Microsoft-Windows-Kernel-General
24 events across 2 channels
Event ID 1: The system time has changed to NewTime from OldTime.

Description: The system time has changed to NewTime from OldTime.

Fields:

| Name | Type | Description |
|---|---|---|
| NewTime | FILETIME | |
| OldTime | FILETIME | |
| Reason | UInt32 | Change reason. |
| ProcessName | UnicodeString | |
| ProcessID | UInt32 | |
| TimeDeltaInMs | Int64 | Time delta. |
| CmosTime | FILETIME | RTC time. |
| TimeZoneBias | Int32 | Current time zone bias. |
| RealTimeIsUniversal | Boolean | RTC time is in UTC. |
| SystemInCmosMode | Boolean | System time was based on RTC time. |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 1,
    "version": 2,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": -9223372036854775792,
    "time_created": "2026-05-29T23:38:45.9335781+00:00",
    "event_record_id": 6856,
    "correlation": {},
    "execution": {
      "process_id": 5172,
      "thread_id": 5420
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "NewTime": "2026-05-29T23:38:45.9329014Z",
    "OldTime": "2026-05-29T23:38:45.9318452Z",
    "Reason": "1",
    "ProcessName": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
    "ProcessID": "5172"
  },
  "message": "The system time has changed to 2026-05-29T23:38:45.932901400Z from 2026-05-29T23:38:45.931845200Z.\r\n\r\nChange Reason: An application or system component changed the time.\r\nProcess: '\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe' (PID 5172)."
}
```
Event ID 2: License policy-cache corruption detected.

Description: License policy-cache corruption detected.

Event ID 3: License policy-cache corruption has been fixed.

Description: License policy-cache corruption has been fixed.

Event ID 4: License policy-cache has expired because it was not updated within expected duration.

Description: License policy-cache has expired because it was not updated within expected duration.
Event ID 5: {Registry Hive Recovered} Registry hive (file): 'ExtraString' was corrupted and it has been recovered.

Description: {Registry Hive Recovered} Registry hive (file): 'ExtraString' was corrupted and it has been recovered. Some data might have been lost.

Fields:

| Name | Type | Description |
|---|---|---|
| FinalStatus | HexInt32 | |
| ExtraStringLength | UInt16 | |
| ExtraString | UnicodeString | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-28T11:11:46.4378352+00:00",
    "event_record_id": 1367,
    "correlation": {},
    "execution": {
      "process_id": 636,
      "thread_id": 1044
    },
    "channel": "System",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FinalStatus": "0x8000002a",
    "ExtraStringLength": "31",
    "ExtraString": "\\SystemRoot\\System32\\Config\\BBI"
  },
  "message": "{Registry Hive Recovered} Registry hive (file): '\\SystemRoot\\System32\\Config\\BBI' was corrupted and it has been recovered. Some data might have been lost."
}
```
Event ID 6: An I/O operation initiated by the Registry failed unrecoverably.

Event ID 7: The system failed to open transaction log {LogFile} for hive {HivePath}.

Fields:

| Name | Description |
|---|---|
| LogFile | |
| HivePath | |
| Status | NTSTATUS |
| TmId | |
| RmId | |
| InternalCode | |
Event ID 11: TxR init phase for hive ExtraString (TM: TmId, RM: RmId) finished with result=Status (Internal code=InternalCode).

Description: TxR init phase for hive ExtraString (TM: TmId, RM: RmId) finished with result=Status (Internal code=InternalCode).

