system.json

{
  "dataset": {
    "name": "EID Quick Reference - System",
    "version": "1.13.0",
    "generatedAt": "2026-05-10T00:00:00Z",
    "id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/system.json",
    "schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
    "license": {
      "name": "Creative Commons Attribution 4.0 International",
      "spdx": "CC-BY-4.0",
      "notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
    },
    "sources": [
      {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/",
        "type": "primary"
      }
    ]
  },
  "entries": [
    {
      "id": 12,
      "log": "System",
      "provider": "Microsoft-Windows-Kernel-General",
      "channel": "System",
      "level": "Information",
      "title": "The operating system started at system time",
      "summary": "System startup time recorded.",
      "details": "Generated by the kernel on system startup. Records the time Windows started.",
      "category": "System Lifecycle",
      "tags": [
        "startup",
        "boot"
      ],
      "relatedEventIds": [
        {
          "id": 13,
          "log": "System"
        },
        {
          "id": 41,
          "log": "System"
        },
        {
          "id": 6008,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "An EID 12 not preceded by EID 13 indicates an unexpected reboot — correlate with EID 41 and 6008 for root cause",
          "Unexpected reboots during an active incident may indicate attacker-initiated restarts to apply persistence or clear memory",
          "Use startup timestamps to identify gaps in log coverage that may represent evidence destruction windows"
        ],
        "commonFalsePositives": [
          "Normal system startups after planned reboots or shutdowns",
          "Windows Update-initiated reboots"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 13,
      "log": "System",
      "provider": "Microsoft-Windows-Kernel-General",
      "channel": "System",
      "level": "Information",
      "title": "The operating system is shutting down at system time",
      "summary": "Clean system shutdown recorded.",
      "details": "Generated by the kernel on clean shutdown. Absence of this event between two EID 12 (startup) events indicates an unexpected shutdown, crash, or forced reboot.",
      "category": "System Lifecycle",
      "tags": [
        "shutdown"
      ],
      "relatedEventIds": [
        {
          "id": 12,
          "log": "System"
        },
        {
          "id": 41,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Absence of EID 13 between two EID 12 events is the key signal — this pattern indicates an unclean shutdown",
          "Correlate shutdown time with user logon activity (Security EID 4634/4647) to determine if a user was active at the time"
        ],
        "commonFalsePositives": [
          "Normal planned shutdowns initiated by users or IT"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 41,
      "log": "System",
      "provider": "Microsoft-Windows-Kernel-Power",
      "channel": "System",
      "level": "Critical",
      "title": "The system has rebooted without cleanly shutting down first",
      "summary": "Unexpected reboot or crash detected.",
      "details": "Generated by Kernel-Power after an unexpected reset, BSOD, or power loss. May also fire after a forced hard reboot.",
      "category": "System Lifecycle",
      "tags": [
        "crash",
        "reboot",
        "power"
      ],
      "relatedEventIds": [
        {
          "id": 6008,
          "log": "System"
        },
        {
          "id": 12,
          "log": "System"
        },
        {
          "id": 13,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate with EID 6008 for the previous shutdown timestamp to establish when the unexpected reboot occurred",
          "Check %SystemRoot%\\Minidump for crash dump files — kernel-mode crashes (BSOD) leave minidumps that can identify the faulting driver or code",
          "An attacker-initiated hard reboot (e.g., via shutdown /r /f) generates this event — correlate with Security EID 4688 for shutdown.exe or equivalent"
        ],
        "commonFalsePositives": [
          "Power loss or hardware failure",
          "Kernel panic caused by a buggy driver or faulty hardware"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/event-id-41-restart"
      },
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 104,
      "log": "System",
      "provider": "Microsoft-Windows-Eventlog",
      "channel": "System",
      "level": "Information",
      "title": "The System log file was cleared",
      "summary": "System event log cleared.",
      "details": "Generated when the System event log is cleared.",
      "category": "Log Tampering",
      "tags": [
        "log-cleared",
        "defense-evasion"
      ],
      "relatedEventIds": [
        {
          "id": 1102,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1685.005",
          "techniqueName": "Disable or Modify Tools: Clear Windows Event Logs",
          "tactics": [
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify who cleared the log via concurrent Security EID 4624 and 4688 events around the same timestamp",
          "Correlate with Security EID 1102 — simultaneous clearing of both logs is a strong evidence destruction indicator",
          "Log clearing near the end of a timeline gap may indicate the attacker was covering tracks before departing"
