Microsoft-Antimalware-Scan-Interface
1 event across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1101 | AmsiScanBuffer | Debug | Y |
Event ID 1101: AmsiScanBuffer
Description #
Fires on every AmsiScanBuffer call made through amsi.dll (AmsiScanString is routed through the same path). The content field carries the scanned buffer exactly as the caller passed it: UTF-16LE text for PowerShell script content, raw bytes for other callers. appname encodes the calling product, its process path and the binary version (format: <product>_<path>_<version>). scanResult uses the AMSI_RESULT values from amsi.h: 1 is AMSI_RESULT_NOT_DETECTED, 32768 (0x8000) is AMSI_RESULT_DETECTED; anything at or above 32768 counts as malware (this is what the AmsiResultIsMalware macro tests), and 0x4000 to 0x4FFF is the blocked-by-admin range. Collected via opt-in ETW (provider {2A576B87-09A7-520E-C21A-4942F0271D67}, keyword 0x1, level 0x4); not a persistent .evtx channel, so nothing is recorded unless a trace session enables the provider, for example `logman create trace AmsiTrace -p "{2A576B87-09A7-520E-C21A-4942F0271D67}" 0x1 0x4 -o amsi.etl -ets` (stop with `logman stop AmsiTrace -ets`). Two practical caveats: the buffer is logged in full, so the trace contains whatever the scanned script contained, including any embedded credentials; and because the event is emitted from inside AmsiScanBuffer, a process that has patched or unloaded amsi.dll produces no 1101 events at all, so a PowerShell process that is visibly running script without generating them is itself worth a look.
Message #
None recorded; the message string is empty in the captured sample below.
Fields #
| Name | Type | Description |
|---|---|---|
| session | Pointer | AMSI session handle |
| scanStatus | UInt8 | Reserved status field |
| scanResult | UInt32 | Scan result (1=AMSI_RESULT_NOT_DETECTED, 32768=AMSI_RESULT_DETECTED) |
| appname | UnicodeString | Calling application identifier in format <product>_<path>_<version> |
| contentname | UnicodeString | Name or path of the scanned content; empty for in-memory buffers |
| contentsize | UInt32 | Size of the buffer after any filtering |
| originalsize | UInt32 | Original buffer size before filtering |
| content | Binary | Raw scanned buffer (UTF-16LE for PowerShell content) |
| hash | Binary | SHA-256 hash of the scanned content |
| contentFiltered | Boolean | Whether the buffer was filtered before scanning |
| hashoriginalcontent | Binary | SHA-256 hash of the original unfiltered content (not present in the sample event on this page) |
Example Event #
{
  "system": {
    "provider": "Microsoft-Antimalware-Scan-Interface",
    "guid": "{2A576B87-09A7-520E-C21A-4942F0271D67}",
    "event_source_name": "",
    "event_id": 1101,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-08T19:59:14.645+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": 3096,
      "thread_id": 10604
    },
    "channel": "AMSI/Debug",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "session": "0x329",
    "scanStatus": 1,
    "scanResult": 1,
    "appname": "PowerShell_C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.26100.5074",
    "contentname": "",
    "contentsize": 60,
    "originalsize": 60,
    "content": "0x570072006900740065002D0048006F0073007400200061006D00730069002D00730061006D0070006C0065002D007400720069006700670065007200",
    "hash": "0xE0370747157F731C639FCE8059397F3B6CCDF699FD9225CF3D7B52CA7F420D23",
    "contentFiltered": "false"
  },
  "message": ""
}
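The following is an added example, not part of this provider's documentation or of any Microsoft tooling. It decodes 1101 records that have already been exported to JSON in the shape shown above (the field names follow the Fields table) and applies the checks an analyst wants before trusting the record: it turns the hex `content` back into the scanned text for PowerShell callers, splits `appname` into product, path and version, maps `scanResult` to its AMSI_RESULT name (including the CLEAN and blocked-by-admin values from amsi.h that the table above does not list), and confirms that `contentsize` and `hash` agree with the bytes actually logged. The sample record is copied from the Example Event; the second record and the `make_event` helper are constructed for the demonstration and are not real captures.

```python
"""Decode and triage Microsoft-Antimalware-Scan-Interface event 1101 records.

Added example, not the provider's own code. Input is assumed to be the JSON
shape shown on this page (e.g. from a trace-to-JSON converter).
"""
import hashlib
from typing import Any

# AMSI_RESULT values from amsi.h. The page lists only NOT_DETECTED and
# DETECTED; CLEAN and the BLOCKED_BY_ADMIN range are the remaining enum values.
AMSI_RESULT_CLEAN = 0
AMSI_RESULT_NOT_DETECTED = 1
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 0x8000  # 32768


def amsi_result_name(code: int) -> str:
    """Map a scanResult value to its AMSI_RESULT name."""
    if code == AMSI_RESULT_CLEAN:
        return "AMSI_RESULT_CLEAN"
    if code == AMSI_RESULT_NOT_DETECTED:
        return "AMSI_RESULT_NOT_DETECTED"
    if AMSI_RESULT_BLOCKED_BY_ADMIN_START <= code <= AMSI_RESULT_BLOCKED_BY_ADMIN_END:
        return "AMSI_RESULT_BLOCKED_BY_ADMIN"
    if code >= AMSI_RESULT_DETECTED:  # same test as the AmsiResultIsMalware macro
        return "AMSI_RESULT_DETECTED"
    return f"AMSI_RESULT_UNKNOWN({code:#x})"


def parse_appname(appname: str) -> dict[str, str]:
    """Split <product>_<path>_<version>. A path may itself contain '_', so the
    product is taken from the left and the version from the right."""
    product, rest = appname.split("_", 1)
    path, version = rest.rsplit("_", 1)
    return {"product": product, "path": path, "version": version}


def hex_field(value: str) -> bytes:
    """Binary fields are rendered as 0x-prefixed hex strings in the JSON."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)


def decode_event(event: dict[str, Any]) -> dict[str, Any]:
    """Normalise one 1101 record and check it against its own size and hash."""
    data = event["event_data"]
    content = hex_field(data["content"])
    app = parse_appname(data["appname"])
    # PowerShell hands AMSI the script text as UTF-16LE; other callers pass raw
    # bytes, so the text decode is only attempted for PowerShell.
    text = content.decode("utf-16-le", errors="replace") if app["product"] == "PowerShell" else None
    result = int(data["scanResult"])
    return {
        **app,
        "pid": event["system"]["execution"]["process_id"],
        "result": amsi_result_name(result),
        "is_malware": result >= AMSI_RESULT_DETECTED,
        "content_text": text,
        # A mismatch here means the record was truncated or altered in transit.
        "size_ok": len(content) == int(data["contentsize"]),
        "hash_ok": hashlib.sha256(content).hexdigest() == hex_field(data["hash"]).hex(),
        "filtered": str(data["contentFiltered"]).lower() == "true",
    }


def triage(events: list[dict[str, Any]]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for records worth a look: a detection, or a
    buffer whose logged size/hash disagree with the bytes in the record."""
    hits = []
    for i, ev in enumerate(events):
        d = decode_event(ev)
        reasons = []
        if d["is_malware"]:
            reasons.append("detected")
        if not d["size_ok"]:
            reasons.append("size-mismatch")
        if not d["hash_ok"]:
            reasons.append("hash-mismatch")
        if reasons:
            hits.append((i, reasons))
    return hits


# Copied from the Example Event on this page (only the fields used here).
SAMPLE_EVENT: dict[str, Any] = {
    "system": {"execution": {"process_id": 3096, "thread_id": 10604}},
    "event_data": {
        "session": "0x329",
        "scanStatus": 1,
        "scanResult": 1,
        "appname": "PowerShell_C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.26100.5074",
        "contentname": "",
        "contentsize": 60,
        "originalsize": 60,
        "content": "0x570072006900740065002D0048006F0073007400200061006D00730069002D00730061006D0070006C0065002D007400720069006700670065007200",
        "hash": "0xE0370747157F731C639FCE8059397F3B6CCDF699FD9225CF3D7B52CA7F420D23",
        "contentFiltered": "false",
    },
}


def make_event(text: str, scan_result: int, pid: int = 4242) -> dict[str, Any]:
    """Build a constructed 1101 record for demonstration; not a real capture."""
    raw = text.encode("utf-16-le")
    return {
        "system": {"execution": {"process_id": pid, "thread_id": 1}},
        "event_data": {
            "scanResult": scan_result,
            "appname": SAMPLE_EVENT["event_data"]["appname"],
            "contentsize": len(raw),
            "originalsize": len(raw),
            "content": "0x" + raw.hex().upper(),
            "hash": "0x" + hashlib.sha256(raw).hexdigest().upper(),
            "contentFiltered": "false",
        },
    }


if __name__ == "__main__":
    events = [SAMPLE_EVENT, make_event("constructed detected sample", AMSI_RESULT_DETECTED)]
    for i, ev in enumerate(events):
        print(i, decode_event(ev))
    print("triage:", triage(events))
```

Running the block prints the decoded sample (`Write-Host amsi-sample-trigger`, NOT_DETECTED, PowerShell 10.0.26100.5074) and flags only the constructed DETECTED record. In a real pipeline the same `triage` pass would run over every 1101 record from the trace; a size or hash mismatch on a record is a collection problem to chase before any content-based hunting is built on top of it.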
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {2A576B87-09A7-520E-C21A-4942F0271D67}
Defined in amsi.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02