Fields:

| Name | Type | Description |
|---|---|---|
| ExtraStringLength | UInt16 | |
| ExtraString | UnicodeString | |
| TmId | GUID | |
| RmId | GUID | |
| Status | HexInt32 | NTSTATUS |
| InternalCode | UInt32 | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T02:31:13.021540+00:00",
    "event_record_id": 2588,
    "correlation": {},
    "execution": {
      "process_id": 4888,
      "thread_id": 1608
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExtraStringLength": 79,
    "ExtraString": "\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\\config\\DRIVERS",
    "TmId": "465845D7-1B56-11F1-9FBF-C6B26F270F0B",
    "RmId": "465845D6-1B56-11F1-9FBF-C6B26F270F0B",
    "Status": "0xc00000a2",
    "InternalCode": 7
  },
  "message": ""
}
```
Event ID 12: The operating system started at system time StartTime.

Description: The operating system started at system time StartTime.

Fields:

| Name | Type | Description |
|---|---|---|
| MajorVersion | UInt32 | |
| MinorVersion | UInt32 | |
| BuildVersion | UInt32 | |
| QfeVersion | UInt32 | |
| ServiceVersion | UInt16 | |
| BootMode | UInt32 | |
| StartTime | FILETIME | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": -9223372036854775680,
    "time_created": "2026-05-29T16:32:43.9802317+00:00",
    "event_record_id": 6660,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MajorVersion": "10",
    "MinorVersion": "0",
    "BuildVersion": "20348",
    "QfeVersion": "587",
    "ServiceVersion": "0",
    "BootMode": "0",
    "StartTime": "2026-05-29T16:32:43.5000000Z"
  },
  "message": "The operating system started at system time 2026-05-29T16:32:43.500000000Z."
}
```
Event ID 13: The operating system is shutting down at system time StopTime.

Description: The operating system is shutting down at system time StopTime.

Fields:

| Name | Type | Description |
|---|---|---|
| StopTime | FILETIME | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": -9223372036854775680,
    "time_created": "2026-06-13T05:22:40.0809672+00:00",
    "event_record_id": 7416,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8144
    },
    "channel": "System",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "StopTime": "2026-06-13T05:22:40.0809646Z"
  },
  "message": "The operating system is shutting down at system time 2026-06-13T05:22:40.080964600Z."
}
```
Event ID 14: task_014

Fields:

| Name | Type | Description |
|---|---|---|
| Mode | UnicodeString | |
| ObjectType | UnicodeString | |
| ObjectName | UnicodeString | |
| ProcessName | UnicodeString | |
| ObjectCreatorProcessName | UnicodeString | |
| AccessMask | HexInt32 | Access mask |
| TokenType | UInt32 | |
| ImpersonationLevel | UInt32 | Impersonation level (SecurityAnonymous=0, SecurityIdentification=1, SecurityImpersonation=2, SecurityDelegation=3). |
| SessionId | UInt32 | |
| LowBoxNumber | UInt32 | |
| TokenGroupsCount | UInt32 | |
| TokenGroups | 28 | |
| TokenPackageCount | UInt32 | |
| TokenPackage | 30 | |
| TokenCapabilityCount | UInt32 | |
| TokenCapabilities | 31 | |
| TokenTrustLevelCount | UInt32 | |
| TokenTrustLevel | 33 | |
| SecurityDescriptorRevision | UInt8 | |
| SecurityDescriptorControl | UInt16 | |
| SecurityDescriptorOwner | SID | |
| SecurityDescriptorGroup | SID | |
| DaclRevision | UInt8 | |
| DaclAceCount | UInt16 | |
| DaclAce | 34 | |
| SaclRevision | UInt8 | |
| SaclAceCount | UInt16 | |
| SaclAce | 38 | |
Event ID 15: Hive HiveName was reorganized with a starting size of OriginalSize bytes and an ending size of NewSize bytes.

Description: Hive HiveName was reorganized with a starting size of OriginalSize bytes and an ending size of NewSize bytes.

Fields:

| Name | Type | Description |
|---|---|---|
| HiveNameLength | UInt16 | |
| HiveName | UnicodeString | |
| OriginalSize | UInt32 | |
| NewSize | UInt32 | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:22:51.6711715+00:00",
    "event_record_id": 7443,
    "correlation": {},
    "execution": {
      "process_id": 172,
      "thread_id": 584
    },
    "channel": "System",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HiveNameLength": "36",
    "HiveName": "\\SystemRoot\\System32\\Config\\SOFTWARE",
    "OriginalSize": "75931648",
    "NewSize": "75091968"
  },
  "message": "Hive \\SystemRoot\\System32\\Config\\SOFTWARE was reorganized with a starting size of 75931648 bytes and an ending size of 75091968 bytes."
}
```
Event ID 16: The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.