        ],
        "commonFalsePositives": [
          "IT administrators clearing logs for maintenance (rare, and should be documented in change records)"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "rare",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 219,
      "log": "System",
      "provider": "Microsoft-Windows-Kernel-PnP",
      "channel": "System",
      "level": "Warning",
      "title": "Driver failed to load for device",
      "summary": "A driver was blocked from loading for a device.",
      "details": "Generated when the Windows kernel Plug and Play manager fails to load a driver for a device. Most commonly fires when Code Integrity or Windows Defender Device Guard blocks an unsigned or revoked driver. This event records both blocked malicious kernel driver load attempts when HVCI is enforced, and legitimate but unsigned drivers that were blocked.",
      "category": "Driver Load Failure",
      "tags": [
        "driver",
        "code-integrity",
        "kernel",
        "device-guard",
        "rootkit"
      ],
      "relatedEventIds": [
        {
          "id": 7045,
          "log": "System"
        },
        {
          "id": 3001,
          "log": "CodeIntegrity"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1014",
          "techniqueName": "Rootkit",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        },
        {
          "techniqueId": "T1547.006",
          "techniqueName": "Kernel Modules and Extensions",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Review DriverName — unexpected .sys files in temp directories, user profile paths, or with random names are high-risk",
          "Correlate with EID 7045 (service installed) for the same driver to see if installation was also logged",
          "Check driver file hash against threat intelligence and verify Authenticode signature status",
          "Correlate with Security log Code Integrity events (EID 3001-3004) and the CodeIntegrity channel for the full driver block picture"
        ],
        "commonFalsePositives": [
          "Legitimate unsigned or older drivers for hardware peripherals blocked after enabling HVCI",
          "Development/test drivers not submitted for WHQL signing"
        ]
      },
      "keyFields": [
        {
          "name": "DriverName",
          "xpath": "EventData/Data[@Name='DriverName']",
          "description": "The .sys file path of the driver that failed to load"
        },
        {
          "name": "DeviceId",
          "xpath": "EventData/Data[@Name='DeviceId']",
          "description": "The device identifier the driver was intended for"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-hardware/drivers/install/driver-signing"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 1014,
      "log": "System",
      "provider": "Microsoft-Windows-DNS-Client",
      "channel": "System",
      "level": "Warning",
      "title": "Name resolution for the name timed out",
      "summary": "DNS name resolution timed out after all configured DNS servers failed to respond.",
      "details": "Generated by the Microsoft-Windows-DNS-Client provider in the System log when all configured DNS servers fail to respond to a name resolution request. Written to the System log — does not require enabling the DNS Client Operational channel.",
      "category": "DNS",
      "tags": [
        "dns",
        "c2",
        "name-resolution",
        "timeout",
        "network"
      ],
      "relatedEventIds": [
        {
          "id": 3006,
          "log": "DNSClient"
        },
        {
          "id": 3008,
          "log": "DNSClient"
        },
        {
          "id": 4688,
          "log": "Security"
        },
        {
          "id": 22,
          "log": "Sysmon"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1071.004",
          "techniqueName": "Application Layer Protocol: DNS",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        },
        {
          "techniqueId": "T1568.002",
          "techniqueName": "Dynamic Resolution: Domain Generation Algorithms",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "QueryName is the primary pivot — domains that appear only in 1014 events and nowhere else may be attacker C2 infrastructure that has been taken down or blocked",
          "High volume of 1014 events for the same QueryName over a short period indicates a beaconing process repeatedly failing to contact C2",
          "Correlate QueryName with threat intelligence — known malware family C2 patterns, DGA-style names, or recently sinkholen domains are high-confidence indicators",
          "Identify the process generating the failed DNS requests by correlating with Sysmon EID 22 (DnsQuery) or enabling DNS Client Operational logging (EID 3008)"
        ],
        "commonFalsePositives": [
          "Misconfigured application DNS settings pointing to non-existent internal hostnames",
          "Laptops connecting to Wi-Fi and attempting to resolve VPN split-tunnel or internal DNS names before the VPN is established",
          "Software update checks for products that have been decommissioned or whose update servers are offline"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-troubleshooting"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "keyFields": [
        {
          "name": "QueryName",
          "xpath": "EventData/Data[@Name='QueryName']",
