1ab148ddc5e +ScheduleActivity,2569,ScheduleActivity,75bfa87e-b64f-4e34-b6c9-bf315bab5268 +ScheduleWorkItem,2570,ScheduleWorkItem,e55a99e9-adf3-4da2-b812-376c682ad991 +SecureMessage,2571,SecureMessage,4a44e657-bb88-40e6-b4b6-7c4bade8645c +SecurityImpersonation,2572,SecurityImpersonation,215c2b1c-bcc4-406b-928f-53c5af9ab8ce +SecurityNegotiation,2573,SecurityNegotiation,906923a1-1501-456b-ad24-dc6e6e7a7e0e +SecurityVerification,2574,SecurityVerification,a18a4968-a0fe-4218-a2c6-41bc9804ae40 +ServiceActivation,2575,ServiceActivation,495cdd67-1051-4a73-8671-f55cd4f8262a +ServiceChannelCall,2576,ServiceChannelCall,e0bc1bbf-dc44-4bfe-8248-c13547471de5 +ServiceChannelOpen,2577,ServiceChannelOpen,3a4d4500-a5ff-48e8-98f3-031e37c75c46 +ServiceHostActivation,2578,ServiceHostActivation,889b37e9-86e8-4394-b9cf-51a9f86151f3 +ServiceHostCompilation,2579,ServiceHostCompilation,b89a8822-f97f-4dc6-a85f-82a18558e8fc +ServiceHostCreate,2580,ServiceHostCreate,6b129f40-fc49-4032-8ec4-0b1396a47d5d +ServiceHostFactoryCreation,2581,ServiceHostFactoryCreation,9c411076-9eb0-4579-8741-f8037e9140dc +ServiceHostFault,2582,ServiceHostFault,a3276f7a-bf2b-4e74-b4d5-2329b0b19620 +ServiceHostOpen,2583,ServiceHostOpen,0a0d5fc5-939d-4f85-9c73-6b10be96faea +ServiceInstance,2584,ServiceInstance,b0cd6c86-90b8-4382-b8e0-40f77a70584a +ServiceShutdown,2585,ServiceShutdown,aa2e18aa-3618-4be9-b938-5a04ffc0d232 +SessionStart,2586,SessionStart,5fab4482-260c-4280-a670-72cb40a6d38c 
+SessionUpgrade,2587,SessionUpgrade,29f551a4-5a53-4ce2-b708-38983b5f68cc +Signpost,2588,Signpost,467f2eed-797f-4a5b-aa77-f60e8174d287 +SqlCommandExecute,2589,SqlCommandExecute,837f6564-75a0-4ca1-8087-23069935efa4 +StartWorkItem,2590,StartWorkItem,8931a237-d6c2-42c7-9438-83ee5d3a24c1 +SurrogateDeserialize,2591,SurrogateDeserialize,fd67d29d-3b67-4138-853f-02febdb1bb3c +SurrogateSerialize,2592,SurrogateSerialize,48379681-20f4-4ba2-9259-f797949b3172 +ThreadScheduling,2593,ThreadScheduling,8ab777e0-9d97-498f-bec6-eed9f9732e1a +Throttles,2594,Throttles,f71d9f5c-8697-457f-acaa-7848c7f71c33 +Timeout,2595,Timeout,cbb66a44-9a0d-498c-ba30-f52f9b11d734 +TimeoutException,2596,TimeoutException,a2b6a84c-3e36-4847-b63a-046bb4ffb0fc +TrackingProfile,2597,TrackingProfile,b8405407-f1c7-436b-9cc7-d141cad8a9a1 +TrackingRecord,2598,TrackingRecord,b92f3124-6b3b-41ca-8970-a01951fc871a +TransportReceive,2599,TransportReceive,32dc9a79-b143-42c0-847e-1a0d8158fa82 +TransportSend,2600,TransportSend,21222074-fec4-4a37-a502-7d3fa5dd7bbd +WFApplicationStateChange,2605,WFApplicationStateChange,e2f60385-fabc-46ba-b60a-1644a96dda92 +WFMessage,2606,WFMessage,f048298b-e812-42b8-a0fe-399a9417cc12 +WorkflowActivity,2607,WorkflowActivity,d0c1971f-e415-4b16-927d-4a07102176ff +WorkflowInstanceRecord,2608,WorkflowInstanceRecord,ba2a6ac8-4687-470a-beb8-0f73a0880bff +WorkflowTracking,2609,WorkflowTracking,4dc544cd-a2dd-47c1-98f8-2dbfd5b2db84 +FM_RegisterForExtensionRevokedEvent,165,,00000000-0000-0000-0000-000000000000 +FM_CompleteExtendedExecution,166,,00000000-0000-0000-0000-000000000000 +FM_RevokeSuspensionExtension,167,,00000000-0000-0000-0000-000000000000 +FM_ChildOnApplicationStateChangedEx,184,,00000000-0000-0000-0000-000000000000 +FM_ChildOnResourceAcquired,186,,00000000-0000-0000-0000-000000000000 +FM_SendActivationNotification,188,,00000000-0000-0000-0000-000000000000 +FM_AcquireResourceSet,190,,00000000-0000-0000-0000-000000000000 +FM_OnResourceAcquired,192,,00000000-0000-0000-0000-000000000000 
+FM_PostPausePendingActivation,194,,00000000-0000-0000-0000-000000000000 +FM_FireCachedResourceCallback,196,,00000000-0000-0000-0000-000000000000 +FM_TCDeniedByEDPPolicy,198,,00000000-0000-0000-0000-000000000000 +ActivateAssignedAccessApplication,3000,,2c7310a7-4f13-4476-a498-ea65b52e3a89 +WaitForAssignedAccessApplicationToDie,3001,,c24d664f-c8ef-4a43-b9b5-b245e5f62fa3 +CustomTask,3002,,c1e052c6-cbb1-40b1-9618-98de4220ab3c +LockFrameworkQueryTask,3003,,558aab81-f5b4-4ff7-bddb-96631f61664b +UnlockTask,3004,,01d1ffe7-6bd8-460f-85d5-5fd343847889 +LockAppPidTask,3005,,fd3f5507-0e62-480f-ba95-e6a2e5b4fc4c +AbovelockToastTask,3006,,d42ce10d-f15f-4f42-9502-3ead1841b7fd +SetPowerManagerStatusTask,3007,,eaf07f81-be42-4122-ba0b-b69213c95a44 +ClosePowerRequestHandleTask,3008,,633ff652-a7b5-4978-916d-69e6fde8eff7 +ReportUnresponsiveAssignedAccessApplication,3009,,a60ccdc6-bf55-447e-ab1c-3f3a9f638d23 +AppSpecificSettingsTask,3010,,20d2b000-cb98-4c2e-b839-0f610aa88f1d +CredUIPromptForWindowsCredentials,11001,,00000000-0000-0000-0000-000000000000 +CredUIPromptForCredentials,11002,,00000000-0000-0000-0000-000000000000 +das_Query,5000,,00000000-0000-0000-0000-000000000000 +das_Association,7000,,00000000-0000-0000-0000-000000000000 +SearchWindowsUpdate,7022,,00000000-0000-0000-0000-000000000000 +DownloadFromWindowsUpdate,7023,,00000000-0000-0000-0000-000000000000 +InstallFromWindowsUpdate,7024,,00000000-0000-0000-0000-000000000000 +PartnershipStore_LoadStore,768,,00000000-0000-0000-0000-000000000000 +PartnershipStore_Create,769,,00000000-0000-0000-0000-000000000000 +PartnershipStore_Destroy,770,,00000000-0000-0000-0000-000000000000 +PartnershipStore_FindById,771,,00000000-0000-0000-0000-000000000000 +PartnershipStore_Enum,772,,00000000-0000-0000-0000-000000000000 +PartnershipStore_Commit,773,,00000000-0000-0000-0000-000000000000 +PartnershipStore_RemoveOwnership,774,,00000000-0000-0000-0000-000000000000 +AppHistory_AddDesktopApplication,255,,00000000-0000-0000-0000-000000000000 
+Shell,4005,System Performance Monitoring,00000000-0000-0000-0000-000000000000 +VidMem,4006,Desktop Window Manager Monitoring,00000000-0000-0000-0000-000000000000 +Shutdown,4007,Shutdown Performance Monitoring,00000000-0000-0000-0000-000000000000 +Boot_Loopback_SnapshotKMScenario,7001,,00000000-0000-0000-0000-000000000000 +BootApps_ResolverLoopback,7101,,00000000-0000-0000-0000-000000000000 +BootDrivers_ResolverLoopback,7102,,00000000-0000-0000-0000-000000000000 +ShutdownApps_ResolverLoopback,7103,,00000000-0000-0000-0000-000000000000 +SuspendApps_ResolverLoopback,7104,,00000000-0000-0000-0000-000000000000 +SuspendDrivers_ResolverLoopback,7105,,00000000-0000-0000-0000-000000000000 +ResumeDrivers_ResolverLoopback,7106,,00000000-0000-0000-0000-000000000000 +Shutdown_ArchiveCorrupt,8001,,00000000-0000-0000-0000-000000000000 +Shutdown_ThreadCreateFailed,8002,,00000000-0000-0000-0000-000000000000 +Shutdown_Troubleshooting,8003,,00000000-0000-0000-0000-000000000000 +Shutdown_WaitingForBoot,8005,,00000000-0000-0000-0000-000000000000 +Shutdown_LocatedCKCL,8006,,00000000-0000-0000-0000-000000000000 +Shutdown_LocatedPossibleDCL,8007,,00000000-0000-0000-0000-000000000000 +Shutdown_RestoringConfig,8008,,00000000-0000-0000-0000-000000000000 +Shutdown_LoadConfig,8009,,00000000-0000-0000-0000-000000000000 +Shutdown_ProxyCallback,8010,,00000000-0000-0000-0000-000000000000 +Shutdown_StartCKCL,8011,,00000000-0000-0000-0000-000000000000 +Shutdown_CancelledAnalysisViaRegistry,8013,,00000000-0000-0000-0000-000000000000 +SecondaryLogon_UnexpectedEvent,9003,,00000000-0000-0000-0000-000000000000 +SecondaryLogon_DetectedMultipleLogons,9007,,00000000-0000-0000-0000-000000000000 +SecondaryLogon_Troubleshooting,9011,,00000000-0000-0000-0000-000000000000 +SecondaryLogon_CancelledAnalysisViaRegistry,9013,,00000000-0000-0000-0000-000000000000 +SecondaryLogon_CapturedDCL,9015,,00000000-0000-0000-0000-000000000000 +Standby_FailedTransition,11003,,00000000-0000-0000-0000-000000000000 
+Standby_DetectRegressions,11005,,00000000-0000-0000-0000-000000000000 +PerfPipe_TraceCapture_Trigger,218,,00000000-0000-0000-0000-000000000000 +IdleDetection_PostResumeFromSleep,1101,,00000000-0000-0000-0000-000000000000 +IdleDetection_Parameters,1105,,00000000-0000-0000-0000-000000000000 +IdleDetection_Sample,1106,,00000000-0000-0000-0000-000000000000 +IdleDetection_Sample_Error,1107,,00000000-0000-0000-0000-000000000000 +IdleDetection_SliceSummary,1108,,00000000-0000-0000-0000-000000000000 +IdleDetection_Disk_OpenedDisk,1109,,00000000-0000-0000-0000-000000000000 +MainPath_HybridBoot,1500,,00000000-0000-0000-0000-000000000000 +ID3D11VideoDevice_CreateVideoProcessor,910,,00000000-0000-0000-0000-000000000000 +ID3D11VideoProcessor_Release,914,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_VideoProcessorBlt,939,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_GetDecoderBuffer,940,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_DecoderBeginFrame,942,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_DecoderEndFrame,943,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_SubmitDecoderBuffers,944,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_SubmitDecoderBuffers1,945,,00000000-0000-0000-0000-000000000000 +IDXGIDevice3_Trim,952,,00000000-0000-0000-0000-000000000000 +ID3D11VideoDevice_CreateCryptoSession,953,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_NegotiateCryptoSessionKeyExchange,954,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_VideoProcessorGetBehaviorHints,955,,00000000-0000-0000-0000-000000000000 +CryptoSessionTeardownCount,956,,00000000-0000-0000-0000-000000000000 +RecoverTeardown,957,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_VideoProcessorBltParameters,958,,00000000-0000-0000-0000-000000000000 +ID3D11VideoDevice_DestroyCryptoSession,959,,00000000-0000-0000-0000-000000000000 +ID3D11VideoContext_GetDataForNewHardwareKey,960,,00000000-0000-0000-0000-000000000000 
+JournalEntry,961,,00000000-0000-0000-0000-000000000000 +IDXGIResource_CreateSharedHandle,962,,00000000-0000-0000-0000-000000000000 +ID3D11VideoDevice_NegotiateCryptoSessionKeyExchangeMT,963,,00000000-0000-0000-0000-000000000000 +ID3D11TrackedWorkload_Processed,964,,00000000-0000-0000-0000-000000000000 +ID3D11TrackedWorkload_Completed,965,,00000000-0000-0000-0000-000000000000 +CheckPresentDurationSupport,966,,00000000-0000-0000-0000-000000000000 +DnsActivityStart,60001,,00000000-0000-0000-0000-000000000000 +DnsActivityStop,60002,,00000000-0000-0000-0000-000000000000 +DnsActivityTransfer,60003,,00000000-0000-0000-0000-000000000000 +DnsNetError,60004,,00000000-0000-0000-0000-000000000000 +DnsNetWarning,60005,,00000000-0000-0000-0000-000000000000 +DnsStateTransition,60006,,00000000-0000-0000-0000-000000000000 +DnsContextUpdate,60007,,00000000-0000-0000-0000-000000000000 +DnsPolicyReadError,60008,,00000000-0000-0000-0000-000000000000 +DnsV4Tuple,60101,,00000000-0000-0000-0000-000000000000 +DnsV6Tuple,60102,,00000000-0000-0000-0000-000000000000 +DnsInterfaceInfo,60103,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_DrvDeviceCapabilities,1200,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Submit,1600,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Callback_Error,1607,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Dependent_CreateXGC,1608,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Dependent_XGCStartDocument,1609,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Dependent_XGCPrintPage,1610,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Dependent_XpsOMCreateColorProfile,1615,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Dependent_XpsOMCreateDictionary,1616,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_Dependent_PTMergePrintTicket,1617,,00000000-0000-0000-0000-000000000000 
+DocPerf_Task_XpsPrint_Dependent_WritePrinter,1618,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_CollectPage,1619,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_WriteXPSOMToPrinter,1620,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_XpsDrv_ConvertPageMarkup,1621,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_XpsDrv_ConvertImageResource,1622,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_XpsDrv_ConvertResourceDictionary,1623,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsPrint_API_EnterExit,1624,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrinterDriver,1708,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrinterDriver_SplAPI,1709,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_AddPrinterDriver,1710,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_AddPrinterDriver_SplAPI,1711,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_RemovePrinterDriver,1712,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_RemovePrinterDriver_SplAPI,1713,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrinterPort,1714,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrinterPort_SplAPI,1715,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_AddPrinterPort,1716,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_AddPrinterPort_SplAPI,1717,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_RemovePrinterPort,1718,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_RemovePrinterPort_SplAPI,1719,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrintConfig,1720,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_SetPrintConfig,1721,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrintJob,1722,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_GetPrintJob_SplAPI,1723,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PS_SetPrintJob,1724,,00000000-0000-0000-0000-000000000000 
+DocPerf_Task_PS_SetPrintJob_SplAPI,1725,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_WinspoolFunction,1800,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_CloseProvider,1825,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_ConvertDevModeToPrintTicket,1826,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_ConvertPrintTicketToDevMode,1827,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_GetPrintCapabilities,1828,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_MergeAndValidatePrintTicket,1829,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_OpenProvider,1830,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_QuerySchemaVersionSupport,1831,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_GetPrintDeviceCapabilities,1832,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintTicket_GetPrintDeviceResources,1833,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Mxdc_AnalyzeContentTree,2014,,f159fc8a-cccc-4aee-a85c-3031524b83c4 +DocPerf_Task_PFPM_API_EnterExit,2104,,ec342b23-e0a4-4dc8-bfa0-dc4ed20620e3 +DocPerf_Task_Smc_App,3050,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Smc_ScannerDiscover,3051,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Smc_LoadPSPs,3052,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Smc_GetScannerProps,3053,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Smc_ShowPSPs,3054,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Smc_DeletePSP,3055,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_DeviceCenter_FDQuery,3150,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_HomeGroup_ServerAddPrinter,3175,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_HomeGroup_ServerRemovePrinter,3176,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_HomeGroup_ServerJoin,3177,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_HomeGroup_ServerDepart,3178,,00000000-0000-0000-0000-000000000000 
+DocPerf_Task_HomeGroup_ClientAddPrinter,3179,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_HomeGroup_ClientRemovePrinter,3180,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintUI_PrintDialog,3251,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Xps_WritePackage,4050,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Xps_WriteStreaming,4051,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Xps_WriteAddPage,4052,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_OM_Package_Validate,5001,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_OM_GetParts,5002,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_OM_GetRelationships,5003,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_OM_SavePackage,5004,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_OM_Write_TempFile,5005,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_Signature_Validate,5006,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_Signature_Sign,5007,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Opc_Signature_ParseXml,5008,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_CreatePostScanJob,6001,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_SendImage,6002,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_EndPostScanJob,6003,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_ProcessPostScanJob,6004,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_Service_Startup,6005,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_Email_Filter,6006,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_FileShare_Filter,6007,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_FileShare_File_Upload,6008,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_SharePoint_Filter,6009,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Scan_SharePoint_File_Upload,6010,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_InstallDriverFromCurrentInf,6101,,00000000-0000-0000-0000-000000000000 
+DocPerf_Task_Setup_SplUploadPrinterDriverPackage,6102,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_SplInstallPrinterDriverFromPackage,6103,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_PnPPrinterInstall,6104,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_StagePackageDriver,6105,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_InstallPackageDriver,6106,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_DetectRemotePrinterHardwareID,6107,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_FillWindowsUpdateCatalog,6108,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_FindDriverFromWindowsUpdate,6109,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_InstallPrinterDriverFromTheWeb,6110,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_DownloadDriverFromWindowsUpdate,6111,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_Setup_FindDriverFromDriverStore,6112,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_USBMon_BidiQuery,6201,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_USBMon_LoadBidiExtensions,6202,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_USBMon_CancelDoc,6203,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_WSDMon_BackupPort,6301,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_WSDMon_RestorePort,6302,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_WSDMon_BackupServiceId,6303,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_WSDMon_BackupDeviceId,6304,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_WSDMon_CancelDoc,6305,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Render_RenderHilites,7002,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Mainframe_OpenPackage,7003,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Mainframe_OnDestroy,7004,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Find_PageIndexing,7005,,00000000-0000-0000-0000-000000000000 
+DocPerf_Task_XpsViewer_Find_FindNext,7006,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Find_FindAll,7007,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Thumbnails_SetPagesPerBlock,7008,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Thumbnails_LoadingPages,7010,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_View_OnPaint,7011,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Thumbnails_LoadPageTexture,7012,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Thumbnails_LoadHighDetailPageTexture,7013,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_PackageLoader_ParsePage,7014,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_View_SetScrollBars,7015,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_ShellExt_PartHolder_Save,7016,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_MainframeBase_ExecuteCopy,7017,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_PackageLoader_OnPageLoaded_ProcessPage,7018,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_MainframeBase_ExecuteInvokeFileSaveAs,7019,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_Viewer_LoadingPages,7020,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_DigSig_LoadDigSig,7021,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_DigSig_SaveAndReload_SavePackage,7025,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_SelectContent,7026,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_PrintDocument,7027,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_PrintPrepare,7028,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_DigSig_CosignDigSig,7029,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_DigSig_RemoveRequest,7030,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_DigSig_RemoveSignature,7031,,00000000-0000-0000-0000-000000000000 
+DocPerf_Task_XpsViewer_MainframeBase_DisplayMessageID,7032,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_MainframeBase_OpenPackage,7033,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_ReportBadPage,7034,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_XpsViewer_ReportPreviewDocumentType,7035,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_GetPrintCapabilities,8000,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintJob_RequestCancel,8004,,00000000-0000-0000-0000-000000000000 +DocPerf_Task_PrintConfig_DDI_EnterExit,8100,,00000000-0000-0000-0000-000000000000 +ETWGUID_POP_EXTERNAL_LAYER_EVENT,240,,00000000-0000-0000-0000-000000000000 +ETWGUID_HW_PROTECTED_ENTITY_CHANGE,241,,00000000-0000-0000-0000-000000000000 +ETWGUID_VISUAL_RENDERCONTENT,243,,00000000-0000-0000-0000-000000000000 +ETWGUID_DIRTY_ADDRECT,244,,00000000-0000-0000-0000-000000000000 +ADVANCED_DIRECTFLIP_NORESTORE_RECORDCANDIDATE,245,,00000000-0000-0000-0000-000000000000 +SHADERS_EFFECT_COMPILE,258,,00000000-0000-0000-0000-000000000000 +UNPRESENTED_FRAME,284,,00000000-0000-0000-0000-000000000000 +PROCESS_ATTRIBUTION,285,,00000000-0000-0000-0000-000000000000 +COMMAND_PROCESSED_ONBEHALF,286,,00000000-0000-0000-0000-000000000000 +CHANNEL_OPENED_FOR_PROCESS,287,,00000000-0000-0000-0000-000000000000 +CHANNEL_CLOSED_FOR_PROCESS,288,,00000000-0000-0000-0000-000000000000 +COMPUTESCRIBBLE_GPUFINISHED,289,,00000000-0000-0000-0000-000000000000 +COMPUTESCRIBBLE_DRAWINFO,290,,00000000-0000-0000-0000-000000000000 +UdwmProcessSetIconicLivePreviewBitmap,5009,,00000000-0000-0000-0000-000000000000 +UdwmProcessInvalidateIconicBitmaps,5010,,00000000-0000-0000-0000-000000000000 +UdwmGlassSheetAnimation,5011,,00000000-0000-0000-0000-000000000000 +UdwmRippleAnimation,5012,,00000000-0000-0000-0000-000000000000 +UdwmGlassSheetFadeOut,5013,,00000000-0000-0000-0000-000000000000 +UdwmLoadTheme,5014,,00000000-0000-0000-0000-000000000000 
+UdwmDirectTouchDownAnimation,5015,,00000000-0000-0000-0000-000000000000 +UdwmTouchUpReceived,5016,,00000000-0000-0000-0000-000000000000 +UdwmContactStationaryVisual,5017,,00000000-0000-0000-0000-000000000000 +UdwmAnimationInitialization,5019,,00000000-0000-0000-0000-000000000000 +UdwmAnimationRecalc,5020,,00000000-0000-0000-0000-000000000000 +UdwmSystemAnimation,5021,,00000000-0000-0000-0000-000000000000 +UdwmAnimationClock,5022,,00000000-0000-0000-0000-000000000000 +UdwmPressTapVisual,5025,,00000000-0000-0000-0000-000000000000 +UdwmTetherVisual,5026,,00000000-0000-0000-0000-000000000000 +UdwmPenPressHoldVisual,5027,,00000000-0000-0000-0000-000000000000 +UdwmFlickVisual,5028,,00000000-0000-0000-0000-000000000000 +UdwmTouchDragVisual,5029,,00000000-0000-0000-0000-000000000000 +UdwmTitleTextAligned,5030,,00000000-0000-0000-0000-000000000000 +UdwmAnimationEngine,5031,,00000000-0000-0000-0000-000000000000 +UdwmLoginTransition,5032,,00000000-0000-0000-0000-000000000000 +UdwmTransitionVisualController,5033,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationCapture,5034,,00000000-0000-0000-0000-000000000000 +UdwmPenBarrel,5035,,00000000-0000-0000-0000-000000000000 +UdwmIndirectTouchVisual,5036,,00000000-0000-0000-0000-000000000000 +UdwmStoryboard,5037,,00000000-0000-0000-0000-000000000000 +UdwmGradientLoad,5038,,00000000-0000-0000-0000-000000000000 +UdwmGradientColorize,5039,,00000000-0000-0000-0000-000000000000 +UdwmAccentLoad,5040,,00000000-0000-0000-0000-000000000000 +UdwmAnimationComponent,5041,,00000000-0000-0000-0000-000000000000 +UdwmTouchPressHoldVisual,5042,,00000000-0000-0000-0000-000000000000 +UdwmAnimatedTransitionVisual,5043,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationDelay,5044,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationAnimation,5045,,00000000-0000-0000-0000-000000000000 +UdwmTransitionRequest,5046,,00000000-0000-0000-0000-000000000000 +UdwmTransitionCVISnapshot,5047,,00000000-0000-0000-0000-000000000000 
+UdwmTransitionProcessSnapshotOnVisual,5048,,00000000-0000-0000-0000-000000000000 +UdwmSecondaryWindowBrushSnapshot,5049,,00000000-0000-0000-0000-000000000000 +UdwmSecondaryWindowMakeStatic,5050,,00000000-0000-0000-0000-000000000000 +UdwmThumbnailVisualValidated,5051,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationPreDelayAnimation,5094,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationPostDelayAnimation,5095,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationHintDelay,5096,,00000000-0000-0000-0000-000000000000 +UdwmScreenRotationHintFired,5097,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionDelay,5098,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionAnimation,5099,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionPreDelayAnimation,5100,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionPostDelayAnimation,5101,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionHintDelay,5102,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionHintFired,5103,,00000000-0000-0000-0000-000000000000 +UdwmHardwareExpressionCapture,5104,,00000000-0000-0000-0000-000000000000 +UdwmAnimationResource,5105,,00000000-0000-0000-0000-000000000000 +UdwmWindowDPIChange,5127,,00000000-0000-0000-0000-000000000000 +UdwmMaximizeSnapTransition,5128,,00000000-0000-0000-0000-000000000000 +DMM_SnapPerfCounters,10010,,00000000-0000-0000-0000-000000000000 +PerfTrack_Dxgkrnl_StateChangeNotify,10011,,00000000-0000-0000-0000-000000000000 +DestroyDisplayedAllocation,242,,00000000-0000-0000-0000-000000000000 +VmBusSendCommandGlobal,246,,00000000-0000-0000-0000-000000000000 +MiracastStopMiracastSessionAbnormal,1032,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackStartMiracastSession,1033,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackStartMiracastSessionDone,1034,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackStartMiracastSessionDoneNoMonitor,1035,,00000000-0000-0000-0000-000000000000 
+MiracastPerfTrackStartMiracastSessionFailed,1036,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackSourceDroppedFrames,1037,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackGraphicsLatency,1038,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackIFrameRequest,1039,,00000000-0000-0000-0000-000000000000 +MiracastGlobalConfiguration,1040,,00000000-0000-0000-0000-000000000000 +MiracastChunkReportViolation,1041,,00000000-0000-0000-0000-000000000000 +MiracastPerfTrackStartMiracastSessionNoSend,1042,,00000000-0000-0000-0000-000000000000 +DWMVsyncCountWait,1043,,00000000-0000-0000-0000-000000000000 +DWMVsyncSignal,1044,,00000000-0000-0000-0000-000000000000 +CommitVirtualAddress,1045,,00000000-0000-0000-0000-000000000000 +SetProcessStatus,1046,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainCreate,1047,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainOpen,1048,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainSurfaceList,1049,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainCloseHandle,1050,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainDestroy,1051,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainMarkAbandoned,1052,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainAcquire,1053,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainRelease,1054,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainGetMetaData,1055,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainSetMetaData,1056,,00000000-0000-0000-0000-000000000000 +BltQueueUpdatePresentStats,1057,,00000000-0000-0000-0000-000000000000 +BltQueueUpdateVSyncState,1058,,00000000-0000-0000-0000-000000000000 +BltQueueCompleteIndirectPresent,1059,,00000000-0000-0000-0000-000000000000 +BltQueueRemoveEntry,1060,,00000000-0000-0000-0000-000000000000 +OutputDuplicationCreate,1061,,00000000-0000-0000-0000-000000000000 +OutputDuplicationGetFrameInfo,1062,,00000000-0000-0000-0000-000000000000 
+OutputDuplicationReleaseFrame,1063,,00000000-0000-0000-0000-000000000000 +OutputDuplicationProcessHighLevel,1064,,00000000-0000-0000-0000-000000000000 +OutputDuplicationBlit,1065,,00000000-0000-0000-0000-000000000000 +OutputDuplicationDestroy,1066,,00000000-0000-0000-0000-000000000000 +OpmGetCertificate,1067,,00000000-0000-0000-0000-000000000000 +OpmGetCertificateSize,1068,,00000000-0000-0000-0000-000000000000 +OpmCreateProtectedOutput,1069,,00000000-0000-0000-0000-000000000000 +OPMGetRandomNumber,1070,,00000000-0000-0000-0000-000000000000 +OPMSetSigningKeyAndSequenceNumbers,1071,,00000000-0000-0000-0000-000000000000 +OPMGetInformation,1072,,00000000-0000-0000-0000-000000000000 +OPMGetCOPPCompatibleInformation,1073,,00000000-0000-0000-0000-000000000000 +OPMConfigureProtectedOutput,1074,,00000000-0000-0000-0000-000000000000 +OPMDestroyProtectedOutput,1075,,00000000-0000-0000-0000-000000000000 +OPMSetProtectionLevel,1076,,00000000-0000-0000-0000-000000000000 +OPMGetConnectorType,1077,,00000000-0000-0000-0000-000000000000 +OPMGetSupportedProtectionTypes,1078,,00000000-0000-0000-0000-000000000000 +OPMGetActualProtectionLevel,1079,,00000000-0000-0000-0000-000000000000 +SetVidPnSourceVisibility,1080,,00000000-0000-0000-0000-000000000000 +IndirectDisableRenderD3,1081,,00000000-0000-0000-0000-000000000000 +DdiExchangePreStartInfo,1082,,00000000-0000-0000-0000-000000000000 +TraceAdapterLock,1083,,00000000-0000-0000-0000-000000000000 +DdiDisplayDetectControl,1084,,00000000-0000-0000-0000-000000000000 +DdiQueryConnectionChange,1085,,00000000-0000-0000-0000-000000000000 +DdiSetTargetAdjustedColorimetry,1086,,00000000-0000-0000-0000-000000000000 +PresentRedirected,1087,,00000000-0000-0000-0000-000000000000 +VidMmDefragment,1088,,00000000-0000-0000-0000-000000000000 +VidMmSaveRestoreResource,1089,,00000000-0000-0000-0000-000000000000 +PagingOpSaveRestoreFrameBuffer,1090,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainAddSurface,1091,,00000000-0000-0000-0000-000000000000 
+IndirectSwapChainRemoveSurface,1092,,00000000-0000-0000-0000-000000000000 +IndirectSwapChainUnOrderedPresent,1093,,00000000-0000-0000-0000-000000000000 +DripsBlockerTracking_AddProcessEntry,1094,,00000000-0000-0000-0000-000000000000 +DripsBlockerTracking_AddActiveTime,1095,,00000000-0000-0000-0000-000000000000 +CSAccountingInProgress,1096,,00000000-0000-0000-0000-000000000000 +DripsBlockerTracking_AddD0LagTime,1097,,00000000-0000-0000-0000-000000000000 +RemoteMonitorAddMapping,1098,,00000000-0000-0000-0000-000000000000 +RemoteMonitorRemoveMapping,1099,,00000000-0000-0000-0000-000000000000 +Notification_PasskeyChangeRequired_Event,6011,,00000000-0000-0000-0000-000000000000 +Notification_MergeRequired_Event,6012,,00000000-0000-0000-0000-000000000000 +Notification_AvailableToJoin_Balloon,6013,,00000000-0000-0000-0000-000000000000 +Notification_PasskeyChangeRequired_Balloon,6014,,00000000-0000-0000-0000-000000000000 +Notification_MergeRequired_Balloon,6015,,00000000-0000-0000-0000-000000000000 +Action_LaunchCreateJoin,6017,,00000000-0000-0000-0000-000000000000 +Initialization_SharingPage,7009,,00000000-0000-0000-0000-000000000000 +VMT_VID_RESERVE_PAGES,1536,VID - reserve pages,00000000-0000-0000-0000-000000000000 +VMT_VID_RELEASE_PAGES,1537,VID - release pages,00000000-0000-0000-0000-000000000000 +VMT_VID_BALLOON_PAGES,1538,VID - balloon pages,00000000-0000-0000-0000-000000000000 +VMT_VID_UNBALLOON_PAGES,1539,VID - un balloon pages,00000000-0000-0000-0000-000000000000 +VMT_VID_HOTADD_PAGES,1540,VID - hot add,00000000-0000-0000-0000-000000000000 +VMT_VID_HOTADD_UNDO_PAGES,1541,VID - hot add undo,00000000-0000-0000-0000-000000000000 +VMT_VID_CREATE_MEMBLOCK,1542,VID - create memory block,00000000-0000-0000-0000-000000000000 +VMT_VID_ALLOCATE_PARTITION_NODE_PAGES,1543,,00000000-0000-0000-0000-000000000000 +VMT_VID_MEMORY_BLOCK_PERSIST,1544,,00000000-0000-0000-0000-000000000000 +VMT_KSR_MEMORY_BLOCK_PERSIST,1545,,00000000-0000-0000-0000-000000000000 
+VMT_VID_MEMORY_BLOCK_RESTORE,1546,,00000000-0000-0000-0000-000000000000 +VMT_VID_MEMORY_BLOCK_PHU_TEARDOWN,1547,,00000000-0000-0000-0000-000000000000 +VMT_VID_PARTITION_PERSIST,1548,,00000000-0000-0000-0000-000000000000 +VMT_VID_PARTITION_UNPERSIST,1549,,00000000-0000-0000-0000-000000000000 +VMT_VID_PARTITION_WITHDRAW_MEMORY,1550,,00000000-0000-0000-0000-000000000000 +VMT_VID_GPA_MAP,1551,,00000000-0000-0000-0000-000000000000 +VMT_VID_GPA_UNMAP,1552,,00000000-0000-0000-0000-000000000000 +VMT_VID_MDL_PAGE_FREE,1553,,00000000-0000-0000-0000-000000000000 +VMT_VID_CREATE_DAX_MEMBLOCK,1554,VID - create DAX file backed memory block,00000000-0000-0000-0000-000000000000 +VMT_VID_EPF,1555,,00000000-0000-0000-0000-000000000000 +VMT_VID_ALLOCATE_PARTITION_NODE_IOSPACE_PAGES,1556,,00000000-0000-0000-0000-000000000000 +Shell_LaunchTool_Emulation,909,,00000000-0000-0000-0000-000000000000 +Shell_LaunchTool_VisualProfiler,912,,00000000-0000-0000-0000-000000000000 +Shell_ShowTool_Dom,916,,00000000-0000-0000-0000-000000000000 +Shell_ShowTool_Emulation,918,,00000000-0000-0000-0000-000000000000 +Shell_ShowTool_Memory,920,,00000000-0000-0000-0000-000000000000 +Shell_LaunchTool_Popup,922,,00000000-0000-0000-0000-000000000000 +ImmersiveApplicationManagerForegroundBoost,7700,,00000000-0000-0000-0000-000000000000 +AppLayoutItem,1310,,00000000-0000-0000-0000-000000000000 +LayoutCache_LayoutShown,1315,,00000000-0000-0000-0000-000000000000 +SwitchToAppByIdWithArguments,1317,,00000000-0000-0000-0000-000000000000 +BackstackManager_GetBackstack,1400,,00000000-0000-0000-0000-000000000000 +BackstackManager_ClearBackstack,1404,,00000000-0000-0000-0000-000000000000 +BackstackManager_RemoveApp,1407,,00000000-0000-0000-0000-000000000000 +DropFeedback_Show,1460,,00000000-0000-0000-0000-000000000000 +DropFeedback_Hide,1461,,00000000-0000-0000-0000-000000000000 +DropFeedbackItem_Show,1462,,00000000-0000-0000-0000-000000000000 +DropFeedbackItem_Update,1463,,00000000-0000-0000-0000-000000000000 
+DragVisual_Show,1470,,00000000-0000-0000-0000-000000000000 +DragVisual_AppChange,1471,,00000000-0000-0000-0000-000000000000 +DragVisual_ModeChange,1472,,00000000-0000-0000-0000-000000000000 +DragVisual_Hide,1473,,00000000-0000-0000-0000-000000000000 +DragVisual_Destroy,1474,,00000000-0000-0000-0000-000000000000 +DragVisual_TargetChanged,1476,,00000000-0000-0000-0000-000000000000 +LauncherTip_ContextMenuHash,1477,,00000000-0000-0000-0000-000000000000 +Launcher_Uninstall_StartingThread,1625,,00000000-0000-0000-0000-000000000000 +Launcher_Uninstall_RemovePackage,1627,,00000000-0000-0000-0000-000000000000 +AppsFolder_ImmersiveApp_InstallRequest,1630,,00000000-0000-0000-0000-000000000000 +AppsFolder_LaunchImmersiveApp_Failure,1632,,00000000-0000-0000-0000-000000000000 +Tiles_MRT,1843,,00000000-0000-0000-0000-000000000000 +TileNotifications_InitializeWPNFailure,1858,,00000000-0000-0000-0000-000000000000 +TileNotifications_ImageDownloadFailed,1864,,00000000-0000-0000-0000-000000000000 +TileNotifications_PresentNotificationFailed,1865,,00000000-0000-0000-0000-000000000000 +Picker_View_ItemToggled,2106,,00000000-0000-0000-0000-000000000000 +Picker_Basket_Ready,2108,,00000000-0000-0000-0000-000000000000 +Picker_ActionButton_EnabledChanged,2110,,00000000-0000-0000-0000-000000000000 +Picker_JumpBar_MenuInvoked,2112,,00000000-0000-0000-0000-000000000000 +Picker_ActionButton_ContentChanged,2114,,00000000-0000-0000-0000-000000000000 +Picker_BusyState_Shown,2116,,00000000-0000-0000-0000-000000000000 +Picker_WaitForApplications,2118,,00000000-0000-0000-0000-000000000000 +Picker_Application_Signalled,2120,,00000000-0000-0000-0000-000000000000 +Picker_LocationLabel_Updated,2124,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_NavigateLocal_Responsive,2126,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_NavigateLocal_ViewComplete,2128,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_Launch_Open_Tile_Responsive,2130,,00000000-0000-0000-0000-000000000000 
+PerfTrack_Picker_Launch_Open_Tile_ViewComplete,2132,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_Launch_Open_Thumbnail_Responsive,2134,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_Launch_Open_Thumbnail_ViewComplete,2136,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_Launch_Save_Tile_Responsive,2138,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_Launch_Save_Tile_ViewComplete,2140,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_NavigateHG_Responsive,2146,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_NavigateHG_ViewComplete,2148,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_NavigateUNC_Responsive,2150,,00000000-0000-0000-0000-000000000000 +PerfTrack_Picker_NavigateUNC_ViewComplete,2152,,00000000-0000-0000-0000-000000000000 +Picker_AppInstanceView_HostedApplication,2160,,00000000-0000-0000-0000-000000000000 +Picker_AppInstanceView_Closing,2163,,00000000-0000-0000-0000-000000000000 +Picker_AppInstanceView_Commit,2164,,00000000-0000-0000-0000-000000000000 +Picker_AppInstanceView_StartFileUpdate,2165,,00000000-0000-0000-0000-000000000000 +Picker_AppInstanceView_ProvideSaveFile,2166,,00000000-0000-0000-0000-000000000000 +Picker_AppInstanceView_CompleteFileUpdate,2167,,00000000-0000-0000-0000-000000000000 +Picker_CachedFileUpdater_UIRequested,2169,,00000000-0000-0000-0000-000000000000 +Picker_CachedFileUpdater_FileUpdateRequested,2172,,00000000-0000-0000-0000-000000000000 +Picker_CachedFileUpdater_FileUpdateRequest,2174,,00000000-0000-0000-0000-000000000000 +Picker_FileSavePickerUI_FileNameChanged,2179,,00000000-0000-0000-0000-000000000000 +Picker_FileSavePickerUI_TargetFileRequest,2180,,00000000-0000-0000-0000-000000000000 +Picker_FileOpenPickerUI_Closing,2184,,00000000-0000-0000-0000-000000000000 +SharingManager_InitSharing,2200,,00000000-0000-0000-0000-000000000000 +SharingManager_ActivateTarget,2218,,00000000-0000-0000-0000-000000000000 
+SharingTargetCallback_DoneTransfer,2222,,00000000-0000-0000-0000-000000000000 +QuickShareTargetList_SaveQuickShareTarget,2224,,00000000-0000-0000-0000-000000000000 +SharingTargetAppList_QueryTargets,2226,,00000000-0000-0000-0000-000000000000 +QuickShareTargetList_QueryTargets,2228,,00000000-0000-0000-0000-000000000000 +Share_ShowFailure,2232,,00000000-0000-0000-0000-000000000000 +Share_LoadDUIFailure,2235,,00000000-0000-0000-0000-000000000000 +Share_ShowErrorUI,2236,,00000000-0000-0000-0000-000000000000 +Share_InitUI,2238,,00000000-0000-0000-0000-000000000000 +Share_TransitionContent,2240,,00000000-0000-0000-0000-000000000000 +Share_ViewToRunningShares,2241,,00000000-0000-0000-0000-000000000000 +Share_RunningSharesToView,2242,,00000000-0000-0000-0000-000000000000 +PerfTrack_Share_ShowFlow,2245,,00000000-0000-0000-0000-000000000000 +PerfTrack_Share_TimeToApp,2246,,00000000-0000-0000-0000-000000000000 +SharingManager_RetrieveSquare30x30Logo,2264,,00000000-0000-0000-0000-000000000000 +SharingManager_RetrieveLogoBackgroundColor,2266,,00000000-0000-0000-0000-000000000000 +SharingManager_RetrieveSourceAppName,2268,,00000000-0000-0000-0000-000000000000 +SharingManager_RetrieveAppListingUri,2270,,00000000-0000-0000-0000-000000000000 +Launcher_OnSearch,2313,,00000000-0000-0000-0000-000000000000 +Launcher_Apps_ViewChange,2315,,00000000-0000-0000-0000-000000000000 +Launcher_Apps_SwitchToAllAppsViewFromSearch,2320,,00000000-0000-0000-0000-000000000000 +Launcher_Apps_SwitchToAllAppsViewFromStart,2324,,00000000-0000-0000-0000-000000000000 +PerfTrack_DesktopToLauncherTransition,2326,,00000000-0000-0000-0000-000000000000 +Launcher_Scenario,2335,,00000000-0000-0000-0000-000000000000 +Launcher_OrientationChange,2338,,00000000-0000-0000-0000-000000000000 +Launcher_Dismiss_Explicit_ToDesktop,2341,,00000000-0000-0000-0000-000000000000 +Launcher_Dismiss_Explicit_ToImmersiveMode,2342,,00000000-0000-0000-0000-000000000000 
+Launcher_Show_FromImmersiveMode,2343,,00000000-0000-0000-0000-000000000000 +Launcher_Apps_SwitchToStartViewFromAllAppsView,2344,,00000000-0000-0000-0000-000000000000 +PerfTrack_AppSearch_ViewComplete,2361,,00000000-0000-0000-0000-000000000000 +PerfTrack_PLM_ResumeApplication,2405,,00000000-0000-0000-0000-000000000000 +PerfTrack_PLM_HungApplication_Activation,2406,,00000000-0000-0000-0000-000000000000 +PLM_ApplicationStateChange,2407,,00000000-0000-0000-0000-000000000000 +PLM_PSM_WakeCounterChange,2408,,00000000-0000-0000-0000-000000000000 +PLM_MemoryPolicy,2409,,00000000-0000-0000-0000-000000000000 +PLM_TerminateApp_API,2410,,00000000-0000-0000-0000-000000000000 +PLM_QuiesceHangReport,2420,,00000000-0000-0000-0000-000000000000 +PLM_ActivationHangReport,2421,,00000000-0000-0000-0000-000000000000 +PerfTrack_PLM_ResumeApplication_EndToEnd,2422,,00000000-0000-0000-0000-000000000000 +PLM_ExecutionReason,2423,,00000000-0000-0000-0000-000000000000 +PLM_JobError,2424,,00000000-0000-0000-0000-000000000000 +Settings_SettingsLifetime,2630,,00000000-0000-0000-0000-000000000000 +Settings_PermissionsLifetime,2633,,00000000-0000-0000-0000-000000000000 +Settings_HotkeyInvoke,2666,,00000000-0000-0000-0000-000000000000 +Settings_GetAppCommands,2670,,00000000-0000-0000-0000-000000000000 +Settings_Launch_SettingsCommand,2678,,00000000-0000-0000-0000-000000000000 +Settings_Launch_Permissions,2681,,00000000-0000-0000-0000-000000000000 +Settings_Launch_RateAndReview,2684,,00000000-0000-0000-0000-000000000000 +Settings_Flow_Broker_Show,2687,,00000000-0000-0000-0000-000000000000 +Settings_Launch_Accounts,2691,,00000000-0000-0000-0000-000000000000 +Settings_Launch_PrivacyPolicy,2693,,00000000-0000-0000-0000-000000000000 +TileUI_CrossSlide,2814,,00000000-0000-0000-0000-000000000000 +Tile_ImageLoad_WrongFormat,2823,,00000000-0000-0000-0000-000000000000 +Tile_ImageLoad_BadSize,2824,,00000000-0000-0000-0000-000000000000 +Tile_ImageLoad_BadPath,2825,,00000000-0000-0000-0000-000000000000 
+Tile_ImageLoad_BadProtocol,2827,,00000000-0000-0000-0000-000000000000 +Tile_ImageLoad_Success,2829,,00000000-0000-0000-0000-000000000000 +Tile_ImageLoad_FileName,2850,,00000000-0000-0000-0000-000000000000 +TDBN_AudioFlyout_Display,2922,,00000000-0000-0000-0000-000000000000 +AutoPlay_Broker_Device,3111,,00000000-0000-0000-0000-000000000000 +AutoPlay_Calculate_Response_Time,3113,,00000000-0000-0000-0000-000000000000 +AutoPlay_Volume_FirstConnect_ToDefaultLaunch,3151,,00000000-0000-0000-0000-000000000000 +AutoPlay_Volume_NthConnect_ToUI,3152,,00000000-0000-0000-0000-000000000000 +AutoPlay_Volume_NthConnect_ToDefaultLaunch,3153,,00000000-0000-0000-0000-000000000000 +AutoPlay_Device_FirstConnect_ToUI,3154,,00000000-0000-0000-0000-000000000000 +AutoPlay_Device_FirstConnect_ToDefaultLaunch,3155,,00000000-0000-0000-0000-000000000000 +AutoPlay_Device_NthConnect_ToUI,3156,,00000000-0000-0000-0000-000000000000 +AutoPlay_Device_NthConnect_ToDefaultLaunch,3157,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_FileLaunch_UnsupportedFileExtension,4015,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_FileLaunch_MissingFileExtension,4016,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_FileLaunch_DesktopAppsDisabled,4017,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_UnsupportedScheme,4018,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_DesktopAppsDisabled,4019,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_UnsupportedFileExtension,4020,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_MissingFileExtension,4021,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_LocalZoneBlocked,4022,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_MissingIntranetCapability,4023,,00000000-0000-0000-0000-000000000000 +AssociationLaunch_UriLaunch_UntrustedFileBlocked,4024,,00000000-0000-0000-0000-000000000000 
+ImmersiveMonitorHandleDisplayChange,4312,,00000000-0000-0000-0000-000000000000 +ImmersiveMonitorConnectObject,4316,,00000000-0000-0000-0000-000000000000 +ImmersiveMonitorReconcileMonitors,4318,,00000000-0000-0000-0000-000000000000 +ImmersiveMonitorCreatePerMonitorComponents,4325,,00000000-0000-0000-0000-000000000000 +ImmersiveMonitorDestroyPerMonitorComponents,4326,,00000000-0000-0000-0000-000000000000 +Tiles_Cache_Data_CRC_Failure,4668,,00000000-0000-0000-0000-000000000000 +Tiles_Cache_Entry_CRC_Failure,4669,,00000000-0000-0000-0000-000000000000 +Tiles_Cache_Remap_Failed,4677,,00000000-0000-0000-0000-000000000000 +PerfTrack_AppActivation_Activate,5901,,00000000-0000-0000-0000-000000000000 +AppActivation_ActivateApplicationForContract,5903,,00000000-0000-0000-0000-000000000000 +AppActivation_ActivateApplicationForContractByAppID,5905,,00000000-0000-0000-0000-000000000000 +AppActivation_ActivateExtensionForContract,5907,,00000000-0000-0000-0000-000000000000 +AppActivation_UnresponsiveApplicationCheck,5909,,00000000-0000-0000-0000-000000000000 +AppActivation_MinimumResolutionCheck,5911,,00000000-0000-0000-0000-000000000000 +AppActivation_CompositionEnabledCheck,5913,,00000000-0000-0000-0000-000000000000 +AppActivation_RPCTimeoutSet,5915,,00000000-0000-0000-0000-000000000000 +AppActivation_SplashScreenFactoried,5917,,00000000-0000-0000-0000-000000000000 +AppActivation_PackageActivationSettings,5919,,00000000-0000-0000-0000-000000000000 +AppActivation_ErrorDialogDisplayed,5921,,00000000-0000-0000-0000-000000000000 +AppActivation_ErrorDialogDismissed,5922,,00000000-0000-0000-0000-000000000000 +AppActivation_RPCTimeout,5924,,00000000-0000-0000-0000-000000000000 +AppActivation_RPCTimeout_Wait,5927,,00000000-0000-0000-0000-000000000000 +AppActivation_ActivateApplicationForComponentUIByAUMID,5929,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_Success,5950,,00000000-0000-0000-0000-000000000000 
+AppActivation_Log_NotRegistered,5951,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_MultipleExtensions,5952,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_MultiplePackages,5953,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_UACDisabled,5954,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_FullAdmin,5955,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_Elevated,5956,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_DWMDisabled,5958,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_TimedOut,5959,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_Remediation,5960,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_GenericFailure,5961,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_DisabledByPolicy,5963,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_AppManagerNotRunning,5964,,00000000-0000-0000-0000-000000000000 +AppActivation_AppSpinupStep,5965,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_RemediationBinaryInformation,5970,,00000000-0000-0000-0000-000000000000 +AppActivation_GlobalAppLog_FailedActivation,5973,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_TemporaryLicenseError,5974,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_PackageUpdating,5975,,00000000-0000-0000-0000-000000000000 +AppActivation_Log_LicenseExpired,5976,,00000000-0000-0000-0000-000000000000 +PerfTrack_ModernApp_LaunchVisibleComplete,5977,,00000000-0000-0000-0000-000000000000 +PerfTrack_ModernApp_LaunchResponsive,5978,,00000000-0000-0000-0000-000000000000 +PerfTrack_ModernApp_ResumeVisibleComplete,5979,,00000000-0000-0000-0000-000000000000 +PerfTrack_ModernApp_ResumeResponsive,5980,,00000000-0000-0000-0000-000000000000 +PerfTrack_ModernApp_ResizeVisibleComplete,5981,,00000000-0000-0000-0000-000000000000 +PerfTrack_ModernApp_ResizeResponsive,5982,,00000000-0000-0000-0000-000000000000 +AccessibilityDocking_GetAvailableSize,6200,,00000000-0000-0000-0000-000000000000 
+AccessibilityDocking_QueryWorkArea,6204,,00000000-0000-0000-0000-000000000000 +SplashScreen_ImageLoad,6252,,00000000-0000-0000-0000-000000000000 +SplashScreen_Activation,6256,,00000000-0000-0000-0000-000000000000 +AppList_PopulateElementWithExtensionTiles,6400,,00000000-0000-0000-0000-000000000000 +AppList_CreateExtensionList,6402,,00000000-0000-0000-0000-000000000000 +AppList_GetFilteredAndSortedExtensionList,6404,,00000000-0000-0000-0000-000000000000 +AppList_PinItem,6406,,00000000-0000-0000-0000-000000000000 +AppList_UnpinItem,6408,,00000000-0000-0000-0000-000000000000 +AppList_HideItem,6410,,00000000-0000-0000-0000-000000000000 +AppList_UnhideItem,6412,,00000000-0000-0000-0000-000000000000 +WPNSettings_PermissionsUI,6500,,00000000-0000-0000-0000-000000000000 +ConnectCharm_Print,6600,,00000000-0000-0000-0000-000000000000 +ConnectCharm_PrintTargetsEnum,6605,,00000000-0000-0000-0000-000000000000 +ConnectCharm_Play,6610,,00000000-0000-0000-0000-000000000000 +ConnectCharm_PlayTargetsEnum,6615,,00000000-0000-0000-0000-000000000000 +ConnectCharm_Project,6620,,00000000-0000-0000-0000-000000000000 +ConnectCharm_ProximitySendDisplayUi,6630,,00000000-0000-0000-0000-000000000000 +ConnectCharm_ProximitySendSupportCheck,6635,,00000000-0000-0000-0000-000000000000 +ConnectCharm_DisplayUI,6640,,00000000-0000-0000-0000-000000000000 +ConnectCharm_DisplayHierarchyUI,6641,,00000000-0000-0000-0000-000000000000 +ConnectCharm_PrintSourceEvaluate,6643,,00000000-0000-0000-0000-000000000000 +ConnectCharm_PlaytoSourceEvaluate,6646,,00000000-0000-0000-0000-000000000000 +ConnectCharm_DisplayUI_EndToEnd,6649,,00000000-0000-0000-0000-000000000000 +DevicesCharm_PrintTaskRequestTimedOut,6690,,00000000-0000-0000-0000-000000000000 +DevicesCharm_PlaySourceRequestTimedOut,6691,,00000000-0000-0000-0000-000000000000 +SecondaryTile_FlyoutDisplayed,6714,,00000000-0000-0000-0000-000000000000 +SecondaryTile_FlyoutReadyToDisplay,6716,,00000000-0000-0000-0000-000000000000 
+SecondaryTile_FlyoutPreviewResult,6718,,00000000-0000-0000-0000-000000000000 +ImmersiveOpenWithUI_CreateAndShow,6720,,00000000-0000-0000-0000-000000000000 +ImmersiveOpenWithUI_Mode,6722,,00000000-0000-0000-0000-000000000000 +ImmersiveOpenWithUI_InvokeApp,6723,,00000000-0000-0000-0000-000000000000 +LockScreen_AddInvoked,6820,,00000000-0000-0000-0000-000000000000 +LockScreen_AddOperation,6821,,00000000-0000-0000-0000-000000000000 +LockScreen_AddDialogDisplayed,6822,,00000000-0000-0000-0000-000000000000 +LockScreen_AddContentionFlyoutDisplayed,6823,,00000000-0000-0000-0000-000000000000 +LockScreen_AddReturnedCachedValue,6824,,00000000-0000-0000-0000-000000000000 +SecondaryTile_FlyoutShowing,6840,,00000000-0000-0000-0000-000000000000 +SecondaryTile_FlyoutFlipViewButtonPress,6844,,00000000-0000-0000-0000-000000000000 +SecondaryTileQuota_CheckQuotaUsage,6850,,00000000-0000-0000-0000-000000000000 +SecondaryTileQuota_EnforceQuota,6852,,00000000-0000-0000-0000-000000000000 +SecondaryTileQuota_CleanupOrphanFiles,6855,,00000000-0000-0000-0000-000000000000 +LockscreenApplications_LoadPopup,7130,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_SafeSearch,7150,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_LocationAwareness,7151,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_UseConnectedSearch,7152,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_DeleteOnlineHistory,7153,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_DeleteLocalHistory,7154,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_MeteredConnection,7155,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Settings_ShareHistory,7156,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_BadSignature,7157,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_BadCertificate,7158,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ResourceMissing,7159,,00000000-0000-0000-0000-000000000000 
+ConnectedSearch_DeletingInvalidTemplate,7160,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LoadTemplate,7161,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_BlockingTemplateDownload,7162,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogPerfTemplateRequest,7163,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogPerfImagesLoading,7164,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogPrefetchImagesComplete,7165,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogPerfColdStart,7166,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_SetTracingData,7167,,00000000-0000-0000-0000-000000000000 +Perftrack_ConnectedSearch_PageLoadWithImages,7169,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_SetScope,7170,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ServiceLoad,7200,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogWebClick,7204,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogWebClickBG,7205,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogLocalClick,7206,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogLocalClickBG,7207,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogClickPayload,7208,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_UploadEventEnqueued,7209,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_UploadEventDequeued,7210,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_InstrumentationUpload,7211,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ConnectionEstablished,7212,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_SentUploadRequest,7213,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Authentication,7214,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AuthenticationSuccess,7215,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AuthenticationFailure,7216,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AuthenticationGettingTokenFailure,7218,,00000000-0000-0000-0000-000000000000 
+ConnectedSearch_HTTPRequestFailure,7219,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogScroll,7220,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogScrollBG,7221,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogScrollPayload,7222,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogWebLayout,7223,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogWebLayoutBG,7224,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogLocalLayout,7225,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogLocalLayoutBG,7226,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogLayoutPayload,7227,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppVisibility,7228,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppVisibilityBG,7229,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppResize,7230,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppResizeBG,7231,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppResizePayload,7232,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppVisibilityPayload,7233,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_Unauthentication,7234,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_UnauthenticationFailure,7236,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_UnauthenticationSuccessAllCookiesCleared,7237,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_DirectQueryInst,7238,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogSuggestion,7239,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogSuggestionBG,7240,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogParsingErrorBG,7241,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogHttpError,7242,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogHttpErrorBG,7243,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogHttpErrorPayload,7244,,00000000-0000-0000-0000-000000000000 
+ConnectedSearch_RetryTimerScheduled,7245,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_RetryTimerCallback,7246,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ErrorInstDroppedRetry,7247,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ErrorInstDroppedOverflow,7248,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AttributionVisibility,7249,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AttributionVisibilityBG,7250,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AppBarClick,7251,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_AppBarClickBG,7252,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LocalSuggestionPayload,7253,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_PerfPayload,7254,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogDetailArrowVisibilityPayload,7255,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAttributionVisibilityPayload,7256,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAppBarClickPayload,7257,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_DetailsViewVisibility,7258,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_DetailsViewVisibilityBG,7259,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_UploadPerfPing,7260,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_UploadPerfPingBG,7261,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogRequestStart,7262,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogResponseReceived,7263,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogRequestSent,7264,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogRenderComplete,7265,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogImagesComplete,7266,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogPerfAbandoned,7267,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_TemplateWrittenToDisk,7268,,00000000-0000-0000-0000-000000000000 
+ConnectedSearch_LogTemplateFallbackPayload,7269,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateFallbackBG,7270,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateErrorBG,7271,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateRequestInfoPayload,7272,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_DetailArrowClickBG,7282,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAttributionClick,7283,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAttributionClickBG,7284,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogDetailArrowClickPayload,7285,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogAttributionClickPayload,7286,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_TemplateDownloadEvent,7287,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_DetailArrowClick,7288,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogParsingErrorEvent,7289,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_SetActiveImpression,7290,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateError,7291,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateFallback,7292,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ImageDownloaderPreFetchTask,7293,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ImageDownloaderDeferredPreFetchTask,7294,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_ImageDownloaderDownloadUrl,7295,,00000000-0000-0000-0000-000000000000 +Perftrack_ConnectedSearch_ImageDownload,7296,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_DomainRedirection,7297,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateRequestInfo,7298,,00000000-0000-0000-0000-000000000000 +ConnectedSearch_LogTemplateRequestInfoBG,7299,,00000000-0000-0000-0000-000000000000 +WallpaperBackground_SceneInitialization,7380,,00000000-0000-0000-0000-000000000000 +AppointmentActions_ExecuteAction,8024,,00000000-0000-0000-0000-000000000000 
+AppointmentActions_ReplaceAppointment,8026,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Invoke_MusicSuggestion,8204,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Mark_Interactive,8206,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Show_MTC_UI,8208,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Proffer_Data_Source_Service,8210,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Revoke_Data_Source_Service,8212,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Activate_App,8214,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Playback_Session_Changed,8217,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Playback_Started,8219,,00000000-0000-0000-0000-000000000000 +BackStackMusicPlay_Mark_NonInteractive,8221,,00000000-0000-0000-0000-000000000000 +TWinUICreateInstance_SxS,9950,,00000000-0000-0000-0000-000000000000 +DllGetClassObject_SxS,9951,,00000000-0000-0000-0000-000000000000 +Accounts_LoadAppWidgets,11201,,00000000-0000-0000-0000-000000000000 +Accounts_Launch_ProviderCommand,11204,,00000000-0000-0000-0000-000000000000 +Accounts_Launch_AccountCommand,11206,,00000000-0000-0000-0000-000000000000 +Accounts_Launch_CredentialCommand,11208,,00000000-0000-0000-0000-000000000000 +Accounts_Launch_Command,11210,,00000000-0000-0000-0000-000000000000 +Accounts_GetProviderCommands,11212,,00000000-0000-0000-0000-000000000000 +Accounts_GetAccountCommands,11213,,00000000-0000-0000-0000-000000000000 +Accounts_GetCredentialCommands,11214,,00000000-0000-0000-0000-000000000000 +Accounts_GetCommands,11215,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_StartCall,11301,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_EndCall,11303,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_AppLaunched,11305,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_VisualsChanged,11306,,00000000-0000-0000-0000-000000000000 
+LockScreenCallBroker_CallTitleChanged,11307,,00000000-0000-0000-0000-000000000000 +CoreApplicationPsmDoStateChange,2041,,00000000-0000-0000-0000-000000000000 +CoreApplicationQuiescePsmBlockUnblockASTA,2042,,00000000-0000-0000-0000-000000000000 +CoreApplicationQuiesceWaitForAppResume,2044,,00000000-0000-0000-0000-000000000000 +CoreApplicationViewInitializationProcessAndThread,2045,,00000000-0000-0000-0000-000000000000 +CoreApplicationSuspendingDeferral,2046,,00000000-0000-0000-0000-000000000000 +CoreApplicationEnteredBackground,2047,,00000000-0000-0000-0000-000000000000 +CoreApplicationLeavingBackground,2048,,00000000-0000-0000-0000-000000000000 +CoreApplicationEnteredBackgroundDispatch,2049,,00000000-0000-0000-0000-000000000000 +CoreApplicationLeavingBackgroundDispatch,2050,,00000000-0000-0000-0000-000000000000 +CoreApplicationInvalidEventInProgress,2051,,00000000-0000-0000-0000-000000000000 +ImmersiveSettingsPane_QueryCommands,2107,,00000000-0000-0000-0000-000000000000 +ImmersiveSettingsPane_CommandsRequestedEventHandler,2113,,00000000-0000-0000-0000-000000000000 +SearchPane_API_GetForCurrentView,6000,,00000000-0000-0000-0000-000000000000 +CommitVidPn,600,,00000000-0000-0000-0000-000000000000 +GenericDeviceAction,819,,00000000-0000-0000-0000-000000000000 +AssignResources,850,,00000000-0000-0000-0000-000000000000 +Rebalance,852,,00000000-0000-0000-0000-000000000000 +SwDevice_LifetimeChange,1130,,00000000-0000-0000-0000-000000000000 +SwDevice_RegisterInterface,1140,,00000000-0000-0000-0000-000000000000 +SwDevice_SetInterfaceState,1143,,00000000-0000-0000-0000-000000000000 +SwDevice_SetDeviceProperty,1150,,00000000-0000-0000-0000-000000000000 +SwDevice_SetInterfaceProperty,1160,,00000000-0000-0000-0000-000000000000 +SwDevice_IrpClose,1170,,00000000-0000-0000-0000-000000000000 +SwDevice_KernelClose,1172,,00000000-0000-0000-0000-000000000000 +SwDevice_CloseDescendants,1174,,00000000-0000-0000-0000-000000000000 
+SwDevice_CloseDevice,1175,,00000000-0000-0000-0000-000000000000 +SwDevice_ProcessRemove,1176,,00000000-0000-0000-0000-000000000000 +SwDevice_ProcessParentRemove,1177,,00000000-0000-0000-0000-000000000000 +SwDevice_GetChildPdo,1190,,00000000-0000-0000-0000-000000000000 +ConsentUI_GetUserDesktopSnapshot,15001,,00000000-0000-0000-0000-000000000000 +ConsentUI_WindowThread,15002,,00000000-0000-0000-0000-000000000000 +ConsentUI_SwitchDesktop,15003,,00000000-0000-0000-0000-000000000000 +ConsentUI_ReturnUserDesktop,15004,,00000000-0000-0000-0000-000000000000 +ConsentUI_CheckActiveDesktop,15005,,00000000-0000-0000-0000-000000000000 +ConsentUI_Experience,15006,,00000000-0000-0000-0000-000000000000 +ConsentUI_LEASVC,15007,,00000000-0000-0000-0000-000000000000 +ConsentUI_AMScan,15008,,00000000-0000-0000-0000-000000000000 +AppInfo_PerfTrack_ElevationPath,16000,,00000000-0000-0000-0000-000000000000 +Route-Serialize,5023,,00000000-0000-0000-0000-000000000000 +Route-Deserialize,5024,,00000000-0000-0000-0000-000000000000 +JupiterMapOverlay,11104,,00000000-0000-0000-0000-000000000000 +NoOutstandingMapControls,11105,,00000000-0000-0000-0000-000000000000 +Map-Authentication,13001,,00000000-0000-0000-0000-000000000000 +Map-Finder,14001,,00000000-0000-0000-0000-000000000000 +AVTransport,610,AVTransport,00000000-0000-0000-0000-000000000000 +MDEServer_Lifetime,620,Media Delivery Engine - lifetime,00000000-0000-0000-0000-000000000000 +MDEServer_GetSourceMetadata,622,Media Delivery Engine - get the source metadata,00000000-0000-0000-0000-000000000000 +Network_Client_Play,360,Network Client Play,00000000-0000-0000-0000-000000000000 +Network_Source_Disconnect,372,Network Source Disconnect,00000000-0000-0000-0000-000000000000 +Network_Source_Begin_Reconnect,373,Network Source Begin Reconnect,00000000-0000-0000-0000-000000000000 +Network_Source_End_Reconnect,374,Network Source End Reconnect,00000000-0000-0000-0000-000000000000 +Network_Source_Announce,375,Network Source 
Announce,00000000-0000-0000-0000-000000000000 +Network_Source_EOS,376,Network Source EOS,00000000-0000-0000-0000-000000000000 +Network_Source_Stream_Switch,377,Network Source Stream Switch,00000000-0000-0000-0000-000000000000 +Network_Source_Buffering_Stop,379,Network Source Buffering Stop,00000000-0000-0000-0000-000000000000 +WMPPlayback_Error_Queue,549,WMPPlayback Error Queue,00000000-0000-0000-0000-000000000000 +PEAuth_Comm_Acquire_Session_Key,550,PEAuth Comm Acquire Session Key,00000000-0000-0000-0000-000000000000 +Capture_Source_Ready_Queue_Empty,572,Capture Source Ready Queue Empty,00000000-0000-0000-0000-000000000000 +MediaProc_Dynamic_Transform_Insertion,587,MediaProc: Dynamic Transform Insertion,00000000-0000-0000-0000-000000000000 +Mem2DAlloc_Create,589,2D: Create,00000000-0000-0000-0000-000000000000 +Mem2DAlloc_Buffer,590,2D: Allocate buffer,00000000-0000-0000-0000-000000000000 +Mem2DAlloc_Copy,591,2D: Copy,00000000-0000-0000-0000-000000000000 +Property_Handler_ThumbnailGeneration,592,Property Handler Thumbnail Generation,00000000-0000-0000-0000-000000000000 +Property_Handler_ThumbnailGeneration_BestFrame,593,Property Handler Thumbnail Generation Best Frame,00000000-0000-0000-0000-000000000000 +MFMediaSource_Sample_Received_Task,594,MFMediaSource sample received,00000000-0000-0000-0000-000000000000 +Audio_Low_Latency,596,Audio Low Latency,00000000-0000-0000-0000-000000000000 +DXGI_Map,597,DXGI Map Surface,00000000-0000-0000-0000-000000000000 +CopyImage,598,MFCopyImage,00000000-0000-0000-0000-000000000000 +MediaProc_SinkTriggered_Format_Change,599,MediaProc: Sink-triggered format change,00000000-0000-0000-0000-000000000000 +DXGIBuffer,612,DXGIBuffer,00000000-0000-0000-0000-000000000000 +Attributes_CopyAllItems,614,Attributes_CopyAllItems,00000000-0000-0000-0000-000000000000 +QM_AdviseClientsOnBranch,651,QM_AdviseClientsOnBranch,00000000-0000-0000-0000-000000000000 +IMFPMPHost_CreateObjectByCLSID,1115,Media Foundation 
IMFPMPHost_CreateObjectByCLSID,00000000-0000-0000-0000-000000000000 +IMFOutputPolicy_GenerateRequiredSchemas,1116,Media Foundation IMFOutputPolicy_GenerateRequiredSchemas,00000000-0000-0000-0000-000000000000 +RequiredSchema,1117,Media Foundation RequiredSchema,00000000-0000-0000-0000-000000000000 +PolicyEvent,1118,Media Foundation PolicyEvent,00000000-0000-0000-0000-000000000000 +IMFPMPHostApp_ActivateClassById,1119,Media Foundation IMFPMPHostApp_ActivateClassById,00000000-0000-0000-0000-000000000000 +OPMFail,1151,Media Foundation OPMFail,00000000-0000-0000-0000-000000000000 +AsyncWrapperMFTProcessInput,1125,Media Foundation Async Wrapper Process Input (MFT),00000000-0000-0000-0000-000000000000 +AsyncWrapperMFTProcessOutput,1126,Media Foundation Async Wrapper Process Output (MFT),00000000-0000-0000-0000-000000000000 +AsyncWrapperHaveOutput,1127,Media Foundation Async Wrapper Have Output,00000000-0000-0000-0000-000000000000 +AsyncWrapperProcessOutput,1128,Media Foundation Async Wrapper Process Output,00000000-0000-0000-0000-000000000000 +MF_Devproxy-MFT-ProcessMessage-Task,1129,MF Devproxy MFT ProcessMessage Task,00000000-0000-0000-0000-000000000000 +MF-Devproxy-sample-TimeStamp-Task,1131,MF Devproxy sample_TimeStamp Task,00000000-0000-0000-0000-000000000000 +AsyncWrapperMFTRunning,1132,Media Foundation Async Wrapper Running,00000000-0000-0000-0000-000000000000 +AsyncWrapperSetWorkQueue,1133,Media Foundation Async Wrapper SetWorkQueue,00000000-0000-0000-0000-000000000000 +AsyncWrapper,1134,Media Foundation Async Wrapper,00000000-0000-0000-0000-000000000000 +AsyncWrapperDeadline,1135,Media Foundation Async Wrapper Deadline,00000000-0000-0000-0000-000000000000 +AsyncWrapperMFTLoopActive,1136,Media Foundation Async Wrapper Loop Running,00000000-0000-0000-0000-000000000000 +AsyncWrapperCompactedOutput,1137,Media Foundation Async Wrapper Compacted output,00000000-0000-0000-0000-000000000000 +Multisample_Expand,1138,Multisample Expand,00000000-0000-0000-0000-000000000000 
+Multisample_Compact,1139,Multisample Compact,00000000-0000-0000-0000-000000000000 +SyncMFTNodeProcessInput,1141,Media Foundation Sync Process Input (MFT),00000000-0000-0000-0000-000000000000 +SyncMFTNodeProcessOutput,1142,Media Foundation Sync Process Output (MFT),00000000-0000-0000-0000-000000000000 +AsyncMFTNodeProcessOutput,1144,Media Foundation Async Process Output (MFT),00000000-0000-0000-0000-000000000000 +MFTInfoSetWorkQueue,1145,Media Foundation Node Info SetWorkQueue,00000000-0000-0000-0000-000000000000 +SrcPrefetch_FillBuffer,1210,SrcPrefetch Fill Buffer,00000000-0000-0000-0000-000000000000 +SrcStreamEOSState,1211,SrcStreamEOSState,00000000-0000-0000-0000-000000000000 +SrcStreamNeedMoreSamples,1212,SrcStreamNeedMoreSamples,00000000-0000-0000-0000-000000000000 +SrcPrefetch_Timeout,1213,SrcPrefetch Timeout,00000000-0000-0000-0000-000000000000 +SrcStreamRequestSample,1214,SrcStreamRequestSample Timeout,00000000-0000-0000-0000-000000000000 +MP4_CreateQTMovie,1220,MP CreateQTMovie,00000000-0000-0000-0000-000000000000 +MP4_SampleQueue,1221,MP SampleQueue,00000000-0000-0000-0000-000000000000 +MP4_CompactAudioSample,1222,MP CompactAudioSample,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_SyncFolderSyncTime,60105,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_SyncFolderHandlerNotifyStop,60107,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_SyncFolderHandlerNotifyStart,60109,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_HandlerLoad,60111,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_HandlerCollectionEnumeration,60113,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_ViewCBRegistration,60115,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_HandlerCacheEnum,60117,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_HandlerCacheCreate,60119,,00000000-0000-0000-0000-000000000000 +SyncMgrTraceId_FolderItemCacheLoad,60121,,00000000-0000-0000-0000-000000000000 
+SyncMgrTraceId_SyncFolderRemoveEvents,60123,,00000000-0000-0000-0000-000000000000 +NcaSvc_PerfTrack_InternetConnected_ResolveName,10003,,00000000-0000-0000-0000-000000000000 +NcaSvc_PerfTrack_InternetConnected_DAConnected,10005,,00000000-0000-0000-0000-000000000000 +NcaSvc_PerfTrack_SmartcardRequired_SmartcardEntered,10007,,00000000-0000-0000-0000-000000000000 +NcaSvc_PerfTrack_SmartcardEntered_DAConnected,10009,,00000000-0000-0000-0000-000000000000 +NcaSvc_PerfTrack_InternetConnected_DTESucceeded,10013,,00000000-0000-0000-0000-000000000000 +Inplace_Sharing,1300,,00000000-0000-0000-0000-000000000000 +Perftrack-RoamOnResume,24000,Connect to same network on resume,00000000-0000-0000-0000-000000000000 +Perftrack-ReconnectOnResume,24001,Connect to network on resume after intervening disconnect,00000000-0000-0000-0000-000000000000 +EnterLowPowerState,24002,EnterLowPowerState,00000000-0000-0000-0000-000000000000 +LeaveLowPowerState,24003,LeaveLowPowerState,00000000-0000-0000-0000-000000000000 +Perftrack-IMSoftAPStart,24004,Starting device network at IM driver,00000000-0000-0000-0000-000000000000 +Perftrack-IMSoftAPStop,24005,Stopping device network at IM driver,00000000-0000-0000-0000-000000000000 +Animation,6041,,00000000-0000-0000-0000-000000000000 +Navigation,6042,,00000000-0000-0000-0000-000000000000 +WebPlatformCreate,6043,,00000000-0000-0000-0000-000000000000 +IntroAnimationRequest,6044,,00000000-0000-0000-0000-000000000000 +ShowAnimationRequest,6045,,00000000-0000-0000-0000-000000000000 +OOBE_DisplayUI,6100,,00000000-0000-0000-0000-000000000000 +WebWizardHost_FinalNext,6113,,00000000-0000-0000-0000-000000000000 +SettingWizardPage_UpdatesOptionSelected,6114,,00000000-0000-0000-0000-000000000000 +SettingWizardPage_BooleanSettingOptionSelected,6115,,00000000-0000-0000-0000-000000000000 +WirelessWizardPage_SectionReady,6116,,00000000-0000-0000-0000-000000000000 +WizardPage_OnPageShown,6117,,00000000-0000-0000-0000-000000000000 
+WizardPage_OnBack,6118,,00000000-0000-0000-0000-000000000000 +WizardPage_OnSkip,6119,,00000000-0000-0000-0000-000000000000 +EULAWizardPage_LoadEulas,6120,,00000000-0000-0000-0000-000000000000 +RtfReader_LoadFile,6121,,00000000-0000-0000-0000-000000000000 +RtfReader_ChangeColor,6122,,00000000-0000-0000-0000-000000000000 +TimezoneModule_PopulateTimezones,6123,,00000000-0000-0000-0000-000000000000 +RegionModule_Activate,6124,,00000000-0000-0000-0000-000000000000 +RtfReader_SetFontSize,6125,,00000000-0000-0000-0000-000000000000 +EULAWizardPage_OEMEulaShown,6126,,00000000-0000-0000-0000-000000000000 +WorkQueue_Thread,588,WorkQueue: Thread,00000000-0000-0000-0000-000000000000 +MMCSS_Registration,595,MMCSS Registration,00000000-0000-0000-0000-000000000000 +UpdateWorkqueueCpuGroupMask,616,UpdateWorkqueueCpuGroupMask,00000000-0000-0000-0000-000000000000 +SetThreadCpuGroupMask,618,SetThreadCpuGroupMask,00000000-0000-0000-0000-000000000000 +Platform_Shutdown,624,Platform: Shutdown,00000000-0000-0000-0000-000000000000 +WorkQueue_RunLimit,626,WorkQueue: RunLimit,00000000-0000-0000-0000-000000000000 +WorkQueue_GetMMCSSFailure,628,WorkQueue: GetMMCSSFailure,00000000-0000-0000-0000-000000000000 +AcquireCredentialHandle,4096,,00000000-0000-0000-0000-000000000000 +AcceptSecurityContext,8192,,00000000-0000-0000-0000-000000000000 +MemoryAllocation,12288,,00000000-0000-0000-0000-000000000000 +CAPI2Calls,16384,,00000000-0000-0000-0000-000000000000 +PKCrypto,20480,,00000000-0000-0000-0000-000000000000 +FreeCredentialHandle,24576,,00000000-0000-0000-0000-000000000000 +DeleteSecurityContext,28672,,00000000-0000-0000-0000-000000000000 +SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION,12289,Security System Extension,00000000-0000-0000-0000-000000000000 +SE_ADT_SYSTEM_INTEGRITY,12290,System Integrity,00000000-0000-0000-0000-000000000000 +SE_ADT_SYSTEM_IPSECDRIVEREVENTS,12291,IPsec Driver,00000000-0000-0000-0000-000000000000 +SE_ADT_SYSTEM_OTHERS,12292,Other System 
Events,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_LOGON,12544,Logon,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_LOGOFF,12545,Logoff,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_ACCOUNTLOCKOUT,12546,Account Lockout,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_IPSECMAINMODE,12547,IPsec Main Mode,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_SPECIALLOGON,12548,Special Logon,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_IPSECQUICKMODE,12549,IPsec Quick Mode,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_IPSECUSERMODE,12550,IPsec Extended Mode,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_OTHERS,12551,Other Logon/Logoff Events,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_NPS,12552,Network Policy Server,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_CLAIMS,12553,User / Device Claims,00000000-0000-0000-0000-000000000000 +SE_ADT_LOGON_GROUPS,12554,Group Membership,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_FILESYSTEM,12800,File System,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_REGISTRY,12801,Registry,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_KERNEL,12802,Kernel Object,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_SAM,12803,SAM,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_OTHER,12804,Other Object Access Events,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY,12805,Certification Services,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_APPLICATIONGENERATED,12806,Application Generated,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_HANDLE,12807,Handle Manipulation,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_SHARE,12808,File Share,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS,12809,Filtering Platform Packet Drop,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_FIREWALLCONNECTION,12810,Filtering Platform 
Connection,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_DETAILEDFILESHARE,12811,Detailed File Share,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_REMOVABLESTORAGE,12812,Removable Storage,00000000-0000-0000-0000-000000000000 +SE_ADT_OBJECTACCESS_CBACSTAGING,12813,Central Access Policy Staging,00000000-0000-0000-0000-000000000000 +SE_ADT_PRIVILEGEUSE_SENSITIVE,13056,Sensitive Privilege Use,00000000-0000-0000-0000-000000000000 +SE_ADT_PRIVILEGEUSE_NONSENSITIVE,13057,Non Sensitive Privilege Use,00000000-0000-0000-0000-000000000000 +SE_ADT_PRIVILEGEUSE_OTHERS,13058,Other Privilege Use Events,00000000-0000-0000-0000-000000000000 +SE_ADT_DETAILEDTRACKING_PROCESSCREATION,13312,Process Creation,00000000-0000-0000-0000-000000000000 +SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION,13313,Process Termination,00000000-0000-0000-0000-000000000000 +SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY,13314,DPAPI Activity,00000000-0000-0000-0000-000000000000 +SE_ADT_DETAILEDTRACKING_RPCCALL,13315,RPC Events,00000000-0000-0000-0000-000000000000 +SE_ADT_DETAILEDTRACKING_PNPACTIVITY,13316,Plug and Play Events,00000000-0000-0000-0000-000000000000 +SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ,13317,Token Right Adjusted Events,00000000-0000-0000-0000-000000000000 +SE_ADT_POLICYCHANGE_AUDITPOLICY,13568,Audit Policy Change,00000000-0000-0000-0000-000000000000 +SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY,13569,Authentication Policy Change,00000000-0000-0000-0000-000000000000 +SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY,13570,Authorization Policy Change,00000000-0000-0000-0000-000000000000 +SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY,13571,MPSSVC Rule-Level Policy Change,00000000-0000-0000-0000-000000000000 +SE_ADT_POLICYCHANGE_WFPIPSECPOLICY,13572,Filtering Platform Policy Change,00000000-0000-0000-0000-000000000000 +SE_ADT_POLICYCHANGE_OTHERS,13573,Other Policy Change Events,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT,13824,User Account 
Management,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT,13825,Computer Account Management,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP,13826,Security Group Management,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP,13827,Distribution Group Management,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP,13828,Application Group Management,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTMANAGEMENT_OTHERS,13829,Other Account Management Events,00000000-0000-0000-0000-000000000000 +SE_ADT_DSACCESS_DSACCESS,14080,Directory Service Access,00000000-0000-0000-0000-000000000000 +SE_ADT_DSACCESS_DSCHANGES,14081,Directory Service Changes,00000000-0000-0000-0000-000000000000 +SE_ADT_DS_REPLICATION,14082,Directory Service Replication,00000000-0000-0000-0000-000000000000 +SE_ADT_DS_DETAILED_REPLICATION,14083,Detailed Directory Service Replication,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION,14336,Credential Validation,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTLOGON_KERBEROS,14337,Kerberos Service Ticket Operations,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTLOGON_OTHERS,14338,Other Account Logon Events,00000000-0000-0000-0000-000000000000 +SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION,14339,Kerberos Authentication Service,00000000-0000-0000-0000-000000000000 +SE_ADT_UNKNOWN_SUBCATEGORY,65280,Subcategory could not be determined,00000000-0000-0000-0000-000000000000 +SensPerf_Task_SensorAPI_GetProperty,1303,Sensor API call to get a sensor property value,00000000-0000-0000-0000-000000000000 +SensPerf_Task_SensorAPI_GetProperties,1304,Sensor API call to get sensor property values,00000000-0000-0000-0000-000000000000 +SensPerf_Task_SensorAPI_SetProperties,1305,Sensor API call to set sensor property values,00000000-0000-0000-0000-000000000000 +SensPerf_Task_SensorAPI_Fire_OnStateChanged,1306,Sensor API call to 
fire ISensorEvents::OnStateChanged event,00000000-0000-0000-0000-000000000000 +SensPerf_Task_ScreenAutoRotation_DCON,10002,PerfTrack measurement of auto-rotation,00000000-0000-0000-0000-000000000000 +Common_AddCredProvider,15009,,00000000-0000-0000-0000-000000000000 +Common_CreateCredProviderThread,15010,,00000000-0000-0000-0000-000000000000 +Common_CredProviderThreadProc,15011,,00000000-0000-0000-0000-000000000000 +Common_CredProviderThreadDestroy,15012,,00000000-0000-0000-0000-000000000000 +Common_SetUsageScenario,15013,,00000000-0000-0000-0000-000000000000 +Common_SetSerialization,15014,,00000000-0000-0000-0000-000000000000 +Common_GetCredentialAt,15015,,00000000-0000-0000-0000-000000000000 +Common_GetCredentialCount,15016,,00000000-0000-0000-0000-000000000000 +Common_GetFieldDescriptorCount,15017,,00000000-0000-0000-0000-000000000000 +Common_Credential_GetUserSid,15018,,00000000-0000-0000-0000-000000000000 +Common_SetSelected,15019,,00000000-0000-0000-0000-000000000000 +Common_SetDeSelected,15020,,00000000-0000-0000-0000-000000000000 +Common_GetSerialization,15021,,00000000-0000-0000-0000-000000000000 +Common_ReportResult,15022,,00000000-0000-0000-0000-000000000000 +Common_RegisterEnumeration,15023,,00000000-0000-0000-0000-000000000000 +Common_CreateEnumerationSyncReply,15024,,00000000-0000-0000-0000-000000000000 +Common_StartCredProvsForUsageScenario,15025,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_Abort,25001,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_DisplayLocked,25002,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_DisplayMessage,25003,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_DisplayRequestCredentialsError,25004,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_DisplaySecurityOptions,25005,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_DisplayStatus,25006,,00000000-0000-0000-0000-000000000000 
+Logon_ServerCallback_DisplayWelcome,25007,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_ReportResult,25008,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_RequestCredentials,25009,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_Shutdown,25010,,00000000-0000-0000-0000-000000000000 +Logon_ServerCallback_PromptForCredentials,25011,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnSwitchUser,25012,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnOtherTiles,25013,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnGetEnumeratedTilesReply,25014,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnEnumerationSyncReply,25015,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnSelectCredentialReply,25016,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_SetBackgroundGraphics,25017,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_InitializeFrame,25018,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_CreateStyleParser,25019,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_CreateFrameElement,25020,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_InitializeUserLists,25021,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_BrandingLoadImage,25022,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_InitializeSoftKeyboard,25024,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_WTSRegisterSessionNotification,25025,,00000000-0000-0000-0000-000000000000 +Logon_AutoLogon_IsSingleUserNoPassword,25026,,00000000-0000-0000-0000-000000000000 +Logon_AutoLogon_IsLocalNoPasswordUser,25027,,00000000-0000-0000-0000-000000000000 +Logon_ServerStartup,25028,,00000000-0000-0000-0000-000000000000 +Logon_LaunchToReadyForInput,25029,,00000000-0000-0000-0000-000000000000 +Logon_CredentialsToExit,25030,,00000000-0000-0000-0000-000000000000 +Logon_RequestCredentialsToReadyForCredentials,25031,,00000000-0000-0000-0000-000000000000 
+Logon_LaunchToAnimationComplete,25032,,00000000-0000-0000-0000-000000000000 +Logon_RequestCredentialsToCancelAfterEnumerate,25033,,00000000-0000-0000-0000-000000000000 +Logon_LaunchToCancelAfterResume,25034,,00000000-0000-0000-0000-000000000000 +LogonUI_SubmitCredentialToExit,25038,,00000000-0000-0000-0000-000000000000 +LogonUI_PerfTrack_UserSwitching,25039,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnGetSerializationReply,25040,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_OnProviderCredentialsChanged,25041,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_DisplayStatusMessage,25042,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_LogonDialogCallback,25043,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_DisplayLogonDialog,25044,,00000000-0000-0000-0000-000000000000 +Logon_Background_GetBackgroundForUser,25045,,00000000-0000-0000-0000-000000000000 +Logon_Background_ShowUserBackground,25046,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_LoadBackgroundImage,25082,,00000000-0000-0000-0000-000000000000 +Logon_AutoLogon_QueryAutoLogon_Info,25083,,00000000-0000-0000-0000-000000000000 +Logon_AutoLogon_IgnoreAutoLogonMode_Info,25084,,00000000-0000-0000-0000-000000000000 +Logon_BSDR_Initialize,25086,,00000000-0000-0000-0000-000000000000 +Logon_BSDR_Shown,25089,,00000000-0000-0000-0000-000000000000 +Logon_BSDR_AddApplication,25090,,00000000-0000-0000-0000-000000000000 +Logon_BSDR_RemoveApplication,25092,,00000000-0000-0000-0000-000000000000 +LogonUI_PerfTrack_Lock,25093,,00000000-0000-0000-0000-000000000000 +Logon_LanguageProfile_SwitchInputMethods,25094,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_CancelFirstRunTasks,25095,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_TriggerFirstRunTasks,25096,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_WaitForFirstRunTasks,25097,,00000000-0000-0000-0000-000000000000 +Logon_BackButtonNotificationFlyout,25098,,00000000-0000-0000-0000-000000000000 
+Logon_AccessPage_Unlock,25108,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_Lock,25110,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_Camera_ControlCreation,25111,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_Camera_ViewfinderInitialization,25112,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_Camera_ActiveDuration,25113,,00000000-0000-0000-0000-000000000000 +Logon_AccessPage_Camera_ShutdownDuration,25114,,00000000-0000-0000-0000-000000000000 +CredUI_Prompt_Called,35001,,00000000-0000-0000-0000-000000000000 +CredUI_Dialog_Created,35002,,00000000-0000-0000-0000-000000000000 +CredUI_UserList_TileEnumeration,35003,,00000000-0000-0000-0000-000000000000 +CredUI_Dialog_Destroyed,35004,,00000000-0000-0000-0000-000000000000 +CredUI_Dialog_DUIInitialize,35005,,00000000-0000-0000-0000-000000000000 +CredUI_Dialog_LoadStyleSheet,35006,,00000000-0000-0000-0000-000000000000 +CredUI_ModernDialog_Created,35007,,00000000-0000-0000-0000-000000000000 +CredUI_ModernDialog_DUIInitialize,35008,,00000000-0000-0000-0000-000000000000 +CredUI_ModernDialog_LoadStyleSheet,35009,,00000000-0000-0000-0000-000000000000 +CredUI_EnumerationSync,35010,,00000000-0000-0000-0000-000000000000 +Shutdown_ShutdownChoices_UserHasShutdownRights,45001,,00000000-0000-0000-0000-000000000000 +Shutdown_ShutdownFlyout_CreateAndShow,45003,,00000000-0000-0000-0000-000000000000 +Shutdown_ShutdownFlyout_PromptForReason,45005,,00000000-0000-0000-0000-000000000000 +Shutdown_ShutdownFlyout_PromptForConfirmation,45007,,00000000-0000-0000-0000-000000000000 +Shutdown_ShutdownFlyout_InitiatePowerTransition,45009,,00000000-0000-0000-0000-000000000000 +Shutdown_SlideToShutDownScreen_Initialize,45011,,00000000-0000-0000-0000-000000000000 +Shutdown_SlideToShutDownScreen_ShowModal,45013,,00000000-0000-0000-0000-000000000000 +Shutdown_SlideToShutDownScreen_SelfRevealAnimation,45015,,00000000-0000-0000-0000-000000000000 
+Shutdown_SlideToShutDownScreen_Dismiss,45017,,00000000-0000-0000-0000-000000000000 +Shutdown_SlideToShutDownScreen_Timeout,45019,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_EnumerateLogonUsers,55001,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_EnumerateLastLoggedOnUser,55002,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_EnumerateAutoLogonUser,55003,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_EnumerateInSessionUser,55004,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_EnumerateLocalAdmins,55006,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_Init_CredentialProviderUserArray,55007,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_CloneUserArray,55008,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_SetProviderFilter,55009,,00000000-0000-0000-0000-000000000000 +CredentialProviderUser_GetAccountOptions,55010,,00000000-0000-0000-0000-000000000000 +PicturePassword_LaunchEnrollmentUX,61001,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXTeachingShown,61002,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXImageConfirmationShown,61003,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXRelearnShown,61004,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXGestureEntryShown,61005,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXGestureConfirmationShown,61006,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXEnrollmentConfirmationShown,61007,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentUXErrorShown,61008,,00000000-0000-0000-0000-000000000000 +PicturePassword_RenderFeedback,61009,,00000000-0000-0000-0000-000000000000 +PicturePassword_FeedbackVisible,61010,,00000000-0000-0000-0000-000000000000 +PicturePassword_SubmitEnrollmentToSystem,61011,,00000000-0000-0000-0000-000000000000 
+PicturePassword_SanitizeImage,61012,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentHandlerCreate,61013,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentHandlerGetEnrollmentStatus,61014,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentHandlerGetEnrollmentGestures,61015,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentHandlerSetEnrollment,61016,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentHandlerClearEnrollment,61017,,00000000-0000-0000-0000-000000000000 +PicturePassword_CredentialCreate,61018,,00000000-0000-0000-0000-000000000000 +PicturePassword_CredentialSelected,61019,,00000000-0000-0000-0000-000000000000 +PicturePassword_CredentialDeselected,61020,,00000000-0000-0000-0000-000000000000 +PicturePassword_CredentialSetSubmitData,61021,,00000000-0000-0000-0000-000000000000 +PicturePassword_CredentialGetSerialization,61022,,00000000-0000-0000-0000-000000000000 +PicturePassword_SyncedImageLoading,61023,,00000000-0000-0000-0000-000000000000 +PicturePassword_EnrollmentImageSavingForRoaming,61024,,00000000-0000-0000-0000-000000000000 +PicturePassword_SyncedImageSelected,61025,,00000000-0000-0000-0000-000000000000 +PicturePassword_CheckRoamingImageAvailable,61026,,00000000-0000-0000-0000-000000000000 +LockScreenCall_AcceptCall,64001,,00000000-0000-0000-0000-000000000000 +LockScreenCall_QueueCall,64003,,00000000-0000-0000-0000-000000000000 +LockScreenCall_StartCall,64005,,00000000-0000-0000-0000-000000000000 +LockScreenCall_EndCall,64007,,00000000-0000-0000-0000-000000000000 +LockScreenCall_EvictCall,64009,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_StartCall,64501,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_EndCall,64503,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_OnUnlocking,64505,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_EventSignaled,64507,,00000000-0000-0000-0000-000000000000 
+LockScreenCallBroker_HostExited,64508,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_AccessibleNameChanged,64509,,00000000-0000-0000-0000-000000000000 +LockScreenCallBroker_AppExited,64510,,00000000-0000-0000-0000-000000000000 +Booting_Animation_DoPearlSync,65001,,00000000-0000-0000-0000-000000000000 +Booting_Animation_Init,65002,,00000000-0000-0000-0000-000000000000 +Booting_Animation_TimerProc,65003,,00000000-0000-0000-0000-000000000000 +Booting_Animation_LoadImg,65004,,00000000-0000-0000-0000-000000000000 +Booting_Animation_AnimationCompleteProc,65005,,00000000-0000-0000-0000-000000000000 +Booting_Animation_PlaySoundThread,65006,,00000000-0000-0000-0000-000000000000 +Booting_Animation_AnimCallbackObjLifetime,65007,,00000000-0000-0000-0000-000000000000 +Booting_Animation_InitAudioThread,65008,,00000000-0000-0000-0000-000000000000 +Booting_Animation_AttachToMMCSS,65009,,00000000-0000-0000-0000-000000000000 +Logon_LogonFrame_InitializeInputIndicator,65010,,00000000-0000-0000-0000-000000000000 +LockscreenNotifications_NotificationUpdated,65030,,00000000-0000-0000-0000-000000000000 +LockscreenNotifications_NotificationArrived,65031,,00000000-0000-0000-0000-000000000000 +DataLayer_ItemCompareItem,1146,,00000000-0000-0000-0000-000000000000 +DataLayer_ItemCompareItemIdentity,1148,,00000000-0000-0000-0000-000000000000 +DataLayer_AppItemsStateModifyCommitFailure,1152,,00000000-0000-0000-0000-000000000000 +OpenSearch_GetRowsAt,1403,,00000000-0000-0000-0000-000000000000 +OpenSearch_FillCachedPage,1405,,00000000-0000-0000-0000-000000000000 +OpenSearch_NormalizeResultsPage,1409,,00000000-0000-0000-0000-000000000000 +OpenSearch_ParseResultsPage,1411,,00000000-0000-0000-0000-000000000000 +OpenSearch_PreConnect,1413,,00000000-0000-0000-0000-000000000000 +OpenSearch_Http_Response,1415,,00000000-0000-0000-0000-000000000000 +OpenSearch_Description_Installed,1417,,00000000-0000-0000-0000-000000000000 
+OpenSearch_Provider_Queried,1419,,00000000-0000-0000-0000-000000000000 +ShellTask_Encrypt_EncryptThread,1534,,00000000-0000-0000-0000-000000000000 +ShellTask_OpenContainingMenu_InvokeThread,1558,,00000000-0000-0000-0000-000000000000 +ShellTask_NamespaceWalk_AsyncWalkThread,1560,,00000000-0000-0000-0000-000000000000 +ShellTask_NetApi_NetConnectThread,1562,,00000000-0000-0000-0000-000000000000 +ShellTask_MulPropSheet_SizeThread,1564,,00000000-0000-0000-0000-000000000000 +ShellTask_MulPropSheet_ApplySingleThread,1566,,00000000-0000-0000-0000-000000000000 +ShellTask_MulPropSheet_AppluMultipleThread,1568,,00000000-0000-0000-0000-000000000000 +ShellTask_MountPointLocal_EjectThread,1570,,00000000-0000-0000-0000-000000000000 +ShellTask_Autorun_AutorunPromptThread,1572,,00000000-0000-0000-0000-000000000000 +ShellTask_MenuBand_FadeTaskThread,1574,,00000000-0000-0000-0000-000000000000 +ShellTask_LinkProp_LinkCheckThread,1576,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_OpenLocationThread,1578,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_RemoveLocationThread,1580,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_RunTaskThread,1582,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_SetPinUnpinThread,1584,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_AddLocationThread,1586,,00000000-0000-0000-0000-000000000000 +ShellTask_ItemHandlerCache_MessagePumpThread,1588,,00000000-0000-0000-0000-000000000000 +ShellTask_FSDropTarget_DoDropThread,1590,,00000000-0000-0000-0000-000000000000 +ShellTask_CheckDiskDialog_DialogThread,1592,,00000000-0000-0000-0000-000000000000 +ShellTask_Enum_EnumThread,1594,,00000000-0000-0000-0000-000000000000 +ShellTask_DrvX_MakeConnectionThread,1596,,00000000-0000-0000-0000-000000000000 +ShellTask_DrvX_DrvSizeThread,1598,,00000000-0000-0000-0000-000000000000 +ShellTask_ResultSetFactory_EnumThread,1628,,00000000-0000-0000-0000-000000000000 +ShellTask_Notify_StartupThread,1634,,00000000-0000-0000-0000-000000000000 
+ShellTask_PublishedItems_EnumItemsThread,1636,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_ShareUnshareLocationThread,1640,,00000000-0000-0000-0000-000000000000 +ShellTask_ItemHandler_GetHandlerThread,1642,,00000000-0000-0000-0000-000000000000 +ShellTask_ItemHandler_SetHandlerThread,1644,,00000000-0000-0000-0000-000000000000 +ShellTask_SearchHelpers_InitIndexDataThread,1646,,00000000-0000-0000-0000-000000000000 +ShellTask_SearchHelpers_CheckCrawlScopeThread,1648,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_CommitScopeChangesThread,1650,,00000000-0000-0000-0000-000000000000 +ShellTask_ItemsView_SendReentrancyReportThread,1652,,00000000-0000-0000-0000-000000000000 +ShellTask_MtPtRemote_UpdateInfoThread,1654,,00000000-0000-0000-0000-000000000000 +ShellTask_Timeout_CallwithTimeoutThread,1656,,00000000-0000-0000-0000-000000000000 +ShellTask_ShellBrowser_CancelNavigationReportThread,1658,,00000000-0000-0000-0000-000000000000 +ShellTask_PerfTrack_LogStartEventThread,1660,,00000000-0000-0000-0000-000000000000 +ShellTask_WSDPublisher_PublishMessageThread,1662,,00000000-0000-0000-0000-000000000000 +ShellTask_WSDPublisher_CleanUpThread,1664,,00000000-0000-0000-0000-000000000000 +ShellTask_WSDPublisher_InitThread,1666,,00000000-0000-0000-0000-000000000000 +ShellTask_ShellUrl_AsyncParseThread,1668,,00000000-0000-0000-0000-000000000000 +ShellTask_RecycleBin_CompactAndPurgeThread,1672,,00000000-0000-0000-0000-000000000000 +ShellTask_PublishedItems_UpdatePublishedItemsThread,1674,,00000000-0000-0000-0000-000000000000 +ShellTask_PublishedItems_UpdateLibrariesThread,1676,,00000000-0000-0000-0000-000000000000 +ShellTask_PrivateProfile_AsyncUpdateCacheThread,1678,,00000000-0000-0000-0000-000000000000 +ShellTask_MultiComplete_WorkThread,1680,,00000000-0000-0000-0000-000000000000 +ShellTask_MountPoint_InitLocalDriveThread,1682,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_UpdateLocationSupportStatusThread,1684,,00000000-0000-0000-0000-000000000000 
+ShellTask_LowDisk_WorkThread,1686,,00000000-0000-0000-0000-000000000000 +ShellTask_LowDisk_CheckDiskSpaceThread,1688,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_UpdateScopeOnRenameThread,1690,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_GetLibraryDescriptionThread,1692,,00000000-0000-0000-0000-000000000000 +ShellTask_Library_ValidateAndResolveLocationsThread,1694,,00000000-0000-0000-0000-000000000000 +ShellTask_EnumFiles_CheckDiskForInsertThread,1696,,00000000-0000-0000-0000-000000000000 +ShellTask_SearchIndexNotificationsQueue_FlushNotificationsThread,1698,,00000000-0000-0000-0000-000000000000 +Browseui_CAddressEditBox_OnEndEditA,2031,,00000000-0000-0000-0000-000000000000 +Browseui_Breadcrumb_Dropdown_Click,2033,,00000000-0000-0000-0000-000000000000 +Browseui_Breadcrumb_Dropdown_Show,2035,,00000000-0000-0000-0000-000000000000 +Browseui_WndProcBS_Restore,2037,,00000000-0000-0000-0000-000000000000 +Browseui_WndProcBS_Minimize,2039,,00000000-0000-0000-0000-000000000000 +Browseui_CShellBrowser2_BrowseObject,2043,,00000000-0000-0000-0000-000000000000 +Browseui_SearchControl_PositionChildWindows,2053,,00000000-0000-0000-0000-000000000000 +Browseui_AddressBand_OnBackgroundStateChanged,2055,,00000000-0000-0000-0000-000000000000 +Browseui_AutoComplete_StartCompletion,2057,,00000000-0000-0000-0000-000000000000 +Browseui_AutoComplete_UpdateCompletion,2059,,00000000-0000-0000-0000-000000000000 +Browseui_AutoComplete_StartSearch,2061,,00000000-0000-0000-0000-000000000000 +Browseui_AutoComplete_OnSearchComplete,2063,,00000000-0000-0000-0000-000000000000 +Browseui_AddressEditBox_ParsePath,2065,,00000000-0000-0000-0000-000000000000 +Browseui_FrameMessagePump_Activate,2067,,00000000-0000-0000-0000-000000000000 +Browseui_Browser_Navigate,2069,,00000000-0000-0000-0000-000000000000 +Browseui_Breadcrumb_RebuildToolbar,2071,,00000000-0000-0000-0000-000000000000 +ComCtl32_TaskDialog_Open,4009,,00000000-0000-0000-0000-000000000000 
+ComCtl32_Wizard_Open,4011,,00000000-0000-0000-0000-000000000000 +ComCtl32_Wizard_UserDismiss,4013,,00000000-0000-0000-0000-000000000000 +Thumbnails_CacheLookup,6205,,00000000-0000-0000-0000-000000000000 +Thumbnails_Adornment,6207,,00000000-0000-0000-0000-000000000000 +Thumbnails_ExtractNoCache,6209,,00000000-0000-0000-0000-000000000000 +Thumbnails_FolderThumbnailRender,6211,,00000000-0000-0000-0000-000000000000 +Thumbnails_ResizeCache,6213,,00000000-0000-0000-0000-000000000000 +Thumbnails_Initialize,6215,,00000000-0000-0000-0000-000000000000 +Thumbnails_GetThumbnail,6217,,00000000-0000-0000-0000-000000000000 +Thumbnails_SetThumbnail,6219,,00000000-0000-0000-0000-000000000000 +Thumbnails_GetAspectRatio,6221,,00000000-0000-0000-0000-000000000000 +Thumbnails_DiskCleanup,6223,,00000000-0000-0000-0000-000000000000 +Thumbnails_ReadThumbsDB,6225,,00000000-0000-0000-0000-000000000000 +Thumbnails_LoadFromThumbsDB,6227,,00000000-0000-0000-0000-000000000000 +Thumbnails_WriteThumbsDB,6229,,00000000-0000-0000-0000-000000000000 +Thumbnails_CropLookupSize,6231,,00000000-0000-0000-0000-000000000000 +Thumbnails_HostSelfDestruct,6233,,00000000-0000-0000-0000-000000000000 +Thumbnails_ExtractionTimeout,6235,,00000000-0000-0000-0000-000000000000 +RemoteThumbsDb_SQM,6236,,00000000-0000-0000-0000-000000000000 +Thumbnails_FullExtractionFailed,6239,,00000000-0000-0000-0000-000000000000 +Thumbnails_CacheDataFile_GetThumbnail,6240,,00000000-0000-0000-0000-000000000000 +Thumbnails_GetThumbnailStream,6242,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_ApplyProperties,6501,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_ControlsChangeNotify,6503,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_DetectSlowNetworkLocation,6505,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_ExecuteOpen,6507,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_Open,6509,,00000000-0000-0000-0000-000000000000 
+CommonFileDialog_PlacesBar_Rendering,6511,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_PopulateControls,6513,,00000000-0000-0000-0000-000000000000 +CommonFileDialog_SQM,6515,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Open,9501,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Ready,9503,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_AllProgram_Folder_Open,9505,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_AllPrograms_Show,9509,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_Cascade_Show,9511,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_OpenBox_Char,9513,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_OpenBox_Launch,9515,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_OpenBox_SearchReady,9517,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Show,9519,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Hide,9521,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_OpenBox_TopMatchReady,9523,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_ControlPanel_Launch,9525,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Favorites_Launch,9527,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_RecentItems_Launch,9529,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Help_Launch,9531,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Network_Launch,9533,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Printers_Launch,9535,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_SPAD_Launch,9539,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_AdminTools_Launch,9541,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Run_Launch,9543,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_MFU_Launch,9545,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Pinned_Launch,9547,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_ConnectTo_Launch,9549,,00000000-0000-0000-0000-000000000000 
+Explorer_StartPane_AllPrograms_BackButton,9551,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_OpenComputer,9553,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_OpenDocuments,9555,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_OpenMusic,9557,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_OpenPictures,9559,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_NavigateDataSource,9560,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Visible_Menu_Items,9561,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Mode,9563,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Pinned_Item_Added,9565,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Pinned_Item_Removed,9567,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Pinned_Items_Rearranged,9568,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_AllPrograms_Launched,9569,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Pinned_Count,9571,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_MFU_Count,9573,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_AllPrograms_Folder_Opened,9575,,00000000-0000-0000-0000-000000000000 +Explorer_StartPane_AllPrograms_Count,9577,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_NetworkCons_Launch,9581,,00000000-0000-0000-0000-000000000000 +Explorer_Is_Mobile_PC,9583,,00000000-0000-0000-0000-000000000000 +Explorer_Is_Joined_To_Domain,9585,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Cascading_Menu_Items,9587,,00000000-0000-0000-0000-000000000000 +Explorer_User_Account_Type,9589,,00000000-0000-0000-0000-000000000000 +Explorer_Breadcrumbbar_Selected_Navigation,9591,,00000000-0000-0000-0000-000000000000 +Explorer_Breadcrumbbar_Edited_Navigation,9593,,00000000-0000-0000-0000-000000000000 +Explorer_WordWheel_Activated,9595,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_OpenProfile,9597,,00000000-0000-0000-0000-000000000000 
+Explorer_Help_Launched,9599,,00000000-0000-0000-0000-000000000000 +Explorer_InitializingExplorer,9601,,00000000-0000-0000-0000-000000000000 +Explorer_CreateTray,9603,,00000000-0000-0000-0000-000000000000 +Explorer_CreateTrayWindow,9607,,00000000-0000-0000-0000-000000000000 +Explorer_InitStartButton,9609,,00000000-0000-0000-0000-000000000000 +Explorer_CreateDesktop,9611,,00000000-0000-0000-0000-000000000000 +Explorer_InitInstrumentation,9613,,00000000-0000-0000-0000-000000000000 +Explorer_FolderSettings,9615,,00000000-0000-0000-0000-000000000000 +Explorer_Start,9617,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_Games_Launch,9619,,00000000-0000-0000-0000-000000000000 +Explorer_MessageLoop,9621,,00000000-0000-0000-0000-000000000000 +Explorer_KickedOffDelayedBootWork,9623,,00000000-0000-0000-0000-000000000000 +Explorer_PlaySoundRequest,9625,,00000000-0000-0000-0000-000000000000 +Explorer_PlaySoundExecute,9627,,00000000-0000-0000-0000-000000000000 +Explorer_PlaySoundWait,9629,,00000000-0000-0000-0000-000000000000 +Explorer_SessionChangeMessage,9631,,00000000-0000-0000-0000-000000000000 +Explorer_PowerMessage,9633,,00000000-0000-0000-0000-000000000000 +Explorer_PowerBroadcastMessage,9635,,00000000-0000-0000-0000-000000000000 +Explorer_LoadingIconCache,9637,,00000000-0000-0000-0000-000000000000 +Explorer_IconCache_ImageListSize,9639,,00000000-0000-0000-0000-000000000000 +Explorer_IconCache_TableSize,9641,,00000000-0000-0000-0000-000000000000 +Explorer_Roaming_SyncAtLogon,9643,,00000000-0000-0000-0000-000000000000 +Explorer_Roaming_WaitAtLogon,9645,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_PhaseReached,9647,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_Step,9648,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_SerializationWait,9650,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_ParallelStep,9652,,00000000-0000-0000-0000-000000000000 +Explorer_Roaming_BootstrapRestore,9655,,00000000-0000-0000-0000-000000000000 
+Explorer_WriteDataForOEMApp,9663,,00000000-0000-0000-0000-000000000000 +Explorer_WriteDataForOEMApp_ShellTask,9665,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_InitializeDesktop,9699,,00000000-0000-0000-0000-000000000000 +Explorer_ProcessRunOnceEx,9701,,00000000-0000-0000-0000-000000000000 +Explorer_ProcessRunOnce,9703,,00000000-0000-0000-0000-000000000000 +Explorer_EnumeratingRunKey,9705,,00000000-0000-0000-0000-000000000000 +Explorer_ExecutingFromRunKey,9707,,00000000-0000-0000-0000-000000000000 +Explorer_ExecutingFromRunKeyAsJob,9709,,00000000-0000-0000-0000-000000000000 +Explorer_ExecutingFromStartupMenu,9711,,00000000-0000-0000-0000-000000000000 +Explorer_StartupAppName,9713,,00000000-0000-0000-0000-000000000000 +Explorer_BoxingProcess,9714,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_Run6432_Stats,9716,,00000000-0000-0000-0000-000000000000 +Explorer_Startup_Run6432_Failed,9717,,00000000-0000-0000-0000-000000000000 +Explorer_MinimizeAllThread,9801,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_RunDialog,9802,,00000000-0000-0000-0000-000000000000 +Explorer_StartMenu_AppTile_Hover,9804,,00000000-0000-0000-0000-000000000000 +Explorer_DestinationList_Close,9805,,00000000-0000-0000-0000-000000000000 +Explorer_DestinationList_Launch,9806,,00000000-0000-0000-0000-000000000000 +EXPLORER_NAVIGATE,9808,,00000000-0000-0000-0000-000000000000 +EXPLORER_DRAG_DROP,9810,,00000000-0000-0000-0000-000000000000 +Explorer_PinDefaultItems_RetrievePidlFailure,9811,,00000000-0000-0000-0000-000000000000 +Explorer_PinnedListItemRemoved,9812,,00000000-0000-0000-0000-000000000000 +SearchFolder_StartMenu_BaseQuery,9901,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_FirstPage_RealizeGroupPass1,9903,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_FirstPage_RealizeGroupPass2,9905,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_ExplorerLauncher_Launch_Failure,9907,,00000000-0000-0000-0000-000000000000 
+SearchFolder_CreateItemCollection,9909,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnCollectionChanged,9911,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnGetCountDone,9912,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnPrepareDone,9913,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnItemsAdded,9914,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnItemsDeleted,9915,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnItemMoved,9916,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnItemTranslated,9917,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnUniqueLeafCountChanged,9918,,00000000-0000-0000-0000-000000000000 +Shell32_ObservableCollection_OnCancelled,9919,,00000000-0000-0000-0000-000000000000 +FilterControl_UserCheckedFilter,11007,,00000000-0000-0000-0000-000000000000 +FilterControl_InsertFilters,11009,,00000000-0000-0000-0000-000000000000 +ListViewPopup_SetRedraw,11013,,00000000-0000-0000-0000-000000000000 +ListViewPopup_SizeToContent,11015,,00000000-0000-0000-0000-000000000000 +FilterControl_Stack,11017,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHRegisterValidateTemplate,12001,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo,12101,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo_Authenticode,12102,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo_Catalog,12103,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo_WinVerifyTrust,12104,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo_VersionInfo,12105,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo_OSCheck,12106,,00000000-0000-0000-0000-000000000000 +Shlwapi_SHGetSignatureInfo_CheckChainToMSRoot,12107,,00000000-0000-0000-0000-000000000000 +NamespaceControl_Expand,13003,,00000000-0000-0000-0000-000000000000 
+NamespaceControl_Plus_Calculation,13005,,00000000-0000-0000-0000-000000000000 +NamespaceControl_Rendering,13007,,00000000-0000-0000-0000-000000000000 +Feed_Search,13101,,00000000-0000-0000-0000-000000000000 +Notification_UserDismiss,13501,,00000000-0000-0000-0000-000000000000 +Notification_Launch,13503,,00000000-0000-0000-0000-000000000000 +Notification_Displayed,13505,,00000000-0000-0000-0000-000000000000 +Notification_While_Busy,13507,,00000000-0000-0000-0000-000000000000 +Notification_While_Inactive,13509,,00000000-0000-0000-0000-000000000000 +Notification_Dismissed,13511,,00000000-0000-0000-0000-000000000000 +Notification_TimedOut,13513,,00000000-0000-0000-0000-000000000000 +Notification_Settings,13515,,00000000-0000-0000-0000-000000000000 +Notification_WrenchDismissed,13517,,00000000-0000-0000-0000-000000000000 +PreviewPane_UpdateSelection,14003,,00000000-0000-0000-0000-000000000000 +PreviewPane_MetadataExtractorDoWork,14005,,00000000-0000-0000-0000-000000000000 +PreviewPane_MetadataExtractorDispatch,14007,,00000000-0000-0000-0000-000000000000 +PreviewPane_SQM,14009,,00000000-0000-0000-0000-000000000000 +StatusBarModule_GetPropertiesWorkItemDoWork,14101,,00000000-0000-0000-0000-000000000000 +StatusBarModule_GetPropertiesWorkItemDispatch,14103,,00000000-0000-0000-0000-000000000000 +TypeAhead_SearchHistoryResults,14201,,00000000-0000-0000-0000-000000000000 +TypeAhead_LocalMetadataResults,14203,,00000000-0000-0000-0000-000000000000 +TypeAhead_ExternalResults,14205,,00000000-0000-0000-0000-000000000000 +TypeAhead_OnQuery,14207,,00000000-0000-0000-0000-000000000000 +TypeAhead_ResultsPrimary,14209,,00000000-0000-0000-0000-000000000000 +TypeAhead_ResultsSecondary,14211,,00000000-0000-0000-0000-000000000000 +TypeAhead_Timeout,14213,,00000000-0000-0000-0000-000000000000 +TypeAhead_SearchHistoryStore,14215,,00000000-0000-0000-0000-000000000000 +TypeAhead_SearchHistoryCleared,14217,,00000000-0000-0000-0000-000000000000 
+TypeAhead_CancelQuery,14219,,00000000-0000-0000-0000-000000000000 +TypeAhead_Enabled,14220,,00000000-0000-0000-0000-000000000000 +Properties_BaseControl_Create,14501,,00000000-0000-0000-0000-000000000000 +Properties_BaseControl_WindowlessDraw,14503,,00000000-0000-0000-0000-000000000000 +Properties_CalendarControl_Create,14505,,00000000-0000-0000-0000-000000000000 +Properties_CalendarControl_GetValue,14507,,00000000-0000-0000-0000-000000000000 +Properties_CalendarControl_SetValue,14509,,00000000-0000-0000-0000-000000000000 +Properties_DrawPercentFull_WindowlessDraw,14511,,00000000-0000-0000-0000-000000000000 +Properties_DrawProgressBar_WindowlessDraw,14513,,00000000-0000-0000-0000-000000000000 +Properties_DropListControl_Create,14515,,00000000-0000-0000-0000-000000000000 +Properties_DropListControl_GetValue,14517,,00000000-0000-0000-0000-000000000000 +Properties_DropListControl_SetValue,14519,,00000000-0000-0000-0000-000000000000 +Properties_MVPControl_Create,14521,,00000000-0000-0000-0000-000000000000 +Properties_MVPControl_GetValue,14523,,00000000-0000-0000-0000-000000000000 +Properties_MVPControl_SetValue,14525,,00000000-0000-0000-0000-000000000000 +Properties_MVPControl_WindowlessDraw,14527,,00000000-0000-0000-0000-000000000000 +Properties_MultiLineEditControl_Create,14529,,00000000-0000-0000-0000-000000000000 +Properties_MultiLineEditControl_GetValue,14531,,00000000-0000-0000-0000-000000000000 +Properties_MultiLineEditControl_SetValue,14533,,00000000-0000-0000-0000-000000000000 +Properties_NavDropDownControl_Create,14535,,00000000-0000-0000-0000-000000000000 +Properties_NavDropDownControl_GetValue,14537,,00000000-0000-0000-0000-000000000000 +Properties_NavDropDownControl_SetValue,14539,,00000000-0000-0000-0000-000000000000 +Properties_RatingsControl_Create,14541,,00000000-0000-0000-0000-000000000000 +Properties_RatingsControl_GetValue,14543,,00000000-0000-0000-0000-000000000000 +Properties_RatingsControl_SetValue,14545,,00000000-0000-0000-0000-000000000000 
+Properties_RatingsControl_WindowlessDraw,14547,,00000000-0000-0000-0000-000000000000 +Properties_SingleLineEditControl_Create,14549,,00000000-0000-0000-0000-000000000000 +Properties_SingleLineEditControl_GetValue,14551,,00000000-0000-0000-0000-000000000000 +Properties_SingleLineEditControl_SetValue,14553,,00000000-0000-0000-0000-000000000000 +Properties_MultiComplete_Populate,14555,,00000000-0000-0000-0000-000000000000 +Properties_MultiComplete_Query,14557,,00000000-0000-0000-0000-000000000000 +Properties_MultiComplete_Match,14559,,00000000-0000-0000-0000-000000000000 +Properties_PropVariantChangeType_Coercion,14561,,00000000-0000-0000-0000-000000000000 +Properties_PropVariantHelper_Coercion,14563,,00000000-0000-0000-0000-000000000000 +Properties_VariantHelper_Coercion,14565,,00000000-0000-0000-0000-000000000000 +PropertyDescription_FormatForDisplay,15501,,00000000-0000-0000-0000-000000000000 +PropertyDescription_SHFormatForDisplay,15503,,00000000-0000-0000-0000-000000000000 +PropertyDescription_SHGetPropertyDescription,15505,,00000000-0000-0000-0000-000000000000 +PropertyDescription_SHGetPropertyDescriptionByName,15507,,00000000-0000-0000-0000-000000000000 +PropertyDescription_SHGetPropertyDescriptionListFromString,15509,,00000000-0000-0000-0000-000000000000 +PropertyDescription_CoerceToCanonicalValue,15511,,00000000-0000-0000-0000-000000000000 +PropertyDescription_IsValueCanonical,15513,,00000000-0000-0000-0000-000000000000 +PropertySchema_LoadFromSavedBinaryForm,15515,,00000000-0000-0000-0000-000000000000 +PropertySchema_SaveAsBinaryForm,15517,,00000000-0000-0000-0000-000000000000 +SemanticType_PSGetSemanticTypeByName,15519,,00000000-0000-0000-0000-000000000000 +PropertyProvider_Commit,16501,,00000000-0000-0000-0000-000000000000 +PropertyProvider_GetValue,16503,,00000000-0000-0000-0000-000000000000 +PropertyProvider_GetValueObject,16505,,00000000-0000-0000-0000-000000000000 +PropertyProvider_SetValue,16507,,00000000-0000-0000-0000-000000000000 
+PropertyStoreOverPropertySetStorage_GetValue,16509,,00000000-0000-0000-0000-000000000000 +PropertyStoreOverPropertySetStorage_SetValue,16511,,00000000-0000-0000-0000-000000000000 +PropertyStoreOverPropertySetStorage_Commit,16513,,00000000-0000-0000-0000-000000000000 +FilePropertyStoreFactory_GetPropertyHandler,16600,,00000000-0000-0000-0000-000000000000 +FilePropertyStoreFactory_GetInnateStore,16602,,00000000-0000-0000-0000-000000000000 +FilePropertyStoreFactory_GetFallbackStore,16604,,00000000-0000-0000-0000-000000000000 +FilePropertyStoreFactory_GetDesktopIniStore,16606,,00000000-0000-0000-0000-000000000000 +FileFolderInnateStore_GetValue,16608,,00000000-0000-0000-0000-000000000000 +FileFolderInnateStore_GetCount,16610,,00000000-0000-0000-0000-000000000000 +FileFolderInnateStore_GetAt,16612,,00000000-0000-0000-0000-000000000000 +FileFolderFallbackStore_GetValue,16614,,00000000-0000-0000-0000-000000000000 +FileFolderFallbackStore_GetCount,16616,,00000000-0000-0000-0000-000000000000 +FileFolderFallbackStore_GetAt,16618,,00000000-0000-0000-0000-000000000000 +FileFolder_UseItemCacheContext,16619,,00000000-0000-0000-0000-000000000000 +ShellItem_GetPropertyStore,16700,,00000000-0000-0000-0000-000000000000 +ShellItem_GetPropertyStoreForKeys,16702,,00000000-0000-0000-0000-000000000000 +ShellItem_GetPropertyStoreWithCreateObject,16704,,00000000-0000-0000-0000-000000000000 +ShellItem_GetPropertyDescriptionList,16706,,00000000-0000-0000-0000-000000000000 +ShellItem_CreatePropertyProviderHelper,16708,,00000000-0000-0000-0000-000000000000 +ShellItemArray_GetPropertyStore,16710,,00000000-0000-0000-0000-000000000000 +ShellItemArray_GetPropertyDescriptionList,16712,,00000000-0000-0000-0000-000000000000 +CachedShellItem_GetPropertyStore,16714,,00000000-0000-0000-0000-000000000000 +ItemFallbackStore_GetValue,16716,,00000000-0000-0000-0000-000000000000 +ItemFallbackStore_GetCount,16718,,00000000-0000-0000-0000-000000000000 
+ItemFallbackStore_GetAt,16720,,00000000-0000-0000-0000-000000000000 +ItemStoreOverFolder_GetValue,16722,,00000000-0000-0000-0000-000000000000 +ItemStoreOverFolder_GetValueFromDetailsEx,16724,,00000000-0000-0000-0000-000000000000 +ItemStoreOverFolder_GetCount,16726,,00000000-0000-0000-0000-000000000000 +ItemStoreOverFolder_GetAt,16728,,00000000-0000-0000-0000-000000000000 +Library_SQM_CreateLibrary,16813,,00000000-0000-0000-0000-000000000000 +Library_SQM_AddFolder,16814,,00000000-0000-0000-0000-000000000000 +Library_Location_Count,16815,,00000000-0000-0000-0000-000000000000 +Library_InUsersRoot_Count,16816,,00000000-0000-0000-0000-000000000000 +Library_Save_Location,16817,,00000000-0000-0000-0000-000000000000 +Library_Add_Location,16818,,00000000-0000-0000-0000-000000000000 +Library_Remove_Location,16819,,00000000-0000-0000-0000-000000000000 +Library_Has_Reordered_Locations,16820,,00000000-0000-0000-0000-000000000000 +Add_Library_Location_EntryPoint,16821,,00000000-0000-0000-0000-000000000000 +PHLocationCreator_ScanSearchRoots,16901,,00000000-0000-0000-0000-000000000000 +PHLocationCreator_CreateSearchRootLocations,16903,,00000000-0000-0000-0000-000000000000 +PHLocationCreator_RemoveSearchRootLocations,16905,,00000000-0000-0000-0000-000000000000 +PHLocationCreator_SQM_CreateLibrary,16907,,00000000-0000-0000-0000-000000000000 +Scope_Flatten,17001,,00000000-0000-0000-0000-000000000000 +ScopePicker_Open,17003,,00000000-0000-0000-0000-000000000000 +ScopePicker_Folders_Rendering,17005,,00000000-0000-0000-0000-000000000000 +Scope_Load_From_XML,17007,,00000000-0000-0000-0000-000000000000 +Scope_Load_From_Stream,17009,,00000000-0000-0000-0000-000000000000 +ScopePicker_CScope_Load_From_Stream,17011,,00000000-0000-0000-0000-000000000000 +Shake_Minimize,17101,,00000000-0000-0000-0000-000000000000 +Shake_Restore,17103,,00000000-0000-0000-0000-000000000000 +Shake_MinimizeWorker,17105,,00000000-0000-0000-0000-000000000000 
+Shake_RestoreWorker,17107,,00000000-0000-0000-0000-000000000000 +Shake_MinimizeEnabled,17109,,00000000-0000-0000-0000-000000000000 +Shake_DetectionCount,17111,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_ResolveSids,17501,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_ResolveStringSid,17503,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_SHResolveUserNames,17505,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_FriendlyNameLookup,17507,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_SingleSidToNameLookup,17509,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_MultipleSidsToNamesLookup,17511,,00000000-0000-0000-0000-000000000000 +ResolveUserNames_CachedFriendlyNameLookup,17513,,00000000-0000-0000-0000-000000000000 +GetCorrectOwnerSid_Lookup,17515,,00000000-0000-0000-0000-000000000000 +GetCorrectOwnerSid_LookupFromRegistry,17517,,00000000-0000-0000-0000-000000000000 +Shdocvw_BaseBrowser_DocumentComplete,18001,,00000000-0000-0000-0000-000000000000 +Shdocvw_BaseBrowser_ExplorerWindowReady,18003,,00000000-0000-0000-0000-000000000000 +Shdocvw_BaseBrowser_Navigate,18005,,00000000-0000-0000-0000-000000000000 +Shdocvw_PanningTool_ScrollElementBy,18007,,00000000-0000-0000-0000-000000000000 +Shdocvw_PanningTool_GetPanningProperties,18009,,00000000-0000-0000-0000-000000000000 +Shdocvw_PanningTool_SinglePan,18011,,00000000-0000-0000-0000-000000000000 +Shdocvw_PanningTool_Change_PanningMode,18012,,00000000-0000-0000-0000-000000000000 +Shdocvw_BaseBrowser_Explorer_Search_Query_Stream,18013,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_FrameFirstVisible,18015,,00000000-0000-0000-0000-000000000000 +ExplorerFrame_FrameFirstRedraw,18017,,00000000-0000-0000-0000-000000000000 +Shell32_AutoListEditor_CommitSearch,18501,,00000000-0000-0000-0000-000000000000 +Shell32_AutoListEditor_Displayed,18503,,00000000-0000-0000-0000-000000000000 +Shell32_AutoListEditor_FillScopes,18505,,00000000-0000-0000-0000-000000000000 
+Shell32_AutoListEditor_GetPropertyList,18507,,00000000-0000-0000-0000-000000000000 +Shell32_AutoListEditor_LaunchSearch,18509,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_IDynamicHWHandler,18511,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_IHWNotificationHandler,18513,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_IQueryCancelAutoPlay,18515,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_Logic,18517,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_DXP,18520,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_Sniff,18521,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_LButtonAction,18523,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_ShellReady,18524,,00000000-0000-0000-0000-000000000000 +Shell32_CExplorerBrowser_BrowseObjectInternal,18525,,00000000-0000-0000-0000-000000000000 +Shell32_CFindCmd_DoSearch,18527,,00000000-0000-0000-0000-000000000000 +Shell32_CGrepQuery_Crawl,18529,,00000000-0000-0000-0000-000000000000 +Shell32_CommandModule_SelectionChange,18531,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_CategoryView_Init,18533,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_CategoryView_LoadTasks,18535,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_CategoryView_Search,18537,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_NavPane_Init,18539,,00000000-0000-0000-0000-000000000000 +Shell32_PinnedApplications_SQMStream,18541,,00000000-0000-0000-0000-000000000000 +Shell32_AutoPlay_Proximity_Sniff,18543,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_LoadImage,18545,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_AutoSizeColumns,18547,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Enumeration,18549,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Filter,18551,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Filter_Generation,18553,,00000000-0000-0000-0000-000000000000 
+Shell32_DefView_FirstBatch,18555,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Group,18557,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Initial_Sort,18559,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_ListViewDone,18561,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_PropertiesDone,18563,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_RightClickContextMenu,18565,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Stack,18567,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Thumbnail_Extract,18569,,00000000-0000-0000-0000-000000000000 +Shell32_CollectionLock_GetSingleQueueItem,18571,,00000000-0000-0000-0000-000000000000 +Shell32_CollectionLock_GetQueueItems,18573,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Thumbnail_Update,18575,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Thumbnail_Updateview,18577,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_ViewModeChange,18579,,00000000-0000-0000-0000-000000000000 +Shell32_Defview_Sort,18581,,00000000-0000-0000-0000-000000000000 +Shell32_GeneratingContextMenu,18583,,00000000-0000-0000-0000-000000000000 +Shell32_InvokingContextMenu,18585,,00000000-0000-0000-0000-000000000000 +Shell32_KnownFolderManager_GetEnumKnownFolders,18587,,00000000-0000-0000-0000-000000000000 +Shell32_KnownFolder_GetLocation,18589,,00000000-0000-0000-0000-000000000000 +Shell32_KnownFolder_GetPath,18591,,00000000-0000-0000-0000-000000000000 +Shell32_KnownFolder_SetPath,18593,,00000000-0000-0000-0000-000000000000 +Shell32_List_Add,18595,,00000000-0000-0000-0000-000000000000 +Shell32_List_Enum,18597,,00000000-0000-0000-0000-000000000000 +Shell32_List_Remove,18599,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent,18601,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_DeviceArrived,18603,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_DeviceRemoved,18605,,00000000-0000-0000-0000-000000000000 
+Shell32_MountPoint_SHHardwareEvent_DeviceUpdated,18607,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_MountPointArrived,18609,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_MountPointRemoved,18611,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_VolumeArrived,18613,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_VolumeDismounted,18615,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_VolumeMounted,18617,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_VolumeRemoved,18619,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SHHardwareEvent_VolumeUpdated,18621,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange,18623,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange_MediaArrival,18625,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange_MediaRemoval,18627,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange_MountPointArrival,18629,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange_MountPointRemoval,18631,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange_NetShareArrival,18633,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_WMDeviceChange_NetShareRemoval,18635,,00000000-0000-0000-0000-000000000000 +Shell32_PSC_Autolist_Show,18637,,00000000-0000-0000-0000-000000000000 +Shell32_PSC_Explorer_Template_Change,18639,,00000000-0000-0000-0000-000000000000 +Shell32_SHGetFolderLocation,18641,,00000000-0000-0000-0000-000000000000 +Shell32_SHGetFolderPath,18645,,00000000-0000-0000-0000-000000000000 +Shell32_SHSetFolderPath,18649,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Keydown,18653,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_NoIShellFolder2,18654,,00000000-0000-0000-0000-000000000000 
+Shell32_ControlPanel_SQM_LinkClicked,18657,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_SQM_ViewMode,18658,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_FloppyOrCD_Launch,18659,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_SQM_ViewChange,18660,,00000000-0000-0000-0000-000000000000 +Shell32_ExplorerBrowser_Ready,18661,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_HighQualityStretch,18663,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Scroll,18665,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Filtering_Clicked,18669,,00000000-0000-0000-0000-000000000000 +Shell32_Search_Index_Enabled,18675,,00000000-0000-0000-0000-000000000000 +Shell32_List_LaunchInBasket,18676,,00000000-0000-0000-0000-000000000000 +Shell32_ItemThumbnail_SetItems,18677,,00000000-0000-0000-0000-000000000000 +Shell32_ItemThumbnail_Prefetch,18679,,00000000-0000-0000-0000-000000000000 +Shell32_ItemThumbnail_Draw,18681,,00000000-0000-0000-0000-000000000000 +Shell32_NetFolder_ParseDisplayName,18683,,00000000-0000-0000-0000-000000000000 +Shell32_NetFolder_ParseUNCName,18685,,00000000-0000-0000-0000-000000000000 +Shell32_NetFolder_SHWNetGetResourceInformationAlloc,18687,,00000000-0000-0000-0000-000000000000 +Shell32_NetFolder_WNetGetResourceParent,18689,,00000000-0000-0000-0000-000000000000 +Shell32_NetFolder_WNetUseConnection,18691,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Property_Extraction,18693,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Property_Extract,18695,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Property_ReadAsOneBatch,18697,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_GetEnumerator,18699,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_Thumbnail_EnumLookup,18701,,00000000-0000-0000-0000-000000000000 +Shell32_Autoplay_Master_Switch,18703,,00000000-0000-0000-0000-000000000000 +Shell32_Autoplay_Default_Handler,18705,,00000000-0000-0000-0000-000000000000 
+Shell32_StartMenuQueryFactory_WaitForNextResult,18707,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Programs,18709,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Programs_Grep,18711,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Programs_Run,18713,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Programs_ControlPanels,18715,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Internet,18717,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Internet_Run,18719,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Internet_Favorites,18721,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Internet_History,18723,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Files,18725,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Files_Recent,18727,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Files_DisplayName,18729,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Files_FullText,18731,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Communications,18733,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Communications_Contacts,18735,,00000000-0000-0000-0000-000000000000 +Shell32_StartMenuQueryFactory_Communications_FullText,18737,,00000000-0000-0000-0000-000000000000 +Shell32_IsElevationRequired,18739,,00000000-0000-0000-0000-000000000000 +Shell32_IndexInfoCache_Refresh,18741,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_FireFolderChanged,18743,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_FireContentsChanged,18745,,00000000-0000-0000-0000-000000000000 +Shell32_DUIFrame_SendContentsChanged,18747,,00000000-0000-0000-0000-000000000000 +Shell32_DUIFrame_SendFolderChanged,18749,,00000000-0000-0000-0000-000000000000 
+Shell32_SHExtCoCreateInstance_Valid,18751,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_AddColumn,18752,,00000000-0000-0000-0000-000000000000 +Shell32_ItemStore_ExtractProperty,18753,,00000000-0000-0000-0000-000000000000 +Shell32_KnownFolderManager_Redirect,18761,,00000000-0000-0000-0000-000000000000 +Shell32_KnownFolderManager_Redirect_Copy,18763,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_DesktopIconLayoutRestore,18765,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_DesktopAutoArrange,18768,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_DesktopAlignToGrid,18769,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_DesktopIconSize,18770,,00000000-0000-0000-0000-000000000000 +Shell32_PrivProf_CacheCount,18771,,00000000-0000-0000-0000-000000000000 +Shell32_CollectionLock_InsertQueueItem,18773,,00000000-0000-0000-0000-000000000000 +Shell32_CGrepQuery_EvaluateItem,18775,,00000000-0000-0000-0000-000000000000 +Shell32_CConditionEvaluator_DoesItemMatchCondition,18777,,00000000-0000-0000-0000-000000000000 +Shell32_CGrepConditionEvaluator_DoesContentMatchCondition,18779,,00000000-0000-0000-0000-000000000000 +Shell32_GrepDoesItemMatchCondition,18781,,00000000-0000-0000-0000-000000000000 +Shell32_SubCommandMenu_Enumerate,18783,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_InitLocalDrives,18787,,00000000-0000-0000-0000-000000000000 +CDesktopBrowser_WallpaperAnimation_Setup,18789,,00000000-0000-0000-0000-000000000000 +CDesktopBrowser_WallpaperAnimation_Cleanup,18791,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_SortyBy,18793,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_IconPositions,18794,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_WindowRegItem,18795,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_NonWindowRegItem,18796,,00000000-0000-0000-0000-000000000000 
+Shell32_CDesktopBrowser_ItemCount,18797,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_UsageTime,18798,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_LoadColumns,18799,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_FileOperation,18801,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_OverallOperation,18803,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_OverallTransfer,18805,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_ConfirmedDelete,18807,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_WillRecycleToBin,18809,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_RecycleItem,18811,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_FileOpen,18813,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_CallMoveFile,18815,,00000000-0000-0000-0000-000000000000 +Shell32_CommonPlaces_Drop,18817,,00000000-0000-0000-0000-000000000000 +Shell32_ReadingPaneModule_Load,18819,,00000000-0000-0000-0000-000000000000 +Shell32_LinkTracking,18821,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_SQMStream,18823,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_UAC_CopyEngine_Elevation,18887,,00000000-0000-0000-0000-000000000000 +Shell32_AppDestList_Custom_Commit,18825,,00000000-0000-0000-0000-000000000000 +Shell32_AppDestList_Custom_Load,18827,,00000000-0000-0000-0000-000000000000 +Shell32_AppDestList_Custom_LoadRemoved,18829,,00000000-0000-0000-0000-000000000000 +Shell32_AppDestList_Custom_RemoveDest,18831,,00000000-0000-0000-0000-000000000000 +Shell32_UA_FireEvent,18833,,00000000-0000-0000-0000-000000000000 +Shell32_UA_UpdateLoggerState,18835,,00000000-0000-0000-0000-000000000000 +Shell32_UA_SetEntry,18837,,00000000-0000-0000-0000-000000000000 +Shell32_UA_GarbageCollectScheduled,18841,,00000000-0000-0000-0000-000000000000 +Shell32_UA_GarbageCollect,18843,,00000000-0000-0000-0000-000000000000 +Shell32_UA_SnapRValuesScheduled,18845,,00000000-0000-0000-0000-000000000000 
+Shell32_UA_SnapRValues,18847,,00000000-0000-0000-0000-000000000000 +Shell32_UA_DeleteEntry,18849,,00000000-0000-0000-0000-000000000000 +Shell32_UA_RenameEntry,18851,,00000000-0000-0000-0000-000000000000 +Shell32_UA_ReplaceNMaxCandidate,18853,,00000000-0000-0000-0000-000000000000 +Shell32_UA_RebuildSessionScheduled,18855,,00000000-0000-0000-0000-000000000000 +Shell32_UA_RebuildSession,18857,,00000000-0000-0000-0000-000000000000 +Shell32_AutoDestList_GetList,18859,,00000000-0000-0000-0000-000000000000 +Shell32_AutoDestList_AddUsagePoint,18861,,00000000-0000-0000-0000-000000000000 +Shell32_AutoDestList_PinItem,18863,,00000000-0000-0000-0000-000000000000 +Shell32_DragDropHelper_UpdateLayeredWindow,18865,,00000000-0000-0000-0000-000000000000 +Shell32_AutoDestList_IsPinned,18867,,00000000-0000-0000-0000-000000000000 +Shell32_AutoDestList_CalculateDecay,18869,,00000000-0000-0000-0000-000000000000 +Shell32_AutoDestList_GarbageCollecting,18871,,00000000-0000-0000-0000-000000000000 +Shell32_BrowserProgressAggregator_Register,18873,,00000000-0000-0000-0000-000000000000 +Shell32_BrowserProgressAggregator_Unregister,18875,,00000000-0000-0000-0000-000000000000 +Shell32_FilterDestByAssoc,18877,,00000000-0000-0000-0000-000000000000 +Shell32_AppDestList_Custom_AppendCategory,18879,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_CreateNewCollection,18881,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_ExecStop,18883,,00000000-0000-0000-0000-000000000000 +Shell32_DefView_ExecRefresh,18885,,00000000-0000-0000-0000-000000000000 +Shell32_ItemThumbnail_Prefetch_Dispatch,18889,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_FileCreate,18901,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_ProgressUpdate,18903,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_FileOperation_Info,18905,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_ProgressUpdateSkipped,18907,,00000000-0000-0000-0000-000000000000 
+Shell32_CopyEngine_ProgressData,18909,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_ProgressEstimate,18911,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_ProgressSpeed,18913,,00000000-0000-0000-0000-000000000000 +Shell32_CopyEngine_MoveAsCopyDelete,18915,,00000000-0000-0000-0000-000000000000 +Shell32_DragDropHelper_AddInfoToWindow,18917,,00000000-0000-0000-0000-000000000000 +Shell32_DragDropHelper_ExtractThumbnail,18919,,00000000-0000-0000-0000-000000000000 +Shell32_SHDoDragDrop_Drop,18921,,00000000-0000-0000-0000-000000000000 +Shell32_PerfMarker1,18923,,00000000-0000-0000-0000-000000000000 +Shell32_PerfMarker2,18925,,00000000-0000-0000-0000-000000000000 +Shell32_PerfMarker3,18927,,00000000-0000-0000-0000-000000000000 +Shell32_NewMenu_Folder,18933,,00000000-0000-0000-0000-000000000000 +Shell32_NewMenu_Shortcut,18934,,00000000-0000-0000-0000-000000000000 +Shell32_NewMenu_Other,18935,,00000000-0000-0000-0000-000000000000 +Shell32_DesktopContextMenu_Personalize,18936,,00000000-0000-0000-0000-000000000000 +Shell32_DesktopContextMenu_Display,18937,,00000000-0000-0000-0000-000000000000 +Shell32_SCFFileUsage_SQM,18939,,00000000-0000-0000-0000-000000000000 +Shell32_ExternalOverlayDllLoad,18941,,00000000-0000-0000-0000-000000000000 +Shell32_RunFileDlgDisplayed,18943,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_Register_Client,18950,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_Register_NotifyThread,18952,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_Deregister_Client,18954,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_Deregister_NotifyThread,18956,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_Notify_Client,18958,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_Notify_NotifyThread,18960,,00000000-0000-0000-0000-000000000000 +Shell32_SHChangeNotify_SendNotification_NotifyThread,18962,,00000000-0000-0000-0000-000000000000 
+Shell32_SHChangeNotify_HungApp,18964,,00000000-0000-0000-0000-000000000000 +UndoNode_PreItemChanged,18970,,00000000-0000-0000-0000-000000000000 +UndoNode_PostItemChanged,18972,,00000000-0000-0000-0000-000000000000 +UndoNode_PostLeave,18974,,00000000-0000-0000-0000-000000000000 +UndoNode_Cleanup,18976,,00000000-0000-0000-0000-000000000000 +CopyEngine_PerformUndo,18978,,00000000-0000-0000-0000-000000000000 +CopyEngine_ClearUndo,18980,,00000000-0000-0000-0000-000000000000 +ShellTraceId_TaskScheduler_ResumeTask,19001,,00000000-0000-0000-0000-000000000000 +ShellTraceId_TaskScheduler_RunTask,19003,,00000000-0000-0000-0000-000000000000 +ShellTraceId_TaskScheduler_PurgeTasks,19005,,00000000-0000-0000-0000-000000000000 +ShellTraceId_TaskScheduler_AddIdleTask,19007,,00000000-0000-0000-0000-000000000000 +ShellTraceId_TaskScheduler_AddTask,19009,,00000000-0000-0000-0000-000000000000 +Shell32_RecentDoc_Processed,19101,,00000000-0000-0000-0000-000000000000 +LUA_Elevation_Attempts,19201,,00000000-0000-0000-0000-000000000000 +FileClassStore_SetFileClassHandler,19401,,00000000-0000-0000-0000-000000000000 +FileClassStore_SetFileClassInt,19403,,00000000-0000-0000-0000-000000000000 +FileClassStore_SetFileClassString,19405,,00000000-0000-0000-0000-000000000000 +FileClassStore_LookupFileClassHandler,19407,,00000000-0000-0000-0000-000000000000 +FileClassStore_LookupFileClassString,19409,,00000000-0000-0000-0000-000000000000 +FileClassStore_LookupFileClassInt,19411,,00000000-0000-0000-0000-000000000000 +IconCache_LookupIcon,19413,,00000000-0000-0000-0000-000000000000 +IconCache_AddIcon,19415,,00000000-0000-0000-0000-000000000000 +IconCache_RemoveIcon,19417,,00000000-0000-0000-0000-000000000000 +IconCache_GetFileOverlayInfo,19419,,00000000-0000-0000-0000-000000000000 +IconCache_CacheMiss,19421,,00000000-0000-0000-0000-000000000000 +IconCache_ScaleImage,19423,,00000000-0000-0000-0000-000000000000 +CDesktopFolder_ParseDisplayName,19501,,00000000-0000-0000-0000-000000000000 
+CDesktopFolder_GetDisplayNameOf,19503,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_HomePage_Init,19601,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_LoadApplets,19603,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_LoadTasks,19605,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_Search,19607,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_Search_NoResults,19611,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_SearchResults_Applet,19613,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_SearchResults_Task,19615,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_TaskStateCondition,19617,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_NavPane_Mode,19619,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_NavPane_TransitionAnimation,19621,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_NavPane_LinkAdded,19623,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_TypeAheadSearch_Timeout,19625,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_TypeAheadSearch_NotFound,19627,,00000000-0000-0000-0000-000000000000 +Shell32_ControlPanel_SlowAppletsLoaded,19628,,00000000-0000-0000-0000-000000000000 +Explorer_ControlPanel_Settings_Sync,19635,,00000000-0000-0000-0000-000000000000 +ShowDesktop_Usage,19801,,00000000-0000-0000-0000-000000000000 +ShowDesktop_RaiseDesktop,19803,,00000000-0000-0000-0000-000000000000 +ShowDesktop_RegistryWrite,19805,,00000000-0000-0000-0000-000000000000 +StartButton_ChangeState,19900,,00000000-0000-0000-0000-000000000000 +StartMenu_OpenContextMenu,20001,,00000000-0000-0000-0000-000000000000 +StartMenu_PinItemToMenu,20003,,00000000-0000-0000-0000-000000000000 +StartMenu_Fill_MenuCache,20005,,00000000-0000-0000-0000-000000000000 +StartMenu_Left_Control_Button_Split_Open,20007,,00000000-0000-0000-0000-000000000000 +StartMenu_Right_Control_Button_Split_Open,20009,,00000000-0000-0000-0000-000000000000 
+StartMenu_Left_Control_Button_Label,20011,,00000000-0000-0000-0000-000000000000 +StartMenu_Right_Control_Button_Label,20013,,00000000-0000-0000-0000-000000000000 +StartMenu_Logoff_Usage_Stream,20015,,00000000-0000-0000-0000-000000000000 +StartMenu_Username_Clicked,20017,,00000000-0000-0000-0000-000000000000 +StartMenu_UserTile_Clicked,20019,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_Usage,20021,,00000000-0000-0000-0000-000000000000 +StartMenu_AllPrograms_Search_Usage,20023,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_TopResult_Launch,20025,,00000000-0000-0000-0000-000000000000 +StartMenu_Advanced_Search_Launch,20027,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_Result_Launch,20029,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_UNC_Path,20031,,00000000-0000-0000-0000-000000000000 +StartMenu_WordWheel_Activated,20033,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_Computer_Count,20035,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_Internet_Count,20037,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_URL_Count,20039,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_Dropdown_Count,20041,,00000000-0000-0000-0000-000000000000 +StartMenu_Search_Group_Usage,20043,,00000000-0000-0000-0000-000000000000 +StartMenu_Applications_Launched,20045,,00000000-0000-0000-0000-000000000000 +Rearranging_StartMenuTaskbar,20047,,00000000-0000-0000-0000-000000000000 +Pinned_Applications,20049,,00000000-0000-0000-0000-000000000000 +DestinationRemoval_StartMenuTaskbar,20051,,00000000-0000-0000-0000-000000000000 +Pinned_Destinations_StartMenuTaskbar,20053,,00000000-0000-0000-0000-000000000000 +Destination_Menu_Usage_StartMenuTaskbar,20055,,00000000-0000-0000-0000-000000000000 +Start_Menu_Recent_Items_Menu,20057,,00000000-0000-0000-0000-000000000000 +StartMenu_MFU_Application_Removal,20059,,00000000-0000-0000-0000-000000000000 +Application_Launches_StartMenuTaskbar,20061,,00000000-0000-0000-0000-000000000000 
+TurnOffUsageTrackingStartMenuTaskbar,20063,,00000000-0000-0000-0000-000000000000 +Taskbar_DestinationList_Prepopulate,20065,,00000000-0000-0000-0000-000000000000 +StartMenu_DestinationList_Refresh,20067,,00000000-0000-0000-0000-000000000000 +StartMenu_DestinationList_EnumData,20069,,00000000-0000-0000-0000-000000000000 +Destination_Menu_Action_StartMenuTaskbar,20071,,00000000-0000-0000-0000-000000000000 +Destination_Menu_Layout_StartMenuTaskbar,20072,,00000000-0000-0000-0000-000000000000 +Destination_Removal_StartMenuTaskbar,20073,,00000000-0000-0000-0000-000000000000 +StartMenu_Animation,20075,,00000000-0000-0000-0000-000000000000 +StartMenuCPL_Load,20102,,00000000-0000-0000-0000-000000000000 +StartMenuCPL_Apply,20104,,00000000-0000-0000-0000-000000000000 +TaskbarCPL_Load,20106,,00000000-0000-0000-0000-000000000000 +TaskbarCPL_Apply,20108,,00000000-0000-0000-0000-000000000000 +StartMenu_ByUsage_EnumItems,20111,,00000000-0000-0000-0000-000000000000 +UserTile_Taskbar_Control_Initialize,20900,,00000000-0000-0000-0000-000000000000 +UserTile_Store_Commit,20902,,00000000-0000-0000-0000-000000000000 +UserTile_Store_GetImage,20905,,00000000-0000-0000-0000-000000000000 +UserTile_Store_SetImageFromFile,20907,,00000000-0000-0000-0000-000000000000 +UserTile_Store_SetImageFromStream,20909,,00000000-0000-0000-0000-000000000000 +UserTile_Store_SetImageFromBitmap,20911,,00000000-0000-0000-0000-000000000000 +UserTile_DynamicTile_Init,20914,,00000000-0000-0000-0000-000000000000 +UserTile_DynamicTile_Playback,20916,,00000000-0000-0000-0000-000000000000 +UserTile_Taskbar_Control_DelayInitialize,20918,,00000000-0000-0000-0000-000000000000 +UserInfo_GetUserName,20920,,00000000-0000-0000-0000-000000000000 +SystemTray_ChangeNotify,21001,,00000000-0000-0000-0000-000000000000 +SystemTray_UserClickedChevon_ChangeNotify,21003,,00000000-0000-0000-0000-000000000000 +SystemTray_OverflowShown,21005,,00000000-0000-0000-0000-000000000000 
+SystemTray_IconAdded,21007,,00000000-0000-0000-0000-000000000000 +SystemTray_IconRemoved,21009,,00000000-0000-0000-0000-000000000000 +SystemTray_IconModified,21011,,00000000-0000-0000-0000-000000000000 +SystemTray_SystemPromote,21013,,00000000-0000-0000-0000-000000000000 +SystemTray_ShowBalloon,21015,,00000000-0000-0000-0000-000000000000 +SystemTray_RearrangeIcon,21017,,00000000-0000-0000-0000-000000000000 +Taskbar_GroupState_ChangeNotify,22001,,00000000-0000-0000-0000-000000000000 +Taskbar_LockState_ChangeNotify,22003,,00000000-0000-0000-0000-000000000000 +Taskbar_Click,22005,,00000000-0000-0000-0000-000000000000 +StarterEdition_AppLimitViolations,22006,,00000000-0000-0000-0000-000000000000 +Taskbar_Settings,22007,,00000000-0000-0000-0000-000000000000 +Taskbar_Location,22009,,00000000-0000-0000-0000-000000000000 +Taskbar_Size,22011,,00000000-0000-0000-0000-000000000000 +Taskbar_Quicklaunch_Item_Launch,22013,,00000000-0000-0000-0000-000000000000 +New_Taskbar_Pinned_Items_Rearranged,22014,,00000000-0000-0000-0000-000000000000 +Taskbar_Glomming_Enabled,22015,,00000000-0000-0000-0000-000000000000 +Taskbar_Quicklaunch_Enabled,22017,,00000000-0000-0000-0000-000000000000 +Taskbar_RegisterThumbnail,22019,,00000000-0000-0000-0000-000000000000 +Taskbar_ShowThumbnail,22021,,00000000-0000-0000-0000-000000000000 +Taskbar_Glomming_Count,22023,,00000000-0000-0000-0000-000000000000 +Taskbar_Window_Count,22025,,00000000-0000-0000-0000-000000000000 +Taskbar_SetProgress,22027,,00000000-0000-0000-0000-000000000000 +Taskbar_SetProgressState,22029,,00000000-0000-0000-0000-000000000000 +Taskbar_ButtonGroup_Added,22030,,00000000-0000-0000-0000-000000000000 +Taskbar_ButtonGroup_GlomStateChange,22031,,00000000-0000-0000-0000-000000000000 +Taskbar_ButtonGroup_Removed,22032,,00000000-0000-0000-0000-000000000000 +Taskbar_Window_Added,22033,,00000000-0000-0000-0000-000000000000 +Taskbar_Window_Active,22034,,00000000-0000-0000-0000-000000000000 
+Taskbar_Window_Removed,22035,,00000000-0000-0000-0000-000000000000 +Taskbar_HoverUIShow,22036,,00000000-0000-0000-0000-000000000000 +Taskbar_Item_Created,22037,,00000000-0000-0000-0000-000000000000 +Taskbar_Item_Destroyed,22038,,00000000-0000-0000-0000-000000000000 +Taskbar_Group_Created,22039,,00000000-0000-0000-0000-000000000000 +Taskbar_Group_Destroyed,22040,,00000000-0000-0000-0000-000000000000 +Taskbar_Group_AddItem,22041,,00000000-0000-0000-0000-000000000000 +Taskbar_Group_RemoveItem,22042,,00000000-0000-0000-0000-000000000000 +Taskbar_Animation,22043,,00000000-0000-0000-0000-000000000000 +Taskbar_AnimFrame,22044,,00000000-0000-0000-0000-000000000000 +Taskbar_ComputeLayout,22045,,00000000-0000-0000-0000-000000000000 +Taskbar_Compute_Row_Layout,22046,,00000000-0000-0000-0000-000000000000 +Taskbar_ButtonGroup_Rearranged,22047,,00000000-0000-0000-0000-000000000000 +Taskbar_Switcher_Context_Menu,22048,,00000000-0000-0000-0000-000000000000 +Taskbar_Scrolling_Stream,22049,,00000000-0000-0000-0000-000000000000 +Taskbar_Window_Picker_Triggers,22050,,00000000-0000-0000-0000-000000000000 +Thumbnail_Window_Picker_Interaction_Stream,22051,,00000000-0000-0000-0000-000000000000 +Legacy_Glom_Interaction_Stream,22052,,00000000-0000-0000-0000-000000000000 +Taskbar_Compute_Column_Layout,22053,,00000000-0000-0000-0000-000000000000 +Taskbar_Taskband_Icon_Size,22054,,00000000-0000-0000-0000-000000000000 +Progress_Bars_Customers,22055,,00000000-0000-0000-0000-000000000000 +Progress_Bars_Glom_Count,22056,,00000000-0000-0000-0000-000000000000 +Progress_Bars_Paused_Count,22057,,00000000-0000-0000-0000-000000000000 +Taskbar_ThumbBar_AddButtons,22058,,00000000-0000-0000-0000-000000000000 +Taskbar_ThumbBar_UpdateButton,22059,,00000000-0000-0000-0000-000000000000 +Taskbar_ThumbBar_Create,22060,,00000000-0000-0000-0000-000000000000 +Taskbar_ThumbBar_Click,22062,,00000000-0000-0000-0000-000000000000 +Taskbar_OverlayIcon,22063,,00000000-0000-0000-0000-000000000000 
+Taskbar_Item_Flashing,22064,,00000000-0000-0000-0000-000000000000 +Taskbar_OpenWindowContextMenu,22065,,00000000-0000-0000-0000-000000000000 +Taskbar_UserActivityTracker,22067,,00000000-0000-0000-0000-000000000000 +Taskbar_RunAsAdmin_ShiftCtrl_Count,22068,,00000000-0000-0000-0000-000000000000 +Taskbar_NewInstanceContextMenu_Count,22069,,00000000-0000-0000-0000-000000000000 +Taskbar_NewInstanceContextMenu_RunAsAdmin_Count,22070,,00000000-0000-0000-0000-000000000000 +Taskbar_DeskbandStream,22071,,00000000-0000-0000-0000-000000000000 +Thumbnail_Toolbar_Stream,22072,,00000000-0000-0000-0000-000000000000 +Taskbar_NumberOfRows,22073,,00000000-0000-0000-0000-000000000000 +ApplicationOverlays,22074,,00000000-0000-0000-0000-000000000000 +Taskbar_Secondary_Glomming_Enabled,22075,,00000000-0000-0000-0000-000000000000 +Taskbar_Multimon_Configuration,22076,,00000000-0000-0000-0000-000000000000 +Number_Of_Displays,22077,,00000000-0000-0000-0000-000000000000 +Taskbar_Multimon_Window_Count,22078,,00000000-0000-0000-0000-000000000000 +Taskbar_Settings_Changed,22079,,00000000-0000-0000-0000-000000000000 +Taskbar_Immersive_Show,22080,,00000000-0000-0000-0000-000000000000 +Taskbar_Immersive_Hide,22081,,00000000-0000-0000-0000-000000000000 +Taskbar_PinInitialItems,22082,,00000000-0000-0000-0000-000000000000 +ViewControl_UserSplitButtonClick,23001,,00000000-0000-0000-0000-000000000000 +ViewControl_UserViewModeSelect,23003,,00000000-0000-0000-0000-000000000000 +ViewControl_ViewModeChangeNotify,23005,,00000000-0000-0000-0000-000000000000 +ViewControl_SQMStream,23007,,00000000-0000-0000-0000-000000000000 +TopView_Usage,23008,,00000000-0000-0000-0000-000000000000 +TopView_Save,23009,,00000000-0000-0000-0000-000000000000 +ViewMode_Change,23010,,00000000-0000-0000-0000-000000000000 +Sort_Change,23011,,00000000-0000-0000-0000-000000000000 +Stack_Change,23012,,00000000-0000-0000-0000-000000000000 +Group_Change,23013,,00000000-0000-0000-0000-000000000000 
+WordWheel_UserKeypress_ChangeNotify,23101,,00000000-0000-0000-0000-000000000000 +SendTo_Populate,23111,,00000000-0000-0000-0000-000000000000 +Glass_Colorization,23201,,00000000-0000-0000-0000-000000000000 +Glass_Composition_Enabled,23203,,00000000-0000-0000-0000-000000000000 +Glass_Theme_Active,23205,,00000000-0000-0000-0000-000000000000 +CTrackEvents_OperationEventStart,26001,,00000000-0000-0000-0000-000000000000 +CTrackEvents_OperationQueueInfo,26002,,00000000-0000-0000-0000-000000000000 +CTrackEvents_StartTimedOperation,26003,,00000000-0000-0000-0000-000000000000 +CTrackEvents_StopTimedOperation,26005,,00000000-0000-0000-0000-000000000000 +CTrackEvents_OperationEventEnd,26007,,00000000-0000-0000-0000-000000000000 +Shell32_AdviseCollection,26009,,00000000-0000-0000-0000-000000000000 +Shell32_CDefViewSink_PostMessage,26011,,00000000-0000-0000-0000-000000000000 +PerfTrack_DesktopBackgroundCpl,27001,,00000000-0000-0000-0000-000000000000 +PerfTrack_ColorSchemeCpl,27003,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartPane_AllPrograms_Show,27005,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartPane_AllPrograms_BackButton,27007,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartPane_ShowItem,27009,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartPane_SearchItem,27011,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartPane_LogOffMenu,27013,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartPane_TopMatchReady,27015,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_DocumentsLibrary_Local_PageDisplayed,27017,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_DocumentsLibrary_Local_PageCompleted,27019,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_DocumentsLibrary_Network_PageDisplayed,27021,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_DocumentsLibrary_Network_PageCompleted,27023,,00000000-0000-0000-0000-000000000000 
+PerfTrack_Explorer_DocumentsLibrary_OpenSearch_PageDisplayed,27025,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_DocumentsLibrary_OpenSearch_PageCompleted,27027,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_PicturesLibrary_Local_PageDisplayed,27029,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_PicturesLibrary_Local_PageCompleted,27031,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_PicturesLibrary_Network_PageDisplayed,27033,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_PicturesLibrary_Network_PageCompleted,27035,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_PicturesLibrary_OpenSearch_PageDisplayed,27037,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_PicturesLibrary_OpenSearch_PageCompleted,27039,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_MusicLibrary_Local_PageDisplayed,27041,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_MusicLibrary_Local_PageCompleted,27043,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_MusicLibrary_Network_PageDisplayed,27045,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_MusicLibrary_Network_PageCompleted,27047,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_MusicLibrary_OpenSearch_PageDisplayed,27049,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_MusicLibrary_OpenSearch_PageCompleted,27051,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_VideosLibrary_Local_PageDisplayed,27053,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_VideosLibrary_Local_PageCompleted,27055,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_VideosLibrary_Network_PageDisplayed,27057,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_VideosLibrary_Network_PageCompleted,27059,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_VideosLibrary_OpenSearch_PageDisplayed,27061,,00000000-0000-0000-0000-000000000000 
+PerfTrack_Explorer_VideosLibrary_OpenSearch_PageCompleted,27063,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Invoke_Cancelled,27065,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_UsersFiles_PageDisplayed,27077,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_UsersFiles_PageCompleted,27079,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_DocumentsLibrary_Local_PageDisplayed,27081,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_DocumentsLibrary_Local_PageCompleted,27083,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_DocumentsLibrary_Network_PageDisplayed,27085,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_DocumentsLibrary_Network_PageCompleted,27087,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_DocumentsLibrary_OpenSearch_PageDisplayed,27089,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_DocumentsLibrary_OpenSearch_PageCompleted,27091,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_PicturesLibrary_Local_PageDisplayed,27093,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_PicturesLibrary_Local_PageCompleted,27095,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_PicturesLibrary_Network_PageDisplayed,27097,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_PicturesLibrary_Network_PageCompleted,27099,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_PicturesLibrary_OpenSearch_PageDisplayed,27101,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_PicturesLibrary_OpenSearch_PageCompleted,27103,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_MusicLibrary_Local_PageDisplayed,27105,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_MusicLibrary_Local_PageCompleted,27107,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_MusicLibrary_Network_PageDisplayed,27109,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_MusicLibrary_Network_PageCompleted,27111,,00000000-0000-0000-0000-000000000000 
+PerfTrack_CFD_MusicLibrary_OpenSearch_PageDisplayed,27113,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_MusicLibrary_OpenSearch_PageCompleted,27115,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_VideosLibrary_Local_PageDisplayed,27117,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_VideosLibrary_Local_PageCompleted,27119,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_VideosLibrary_Network_PageDisplayed,27121,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_VideosLibrary_Network_PageCompleted,27123,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_VideosLibrary_OpenSearch_PageDisplayed,27125,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_VideosLibrary_OpenSearch_PageCompleted,27127,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_UsersFiles_PageDisplayed,27141,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_UsersFiles_PageCompleted,27143,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Search_PageDisplayed,27145,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Search_PageCompleted,27147,,00000000-0000-0000-0000-000000000000 +PerfTrack_Taskbar_Launch,27149,,00000000-0000-0000-0000-000000000000 +PerfTrack_HoverUI_FadeIn,27151,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_ControlPanel,27153,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Pictures,27155,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Pictures_Network,27156,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Music,27157,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Music_Network,27158,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Documents,27159,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_Documents_Network,27160,,00000000-0000-0000-0000-000000000000 +PerfTrack_SearchBox_CharactersTyped,27161,,00000000-0000-0000-0000-000000000000 +PerfTrack_Taskbar_DestinationList_Up,27163,,00000000-0000-0000-0000-000000000000 
+PerfTrack_StartMenu_DestinationList_Up,27165,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_NetworkFileFolderView,27167,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_NetworkFolderHighDPI,27169,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_LocalFolderHighDPI,27171,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_FrameClose,27173,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_GroupedView,27175,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_StackedView,27177,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_ThumbnailView,27179,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_SearchGroupedView,27181,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_SearchStackedView,27183,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_SearchThumbnailView,27185,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_SearchGrepView,27187,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_OpenSearchView,27189,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_EnumeratesTypeValues,27191,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_ListEnumeratesRange,27193,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_MRUEnumerateValues,27195,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_MRUListEnumeratesRanges,27197,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_MRUControlRenders,27199,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_EnumInView,27201,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_EnumInNavPane,27203,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_RemotePC_EnumInView,27205,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_PublishedItem_PageDisplayed,27207,,00000000-0000-0000-0000-000000000000 +PerfTrack_OpenSearch_QueryServer,27209,,00000000-0000-0000-0000-000000000000 
+PerfTrack_Explorer_ItemsView_PageScroll,27211,,00000000-0000-0000-0000-000000000000 +PerfTrack_Shell32_CopyEngine_CancelDlg,27213,,00000000-0000-0000-0000-000000000000 +PerfTrack_LibraryLocation_AddedToLib,27215,,00000000-0000-0000-0000-000000000000 +PerfTrack_InspectorGadget,27217,,00000000-0000-0000-0000-000000000000 +PerfTrack_InspectorWindow,27219,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_FilterSuggestInitial,27221,,00000000-0000-0000-0000-000000000000 +PerfTrack_FilterMenu_FilterSuggestFinal,27223,,00000000-0000-0000-0000-000000000000 +PerfTrack_Taskbar_Launch_Explorer,27225,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Templates_SearchIndexedView,27228,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_ExplorerStartToDesktopReady,27230,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_PublishedItem_PageComplete,27232,,00000000-0000-0000-0000-000000000000 +Delayed_Filter_Contents,27234,,00000000-0000-0000-0000-000000000000 +PerfTrack_ControlPanel_CategoryNavigation,27235,,00000000-0000-0000-0000-000000000000 +PerfTrack_StartMenu_SystemControlPanel_Launch,27236,,00000000-0000-0000-0000-000000000000 +PerfTrack_Explorer_Navigation,27243,,00000000-0000-0000-0000-000000000000 +PerfTrack_CFD_Navigation,27244,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_User_EnumInView,27247,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_KnownLibrary_PageComplete,27249,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_KnownLibrary_PageDisplayed,27251,,00000000-0000-0000-0000-000000000000 +PerfTrack_HomeGroup_LocalPC_EnumInView,27253,,00000000-0000-0000-0000-000000000000 +PerfTrack_Launcher_Login,27255,,00000000-0000-0000-0000-000000000000 +PerfTrack_DeviceUX_DeviceCenter_EnumInView,27257,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolverCache_DevTrace,28001,,00000000-0000-0000-0000-000000000000 +Shell32_StateStoreCommitRetry,28129,,00000000-0000-0000-0000-000000000000 
+Shell32_AppResolver_InitialDefaultLayout,28131,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_UpdateLayout,28135,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_RefreshCache,28137,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolverCache_AddShortcut,28141,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolverCache_RemoveShortcut,28142,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolverCache_UpdateShortcut,28143,,00000000-0000-0000-0000-000000000000 +Shell32_RegistryPackageChangeListener_AppStateChange,28145,,00000000-0000-0000-0000-000000000000 +Shell32_RegistryPackageChangeListener_AppStateReset,28147,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_DualModeDisallowed,28149,,00000000-0000-0000-0000-000000000000 +Shell32_RegistryPackageChangeListener_Rescan,28151,,00000000-0000-0000-0000-000000000000 +Shell32_RegistryPackageChangeListener_ApplyChange,28153,,00000000-0000-0000-0000-000000000000 +Shell32_LauncherLayoutManager_ChangeNotify,28155,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolverCache_ImportShortcut,28157,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_GetAppIDForWindow,28163,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_ScanScheduled,28175,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_Scan,28177,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_CacheCommitted,28179,,00000000-0000-0000-0000-000000000000 +Shell32_AppResolver_ParseVisualElementsManifest,28180,,00000000-0000-0000-0000-000000000000 +Shell32_WindowPropStore_SetValue,28183,,00000000-0000-0000-0000-000000000000 +Shell32_WindowPropStore_GetValue,28185,,00000000-0000-0000-0000-000000000000 +Shell32_WindowPropStore_ValueRemoved,28187,,00000000-0000-0000-0000-000000000000 +AppResolver_AppInstallation,28189,,00000000-0000-0000-0000-000000000000 +Shell32_OperationTile_SQMStream,28191,,00000000-0000-0000-0000-000000000000 
+Shell32_OperationManager_SQMStream,28193,,00000000-0000-0000-0000-000000000000 +Shell32_ConflictUI_SQMStream,28195,,00000000-0000-0000-0000-000000000000 +ShellLib_AdjustImage,50001,,00000000-0000-0000-0000-000000000000 +ShutdownUX_ShowMenu,50101,,00000000-0000-0000-0000-000000000000 +ShutdownUX_DefaultButtonPress,50103,,00000000-0000-0000-0000-000000000000 +ShutdownUX_SelectMenuItem,50105,,00000000-0000-0000-0000-000000000000 +ShutdownUX_StartMenuCriticalPath,50107,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_PrepareDisc_Launch,50201,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_PrepareDisc_Mastered,50203,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_PrepareDisc_LiveFS,50205,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_Mastered_Session,50207,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_SessionOpenOnEject_Multi,50209,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_SessionOpenOnEject_Single,50211,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_IsoBurn_Session,50213,,00000000-0000-0000-0000-000000000000 +CDBurn_SQM_CloseSession_Command,50215,,00000000-0000-0000-0000-000000000000 +CDBurn_IsoBurn_Launch,50217,,00000000-0000-0000-0000-000000000000 +CDBurn_IsoBurn_Task,50219,,00000000-0000-0000-0000-000000000000 +IE_EnumHistoryRecords,60009,,00000000-0000-0000-0000-000000000000 +IE_LegacyHistoryAdd,60011,,00000000-0000-0000-0000-000000000000 +IE_LegacyHistoryQuery,60013,,00000000-0000-0000-0000-000000000000 +IE_LegacyHistoryEnum,60015,,00000000-0000-0000-0000-000000000000 +IE_CreateThumbnail,60017,,00000000-0000-0000-0000-000000000000 +IE_ScaleThumbnail,60019,,00000000-0000-0000-0000-000000000000 +IE_CompressThumbnail,60021,,00000000-0000-0000-0000-000000000000 +IE_GenerateThumbnail,60023,,00000000-0000-0000-0000-000000000000 +IE_LButtonAction,60025,,00000000-0000-0000-0000-000000000000 +IE_ExtensionCreate,60027,,00000000-0000-0000-0000-000000000000 +IE_ExtensionSetSite,60029,,00000000-0000-0000-0000-000000000000 
+IE_ExtensionShowDW,60031,,00000000-0000-0000-0000-000000000000 +IE_ExtensionCloseDW,60033,,00000000-0000-0000-0000-000000000000 +IE_ExtensionSetSiteNull,60035,,00000000-0000-0000-0000-000000000000 +IE_ExtensionRelease,60037,,00000000-0000-0000-0000-000000000000 +SearchBox_ColorAQS,60201,,00000000-0000-0000-0000-000000000000 +SearchBox_Popup_Show,60203,,00000000-0000-0000-0000-000000000000 +SearchBox_MRU_Populate,60205,,00000000-0000-0000-0000-000000000000 +SEARCHBOX_USAGE,60207,,00000000-0000-0000-0000-000000000000 +SearchBox_PropertyValues_Populate,60213,,00000000-0000-0000-0000-000000000000 +SearchBox_Acquired_Focus,60215,,00000000-0000-0000-0000-000000000000 +SearchBox_LinguisticAlternativeGenerator_GenerateAlternatives,60216,,00000000-0000-0000-0000-000000000000 +SearchBox_SearchConversionList_Animation,60218,,00000000-0000-0000-0000-000000000000 +SearchBox_SearchConversionList_BeginUIElement,60220,,00000000-0000-0000-0000-000000000000 +SearchBox_SearchConversionList_UpdateUIElement,60221,,00000000-0000-0000-0000-000000000000 +SearchBox_SearchConversionList_EndUIElement,60222,,00000000-0000-0000-0000-000000000000 +TryHarder_Draw_All,60301,,00000000-0000-0000-0000-000000000000 +TryHarder_Calculate_Scopes,60303,,00000000-0000-0000-0000-000000000000 +TryHarder_Calculate_Search_File_Contents,60305,,00000000-0000-0000-0000-000000000000 +TryHarder_Calculate_Search_Subfolders,60307,,00000000-0000-0000-0000-000000000000 +TryHarder_Start_New_Search,60309,,00000000-0000-0000-0000-000000000000 +TryHarder_Internet_Rollover,60311,,00000000-0000-0000-0000-000000000000 +NetworkUX_NewNetCountMaxReached,60401,,00000000-0000-0000-0000-000000000000 +NAVPANE_ACTION,60501,,00000000-0000-0000-0000-000000000000 +NAVIGATIONPANE_ITEMCOUNTS,60503,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_BatchFirstEvent,60601,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_BatchTimer,60603,,00000000-0000-0000-0000-000000000000 
+ItemsView_UIItemsView_FlushBatch,60605,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_EndBatching,60607,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_NotifyContentsChanged,60609,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_PreProcessEventQueue,60611,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItem_OnItemEvent,60613,,00000000-0000-0000-0000-000000000000 +ItemsView_UICollection_OnCollectionEvent,60615,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_Paint,60617,,00000000-0000-0000-0000-000000000000 +ItemsView_LineScroller_RealizeContent,60619,,00000000-0000-0000-0000-000000000000 +ItemsView_LineScroller_LayoutPass,60621,,00000000-0000-0000-0000-000000000000 +ItemsView_LineScroller_DesiredSizePass,60623,,00000000-0000-0000-0000-000000000000 +ItemsView_ItemDevirtualizer_ForegroundFullDevirtualization,60625,,00000000-0000-0000-0000-000000000000 +ItemsView_UIColumnHeader_SortColumn,60627,,00000000-0000-0000-0000-000000000000 +ItemsView_SelectionState_SelectionChange,60629,,00000000-0000-0000-0000-000000000000 +ItemsView_AnimationManager_SetupAnimation,60631,,00000000-0000-0000-0000-000000000000 +ItemsView_AnimationManager_FinishAnimationSetup,60633,,00000000-0000-0000-0000-000000000000 +ItemsView_AnimationManager_AllocateHBITMAP,60635,,00000000-0000-0000-0000-000000000000 +ItemsView_AnimationManager_AnimationLoop,60637,,00000000-0000-0000-0000-000000000000 +ItemsView_AnimationManager_Paint,60639,,00000000-0000-0000-0000-000000000000 +ItemsView_SQM,60641,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_Prefetch,60643,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_PreparePrefetch,60645,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_BlockRedraw,60647,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_RunFirstPageResults,60649,,00000000-0000-0000-0000-000000000000 +ItemsView_ItemDevirtualizer_FullDevirtualization,60651,,00000000-0000-0000-0000-000000000000 
+ItemsView_ItemDevirtualizer_PartialDevirtualization,60652,,00000000-0000-0000-0000-000000000000 +ItemsView_FirstPage_UpdateCountReport,60653,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_StartBatchTimer,60655,,00000000-0000-0000-0000-000000000000 +ItemsView_UIItemsView_PostEvent,60657,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_PaintWallpaper,60659,,00000000-0000-0000-0000-000000000000 +Shell32_CWallpaperWindow_CaptureWallpaper,60661,,00000000-0000-0000-0000-000000000000 +Shell_DesktopBackgroundSlideshow_Tick,60701,,00000000-0000-0000-0000-000000000000 +Shell_DesktopBackgroundSlideshow_Workitem,60705,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_Slideshow_IsRunning,60706,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_Slideshow_Refresh,60707,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_Slideshow_Tick_Timer,60708,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_Slideshow_Tick_Manual,60709,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopBrowser_Slideshow_Enable,60710,,00000000-0000-0000-0000-000000000000 +Shell32_AutoColorization_ColorChosen,60711,,00000000-0000-0000-0000-000000000000 +Shell32_AutoColorization_Analysis,60712,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopWallpaper_AutoSpan,60714,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopWallpaper_AutoDecision,60715,,00000000-0000-0000-0000-000000000000 +Shell32_CDesktopWallpaper_WallpaperPosition,60716,,00000000-0000-0000-0000-000000000000 +Shell32_ActiveSetup,60751,,00000000-0000-0000-0000-000000000000 +Shell32_ActiveSetup_RunInstallUninstallStubsWorker,60753,,00000000-0000-0000-0000-000000000000 +Shell32_ActiveSetup_RunOneInstallStub,60755,,00000000-0000-0000-0000-000000000000 +Shell32_ActiveSetup_RunPendingGPOs,60757,,00000000-0000-0000-0000-000000000000 +Shell32_ActiveSetup_RunSetupCommand,60759,,00000000-0000-0000-0000-000000000000 
+ShellLib_DUIControls_CandidateList_Show,60801,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_Hide,60802,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_DataSourceChanged,60803,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_UIReady,60804,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_PageChanged,60805,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_CandidateFocusChanged,60806,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_CloseButtonPressed,60807,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_Finalize,60808,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_FillInterrupted,60809,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_ResumeFill,60810,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_ForcedPageBreak,60811,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_RealizePage,60812,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_PageLayout,60814,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_RealizationComplete,60816,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_RedoPaging,60817,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_PagingComplete,60818,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_ButtonPressed,60819,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_ButtonReleased,60820,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_PagingAnimation,60821,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_TouchPan,60823,,00000000-0000-0000-0000-000000000000 +ShellLib_DUIControls_CandidateList_ViewRender,60825,,00000000-0000-0000-0000-000000000000 
+ShellTask_ExecAssoc_ReputationCheck,60901,,00000000-0000-0000-0000-000000000000 +ShellTask_ExecAssoc_ReputationTelemetry,60903,,00000000-0000-0000-0000-000000000000 +ShellTask_ExecAssoc_ScrubZoneIdentifier,60905,,00000000-0000-0000-0000-000000000000 +ShellTask_ExecAssoc_ZoneCheckFile,60907,,00000000-0000-0000-0000-000000000000 +ShellTask_Download_SafeOpenPromptForShellExec,60914,,00000000-0000-0000-0000-000000000000 +ShellTask_SmartScreen_CheckReputation,60915,,00000000-0000-0000-0000-000000000000 +Shell32_SyncIntegration_Manager_Initialize,61201,,00000000-0000-0000-0000-000000000000 +Shell32_SyncIntegration_Manager_Notifications,61210,,00000000-0000-0000-0000-000000000000 +Shell32_SyncIntegration_Manager_GetStatus,61220,,00000000-0000-0000-0000-000000000000 +Shell32_DiscImage_MountVerb,61300,,00000000-0000-0000-0000-000000000000 +Shell32_DiscImage_MountVerb_SQMStream,61301,,00000000-0000-0000-0000-000000000000 +Shell32_LibraryManagementDialog_CreateIcon,61320,,00000000-0000-0000-0000-000000000000 +Shell32_LibraryManagementDialog_SaveChanges,61322,,00000000-0000-0000-0000-000000000000 +Shell32_LibraryGroupPolicy_EnforceInSSO,61324,,00000000-0000-0000-0000-000000000000 +Shell32_LibraryGroupPolicy_CreateKnownFolder,61326,,00000000-0000-0000-0000-000000000000 +OperationManager_TileAdded,61340,,00000000-0000-0000-0000-000000000000 +OperationManager_TileRemoved,61341,,00000000-0000-0000-0000-000000000000 +OperationManager_TileStateChanged,61342,,00000000-0000-0000-0000-000000000000 +OperationManager_TileCancelled,61343,,00000000-0000-0000-0000-000000000000 +OperationManager_ServiceModeChange,61344,,00000000-0000-0000-0000-000000000000 +OperationManager_EnthusiastMode_TileRateChartProgressStart,61345,,00000000-0000-0000-0000-000000000000 +OperationManager_EnthusiastMode_TileRateChartRescale,61346,,00000000-0000-0000-0000-000000000000 +OperationManager_EnthusiastMode_TileRateChartUpdate,61347,,00000000-0000-0000-0000-000000000000 
+OperationManager_ConfirmationCreated,61348,,00000000-0000-0000-0000-000000000000 +OperationManager_ConfirmationFinished,61349,,00000000-0000-0000-0000-000000000000 +OperationManager_ConflictCreated,61350,,00000000-0000-0000-0000-000000000000 +OperationManager_ConflictFinished,61351,,00000000-0000-0000-0000-000000000000 +OperationManager_Discovering,61352,,00000000-0000-0000-0000-000000000000 +OperationManager_Paused,61353,,00000000-0000-0000-0000-000000000000 +OperationManager_Executing,61354,,00000000-0000-0000-0000-000000000000 +OperationManager_Cancelled,61355,,00000000-0000-0000-0000-000000000000 +OperationManager_Interrupted,61356,,00000000-0000-0000-0000-000000000000 +OperationManager_Pausing,61357,,00000000-0000-0000-0000-000000000000 +OperationManager_Resuming,61358,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Enumeration,61360,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Enumeration_GetView,61364,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Enumeration_GetAt,61366,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Enumeration_GetCount,61368,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamAccess_GetStream,61370,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamAccess_Read,61372,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamAccess_Write,61374,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamAccess_Commit,61376,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_PropertyAccess_GetProperties,61380,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_PropertyAccess_Commit,61386,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetKnownItem,61390,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetThumbnail,61400,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Create,61410,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Delete,61412,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Rename,61414,,00000000-0000-0000-0000-000000000000 
+FileAccessAPI_AddPersistedItem,61420,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_AddReplacePersistedItem,61422,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_RemovePersistedItem,61424,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_ClearAllPersistedItems,61426,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetPersistedItem,61428,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_EnumeratePersistedItemTokens,61430,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetItemFromPath,61432,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetMusicProperties,61434,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetVideoProperties,61436,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetImageProperties,61438,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetDocumentProperties,61440,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamedFile_DataRequest,61442,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamedFile_WriteStream,61444,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_StreamedFile_Abandoned,61446,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Copy,61448,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_Move,61450,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_GetBasicProperties,61452,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_ValidatePath,61454,,00000000-0000-0000-0000-000000000000 +FileAccessAPI_CacheFlush,61456,,00000000-0000-0000-0000-000000000000 +DataLayerCacheFlush,61457,,00000000-0000-0000-0000-000000000000 +ShellOplocks_NotGranted,61460,,00000000-0000-0000-0000-000000000000 +ShellOplocks_Broken,61461,,00000000-0000-0000-0000-000000000000 +ShellOplocks_BrokenAndWaiting,61462,,00000000-0000-0000-0000-000000000000 +ShellOplocks_Acknowledged,61464,,00000000-0000-0000-0000-000000000000 +SetUserDefaults_ProgramListPopulated,61501,,00000000-0000-0000-0000-000000000000 +SetUserDefaults_ProgramAssociationsPopulated,61503,,00000000-0000-0000-0000-000000000000 
+SetUserDefaults_DefaultSet,61505,,00000000-0000-0000-0000-000000000000 +DataPackage_GetProperties,61600,,00000000-0000-0000-0000-000000000000 +DataPackage_GetAvailableFormats,61602,,00000000-0000-0000-0000-000000000000 +DataPackage_Contains,61604,,00000000-0000-0000-0000-000000000000 +DataPackage_GetDataAsync,61606,,00000000-0000-0000-0000-000000000000 +DataPackage_GetResourceMapAsync,61608,,00000000-0000-0000-0000-000000000000 +DataPackage_SetData,61610,,00000000-0000-0000-0000-000000000000 +DataPackage_InvokeDataProviderHandler,61612,,00000000-0000-0000-0000-000000000000 +DataPackage_GetText,61614,,00000000-0000-0000-0000-000000000000 +DataPackage_SetText,61616,,00000000-0000-0000-0000-000000000000 +DataPackage_GetCustomText,61618,,00000000-0000-0000-0000-000000000000 +DataPackage_SetCustomText,61620,,00000000-0000-0000-0000-000000000000 +DataPackage_GetHtml,61622,,00000000-0000-0000-0000-000000000000 +DataPackage_SetHtml,61624,,00000000-0000-0000-0000-000000000000 +DataPackage_GetUri,61626,,00000000-0000-0000-0000-000000000000 +DataPackage_SetUri,61628,,00000000-0000-0000-0000-000000000000 +DataPackage_GetRtf,61630,,00000000-0000-0000-0000-000000000000 +DataPackage_SetRtf,61632,,00000000-0000-0000-0000-000000000000 +DataPackage_GetBitmap,61634,,00000000-0000-0000-0000-000000000000 +DataPackage_SetBitmap,61636,,00000000-0000-0000-0000-000000000000 +DataPackage_GetStorageItemsAsync,61638,,00000000-0000-0000-0000-000000000000 +HtmlFormatHelper_GetStaticFragment,61640,,00000000-0000-0000-0000-000000000000 +DataPackage_SetStorageItems,61642,,00000000-0000-0000-0000-000000000000 +DataObjectProvider_GetDataObject,61644,,00000000-0000-0000-0000-000000000000 +DataObjectProvider_SetDataObject,61646,,00000000-0000-0000-0000-000000000000 +HtmlFormatHelper_CreateHtmlFormat,61648,,00000000-0000-0000-0000-000000000000 +Clipboard_GetContent,61650,,00000000-0000-0000-0000-000000000000 +Clipboard_SetContent,61652,,00000000-0000-0000-0000-000000000000 
+PlaylistFolder_DataSource_Created,62000,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_DataSource_ItemEnumeration,62001,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_DataSource_DocumentParse,62002,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_Load,62020,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_GetItem,62021,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_Insert,62022,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_Remove,62023,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_Move,62024,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_Commit,62025,,00000000-0000-0000-0000-000000000000 +PlaylistFolder_Document_Save,62026,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_VolumeAddedOrUpdated,62050,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_VolumeRemoved,62052,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_CreateEventForVolumeArrival,62054,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_GetAndRemoveVolumeAndItsMtPts,62056,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_UpdateVolumeRegInfo,62058,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_CreateVolumeObject,62060,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_GetLabel,62062,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_MountPointAdded,62064,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_CreateMtPtLocalWithVolume,62066,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_OnMountPointArrival,62068,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_GetMountPoint,62070,,00000000-0000-0000-0000-000000000000 +OperationManager_TileAnimation_Started,62072,,00000000-0000-0000-0000-000000000000 +OperationManager_TileAnimation_Frame_Updated,62073,,00000000-0000-0000-0000-000000000000 +OperationManager_TileAnimation_Terminated,62074,,00000000-0000-0000-0000-000000000000 
+OperationManager_TileAnimation_Frame_Skipped,62075,,00000000-0000-0000-0000-000000000000 +Shell32_MountPoint_SendQueryCancelAutoPlayMessage,62078,,00000000-0000-0000-0000-000000000000 +Shell_Scaling_Cache_Updated,62100,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_LoadFromManifest,62120,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_LoadFromDisk,62121,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_VerifyInformation,62122,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_Revert,62123,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_Commit,62124,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_Commit_InstallTile,62125,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_InitContentTileRoaming,62126,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_VerifyInformation,62127,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Revert,62128,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Commit,62129,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_PopulateShortcut,62130,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_CommitShortcut,62131,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_InstallStateChange,62132,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Commit_Create,62133,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Commit_Update,62134,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Commit_Delete,62135,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Commit_Temporary,62136,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Commit_ChangePropValue,62137,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Revert_Create,62138,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Revert_Update,62139,,00000000-0000-0000-0000-000000000000 
+TileManagement_AppTileInfo_Revert_Delete,62140,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_Remove_Folder,62141,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_Increment_LastWriteTime,62142,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_UpdateLSN_Badge,62143,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_RevertUpdateLSN_Badge,62144,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_RemoveLSN_Badge,62145,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_UpdateLSN_Tile,62146,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_RevertUpdateLSN_Tile,62147,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_RemoveLSN_Tile,62148,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_MergePriFailed,62149,,00000000-0000-0000-0000-000000000000 +FilePicker_NamespaceExtensionFilter_Allow,62150,,00000000-0000-0000-0000-000000000000 +FilePicker_NamespaceExtensionFilter_Deny,62151,,00000000-0000-0000-0000-000000000000 +LogonPerformance_TaskRunTime,62170,,00000000-0000-0000-0000-000000000000 +Activation_Watermark_Register_Licensing_Event_Error,62200,,00000000-0000-0000-0000-000000000000 +Activation_Watermark_Window_Creation_Error,62201,,00000000-0000-0000-0000-000000000000 +Activation_Watermark_Render_Error,62202,,00000000-0000-0000-0000-000000000000 +Activation_Watermark_Failed_To_Get_Genuine_Status,62203,,00000000-0000-0000-0000-000000000000 +Activation_Watermark_Init,62204,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_UpdateLSN_Alarm,62250,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_RevertUpdateLSN_Alarm,62251,,00000000-0000-0000-0000-000000000000 +TileManagement_AppTileInfo_RemoveLSN_Alarm,62252,,00000000-0000-0000-0000-000000000000 +DataPackage_GetApplicationLink,62300,,00000000-0000-0000-0000-000000000000 +DataPackage_SetApplicationLink,62302,,00000000-0000-0000-0000-000000000000 
+FilePlaceholder_Save,62320,,00000000-0000-0000-0000-000000000000 +FilePlaceholder_ClearPrimaryStream,62322,,00000000-0000-0000-0000-000000000000 +FilePlaceholder_SetPlaceholderStates,62324,,00000000-0000-0000-0000-000000000000 +ExtrinsicPropertyStore_Commit,62326,,00000000-0000-0000-0000-000000000000 +FilePlaceholder_StreamResolver_VerifyFileVersion,62328,,00000000-0000-0000-0000-000000000000 +FilePlaceholder_StreamResolver_RetrievePrimaryStream,62330,,00000000-0000-0000-0000-000000000000 +FileChunkMap_Create,62332,,00000000-0000-0000-0000-000000000000 +FileChunkMap_Delete,62334,,00000000-0000-0000-0000-000000000000 +FileChunkMap_SetFileCompletionState,62335,,00000000-0000-0000-0000-000000000000 +FilePlaceholder_Hydration_Timeout,62337,,00000000-0000-0000-0000-000000000000 +TileManagement_PackageInfo_InstallFailed,62350,,00000000-0000-0000-0000-000000000000 +StartMenuFeedback,62380,,00000000-0000-0000-0000-000000000000 +CloudExperienceHost_AppActivity,62400,,00000000-0000-0000-0000-000000000000 +CloudExperienceHost_AppEvent1,62402,,00000000-0000-0000-0000-000000000000 +CloudExperienceHost_AppEvent2,62403,,00000000-0000-0000-0000-000000000000 +CloudExperienceHost_WebAppActivity,62404,,00000000-0000-0000-0000-000000000000 +CloudExperienceHost_WebAppEvent1,62406,,00000000-0000-0000-0000-000000000000 +CloudExperienceHost_WebAppEvent2,62407,,00000000-0000-0000-0000-000000000000 +Explorer_ExecutingPackagedStartupApp,62408,,00000000-0000-0000-0000-000000000000 +LogonTask_Restore,62420,,00000000-0000-0000-0000-000000000000 +AppDefaults_UserChoiceHashMismatch,62440,,00000000-0000-0000-0000-000000000000 +AppDefaults_ResetToRecommended,62441,,00000000-0000-0000-0000-000000000000 +AppDefaults_UpgradeToRecommendedApp,62442,,00000000-0000-0000-0000-000000000000 +AppDefaults_Info,62443,,00000000-0000-0000-0000-000000000000 +AppDefaults_HashNotFound,62444,,00000000-0000-0000-0000-000000000000 +OOBEHealth_Progress,62460,,00000000-0000-0000-0000-000000000000 
+HDSrv_Service_Start,11501,,00000000-0000-0000-0000-000000000000 +HDSrv_Service_Stop,11503,,00000000-0000-0000-0000-000000000000 +HDSrv_Volume_Arrived_Updated,11505,,00000000-0000-0000-0000-000000000000 +HDSrv_Volume_Removed,11507,,00000000-0000-0000-0000-000000000000 +HDSrv_NonVolume_NotifyShell,11509,,00000000-0000-0000-0000-000000000000 +HDSrv_ProcessInterfaceCallback,11511,,00000000-0000-0000-0000-000000000000 +HDSrv_CreateSafeFileHandle,11513,,00000000-0000-0000-0000-000000000000 +Smb2FileSuspend,653,,00000000-0000-0000-0000-000000000000 +Smb2FileClose,654,,00000000-0000-0000-0000-000000000000 +Smb2FileTimeout,655,,00000000-0000-0000-0000-000000000000 +Smb2FileTerminate,656,,00000000-0000-0000-0000-000000000000 +Smb2FileCCFClose,657,,00000000-0000-0000-0000-000000000000 +Smb2FileCCFCloseAudit,658,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_InsertionFailed,630,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CommitKeyPress_OriginalCharacter,632,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CancelKeyPress,634,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CharacterSelectedByLM,636,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_GetContextTimerFired,642,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CallLM_KeyPress,643,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CallLM_KeyUnPress,645,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CallLM_GetTypedCandidates,647,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_CallLM_SetContext,649,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_TypedAlternatesProcessed,659,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_RemoveTrailingSpaceTimerFired,660,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_RemoveTrailingSpaceTimerDiscarded,661,,00000000-0000-0000-0000-000000000000 
+SoftKeyboard_OutputManager_SuppressingOnAutoRepeat,662,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_OutputManager_EndAutoRepeat,663,,00000000-0000-0000-0000-000000000000 +Perftrack_OutputManager_KeyUp,664,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Prediction_Show,680,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Prediction_Hide,681,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Prediction_Insert,682,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Prediction_Timeout,683,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_RequestTextPosition,684,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_AlignPrediction,685,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_AlignNextWordPrediction,686,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_SetPredictionPosition,687,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Popup_Pressed,688,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_TypingEfficiency_DetectedDoubleTapSpace,690,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_TypingEfficiency_ReplacingDoubleSpace,691,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_TypingEfficiency_DetectedStartOfSentence,692,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_TypingEfficiency_FocusChangeDetected,693,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Key_Pressed,694,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Current_Word_UI_Updated,695,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_Prediction_Next_Word_UI_Updated,696,,00000000-0000-0000-0000-000000000000 +KeyboardUI_Optimized_Thumb_Resize,726,,00000000-0000-0000-0000-000000000000 +KeyboardUI_Optimized_Emoji_Category_Switch,727,,00000000-0000-0000-0000-000000000000 +KeyboardUI_Optimized_Emoji_Page_Switch,729,,00000000-0000-0000-0000-000000000000 +KeyboardUI_Optimized_Layout_XML_Parsing,731,,00000000-0000-0000-0000-000000000000 
+KeyboardUI_Optimized_Emoji_XML_Parsing,733,,00000000-0000-0000-0000-000000000000 +KeyboardUI_Optimized_Mapping_XML_Parsing,735,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_CandidatePane_PerfTrack_PredictionOpen_JPN,924,,00000000-0000-0000-0000-000000000000 +SoftKeyboard_CandidatePane_PerfTrack_NextWordOpen_CHS,932,,00000000-0000-0000-0000-000000000000 +PKMWin32kCallout,1153,,00000000-0000-0000-0000-000000000000 +PKMRegisteredWithWin32k,1154,,00000000-0000-0000-0000-000000000000 +PKMUIAction,1155,,00000000-0000-0000-0000-000000000000 +PKMInputSubscription,1156,,00000000-0000-0000-0000-000000000000 +PKMProcessDelayedInsertion,1157,,00000000-0000-0000-0000-000000000000 +task:OpChannelDisabled,719,TaskScheduler Operational log was disabled,00000000-0000-0000-0000-000000000000 +task:MethodFailure,998,Method Failure,00000000-0000-0000-0000-000000000000 +task:Debug,999,Debug,00000000-0000-0000-0000-000000000000 +IpRoutePropertyChange,1147,,00000000-0000-0000-0000-000000000000 +IpNeighborReachable,1149,,00000000-0000-0000-0000-000000000000 +TcpDeliverySatisfied,1158,,00000000-0000-0000-0000-000000000000 +TcpSendPosted,1159,,00000000-0000-0000-0000-000000000000 +TcpSendAdvance,1161,,00000000-0000-0000-0000-000000000000 +TcpCTcpDelayWndwInactive,1162,,00000000-0000-0000-0000-000000000000 +TcpCTcpAssignedBlocks,1163,,00000000-0000-0000-0000-000000000000 +TcpCTcpCongestionWndw,1164,,00000000-0000-0000-0000-000000000000 +TcpCTcpGamma,1165,,00000000-0000-0000-0000-000000000000 +TcpSrttMeasurementStarted,1166,,00000000-0000-0000-0000-000000000000 +TcpSrttMeasurementComplete,1167,,00000000-0000-0000-0000-000000000000 +TcpSrttMeasurementCancelled,1168,,00000000-0000-0000-0000-000000000000 +UdpEndpointSendMessages,1169,,00000000-0000-0000-0000-000000000000 +TcpDeliveryFlush,1171,,00000000-0000-0000-0000-000000000000 +TcpDeliveryInjectingData,1173,,00000000-0000-0000-0000-000000000000 +TcpDeliveryPush,1178,,00000000-0000-0000-0000-000000000000 
+TcpTcbInjectFinComplete,1180,,00000000-0000-0000-0000-000000000000 +TcpDeliveryCompleting,1181,,00000000-0000-0000-0000-000000000000 +TcpInitiateSynRstValidation,1182,,00000000-0000-0000-0000-000000000000 +TcpConnectTcbFailedRcvdRst,1183,,00000000-0000-0000-0000-000000000000 +TcpConnectionTerminatedRcvdRst,1184,,00000000-0000-0000-0000-000000000000 +TcpConnectionTerminatedRcvdSyn,1185,,00000000-0000-0000-0000-000000000000 +TcpConnectRestransmit,1186,,00000000-0000-0000-0000-000000000000 +TcpDataTransferRestransmit,1187,,00000000-0000-0000-0000-000000000000 +TcpConnectionKeepAlive,1188,,00000000-0000-0000-0000-000000000000 +TcpDeliveryStateChange,1189,,00000000-0000-0000-0000-000000000000 +TcpAcquirePort,1191,,00000000-0000-0000-0000-000000000000 +TcpAcquireWeakRefPort,1192,,00000000-0000-0000-0000-000000000000 +TcpReleasePort,1193,,00000000-0000-0000-0000-000000000000 +TcpReplacePort,1194,,00000000-0000-0000-0000-000000000000 +TcpAssignedWeakReferencePort,1195,,00000000-0000-0000-0000-000000000000 +TcpBhDetectFullSizeAck,1196,,00000000-0000-0000-0000-000000000000 +TcpFlushSack,1197,,00000000-0000-0000-0000-000000000000 +TcpReassemblyEntry,1198,,00000000-0000-0000-0000-000000000000 +TcpReassemblyExit,1199,,00000000-0000-0000-0000-000000000000 +TcpipNetworkPacketDrops,1215,,00000000-0000-0000-0000-000000000000 +TcpMppNppEvaluation,1216,,00000000-0000-0000-0000-000000000000 +TcpMppStartEpisode,1217,,00000000-0000-0000-0000-000000000000 +TcpMppStopEpisode,1218,,00000000-0000-0000-0000-000000000000 +TcpMppStartEpoch,1219,,00000000-0000-0000-0000-000000000000 +TcpTemplateParameters,1223,,00000000-0000-0000-0000-000000000000 +TcpTemplateChanged,1224,,00000000-0000-0000-0000-000000000000 +TcpDataTransferEcnAlpha,1225,,00000000-0000-0000-0000-000000000000 +TcpInterfaceRscStateChange,1226,,00000000-0000-0000-0000-000000000000 +TcpRscNblOobInfo,1227,,00000000-0000-0000-0000-000000000000 +TcpLoopbackFastPathFailReason,1228,,00000000-0000-0000-0000-000000000000 
+TcpSendIdleBegin,1229,,00000000-0000-0000-0000-000000000000 +RssBindingChange,1230,,00000000-0000-0000-0000-000000000000 +RssPortChange,1231,,00000000-0000-0000-0000-000000000000 +RssPortReference,1232,,00000000-0000-0000-0000-000000000000 +RssPortCapabilities,1233,,00000000-0000-0000-0000-000000000000 +RssPortProcessors,1234,,00000000-0000-0000-0000-000000000000 +RssProcessorAssignment,1235,,00000000-0000-0000-0000-000000000000 +RssProcessorUnassignment,1236,,00000000-0000-0000-0000-000000000000 +RssIndirectionChange,1237,,00000000-0000-0000-0000-000000000000 +RssProcessorConsolidation,1238,,00000000-0000-0000-0000-000000000000 +RssConfigurationChange,1239,,00000000-0000-0000-0000-000000000000 +RssFailure,1240,,00000000-0000-0000-0000-000000000000 +RssBindingBindComplete,1241,,00000000-0000-0000-0000-000000000000 +RssPortBindComplete,1242,,00000000-0000-0000-0000-000000000000 +RssPortNotSupported,1243,,00000000-0000-0000-0000-000000000000 +RssInitializeIndirectionTable,1244,,00000000-0000-0000-0000-000000000000 +RssBindingRundown,1245,,00000000-0000-0000-0000-000000000000 +RssPortRundown,1246,,00000000-0000-0000-0000-000000000000 +RssBindingCapability,1247,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Cq,1248,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Completion,1249,,00000000-0000-0000-0000-000000000000 +Ndkpi_Close_Obj,1250,,00000000-0000-0000-0000-000000000000 +Ndkpi_Close_Completion,1251,,00000000-0000-0000-0000-000000000000 +Ndkpi_Resize_Cq,1252,,00000000-0000-0000-0000-000000000000 +Ndkpi_Request_Completion,1253,,00000000-0000-0000-0000-000000000000 +Ndkpi_Arm_Cq,1254,,00000000-0000-0000-0000-000000000000 +Ndkpi_Cq_Result,1255,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Mr,1256,,00000000-0000-0000-0000-000000000000 +Ndkpi_Flush,1257,,00000000-0000-0000-0000-000000000000 +Ndkpi_Send,1258,,00000000-0000-0000-0000-000000000000 +Ndkpi_Receive,1259,,00000000-0000-0000-0000-000000000000 
+Ndkpi_Register_Mr,1260,,00000000-0000-0000-0000-000000000000 +Ndkpi_Deregister_Mr,1261,,00000000-0000-0000-0000-000000000000 +Ndkpi_Initialize_Fast_Register_Mr,1262,,00000000-0000-0000-0000-000000000000 +Ndkpi_Modify_Srq,1263,,00000000-0000-0000-0000-000000000000 +Ndkpi_Connect,1264,,00000000-0000-0000-0000-000000000000 +Ndkpi_Connect_Shared_Endpoint,1265,,00000000-0000-0000-0000-000000000000 +Ndkpi_Complete_Connect,1266,,00000000-0000-0000-0000-000000000000 +Ndkpi_Accept,1267,,00000000-0000-0000-0000-000000000000 +Ndkpi_Disconnect,1268,,00000000-0000-0000-0000-000000000000 +Ndkpi_Listen,1269,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Mw,1270,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Srq,1271,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Qp,1272,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Qp_Srq,1273,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Pd,1274,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Shared_Endpoint,1275,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Connector,1276,,00000000-0000-0000-0000-000000000000 +Ndkpi_Create_Listener,1277,,00000000-0000-0000-0000-000000000000 +Ndkpi_Build_Lam,1278,,00000000-0000-0000-0000-000000000000 +Ndkpi_Release_Lam,1279,,00000000-0000-0000-0000-000000000000 +Ndkpi_Cq_Notification_Callback,1280,,00000000-0000-0000-0000-000000000000 +Ndkpi_Srq_Notification_Callback,1281,,00000000-0000-0000-0000-000000000000 +Ndkpi_Disconnect_Event_Callback,1282,,00000000-0000-0000-0000-000000000000 +Ndkpi_Connect_Event_Callback,1283,,00000000-0000-0000-0000-000000000000 +Ndkpi_Get_Token,1284,,00000000-0000-0000-0000-000000000000 +Ndkpi_Get_Sockaddr,1285,,00000000-0000-0000-0000-000000000000 +Ndkpi_Get_Sockaddr_Failure,1286,,00000000-0000-0000-0000-000000000000 +Ndkpi_Reject,1287,,00000000-0000-0000-0000-000000000000 +Ndkpi_Get_Connect_Data,1288,,00000000-0000-0000-0000-000000000000 +Ndkpi_Work_Request_Inline_Failure,1289,,00000000-0000-0000-0000-000000000000 
+Ndkpi_Bind,1290,,00000000-0000-0000-0000-000000000000 +Ndkpi_Fast_Register,1291,,00000000-0000-0000-0000-000000000000 +Ndkpi_Invalidate,1292,,00000000-0000-0000-0000-000000000000 +Ndkpi_Read,1293,,00000000-0000-0000-0000-000000000000 +Ndkpi_Write,1294,,00000000-0000-0000-0000-000000000000 +Ndkpi_SrqReceive,1295,,00000000-0000-0000-0000-000000000000 +Ndkpi_Srq_Work_Request_Inline_Failure,1296,,00000000-0000-0000-0000-000000000000 +Ndkpi_Open_Adapter,1297,,00000000-0000-0000-0000-000000000000 +Ndkpi_Close_Adapter_Enter,1298,,00000000-0000-0000-0000-000000000000 +Ndkpi_Close_Adapter_Exit,1299,,00000000-0000-0000-0000-000000000000 +TcpCreateNotificationChannelRequestProcessed,1307,,00000000-0000-0000-0000-000000000000 +TcpSignalNotificationChannelEvent,1308,,00000000-0000-0000-0000-000000000000 +TcpDetachNotificationChannel,1309,,00000000-0000-0000-0000-000000000000 +TcpPlumbWakePattern,1311,,00000000-0000-0000-0000-000000000000 +TcpDeplumbWakePattern,1312,,00000000-0000-0000-0000-000000000000 +TcpipPlumbWakePatternOnInterface,1313,,00000000-0000-0000-0000-000000000000 +Ndkpi_Control_Cq_Im,1314,,00000000-0000-0000-0000-000000000000 +TcpipMediaConnect,1321,,00000000-0000-0000-0000-000000000000 +TcpipLimitedLinkConnectivity,1323,,00000000-0000-0000-0000-000000000000 +IpNeighborState,1324,,00000000-0000-0000-0000-000000000000 +IpNeighborDiscovery,1325,,00000000-0000-0000-0000-000000000000 +IpSourceAddressSelection,1326,,00000000-0000-0000-0000-000000000000 +IpSortedAddressPairs,1327,,00000000-0000-0000-0000-000000000000 +Ndkpi_Cq_Result_Ex,1328,,00000000-0000-0000-0000-000000000000 +Ndkpi_Send_Invalidate,1329,,00000000-0000-0000-0000-000000000000 +UdpCreateNotificationChannelRequest,1334,,00000000-0000-0000-0000-000000000000 +UdpQueryNotificationChannelStatusRequest,1335,,00000000-0000-0000-0000-000000000000 +UdpCreateNotificationChannelRequestProcessed,1336,,00000000-0000-0000-0000-000000000000 
+UdpSignalNotificationChannelEvent,1337,,00000000-0000-0000-0000-000000000000 +UdpDetachNotificationChannel,1338,,00000000-0000-0000-0000-000000000000 +UdpUnlinkNotificationChannel,1339,,00000000-0000-0000-0000-000000000000 +UdpCreateNotificationChannelRequestProcessing,1340,,00000000-0000-0000-0000-000000000000 +TcpConnectionSummary,1341,,00000000-0000-0000-0000-000000000000 +TcpipGeneric,1342,,00000000-0000-0000-0000-000000000000 +TcpSackUpdate,1343,,00000000-0000-0000-0000-000000000000 +TcpIsPatternCoalescingRequired,1344,,00000000-0000-0000-0000-000000000000 +TcpRtcPortRangeAssignment,1345,,00000000-0000-0000-0000-000000000000 +TcpipUpdateInterfaceConfigFlags,1346,,00000000-0000-0000-0000-000000000000 +TcpipAoacFailFast,1357,,00000000-0000-0000-0000-000000000000 +TcpCreateNotificationChannelUnmarkRequest,1358,,00000000-0000-0000-0000-000000000000 +TcpipNblClonedForRaw,1360,,00000000-0000-0000-0000-000000000000 +TcpipCloneDropped,1361,,00000000-0000-0000-0000-000000000000 +IpAddressWolStateChange,1362,,00000000-0000-0000-0000-000000000000 +IpWolContextChange,1363,,00000000-0000-0000-0000-000000000000 +TcpInsertConnectionTuple,1364,,00000000-0000-0000-0000-000000000000 +TcpRemoveConnectionTuple,1365,,00000000-0000-0000-0000-000000000000 +TcpDeferPortSelection,1366,,00000000-0000-0000-0000-000000000000 +TcpipNblOob,1367,,00000000-0000-0000-0000-000000000000 +TcpipTeredoOpen,1368,,00000000-0000-0000-0000-000000000000 +TcpipTeredoClose,1369,,00000000-0000-0000-0000-000000000000 +TcpipRouteLookup,1370,,00000000-0000-0000-0000-000000000000 +TcpipSrcAddrLookup,1371,,00000000-0000-0000-0000-000000000000 +RemoteEndpoint,1372,,00000000-0000-0000-0000-000000000000 +Memory,1373,,00000000-0000-0000-0000-000000000000 +Partition,1374,,00000000-0000-0000-0000-000000000000 +TcpLedbatState,1375,,00000000-0000-0000-0000-000000000000 +TcpAssociateNameResContext,1376,,00000000-0000-0000-0000-000000000000 +TcpInspectConnectWithNameResContext,1377,,00000000-0000-0000-0000-000000000000 
+IpRouteSelection,1378,,00000000-0000-0000-0000-000000000000 +IpRouteBlocked,1379,,00000000-0000-0000-0000-000000000000 +TcpTailLossProbe,1380,,00000000-0000-0000-0000-000000000000 +TcpRack,1381,,00000000-0000-0000-0000-000000000000 +TcpFastopenStateChange,1382,,00000000-0000-0000-0000-000000000000 +UdpCreateEndpointAfFailure,1383,,00000000-0000-0000-0000-000000000000 +UdpCreateEndpointCompartmentFailure,1384,,00000000-0000-0000-0000-000000000000 +UdpCreateEndpointComplete,1385,,00000000-0000-0000-0000-000000000000 +UdpCreateEndpointInspectionFailure,1386,,00000000-0000-0000-0000-000000000000 +UdpBindEndpointResolutionFailure,1387,,00000000-0000-0000-0000-000000000000 +UdpBindEndpointPortFailure,1388,,00000000-0000-0000-0000-000000000000 +UdpBindEndpointInspectionFailure,1389,,00000000-0000-0000-0000-000000000000 +UdpBindEndpointComplete,1390,,00000000-0000-0000-0000-000000000000 +UdpCloseEndpointBound,1391,,00000000-0000-0000-0000-000000000000 +UdpCloseEndpointUnBound,1392,,00000000-0000-0000-0000-000000000000 +UdpSendMessagesResolutionFailure,1393,,00000000-0000-0000-0000-000000000000 +UdpSendMessagesValidationFailure,1394,,00000000-0000-0000-0000-000000000000 +UdpSendMessagesSrcAddrSelectionFailure,1395,,00000000-0000-0000-0000-000000000000 +UdpGlobalAddInterface,1397,,00000000-0000-0000-0000-000000000000 +UdpGlobalDeleteInterface,1398,,00000000-0000-0000-0000-000000000000 +UdpStartInetModuleFailure,1399,,00000000-0000-0000-0000-000000000000 +UdpSendMessagesPathAfFailure,1406,,00000000-0000-0000-0000-000000000000 +UdpSendMessagesPathNextHopAddrFailure,1408,,00000000-0000-0000-0000-000000000000 +TcpFastopenSynRcvdLimit,1410,,00000000-0000-0000-0000-000000000000 +TcpLossRecoverySend,1412,,00000000-0000-0000-0000-000000000000 +IcmpPacketDrops,1414,,00000000-0000-0000-0000-000000000000 +TcpipTimerStateChange,1416,,00000000-0000-0000-0000-000000000000 +IpCompartmentCreation,1418,,00000000-0000-0000-0000-000000000000 
+TcpCubicDataTransferCumAck,1420,,00000000-0000-0000-0000-000000000000 +TcpCubicDataTransferDupAck,1421,,00000000-0000-0000-0000-000000000000 +IpCompartmentCleanup,1422,,00000000-0000-0000-0000-000000000000 +IpUpdateInterfaceNetworkCategoryState,1423,,00000000-0000-0000-0000-000000000000 +IpInterfaceCreation,1424,,00000000-0000-0000-0000-000000000000 +IpInterfaceDeletion,1425,,00000000-0000-0000-0000-000000000000 +IpInterfaceCleanup,1426,,00000000-0000-0000-0000-000000000000 +IpSubInterfaceCreation,1427,,00000000-0000-0000-0000-000000000000 +IpSubInterfaceDeletion,1428,,00000000-0000-0000-0000-000000000000 +IpSubInterfaceCleanup,1429,,00000000-0000-0000-0000-000000000000 +IpInterfaceChangeNotification,1430,,00000000-0000-0000-0000-000000000000 +IpInterfaceInternetConnectivityStatus,1431,,00000000-0000-0000-0000-000000000000 +IpAddressChangeNotification,1432,,00000000-0000-0000-0000-000000000000 +IpRouteChangeNotification,1433,,00000000-0000-0000-0000-000000000000 +IpNeighborChangeNotification,1434,,00000000-0000-0000-0000-000000000000 +IpAddressDadStateChange,1435,,00000000-0000-0000-0000-000000000000 +IpRouteDGDStateChange,1436,,00000000-0000-0000-0000-000000000000 +IpInterfaceDisconnect,1437,,00000000-0000-0000-0000-000000000000 +TcpPacingSend,1438,,00000000-0000-0000-0000-000000000000 +FeatureFallback,1439,,00000000-0000-0000-0000-000000000000 +TcpLoopbackFastPathSuccess,1440,,00000000-0000-0000-0000-000000000000 +IpRouterInformationChangeNotification,1441,,00000000-0000-0000-0000-000000000000 +IpRaDnsEvent,1442,,00000000-0000-0000-0000-000000000000 +IpRouteRundown,1443,,00000000-0000-0000-0000-000000000000 +TcpCubicDataTransferEcn,1444,,00000000-0000-0000-0000-000000000000 +InetInspect,1445,,00000000-0000-0000-0000-000000000000 +TcpFastopenFallbackUpdate,1446,,00000000-0000-0000-0000-000000000000 +FeatureFallbackNcsiNoConnectivity,1447,,00000000-0000-0000-0000-000000000000 +FeatureFallbackLoopback,1448,,00000000-0000-0000-0000-000000000000 
+TcpFastopenIncompatCallout,1449,,00000000-0000-0000-0000-000000000000 +TcpipSourceConstraint,1450,,00000000-0000-0000-0000-000000000000 +TcpSystemAbortTcb,1451,,00000000-0000-0000-0000-000000000000 +FeatureFallbackNoNextHop,1452,,00000000-0000-0000-0000-000000000000 +TcpBindEndpointWakeFailure,1453,,00000000-0000-0000-0000-000000000000 +UdpBindEndpointWakeFailure,1454,,00000000-0000-0000-0000-000000000000 +InetWakeAcquirePort,1455,,00000000-0000-0000-0000-000000000000 +TcpSackUpdateLimitReached,1456,,00000000-0000-0000-0000-000000000000 +TcpipIpAddressLifetime,1457,,00000000-0000-0000-0000-000000000000 +TcpRepartitionEvent,1458,,00000000-0000-0000-0000-000000000000 +TcpipPowerStateTransitionEvent,1459,,00000000-0000-0000-0000-000000000000 +TcpipLoopbackPacketTransmit,1464,,00000000-0000-0000-0000-000000000000 +TcpipFramingPacketDrops,1465,,00000000-0000-0000-0000-000000000000 +TcpRstSend,1466,,00000000-0000-0000-0000-000000000000 +TcpRecentConnectionFailure,1467,,00000000-0000-0000-0000-000000000000 +TcpPrrSend,1468,,00000000-0000-0000-0000-000000000000 +UdpSegmentMessage,1469,,00000000-0000-0000-0000-000000000000 +IpSessionMulticastOperation,1475,,00000000-0000-0000-0000-000000000000 +IpFlUpdateAddressList,1478,,00000000-0000-0000-0000-000000000000 +IpTemporaryAddressCreation,1479,,00000000-0000-0000-0000-000000000000 +TcpipMediaReconnect,1480,,00000000-0000-0000-0000-000000000000 +TcpipRegSyncInterface,1481,,00000000-0000-0000-0000-000000000000 +TcpipActiveRefFailure,1482,,00000000-0000-0000-0000-000000000000 +TcpipIpRedirectPath,1483,,00000000-0000-0000-0000-000000000000 +IpAncillaryData,1484,,00000000-0000-0000-0000-000000000000 +UdpUroNblOobInfo,1485,,00000000-0000-0000-0000-000000000000 +SoftwareReceiveOffloadGlobalState,1486,,00000000-0000-0000-0000-000000000000 +UdpGlobalParameters,1487,,00000000-0000-0000-0000-000000000000 +TcpipFramingTunnels,1488,,00000000-0000-0000-0000-000000000000 +TcpipFramingIsolation,1489,,00000000-0000-0000-0000-000000000000 
+TcpipFramingPatterns,1490,,00000000-0000-0000-0000-000000000000 +TcpipFramingInterfaceMgmt,1491,,00000000-0000-0000-0000-000000000000 +TcpipFramingPnp,1492,,00000000-0000-0000-0000-000000000000 +RawEndpoint,1493,,00000000-0000-0000-0000-000000000000 +IcmpRouterAdvertisement,1494,,00000000-0000-0000-0000-000000000000 +ArpPacketDrops,1495,,00000000-0000-0000-0000-000000000000 +UpperLayerProtocolFailure,1496,,00000000-0000-0000-0000-000000000000 +NeighborRundown,1497,,00000000-0000-0000-0000-000000000000 +TcpipSetSockOpt,1498,,00000000-0000-0000-0000-000000000000 +RawCloseEndpoint,1499,,00000000-0000-0000-0000-000000000000 +DocumentContentChange,2052,,00000000-0000-0000-0000-000000000000 +CandidateListEvents,2054,,00000000-0000-0000-0000-000000000000 +GetSearchLaunchModeForWindow_Result,1836,,00000000-0000-0000-0000-000000000000 +SearchPane_QueryChanged,1851,,00000000-0000-0000-0000-000000000000 +UserAccount_ConnectLocalAccount_Completed,8012,,00000000-0000-0000-0000-000000000000 +UserAccount_ConnectLocalAccountOpened,8014,,00000000-0000-0000-0000-000000000000 +UserAccount_DisconnectDomainAccount_Completed,8015,,00000000-0000-0000-0000-000000000000 +UserAccount_DisconnectDomainAccountOpened,8016,,00000000-0000-0000-0000-000000000000 +UserAccount_DisconnectOnlineAccount_Completed,8017,,00000000-0000-0000-0000-000000000000 +UserAccount_DisconnectOnlineAccountOpened,8018,,00000000-0000-0000-0000-000000000000 +UserAccount_AddUserDialogOpened,8019,,00000000-0000-0000-0000-000000000000 +UserAccount_AddUserDialog_NewOnlineUserAdded,8020,,00000000-0000-0000-0000-000000000000 +UserAccount_AddUserDialog_ExistingOnlineUserAdded,8021,,00000000-0000-0000-0000-000000000000 +UserAccount_AddUserDialog_LocalUserAdded,8022,,00000000-0000-0000-0000-000000000000 +UserAccount_AddUserDialog_OnlineWizardError,8023,,00000000-0000-0000-0000-000000000000 +PerfTrack_UAM_TaskFlowPageChange,25000,,00000000-0000-0000-0000-000000000000 +FOLDER_COPYFOLDER,4008,,00000000-0000-0000-0000-000000000000 
+CTX_LOADDEFAULTMESSAGESTORE,4306,,00000000-0000-0000-0000-000000000000 +CTX_CREATEMESSAGESTORE,4307,,00000000-0000-0000-0000-000000000000 +CTX_OPENENTRY,4308,,00000000-0000-0000-0000-000000000000 +CTX_ADVISE,4309,,00000000-0000-0000-0000-000000000000 +CTX_UNADVISE,4310,,00000000-0000-0000-0000-000000000000 +CTX_INITSTORESINK,4311,,00000000-0000-0000-0000-000000000000 +CTX_GETSTOREFROMDATABASE,4313,,00000000-0000-0000-0000-000000000000 +CTX_OPENMSGSTORE,4314,,00000000-0000-0000-0000-000000000000 +CTX_DELETEMSGSTORE,4315,,00000000-0000-0000-0000-000000000000 +MSG_DELETEATTACH,4401,,00000000-0000-0000-0000-000000000000 +MSG_OPENATTACH,4402,,00000000-0000-0000-0000-000000000000 +MSG_GETATTACHTABLE,4403,,00000000-0000-0000-0000-000000000000 +MSG_MODIFYRECIPIENTS,4404,,00000000-0000-0000-0000-000000000000 +MSG_SUBMITMESSAGE,4405,,00000000-0000-0000-0000-000000000000 +MSG_DELETERECIPIENTS,4406,,00000000-0000-0000-0000-000000000000 +MSG_ADDRECIPIENTS,4407,,00000000-0000-0000-0000-000000000000 +MSG_UPDATERECIPIENTTABLE,4408,,00000000-0000-0000-0000-000000000000 +MSG_PREPROCESSWRITE,4409,,00000000-0000-0000-0000-000000000000 +MSG_POSTPROCESSWRITE,4410,,00000000-0000-0000-0000-000000000000 +RUNRULE,4504,,00000000-0000-0000-0000-000000000000 +SESSION_GETSTORESTABLE,4505,,00000000-0000-0000-0000-000000000000 +SINK_ONNOTIFY,4506,,00000000-0000-0000-0000-000000000000 +SINK_ONNOTIFYWRAPPER,4507,,00000000-0000-0000-0000-000000000000 +CONVERSATION_DELETE,4600,,00000000-0000-0000-0000-000000000000 +CONVERSATION_SOFTDELETE,4601,,00000000-0000-0000-0000-000000000000 +CONVERSATION_MSGPROPSET,4602,,00000000-0000-0000-0000-000000000000 +CONVERSATION_MSGPROPDELETE,4603,,00000000-0000-0000-0000-000000000000 +CONVERSATION_DELETEMESSAGES,4604,,00000000-0000-0000-0000-000000000000 +CONVERSATIONID_SET,4605,,00000000-0000-0000-0000-000000000000 +CONVERSATIONID_CREATEHASH,4606,,00000000-0000-0000-0000-000000000000 +SHARECONTENT,4700,,00000000-0000-0000-0000-000000000000 
+tracemessage,4800,Trace,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_CallClassInstaller,7040,,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_StageDriverPackage,7041,,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_BuildDriverInfoList,7042,,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_PublishedInfDriverSearch,7043,,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_DevicePathDriverSearch,7044,,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_CDM_WUDriverSearch,7045,,00000000-0000-0000-0000-000000000000 +PnP_SetupAPI_FolderDriverSearch,7046,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_SearchWMIS,7060,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_DownloadPackage,7061,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_SearchLocalIndex,7062,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_UnpackPackage,7063,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_ParsePackageInfo,7064,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_ScanLocalStore,7065,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_Initialize,7066,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_Uninitialize,7067,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_ParseMetadata,7068,,00000000-0000-0000-0000-000000000000 +PnP_DMRC_Query,7069,,00000000-0000-0000-0000-000000000000 +PopupAnimation,2700,,00000000-0000-0000-0000-000000000000 +PopupStartup,2710,,00000000-0000-0000-0000-000000000000 +PopupDisplayScenario,2714,,00000000-0000-0000-0000-000000000000 +PopupDismiss,2720,,00000000-0000-0000-0000-000000000000 +PopupGeneral,8700,,00000000-0000-0000-0000-000000000000 +PopupShow,8711,,00000000-0000-0000-0000-000000000000 +PopupProgrammaticHide,8713,,00000000-0000-0000-0000-000000000000 +PopupChangeContent,8715,,00000000-0000-0000-0000-000000000000 +PopupReposition,8717,,00000000-0000-0000-0000-000000000000 +PopupLightDismiss,8720,,00000000-0000-0000-0000-000000000000 +LightDismiss,8740,,00000000-0000-0000-0000-000000000000 +LightDismissOverlay,8750,,00000000-0000-0000-0000-000000000000 
+AfdRioRegisterBuffer,4010,,00000000-0000-0000-0000-000000000000 +AfdRioCleanupBuffer,4012,,00000000-0000-0000-0000-000000000000 +AfdRioRangeCheck,4014,,00000000-0000-0000-0000-000000000000 +ThreadShutdown_SentMessage,12003,,00000000-0000-0000-0000-000000000000 +TerminateProcess,12005,,00000000-0000-0000-0000-000000000000 +WaitForProcess,12007,,00000000-0000-0000-0000-000000000000 +ShutdownProcess,12009,,00000000-0000-0000-0000-000000000000 +NotificationEvent,12010,,00000000-0000-0000-0000-000000000000 +WLAN_TASK_ACM_CONNECTION,24010,AcmConnection,00000000-0000-0000-0000-000000000000 +WLAN_TASK_MSM_ASSOCIATION,24011,MsmAssociation,00000000-0000-0000-0000-000000000000 +WLAN_TASK_MSM_SECURITY,24012,MsmSecurity,00000000-0000-0000-0000-000000000000 +WLAN_TASK_IHV_SECURITY,24013,IhvSecurity,00000000-0000-0000-0000-000000000000 +WLAN_TASK_ONEX_SECURITY,24014,OneXAuthentication,00000000-0000-0000-0000-000000000000 +Perftrack-SoftAPStart,24015,Start the device network,00000000-0000-0000-0000-000000000000 +Perftrack-SoftAPStop,24016,Stop the device network,00000000-0000-0000-0000-000000000000 +Perftrack-MSAMAuthentication,24017,Authenticate the peers associated to the hosted network,00000000-0000-0000-0000-000000000000 +Perftrack-WfdDiscover,24018,,00000000-0000-0000-0000-000000000000 +Perftrack-WfdPair,24019,,00000000-0000-0000-0000-000000000000 +WLAN_TASK_COST,24100,Connection Cost,00000000-0000-0000-0000-000000000000 +HME_SERVER_EXECUTE_QUERY,648,,00000000-0000-0000-0000-000000000000 +HME_UPnPDiscoveryEnd,665,,00000000-0000-0000-0000-000000000000 +HME_UPnPDeviceAddedCallback,666,,00000000-0000-0000-0000-000000000000 +HME_UPnPDeviceRemovedCallback,667,,00000000-0000-0000-0000-000000000000 +HME_InitCDSThread,668,,00000000-0000-0000-0000-000000000000 +HME_InitCDS,669,,00000000-0000-0000-0000-000000000000 +HME_ServiceAdded,671,,00000000-0000-0000-0000-000000000000 +HME_CDSUPnPInitialize,672,,00000000-0000-0000-0000-000000000000 
+HME_ProviderAddToRAMCache,673,,00000000-0000-0000-0000-000000000000 +HME_ProviderShutdown,674,,00000000-0000-0000-0000-000000000000 +HME_ProviderUpdateMessage,675,,00000000-0000-0000-0000-000000000000 +HME_SERVER_CONTAINER_UPDATE_IDS,676,,00000000-0000-0000-0000-000000000000 +STREAMING_MENUITEM_AUTOALLOWDEVICES_CHECKSTATE,716,,6ec21152-0ddf-4182-ac89-28dcd8b59cd6 +ALLOW_ALL_DEVICES_MENU_ACTION,718,,1a1d946a-424a-43cf-9aac-ee56ad7cad70 +PLAYSINGLE_PH_BROWSECDS,851,,00000000-0000-0000-0000-000000000000 +CDDVD_LAUNCH,860,,0511faf7-9f24-4b54-b839-2acf1cc4a918 diff --git a/apps/Splunk_TA_windows/metadata/default.meta b/apps/Splunk_TA_windows/metadata/default.meta new file mode 100644 index 00000000..744f4a22 --- /dev/null +++ b/apps/Splunk_TA_windows/metadata/default.meta @@ -0,0 +1,5 @@ +# Application-level permissions + +[] +access = read : [ * ], write : [ admin, sc_admin ] +export = system diff --git a/apps/Splunk_TA_windows/static/appIcon.png b/apps/Splunk_TA_windows/static/appIcon.png new file mode 100644 index 00000000..88f67e72 Binary files /dev/null and b/apps/Splunk_TA_windows/static/appIcon.png differ diff --git a/apps/Splunk_TA_windows/static/appIconAlt.png b/apps/Splunk_TA_windows/static/appIconAlt.png new file mode 100644 index 00000000..88f67e72 Binary files /dev/null and b/apps/Splunk_TA_windows/static/appIconAlt.png differ diff --git a/apps/Splunk_TA_windows/static/appIconAlt_2x.png b/apps/Splunk_TA_windows/static/appIconAlt_2x.png new file mode 100644 index 00000000..c638b3f1 Binary files /dev/null and b/apps/Splunk_TA_windows/static/appIconAlt_2x.png differ diff --git a/apps/Splunk_TA_windows/static/appIconLg.png b/apps/Splunk_TA_windows/static/appIconLg.png new file mode 100644 index 00000000..c638b3f1 Binary files /dev/null and b/apps/Splunk_TA_windows/static/appIconLg.png differ 
diff --git a/apps/Splunk_TA_windows/static/appIconLg_2x.png b/apps/Splunk_TA_windows/static/appIconLg_2x.png new file mode 100644 index 00000000..b67ed66d Binary files /dev/null and b/apps/Splunk_TA_windows/static/appIconLg_2x.png differ diff --git a/apps/Splunk_TA_windows/static/appIcon_2x.png b/apps/Splunk_TA_windows/static/appIcon_2x.png new file mode 100644 index 00000000..c638b3f1 Binary files /dev/null and b/apps/Splunk_TA_windows/static/appIcon_2x.png differ
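Review bot: almost every row of the task-name lookup hunk above carries the null GUID `00000000-0000-0000-0000-000000000000` (for example `TcpRstSend,1466,,00000000-...`, `AfdRioRegisterBuffer,4010,,00000000-...`), while only three rows carry a real provider GUID (`STREAMING_MENUITEM_AUTOALLOWDEVICES_CHECKSTATE,716,,6ec21152-0ddf-4182-ac89-28dcd8b59cd6`, `ALLOW_ALL_DEVICES_MENU_ACTION,718`, `CDDVD_LAUNCH,860`). ETW task ids are only unique within a provider, so if the lookup definition that consumes this CSV matches on the numeric id alone, the null-GUID rows give no way to disambiguate an id reused by an unrelated provider, and a wrongly resolved task name in a search or correlation rule is easy to miss; please confirm that the corresponding transforms.conf stanza joins on a provider field as well, or document that these rows are best-effort name hints. The rows are also not kept in id order (`DocumentContentChange,2052` is followed by `GetSearchLaunchModeForWindow_Result,1836`, and `HME_SERVER_EXECUTE_QUERY,648` follows `WLAN_TASK_COST,24100`), which is harmless to Splunk but makes later diffs of this file hard to review; sorting by GUID then task id would help.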
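Review bot: the catch-all `[]` stanza in `metadata/default.meta` combines `export = system` with `access = read : [ * ], write : [ admin, sc_admin ]`, so every knowledge object shipped in Splunk_TA_windows, including the lookup tables added in this patch, becomes visible to all apps and readable by every role. That is the usual posture for a technology add-on, but it is worth confirming in the description that nothing in the package is meant to stay app-scoped, and noting that on a deployment where the `sc_admin` role is not defined the write list effectively reduces to `admin` alone. A one-line comment above the stanza stating that system-wide export is intentional would make the next review quicker.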