Description: The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages.

Fields:

| Name | Type | Description | Rules |
|---|---|---|---|
| HiveNameLength | UInt16 | | |
| HiveName | UnicodeString | | 2 detection rules |
| KeysUpdated | UInt32 | | |
| DirtyPages | UInt32 | | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:39:38.4698698+00:00",
    "event_record_id": 6934,
    "correlation": {},
    "execution": {
      "process_id": 1208,
      "thread_id": 4424
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HiveNameLength": "41",
    "HiveName": "\\??\\C:\\Windows\\System32\\config\\components",
    "KeysUpdated": "69803",
    "DirtyPages": "8545"
  },
  "message": "The access history in hive \\??\\C:\\Windows\\System32\\config\\components was cleared updating 69803 keys and creating 8545 modified pages."
}
```
Event ID 17: task_017

Fields:

| Name | Type | Description |
|---|---|---|
| ActionName | UnicodeString | |
| ProcessName | UnicodeString | |
| AccountName | UnicodeString | |
| AuthorityName | UnicodeString | |
| TokenId | HexInt64 | |
| AuthenticationId | HexInt64 | |
| TokenType | UInt32 | |
| ImpersonationLevel | UInt32 | Impersonation level (SecurityAnonymous=0, SecurityIdentification=1, SecurityImpersonation=2, SecurityDelegation=3). |
| TokenFlags | HexInt32 | |
| SidValuesReferenceCount | Int64 | |
| SidValuesCount | UInt32 | |
| SidValues | GUID | |
| SharedSidValuesReferenceCount | Int64 | |
| SharedSidValuesCount | UInt32 | |
| SharedSidValues | Pointer | |
Event ID 18: The operating system is starting after soft restart.

Event ID 19: BootPerformanceData_V3

Fields:

| Name | Type | Description |
|---|---|---|
| MmPhase0Start | UInt64 | |
| MmPhase0Stop | UInt64 | |
| Phase1Start | UInt64 | |
| KsrExtensionStart | UInt64 | |
| KsrExtensionStop | UInt64 | |
| StartProcessorsStart | UInt64 | |
| StartProcessorsStop | UInt64 | |
| AutoLoggerInitStart | UInt64 | |
| AutoLoggerInitStop | UInt64 | |
| MmPhase1Start | UInt64 | |
| MmPhase1Stop | UInt64 | |
| HalPhase0StartCycleTime | UInt64 | |
| HalPhase0StopCycleTime | UInt64 | |
| MmMark | UInt64 | |
Event ID 20: The leap second configuration has been updated.

Description: The leap second configuration has been updated.

Fields:

| Name | Type | Description |
|---|---|---|
| UpdateReason | UInt32 | Reason. |
| EnabledNew | Boolean | Leap seconds enabled. |
| CountNew | UInt32 | New leap second count. |
| CountOld | UInt32 | Old leap second count. |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 20,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": -9223372036854775792,
    "time_created": "2026-05-29T16:32:43.9847457+00:00",
    "event_record_id": 6667,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UpdateReason": "0",
    "EnabledNew": "true",
    "CountNew": "0",
    "CountOld": "0"
  },
  "message": "The leap second configuration has been updated.\r\nReason: Leap second data initialized from registry during boot\r\nLeap seconds enabled: true\r\nNew leap second count: 0\r\nOld leap second count: 0"
}
```
Event ID 21: Failed to update leap second data from the registry.

Event ID 22: The time zone bias has changed to NewBias from OldBias.

Description: The time zone bias has changed to NewBias from OldBias.