          "description": "The hostname that could not be resolved; correlate against threat intelligence and known C2 domain patterns"
        }
      ],
      "lastReviewed": "2026-04-11"
    },
    {
      "id": 1074,
      "log": "System",
      "provider": "User32",
      "channel": "System",
      "level": "Information",
      "title": "System shutdown or restart initiated by process",
      "summary": "A process or user initiated a shutdown or restart.",
      "details": "Generated when a process calls a shutdown or restart API (ExitWindowsEx, InitiateSystemShutdown). This event captures intentional, process-initiated power actions, unlike EID 41 and 6008 which reflect unclean shutdowns.",
      "category": "System Lifecycle",
      "tags": [
        "shutdown",
        "restart"
      ],
      "relatedEventIds": [
        {
          "id": 13,
          "log": "System"
        },
        {
          "id": 12,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1529",
          "techniqueName": "System Shutdown/Reboot",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ImagePath identifies the initiating process — shutdowns from cmd.exe, powershell.exe, or unknown processes outside System32 are suspicious",
          "Reason code 'Other (Unplanned)' with no comment string may indicate an attacker-initiated reboot",
          "Correlate with Security EID 4688 to confirm the process ancestry of the initiating binary"
        ],
        "commonFalsePositives": [
          "Scheduled reboots initiated by Windows Update (wuauclt.exe, TrustedInstaller.exe)",
          "User-initiated shutdowns or restarts from the Start menu (initiated by explorer.exe)"
        ]
      },
      "keyFields": [
        {
          "name": "ImagePath",
          "xpath": "EventData/Data[@Name='param1']",
          "description": "The initiating process executable path"
        },
        {
          "name": "User",
          "xpath": "EventData/Data[@Name='param7']",
          "description": "The user context under which the shutdown was initiated"
        },
        {
          "name": "ReasonCode",
          "xpath": "EventData/Data[@Name='param3']",
          "description": "The shutdown reason code"
        },
        {
          "name": "ShutdownType",
          "xpath": "EventData/Data[@Name='param5']",
          "description": "Whether the action is a shutdown or restart"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 5827,
      "log": "System",
      "provider": "NETLOGON",
      "channel": "System",
      "level": "Error",
      "title": "The Netlogon service denied a vulnerable Netlogon secure channel connection",
      "summary": "ZeroLogon exploit attempt blocked by Netlogon enforcement mode.",
      "details": "Generated (System log, source NETLOGON) when the Netlogon service denies a connection from a machine account using a vulnerable, non-compliant Netlogon secure channel after the patch for CVE-2020-1472 (ZeroLogon) is applied in enforcement mode. ZeroLogon exploits a cryptographic flaw in the Netlogon authentication protocol (MS-NRPC) to allow an unauthenticated attacker to establish a session as a domain controller, reset the DC machine account password, and take over the domain. The patch adds enforcement mode that denies connections not using secure RPC. This event indicates either a ZeroLogon exploit attempt or a legacy device using an older Netlogon client that has not been patched.",
      "category": "Domain Controller/Authentication",
      "tags": [
        "zerologon",
        "cve-2020-1472",
        "netlogon",
        "domain-controller"
      ],
      "relatedEventIds": [
        {
          "id": 5828,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1210",
          "techniqueName": "Exploitation of Remote Services",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Requires the August 2020 or later security update (KB4557222) for CVE-2020-1472 (ZeroLogon). Must be in enforcement mode (FullSecureChannelProtection=1). Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "The machine account name in the event identifies the device attempting the vulnerable channel — verify whether it is a known asset or a rogue attacker-controlled account",
          "Correlate with network traffic to the DC on port 49152+ (RPC dynamic ports) and port 135 from the source IP at the event timestamp",
          "If the account is a legitimate device that has not yet been patched, apply MS-NRPC updates — if it is unknown, treat as an active ZeroLogon attempt"
        ],
        "commonFalsePositives": [
          "Legitimate but unpatched Windows devices using an older Netlogon client (very old OS versions)",
          "Third-party devices (VPN appliances, Linux Samba DCs) not updated for ZeroLogon that use older Netlogon channels"
        ]
      },
      "keyFields": [
        {
          "name": "MachineAccountName",
          "xpath": "EventData/Data[@Name='MachineAccountName']",
          "description": "The machine account name attempting the vulnerable Netlogon connection"
        }
      ],
      "source": {
        "name": "Microsoft Security Advisory ADV200009 — CVE-2020-1472",
        "url": "https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d35-a3d3-a827264e1571"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 5828,
      "log": "System",
      "provider": "NETLOGON",
      "channel": "System",
      "level": "Error",
