Microsoft-Windows-Kernel-Audit-API-Calls
8 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | task_0 | Operational | N |
| 2 | task_02 | Operational | Y |
| 3 | task_03 | Operational | N |
| 4 | task_04 | Operational | N |
| 5 | OpenProcess API call audited | Operational | Y |
| 6 | OpenThread API call audited | Operational | Y |
| 7 | task_07 | Operational | N |
| 8 | task_08 | Operational | N |
Event ID 2: task_02
#Fields #
| Name | Description |
|---|---|
TargetProcessId UInt32 | Process ID of the target process. |
ReturnCode UInt32 | |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessCreationTime FILETIME |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-Audit-API-Calls",
"guid": "{E02A841C-75A3-4FA7-AFC8-AE09CF9B7F23}",
"event_source_name": "",
"event_id": 2,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:54:07.805+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2596,
"thread_id": 16456
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ReturnCode": 3221225738,
"TargetProcessCreationTime": "2026-06-02 05:54:07.672Z",
"TargetProcessId": 17656,
"TargetProcessStartKey": 1970324837006743
},
"message": ""
}
Event ID 3: task_03
#Fields #
| Name | Description |
|---|---|
LinkSourceName UnicodeString | |
LinkTargetName UnicodeString | |
DesiredAccess UInt32 | Process access rights reference |
ReturnCode UInt32 |
Event ID 5: OpenProcess API call audited
#Description
Kernel audit of a process-handle open (OpenProcess/NtOpenProcess). The manifest carries no event names (task_05); identification is grounded in the payload shape: TargetProcessId + DesiredAccess + ReturnCode. This is the same kernel audit hook Microsoft Defender for Endpoint surfaces as the DeviceEvents OpenProcessApiCall ActionType. Collectible by any admin ETW session, but payloads are sparse: process ids and access mask only, no image paths or command lines.
Fields #
| Name | Description |
|---|---|
TargetProcessId UInt32 | Process ID of the target process. |
DesiredAccess UInt32 | Process access rights reference |
ReturnCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-Audit-API-Calls",
"guid": "{E02A841C-75A3-4FA7-AFC8-AE09CF9B7F23}",
"event_source_name": "",
"event_id": 5,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:25:24.188+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 15888,
"thread_id": 15800
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DesiredAccess": 0,
"ReturnCode": 0,
"TargetProcessId": 15888
},
"message": ""
}
Detection Patterns #
Event ID 6: OpenThread API call audited
#Description
Kernel audit of a thread-handle open (OpenThread/NtOpenThread). The manifest carries no event names (task_06); identification is grounded in the payload shape: TargetProcessId + TargetThreatId (sic) + DesiredAccess + ReturnCode. Sibling of event 5 (OpenProcess audit).
Fields #
| Name | Description |
|---|---|
TargetProcessId UInt32 | Process ID of the target process. |
TargetThreatId UInt32 | |
DesiredAccess UInt32 | Process access rights reference |
ReturnCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-Audit-API-Calls",
"guid": "{E02A841C-75A3-4FA7-AFC8-AE09CF9B7F23}",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:25:24.309+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 952,
"thread_id": 4784
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DesiredAccess": 2097151,
"ReturnCode": 0,
"TargetProcessId": 13804,
"TargetThreatId": 15016
},
"message": ""
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {E02A841C-75A3-4FA7-AFC8-AE09CF9B7F23}
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02