Microsoft-Windows-IIS-IISReset

14 events across 2 channels

Event	Title	Channel	Sample
3201	IIS start command received from user	Operational	Y
3201	IIS start command received from user	System	Y
3202	IIS stop command received from user	Operational	Y
3202	IIS stop command received from user	System	Y
3203	IIS reboot command received from user	Operational	N
3204	IIS kill command received from user	Operational	N
3205	Your computer is being shut down by	Operational	N
3206	IIS Reset encountered an error while stopping services, which was requested by	Operational	N
1073745025	IIS start command received from user UserName.	Operational	Y
1073745026	IIS stop command received from user UserName.	Operational	Y
1073745027	IIS reboot command received from user UserName.	Operational	N
1073745028	IIS kill command received from user UserName.	Operational	N
1073745029	Your computer is being shut down by UserName.	Operational	N
1073745030	IIS Reset encountered an error while stopping services, which was requested by …	Operational	N

Event ID 3201: IIS start command received from user

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Fields #

Name	Description
`UserName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-IISReset",
    "event_id": 3201,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:45:41.4969504+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "UserName": "ludus\\domainadmin"
  }
}

Event ID 3201: IIS start command received from user

Provider: Microsoft-Windows-IIS-IISReset
Channel: System
Level: Informational

Fields #

Name	Description
`UserName`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-IISReset",
    "guid": "{DA9A85BB-563D-40FB-A164-8E982EA6844B}",
    "event_source_name": "IISCTLS",
    "event_id": 3201,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T20:23:47.508059+00:00",
    "event_record_id": 11805,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "UserName": "ludus\\domainadmin"
  },
  "message": ""
}

Event ID 3202: IIS stop command received from user

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Fields #

Name	Description
`UserName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-IISReset",
    "event_id": 3202,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:45:35.8942279+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "UserName": "ludus\\domainadmin"
  }
}

Event ID 3202: IIS stop command received from user

Provider: Microsoft-Windows-IIS-IISReset
Channel: System
Level: Informational

Fields #

Name	Description
`UserName`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-IISReset",
    "guid": "{DA9A85BB-563D-40FB-A164-8E982EA6844B}",
    "event_source_name": "IISCTLS",
    "event_id": 3202,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T20:45:35.894227+00:00",
    "event_record_id": 11876,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "UserName": "ludus\\domainadmin"
  },
  "message": ""
}

Event ID 3203: IIS reboot command received from user

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Fields #

Name	Description
`UserName` UnicodeString

Event ID 3204: IIS kill command received from user

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Fields #

Name	Description
`UserName` UnicodeString

Event ID 3205: Your computer is being shut down by

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Fields #

Name	Description
`UserName` UnicodeString

Event ID 3206: IIS Reset encountered an error while stopping services, which was requested by

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Fields #

Name	Description
`UserName` UnicodeString

Event ID 1073745025: IIS start command received from user UserName.

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Description

IIS start command received from user UserName. The logged data is the status code.

Message #

IIS start command received from user %1. The logged data is the status code.

Fields #

Name	Description
`UserName` UnicodeString → string

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-IISReset",
    "event_id": 3201,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:45:41.4969504+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "UserName": "ludus\\domainadmin"
  }
}

Event ID 1073745026: IIS stop command received from user UserName.

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Description

IIS stop command received from user UserName. The logged data is the status code.

Message #

IIS stop command received from user %1. The logged data is the status code.

Fields #

Name	Description
`UserName` UnicodeString → string

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-IISReset",
    "event_id": 3202,
    "level": "Information",
    "task": null,
    "opcode": null,
    "time_created": "2026-03-13T20:45:35.8942279+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "UserName": "ludus\\domainadmin"
  }
}

Event ID 1073745027: IIS reboot command received from user UserName.

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Description

IIS reboot command received from user UserName. The logged data is the status code.

Message #

IIS reboot command received from user %1. The logged data is the status code.

Fields #

Name	Description
`UserName` UnicodeString → string

Event ID 1073745028: IIS kill command received from user UserName.

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Description

IIS kill command received from user UserName. The logged data is the status code.

Message #

IIS kill command received from user %1. The logged data is the status code.

Fields #

Name	Description
`UserName` UnicodeString → string

Event ID 1073745029: Your computer is being shut down by UserName.

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Description

Your computer is being shut down by UserName. Save any work that may be lost!

Message #

Your computer is being shut down by %1. Save any work that may be lost!

Fields #

Name	Description
`UserName` UnicodeString → string

Event ID 1073745030: IIS Reset encountered an error while stopping services, which was requested by UserName.

Provider: Microsoft-Windows-IIS-IISReset
Channel: Operational

Description

IIS Reset encountered an error while stopping services, which was requested by UserName. The logged data is the status code. Since the force option is on, IIS Reset will now terminate the services' processes. This may cause SCM to report errors about the services exiting.

Message #

IIS Reset encountered an error while stopping services, which was requested by %1.  The logged data is the status code.  Since the force option is on, IIS Reset will now terminate the services' processes.  This may cause SCM to report errors about the services exiting.

Fields #

Name	Description
`UserName` UnicodeString → string

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID da9a85bb-563d-40fb-a164-8e982ea6844b

Defined in iisres.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02

Downloads

Microsoft-Windows-IIS-IISReset registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)