      "title": "The Netlogon service denied a vulnerable Netlogon secure channel connection from a trust account",
      "summary": "ZeroLogon exploit attempt via a trust account blocked.",
      "details": "Generated when the Netlogon service denies a vulnerable secure channel connection from a trust account, as opposed to EID 5827 which fires for machine accounts. ZeroLogon (CVE-2020-1472) attacks via trust accounts target the secure channel established between a child domain DC and a parent domain DC, or between trusting domains. An attacker who can impersonate a trust account and exploit the ZeroLogon flaw can compromise a parent domain DC without directly attacking it, gaining access to the entire forest. This event is rarer than EID 5827.",
      "category": "Domain Controller/Authentication",
      "tags": [
        "zerologon",
        "cve-2020-1472",
        "netlogon",
        "domain-trust",
        "domain-controller"
      ],
      "relatedEventIds": [
        {
          "id": 5827,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1210",
          "techniqueName": "Exploitation of Remote Services",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "policy",
          "description": "Requires the August 2020 or later security update (KB4557222) for CVE-2020-1472 (ZeroLogon). Must be in enforcement mode. Must be collected from domain controllers."
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "The trust account name identifies which domain trust is being abused — verify the trust relationship is still valid and authorized",
          "Correlate with EID 4706 and EID 4707 in security.json to check for any recent trust modifications that may have been attacker-established",
          "This event on a forest root DC targeting a child domain trust account indicates an attacker attempting cross-domain forest compromise"
        ],
        "commonFalsePositives": [
          "Unpatched partner or child domain DCs using older Netlogon implementations across a trust boundary"
        ]
      },
      "keyFields": [
        {
          "name": "TrustAccountName",
          "xpath": "EventData/Data[@Name='TrustAccountName']",
          "description": "The trust account name attempting the vulnerable Netlogon channel"
        }
      ],
      "source": {
        "name": "Microsoft Security Advisory ADV200009 — CVE-2020-1472",
        "url": "https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d35-a3d3-a827264e1571"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 6005,
      "log": "System",
      "provider": "EventLog",
      "channel": "System",
      "level": "Information",
      "title": "The Event Log service was started",
      "summary": "Windows Event Log service started (system boot marker).",
      "details": "Generated by the Event Log service when it starts, which occurs during system boot. Because this event is written before most other services initialize, its timestamp is commonly used as a precise system boot time marker. An EID 6005 with no preceding EID 6006 from the prior session indicates an unclean shutdown.",
      "category": "System Lifecycle",
      "tags": [
        "startup",
        "boot",
        "event-log"
      ],
      "relatedEventIds": [
        {
          "id": 6006,
          "log": "System"
        },
        {
          "id": 12,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Use EID 6005 timestamps to establish precise boot times for timeline analysis",
          "Absence of a preceding EID 6006 indicates the prior session ended uncleanly — correlate with EID 41 and 6008",
          "Unexpected boot times (e.g., middle of the night with no planned maintenance) warrant investigation"
        ],
        "commonFalsePositives": [
          "Normal system boot after any planned or unplanned restart"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 6006,
      "log": "System",
      "provider": "EventLog",
      "channel": "System",
      "level": "Information",
      "title": "The Event Log service was stopped",
      "summary": "Windows Event Log service stopped (clean shutdown marker).",
      "details": "Generated when the Event Log service stops, which occurs during a clean system shutdown. This is one of the last events written to the System log before a clean shutdown completes. An EID 6005 not preceded by EID 6006 from the prior session indicates an unclean shutdown.",
      "category": "System Lifecycle",
      "tags": [
        "shutdown",
        "event-log"
      ],
      "relatedEventIds": [
        {
          "id": 6005,
          "log": "System"
        },
        {
          "id": 13,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Presence of EID 6006 confirms a clean shutdown occurred — absence before the next EID 6005 indicates an unclean restart",
          "Correlate with EID 1074 to identify what process initiated the shutdown that produced this event",
          "Gap between EID 6006 and the next EID 6005 represents the system's downtime window"
        ],
        "commonFalsePositives": [
          "Normal clean shutdown after any planned restart or power-off"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 6008,
      "log": "System",
      "provider": "EventLog",
      "channel": "System",
      "level": "Error",
      "title": "The previous system shutdown was unexpected",
      "summary": "Unexpected shutdown detected.",
