Microsoft-Windows-AppID
8 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 4001 | AppID failed to compute FilePathBuffer process attributes. | Operational | N |
| 4002 | AppID Driver failed to start. | Operational | N |
| 4003 | AppID Service failed to start. | Operational | N |
| 4004 | AppID Service is called to verify FilePathBuffer signature. | Operational | Y |
| 4005 | AppID certificate store verification failed. | Operational | N |
| 4006 | AppID certificate store is verified. | Operational | Y |
| 4007 | AppID encountered a failure from discache.sys. | Operational | N |
| 4008 | Function call error: CallingFunctionName called FunctionCallName which returned … | Operational | Y |
Event ID 4001: AppID failed to compute FilePathBuffer process attributes.
Description #
AppID failed to compute FilePathBuffer process attributes. Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 4002: AppID Driver failed to start.
Description #
AppID Driver failed to start. Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 4003: AppID Service failed to start.
Description #
AppID Service failed to start. Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 4004: AppID Service is called to verify FilePathBuffer signature.
Description #
AppID Service is called to verify FilePathBuffer signature. Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| PublisherNameLength | UInt16 | |
| PublisherNameBuffer | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppID",
"guid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
"event_source_name": "",
"event_id": 4004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T17:34:50.660+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{AE3ADFDF-F2B5-0001-06F3-3AAEB5F2DC01}"
},
"execution": {
"process_id": 1364,
"thread_id": 5032
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"FilePathBuffer": "\\\\?\\C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pb378ec07#\\6dd817c34159569e35bf90aa10a69db0\\Microsoft.PowerShell.ConsoleHost.ni.dll",
"FilePathLength": 144,
"PublisherNameBuffer": "",
"PublisherNameLength": 0,
"Status": "FEFFFFFF"
},
"message": ""
}
Event ID 4005: AppID certificate store verification failed.
Description #
AppID certificate store verification failed. Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 4006: AppID certificate store is verified.
Description #
AppID certificate store is verified.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppID",
"guid": "3CB2A168-FE19-4A4E-BDAD-DCF422F13473",
"event_source_name": "",
"event_id": 4006,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:45:55.746206+00:00",
"event_record_id": 50,
"correlation": {},
"execution": {
"process_id": 18240,
"thread_id": 4544
},
"channel": "Microsoft-Windows-AppID/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4007: AppID encountered a failure from discache.sys.
Description #
AppID encountered a failure from discache.sys. Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 4008: Function call error: CallingFunctionName called FunctionCallName which returned unsuccessfully (Error code: Status).
Description #
Function call error: CallingFunctionName called FunctionCallName which returned unsuccessfully (Error code: Status).
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CallingFunctionNameLength | UInt16 | |
| CallingFunctionName | UnicodeString | |
| FunctionCallNameLength | UInt16 | |
| FunctionCallName | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppID",
"guid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
"event_source_name": "",
"event_id": 4008,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T17:34:50.546+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{AE3ADFDF-F2B5-0001-06F3-3AAEB5F2DC01}"
},
"execution": {
"process_id": 1364,
"thread_id": 5032
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingFunctionName": "AipGetFileSignature",
"CallingFunctionNameLength": 19,
"FunctionCallName": "WinVerifyTrust(WTD_CHOICE_FILE)",
"FunctionCallNameLength": 31,
"Status": "00010B80"
},
"message": ""
}
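The two live-trace samples on this page (the 4004 above and this 4008) share an ActivityID, process and thread: the service was asked to verify an NGEN image for which it reported no publisher name, and in the same activity AipGetFileSignature recorded that WinVerifyTrust(WTD_CHOICE_FILE) failed. The Python below is an added example, not Microsoft's code or the tooling behind this page, that validates records against the Fields tables above and ties 4008 errors back to the 4004 verification they belong to. It assumes three things that the page does not state outright: that each *Length field is the character count of its string partner (the 4004 sample carries 144 for a 144-character path, and the 4008 sample 19 and 31 for its two names); that a collector may write the HexInt32 Status with its bytes in memory order (the sample's "00010B80" is the byte-reversal of 0x800B0100, TRUST_E_NOSIGNATURE, which is what WinVerifyTrust returns for an unsigned file), so decoding tries both orders; and a hand-picked table of codes worth labelling. One caveat for the Fields tables: on 4008 the code is whatever the called function returned, an HRESULT in the WinVerifyTrust case, so the "NTSTATUS reference" there does not always apply. The sample records are constructed from the page's examples.

```python
"""Validate and triage Microsoft-Windows-AppID records (4004 and 4008).
Added example for this page, not Microsoft's code or the tooling behind it.
Sample records are constructed from the page's live-trace examples; the
assumptions (status byte order, Length = character count, KNOWN_STATUS)
are marked inline."""
import json
from collections import defaultdict

# Fields per event ID, as listed in the Fields tables on this page.
SCHEMA = {
    4001: ("FilePathLength", "FilePathBuffer", "Status"),
    4002: ("Status",), 4003: ("Status",), 4005: ("Status",), 4007: ("Status",),
    4004: ("FilePathLength", "FilePathBuffer", "PublisherNameLength",
           "PublisherNameBuffer", "Status"),
    4006: (),
    4008: ("CallingFunctionNameLength", "CallingFunctionName",
           "FunctionCallNameLength", "FunctionCallName", "Status"),
}
# Codes worth a label (assumption: a real deployment extends this table).
KNOWN_STATUS = {0x800B0100: "TRUST_E_NOSIGNATURE", 0x800B0101: "CERT_E_EXPIRED",
                0x800B0109: "CERT_E_UNTRUSTEDROOT", 0xC0000022: "STATUS_ACCESS_DENIED"}


def decode_status(hex_text):
    """HexInt32 text -> (code, label). Assumption: some collectors write the
    four bytes in memory order, so "00010B80" is 0x800B0100 reversed; take
    the literal reading first and the byte-swapped one only if it is known."""
    literal = int(hex_text, 16) & 0xFFFFFFFF
    swapped = int.from_bytes(literal.to_bytes(4, "big"), "little")
    if literal in KNOWN_STATUS:
        return literal, KNOWN_STATUS[literal]
    if swapped in KNOWN_STATUS:
        return swapped, KNOWN_STATUS[swapped] + " (byte-swapped in record)"
    return literal, "unknown"


def validate_record(rec):
    """Problems in one record: unknown event ID, missing field, length mismatch.
    Assumption: each *Length field is the character count of its string partner
    (FilePathLength <-> FilePathBuffer, CallingFunctionNameLength <->
    CallingFunctionName); the page's 4004 sample has 144 for a 144-char path."""
    eid = rec["system"]["event_id"]
    data = rec.get("event_data", {})
    expected = SCHEMA.get(eid)
    if expected is None:
        return ["unknown AppID event id %d" % eid]
    problems = ["missing field " + f for f in expected if f not in data]
    for f in expected:
        if not f.endswith("Length") or f not in data:
            continue
        stem = f[:-len("Length")]
        partner = stem + "Buffer" if stem + "Buffer" in data else stem
        if partner in data and data[f] != len(data[partner]):
            problems.append("%s=%d but len(%s)=%d"
                            % (f, data[f], partner, len(data[partner])))
    return problems


def triage(records):
    """Per 4004 verification: publisher present?, decoded status, and the 4008
    errors raised under the same ActivityID (the same verification attempt)."""
    errors = defaultdict(list)
    for r in records:
        if r["system"]["event_id"] == 4008:
            errors[r["system"].get("correlation", {}).get("ActivityID")].append(r["event_data"])
    findings = []
    for r in records:
        if r["system"]["event_id"] != 4004:
            continue
        d, aid = r["event_data"], r["system"].get("correlation", {}).get("ActivityID")
        code, label = decode_status(d["Status"])
        findings.append({
            "path": d["FilePathBuffer"],
            # Empty publisher: the service found no signature it could attribute.
            "unsigned": d.get("PublisherNameLength", 0) == 0,
            "status": "0x%08X %s" % (code, label),
            "errors": ["%s -> %s (%s)" % (e["CallingFunctionName"], e["FunctionCallName"],
                                          decode_status(e["Status"])[1])
                       for e in errors.get(aid, [])],
        })
    return findings


# Constructed from the page's two live-trace samples; they share an ActivityID.
ACTIVITY = {"ActivityID": "{AE3ADFDF-F2B5-0001-06F3-3AAEB5F2DC01}"}
SAMPLE_4004 = {"system": {"event_id": 4004, "correlation": ACTIVITY}, "event_data": json.loads(r'''
 {"FilePathBuffer": "\\\\?\\C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pb378ec07#\\6dd817c34159569e35bf90aa10a69db0\\Microsoft.PowerShell.ConsoleHost.ni.dll",
  "FilePathLength": 144, "PublisherNameBuffer": "", "PublisherNameLength": 0, "Status": "FEFFFFFF"}''')}
SAMPLE_4008 = {"system": {"event_id": 4008, "correlation": ACTIVITY}, "event_data": {
    "CallingFunctionName": "AipGetFileSignature", "CallingFunctionNameLength": 19,
    "FunctionCallName": "WinVerifyTrust(WTD_CHOICE_FILE)", "FunctionCallNameLength": 31,
    "Status": "00010B80"}}


def run(records=(SAMPLE_4004, SAMPLE_4008)):
    """Validate every record, then triage; returns (problems_by_id, findings)."""
    return {r["system"]["event_id"]: validate_record(r) for r in records}, triage(records)


if __name__ == "__main__":
    print(json.dumps(run(), indent=1))
```

Run as-is it reports the 4004 sample as an unsigned file whose own status is unknown, with the TRUST_E_NOSIGNATURE failure from the sibling 4008 attached; feeding it a record whose *Length does not match its string, or one missing a schema field, turns up in the problems map instead of being silently triaged.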
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {3CB2A168-FE19-4A4E-BDAD-DCF422F13473}
Defined in srpapi.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4647, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02