Application Error

2 events across 1 channel

Event ID 1000: Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.

Provider: Application Error
Channel: Application
Level: Error
Collection Priority: Recommended (Microsoft-WEF, others)
Task: ApplicationCrashingEvents

Description

Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.

Message

Faulting application name: %1, version: %2, time stamp: 0x%3
Faulting module name: %4, version: %5, time stamp: 0x%6
Exception code: 0x%7
Fault offset: 0x%8
Faulting process id: %9
Faulting application start time: %10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15

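Fields

| Name | Description | Rules |
| --- | --- | --- |
| Data_0 | | |
| Data_1 | | |
| Data_2 | | |
| Data_3 | | |
| Data_4 | | |
| Data_5 | | |
| Data_6 | | |
| Data_7 | | |
| Data_8 | | |
| Data_9 | | |
| Data_10 | | |
| Data_11 | | |
| Data_12 | | |
| Data_13 | | |
| Data_14 | | |
| AppName | | 3 detection rules |
| AppVersion | | 5 detection rules |
| AppTimeStamp | | |
| ModuleName | | 1 detection rule |
| ModuleVersion | | |
| ModuleTimeStamp | | |
| ExceptionCode | | 2 detection rules |
| FaultingOffset | | |
| ProcessId | | |
| ProcessCreationTime | | |
| AppPath | | |
| ModulePath | | |
| IntegratorReportId | | |
| PackageFullName | | |
| PackageRelativeAppId | | |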

Example Event

{
  "system": {
    "provider": "Application Error",
    "guid": "",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 2,
    "task": 100,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-28T19:24:06.1832880+00:00",
    "event_record_id": 306,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "kape.exe",
    "Data_1": "1.3.0.2",
    "Data_2": "89883a17",
    "Data_3": "KERNELBASE.dll",
    "Data_4": "10.0.20348.558",
    "Data_5": "827f29ba",
    "Data_6": "e0434352",
    "Data_7": "000000000001ff6c",
    "Data_8": "17e0",
    "Data_9": "01dceed7707604fd",
    "Data_10": "C:\\Tools\\KAPE\\kape.exe",
    "Data_11": "C:\\Windows\\System32\\KERNELBASE.dll",
    "Data_12": "707434bb-9bd5-4bbf-b8d2-6327601feefc",
    "Data_13": "",
    "Data_14": ""
  },
  "message": "Faulting application name: kape.exe, version: 1.3.0.2, time stamp: 0x89883a17\r\nFaulting module name: KERNELBASE.dll, version: 10.0.20348.558, time stamp: 0x827f29ba\r\nException code: 0xe0434352\r\nFault offset: 0x000000000001ff6c\r\nFaulting process id: 0x17e0\r\nFaulting application start time: 0x01dceed7707604fd\r\nFaulting application path: C:\\Tools\\KAPE\\kape.exe\r\nFaulting module path: C:\\Windows\\System32\\KERNELBASE.dll\r\nReport Id: 707434bb-9bd5-4bbf-b8d2-6327601feefc\r\nFaulting package full name: \r\nFaulting package-relative application ID: "
}

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

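| Field | Kind | Value | Rules | Vendors |
| --- | --- | --- | --- | --- |
| Provider_Name | eq | Application Error | 5 rules | sigma |
| AppName | eq | lsass.exe | 2 rules | sigma |
| Data | contains | mpengine.dll | 1 rule | sigma |
| Data | contains | msmpeng.exe | 1 rule | sigma |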

Detection Rules


Sigma

  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare (severity: high): Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
  • LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089 (severity: high): Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409). This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability, which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service, leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
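The two LSASS crash conditions summarized above, applied to events in the JSON shape of this page's example, as an added Python sketch (not the Sigma rules themselves and not code from this page). It assumes Data_0..Data_14 map positionally to the named fields, following the %1..%15 message template; `make_event` and the LDAP and NETLOGON samples are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: Data_N positions follow the message template %1..%15, which is
# how the page's example event lines up with its named fields.
FIELDS = ["AppName", "AppVersion", "AppTimeStamp", "ModuleName", "ModuleVersion",
          "ModuleTimeStamp", "ExceptionCode", "FaultingOffset", "ProcessId",
          "ProcessCreationTime", "AppPath", "ModulePath", "IntegratorReportId",
          "PackageFullName", "PackageRelativeAppId"]

def normalize(event):
    """Return event 1000 data keyed by name, with hex fields decoded."""
    data = event["event_data"]
    out = {}
    for i, name in enumerate(FIELDS):
        # Accept either the named field or its positional Data_N fallback.
        out[name] = data.get(name, data.get(f"Data_{i}", ""))
    out["ProcessId"] = int(out["ProcessId"], 16) if out["ProcessId"] else None
    ft = out["ProcessCreationTime"]
    # FILETIME: 100 ns ticks since 1601-01-01 UTC.
    out["ProcessCreationTime"] = (
        datetime(1601, 1, 1, tzinfo=timezone.utc)
        + timedelta(microseconds=int(ft, 16) // 10)) if ft else None
    return out

def lsass_crash_findings(event):
    """Apply the two LSASS crash conditions quoted in the rule descriptions."""
    sysd = event["system"]
    if sysd["provider"] != "Application Error" or sysd["event_id"] != 1000:
        return []
    f = normalize(event)
    app, mod = f["AppName"].lower(), f["ModuleName"].lower()
    code = f["ExceptionCode"].lower()
    code = code[2:] if code.startswith("0x") else code
    hits = []
    if app == "lsass.exe" and mod == "wldap32.dll":
        hits.append("CVE-2024-49113")
    if app == "lsass.exe" and mod == "netlogon.dll" and code == "c0000409":
        hits.append("CVE-2026-41089")
    return hits

def make_event(**data):  # constructed sample input, not real telemetry
    return {"system": {"provider": "Application Error", "event_id": 1000},
            "event_data": data}

# Values for KAPE are taken from the page's example event; the rest are constructed.
KAPE = make_event(Data_0="kape.exe", Data_3="KERNELBASE.dll", Data_6="e0434352",
                  Data_8="17e0", Data_9="01dceed7707604fd")
LDAP = make_event(Data_0="lsass.exe", Data_3="WLDAP32.dll", Data_6="c0000005")
NETLOGON = make_event(AppName="lsass.exe", ModuleName="netlogon.dll",
                      ExceptionCode="c0000409")
```

Decoding the process ID and start time from hex makes it possible to join the crash to process-creation telemetry for the same host.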

Splunk

Event ID 1005: Windows cannot access the file File for one of the following reasons: there is a problem with the network connection, the disk that the file is store...

Provider: Application Error
Channel: Application
Task: ApplicationCrashingEvents

Description

Windows cannot access the file FilePath for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program AppName because of this error.

Program: AppName
File: FilePath

The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
	- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
	- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: StatusCode
Disk type: MediumType

Message

Windows cannot access the file %1 for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program %2 because of this error.

Program: %2
File: %1

The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
	- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
	- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: %3
Disk type: %4

Fields

| Name | Description |
| --- | --- |
| FilePath | UnicodeString |
| AppName | UnicodeString |
| StatusCode | HexInt32 (NTSTATUS reference) |
| MediumType | HexInt32 |

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID a0e9b465-b939-57d7-b27d-95d8e925ff57

Defined in wer.dll, which carries the event manifest.

Observed on:

  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02