      "details": "Generated after an unexpected shutdown, recording the date and time of the previous unexpected shutdown. Indicates a crash, forced reboot, or power loss.",
      "category": "System Lifecycle",
      "tags": [
        "shutdown",
        "crash"
      ],
      "relatedEventIds": [
        {
          "id": 41,
          "log": "System"
        },
        {
          "id": 12,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "The timestamp in this event indicates when the previous unexpected shutdown occurred — use it to anchor your investigation timeline",
          "Correlate with EID 41 on the same boot to cross-validate the crash timing",
          "An unexpected shutdown immediately following a period of suspicious activity is a strong indicator of attacker-initiated reboot"
        ],
        "commonFalsePositives": [
          "Power outage or UPS failure",
          "Hardware failure causing unexpected system halt"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 6013,
      "log": "System",
      "provider": "EventLog",
      "channel": "System",
      "level": "Information",
      "title": "System uptime",
      "summary": "System uptime recorded (logged daily at midnight).",
      "details": "Generated daily at midnight by the Event Log service, recording the system's total uptime in seconds. Primarily a diagnostic event, EID 6013 serves as a useful timeline anchor.",
      "category": "System Lifecycle",
      "tags": [
        "uptime",
        "event-log"
      ],
      "relatedEventIds": [
        {
          "id": 6005,
          "log": "System"
        },
        {
          "id": 12,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Use the uptime value to cross-validate the boot time derived from EID 6005 or EID 12",
          "Missing expected 6013 entries (e.g., no entry for a day the system should have been online) may indicate log gaps or tampering",
          "Uptime inconsistent with the last known boot time may indicate a clock change — correlate with Security EID 4616"
        ],
        "commonFalsePositives": [
          "Any online system will generate this event daily — high volume is expected"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7000,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Error",
      "title": "A service failed to start",
      "summary": "Service Control Manager failed to start a service.",
      "details": "Generated when Service Control Manager fails to start a service. Common causes include a missing executable, access denied on the binary, or a dependency failure. A malicious service registered for persistence (EID 7045) whose payload has been removed or blocked will generate this event on the next boot.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "error",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 7001,
          "log": "System"
        },
        {
          "id": 7045,
          "log": "System"
        },
        {
          "id": 7036,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate ServiceName with EID 7045 to determine when the service was installed and review its ImagePath",
          "Error 2 (file not found) on a recently installed service may indicate the payload was removed by a security tool",
          "Recurring EID 7000 on boot for the same service indicates a persistent failed service registration that should be investigated"
        ],
        "commonFalsePositives": [
          "Legitimate services that fail to start due to dependency issues or misconfiguration after OS updates",
          "Trial software leaving service registrations behind after uninstallation"
        ]
      },
      "keyFields": [
        {
          "name": "ServiceName",
          "xpath": "EventData/Data[@Name='param1']",
          "description": "The name of the service that failed to start"
        },
        {
          "name": "ErrorCode",
          "xpath": "EventData/Data[@Name='param2']",
          "description": "The error code returned by the failed start attempt"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7001,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Error",
      "title": "A service depends on another service that failed to start",
      "summary": "Service failed because a dependency service did not start.",
      "details": "Generated when a service fails to start because one of its dependencies did not start. Cascading service failures can reveal a disrupted critical dependency preventing a security tool from starting.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "error"
      ],
      "relatedEventIds": [
        {
          "id": 7000,
          "log": "System"
        },
        {
          "id": 7036,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify the dependency service that failed — trace it back with EID 7000 to find the root failure",
          "If the dependency is a security product driver or agent, investigate whether it was deliberately disabled or its binary tampered with",
          "Cascading failures starting from an unusual or recently installed service warrant a full service dependency chain review"
        ],
        "commonFalsePositives": [
          "Network-dependent services failing to start before network initialization completes on boot",
          "Services with optional dependencies that are not installed on all configurations"
        ]
      },
      "keyFields": [
        {
          "name": "ServiceName",