Fields:

| Name | Type | Description |
|---|---|---|
| NewBias | Int32 | |
| OldBias | Int32 | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 22,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": -9223372036854775792,
    "time_created": "2026-05-27T21:37:08.8715227+00:00",
    "event_record_id": 1039,
    "correlation": {},
    "execution": {
      "process_id": 7348,
      "thread_id": 9984
    },
    "channel": "System",
    "computer": "WIN11-25H2-X64",
    "security": {
      "user_id": "S-1-5-21-3798294047-1846905762-1150995898-1000"
    }
  },
  "event_data": {
    "NewBias": "0",
    "OldBias": "240"
  },
  "message": "The time zone bias has changed to 0 from 240."
}
```
Event ID 23: VsmPerformanceData

Fields:

| Name | Type | Description |
|---|---|---|
| VsmCleanupTime | UInt64 | |
| Mark0 | UInt64 | |
| Mark1 | UInt64 | |
| Mark2 | UInt64 | |
| Mark3 | UInt64 | |
| Mark4 | UInt64 | |
| Mark5 | UInt64 | |
| Mark6 | UInt64 | |
| Mark7 | UInt64 | |
| VsmCleanupTimeFrequency | UInt64 | |
Event ID 24: The time zone information was refreshed with exit reason ExitReason.

Description: The time zone information was refreshed with exit reason ExitReason. Current time zone bias is CurrentBias.

Fields:

| Name | Type | Description |
|---|---|---|
| ExitReason | UInt32 | |
| CurrentBias | Int32 | |
| CurrentTimeZoneID | UInt32 | |
| TimeZoneInfoCacheUpdated | UInt8 | |
| FirstRefresh | UInt8 | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}",
    "event_source_name": "",
    "event_id": 24,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": -9223372036854775792,
    "time_created": "2026-05-29T23:38:45.9331273+00:00",
    "event_record_id": 6855,
    "correlation": {},
    "execution": {
      "process_id": 5172,
      "thread_id": 5420
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ExitReason": "0",
    "CurrentBias": "0",
    "CurrentTimeZoneID": "0",
    "TimeZoneInfoCacheUpdated": "0",
    "FirstRefresh": "0"
  },
  "message": "The time zone information was refreshed with exit reason 0. Current time zone bias is 0."
}
```
Event ID 25: The system time was initialized to SystemTime.

Description: The system time was initialized to SystemTime.

Fields:

| Name | Type | Description |
|---|---|---|
| SystemTime | FILETIME | |
| LoaderTime | FILETIME | |
| InternalBootFlags | UInt64 | |
| HalRtcErrorCode | UInt32 | |
| RealTimeIsUniversal | Boolean | |
| IsSoftBoot | Boolean | |
| Success | Boolean | |
| Phase | UInt32 | |

Example Event:

```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-General",
    "guid": "{a68ca8b7-004f-d7b6-a698-07e2de0f1f5d}",
    "event_source_name": "",
    "event_id": 25,
    "version": 0,
    "level": 4,
    "task": 12,
    "opcode": 0,
    "keywords": 9223372036854775824,
    "time_created": "2026-04-18 00:24:00.564163+00:00",
    "event_record_id": 5,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "USERUSE-I0E7KUG",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SystemTime": "2026-04-18 01:24:00.500000+00:00",
    "LoaderTime": "2026-04-18 01:23:59+00:00",
    "InternalBootFlags": "2",
    "HalRtcErrorCode": "0",
    "RealTimeIsUniversal": "False",
    "IsSoftBoot": "False",
    "Success": "True",
    "Phase": "0"
  },
  "message": "The system time was initialized to ?2026?-?04?-?18T01:24:00.500000000Z. \r\n\r\nLoader time: ?2026?-?04?-?18T01:23:59.000000000Z\r\nInternal boot flags: 0x2\r\nHAL RTC error code: 0x0\r\nRTC time is in UTC: false\r\nSoft boot: false\r\nSuccess: true\r\nPhase: 0"
}
```
Event ID 26: Token information was queried for TokenIsAppContainer.

Description: Token information was queried for TokenIsAppContainer.

Fields:

| Name | Type | Description |
|---|---|---|
| ProcessName | UnicodeString | |
| PackageSid | SID | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID a68ca8b7-004f-d7b6-a698-07e2de0f1f5d
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02