          "xpath": "EventData/Data[@Name='param1']",
          "description": "The service that failed to start"
        },
        {
          "name": "DependencyService",
          "xpath": "EventData/Data[@Name='param2']",
          "description": "The dependency service that it requires"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7009,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Error",
      "title": "Service startup timeout",
      "summary": "The Service Control Manager timed out waiting for a service to connect during startup.",
      "details": "Generated when the Service Control Manager waits longer than the configured timeout (default 30 seconds) for a service to complete its startup initialization and call StartServiceCtrlDispatcher. Malware-installed services that hang, crash, or are intentionally slow-starting generate this event. A sequence of EID 7045 (service installed), EID 7000/7001 (service failed), and EID 7009 (timeout) for an unfamiliar service name is a persistence detection pattern.",
      "category": "Service Control",
      "tags": [
        "service",
        "startup",
        "timeout",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 7000,
          "log": "System"
        },
        {
          "id": 7045,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1543.003",
          "techniqueName": "Create or Modify System Process: Windows Service",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            },
            {
              "tacticId": "TA0004",
              "tacticName": "Privilege Escalation"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate ServiceName with EID 7045 to find when the service was installed and by which process",
          "Check the service binary path for the timed-out service — unexpected paths or random filenames warrant investigation",
          "Repeated timeout events for the same service across multiple hosts suggest a lateral movement payload that fails to initialize"
        ],
        "commonFalsePositives": [
          "Legitimate services with long initialization times (database engines, AV products) on slow or resource-constrained systems",
          "Services that depend on network resources unavailable during startup (e.g., mapped drive paths)"
        ]
      },
      "keyFields": [
        {
          "name": "ServiceName",
          "xpath": "EventData/Data[@Name='param1']",
          "description": "The name of the service that timed out during startup"
        },
        {
          "name": "TimeoutDuration",
          "xpath": "EventData/Data[@Name='param2']",
          "description": "The timeout duration that was exceeded"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows/win32/services/service-control-manager"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 7023,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Error",
      "title": "A service terminated with an error",
      "summary": "Service terminated with error code.",
      "details": "Generated when a service terminates with a non-zero error code.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "crash",
        "error"
      ],
      "relatedEventIds": [
        {
          "id": 7031,
          "log": "System"
        },
        {
          "id": 7034,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Service name is the primary pivot — errors in security products (AV, EDR, audit log service) warrant immediate investigation",
          "Error code can indicate access denied (0x5), which may mean an attacker modified permissions to prevent restart",
          "Correlate with EID 7036 to confirm whether the service entered the stopped state"
        ],
        "commonFalsePositives": [
          "Misconfigured third-party services terminating due to dependency or configuration errors"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7031,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Error",
      "title": "A service terminated unexpectedly",
      "summary": "Service crashed with recovery action.",
      "details": "Generated when a service terminates unexpectedly and a recovery action is configured. Records the number of times the service has crashed and the corrective action taken.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "crash",
        "error"
      ],
      "relatedEventIds": [
        {
          "id": 7034,
          "log": "System"
        },
        {
          "id": 7023,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Crash count field — a high or incrementing count may indicate an attacker repeatedly killing a service that auto-restarts",
          "Corrective action field — 'Restart the service' means the service came back; 'Run a program' may reveal a recovery command",
          "Correlate with Security EID 4688 to identify processes that may have terminated the service"
        ],
        "commonFalsePositives": [
          "Buggy or resource-starved third-party services entering crash loops",
          "Services crashing due to OS patching or dependency changes"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7034,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Error",
      "title": "A service crashed unexpectedly",
      "summary": "Service crashed without recovery action.",
      "details": "Generated when a service terminates unexpectedly and no recovery action is configured. Records the crash count. Similar to 7031 but without a configured recovery response.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "crash",
        "error"
      ],
      "relatedEventIds": [
        {
          "id": 7031,
          "log": "System"
        },
        {
          "id": 7023,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "No recovery action means the service stays stopped — if it is a security product, the system may be unprotected",
          "Crash count distinguishes a one-time failure from a repeating pattern — repeated crashes without recovery may indicate deliberate termination",
          "Correlate with Security EID 4688 around the same timestamp to check for suspicious process activity"
        ],
        "commonFalsePositives": [
          "Services that crash due to bugs and are not configured with recovery actions"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7036,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Information",
      "title": "The service entered the running/stopped state",
      "summary": "Service started or stopped.",
      "details": "Generated when a service enters the running or stopped state. High-volume informational event.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "service-state"
      ],
      "relatedEventIds": [
        {
          "id": 7045,
          "log": "System"
        },
        {
          "id": 7040,
          "log": "System"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Filter on security-relevant service names (e.g., WinDefend, Sense, EventLog, wuauserv) — unexpected stops are high priority",
          "Correlate unexpected service stops with Security EID 4688 to identify what process triggered the state change",
          "A service entering stopped state without a preceding EID 7023/7031/7034 may indicate a graceful but unauthorized stop"
        ],
        "commonFalsePositives": [
          "Normal service state changes during Windows Update, patch application, or system maintenance"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7040,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Information",
      "title": "The start type of a service was changed",
      "summary": "Service start type modified.",
      "details": "Generated when a service's start type is changed (e.g., from Disabled to Automatic). Changing a service start type to auto-start or boot-start is a persistence mechanism.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "persistence",
        "service-config"
      ],
      "relatedEventIds": [
        {
          "id": 7045,
          "log": "System"
        },
        {
          "id": 7036,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1543.003",
          "techniqueName": "Create or Modify System Process: Windows Service",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "The old and new start type values are the key pivot — a change from Disabled or Manual to Automatic or Boot Start is a persistence indicator",
          "Changes to defensive service start types (e.g., disabling WinDefend auto-start) are defense evasion",
          "Correlate with Security EID 4688 to identify the process that made the change"
        ],
        "commonFalsePositives": [
          "Software installers configuring their service start types during installation",
          "Group Policy applying service configuration changes"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 7045,
      "log": "System",
      "provider": "Service Control Manager",
      "channel": "System",
      "level": "Information",
      "title": "A service was installed in the system",
      "summary": "New service installation recorded.",
      "details": "Generated when a new service is installed on the system.",
      "category": "Persistence/Services",
      "tags": [
        "service",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 4697,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1543.003",
          "techniqueName": "Create or Modify System Process: Windows Service",
          "tactics": [
            {
              "tacticId": "TA0003",
              "tacticName": "Persistence"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "ImagePath is the primary pivot — flag paths outside System32 or known application directories, especially user-writable locations or temp directories",
          "ImagePath containing cmd.exe, powershell.exe, or scripting engines indicates a script-based service (common attacker technique)",
          "Correlate with Security EID 4697 to identify the account that installed the service",
          "StartType of Boot Start or System Start means the service runs before most security tooling"
        ],
        "commonFalsePositives": [
          "Legitimate software installing services during setup",
          "Windows Update and driver installations adding new services"
        ]
      },
      "keyFields": [
        {
          "name": "ServiceName",
          "xpath": "EventData/Data[@Name='ServiceName']",
          "description": "The name assigned to the new service"
        },
        {
          "name": "ImagePath",
          "xpath": "EventData/Data[@Name='ImagePath']",
          "description": "The executable path for the service binary"
        },
        {
          "name": "ServiceType",
          "xpath": "EventData/Data[@Name='ServiceType']",
          "description": "The type of service (kernel driver, user-mode, etc.)"
        },
        {
          "name": "StartType",
          "xpath": "EventData/Data[@Name='StartType']",
          "description": "The start type configured for the service (Boot, System, Automatic, Manual, Disabled)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/troubleshoot-unexpected-reboots-system-event-logs"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-02"
    },
    {
      "id": 10010,
      "log": "System",
      "provider": "DistributedCOM",
      "channel": "System",
      "level": "Error",
      "title": "DCOM server did not register within timeout",
      "summary": "A DCOM server process was activated but failed to register with the DCOM service within the required timeout period.",
      "details": "Generated when the DCOM Service Control Manager activates (launches) a COM server process but that process fails to call back and register with DCOM before the timeout expires (default: 60 seconds). This differs from EID 10016 (permission denied before activation) -- EID 10010 means activation was permitted but the server process crashed, hung, or was terminated before registering. DCOM-based lateral movement techniques that activate COM servers on remote hosts can generate this event when the targeted COM component fails to start on the victim host. Also fires when malware replaces or disrupts a legitimate COM server binary, causing the activation to fail.",
      "category": "DCOM / COM Security",
      "tags": [
        "dcom",
        "com",
        "lateral-movement",
        "rpc",
        "activation-failure"
      ],
      "relatedEventIds": [
        {
          "id": 10016,
          "log": "System"
        },
        {
          "id": 7000,
          "log": "System"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.003",
          "techniqueName": "Remote Services: Distributed Component Object Model",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate the AppId/CLSID with known high-value COM servers (MMC, WMI, shell objects) — failures on these may indicate tampering with COM server binaries",
          "Check the process that was launched for the COM server — unexpected executable paths for a known AppId indicate COM hijacking",
          "Pair with EID 10016 from the same time window: 10016 (denied) followed by 10010 (activated but failed) may indicate a race condition or privilege escalation attempt"
        ],
        "commonFalsePositives": [
          "COM servers that crash during initialization due to application bugs or missing dependencies",
          "COM servers whose dependencies (e.g., specific DLLs or registry keys) were modified by a failed software update"
        ]
      },
      "keyFields": [
        {
          "name": "AppId",
          "xpath": "EventData/Data[@Name='param1']",
          "description": "The COM AppId/CLSID of the server that failed to register"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='param2']",
          "description": "The process that was launched for the COM server"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows/win32/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    },
    {
      "id": 10016,
      "log": "System",
      "provider": "DistributedCOM",
      "channel": "System",
      "level": "Error",
      "title": "DCOM application permission denied",
      "summary": "DCOM denied a process permission to activate or call a COM server due to insufficient permissions.",
      "details": "Generated when a process is denied Local Activation, Local Launch, Remote Activation, or Remote Launch permission for a COM application due to application-specific or machine-wide DCOM security settings. DCOM is used in lateral movement via WMI, MMC snap-ins, and various RPC-based execution techniques. EID 10016 fires when these access attempts are denied, providing visibility into blocked COM-based lateral movement and privilege escalation attempts.",
      "category": "DCOM / COM Security",
      "tags": [
        "dcom",
        "com",
        "lateral-movement",
        "privilege-escalation",
        "rpc"
      ],
      "relatedEventIds": [
        {
          "id": 5857,
          "log": "WMI"
        },
        {
          "id": 4624,
          "log": "Security"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1021.003",
          "techniqueName": "Remote Services: Distributed Component Object Model",
          "tactics": [
            {
              "tacticId": "TA0008",
              "tacticName": "Lateral Movement"
            }
          ]
        },
        {
          "techniqueId": "T1047",
          "techniqueName": "Windows Management Instrumentation",
          "tactics": [
            {
              "tacticId": "TA0002",
              "tacticName": "Execution"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Remote Activation denials originating from another host (non-local process) are highest priority — indicates lateral movement attempt",
          "Identify the COM AppId/CLSID to determine which component was targeted — WMI, MMC, or shell extension CLSIDs are common attack targets",
          "Correlate with Security EID 4624/4625 on this host from the same remote source to understand the authentication context"
        ],
        "commonFalsePositives": [
          "Services running under low-privilege accounts that attempt to access COM components requiring higher privileges — very common and largely benign",
          "Windows Update and software management agents accessing COM objects during system maintenance"
        ]
      },
      "keyFields": [
        {
          "name": "AppId",
          "xpath": "EventData/Data[@Name='param1']",
          "description": "The COM AppId (CLSID/AppID) of the targeted application"
        },
        {
          "name": "UserSID",
          "xpath": "EventData/Data[@Name='param4']",
          "description": "The SID of the user requesting access"
        },
        {
          "name": "ProcessName",
          "xpath": "EventData/Data[@Name='param5']",
          "description": "The process requesting COM activation"
        },
        {
          "name": "PermissionType",
          "xpath": "EventData/Data[@Name='param2']",
          "description": "The type of permission denied (Local Activation, Remote Activation, etc.)"
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows/win32/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Windows Vista / Server 2008"
      },
      "lastReviewed": "2026-04-04"
    }
  ]
}