Microsoft-Windows-Privacy-Auditing

33 events across 1 channel

Event	Title	Channel	Sample
1000	Allow access to SettingName on this device setting has successfully changed from …	Operational	Y
1001	Allow access to SettingName on this device setting has failed to change by …	Operational	N
1002	Allow apps to access your SettingName setting for user TargetUserSid …	Operational	N
1003	Allow apps to access your SettingName setting for user TargetUserSid failed to …	Operational	N
1004	User TargetUserSid setting for allow app AppPackageFamilyName access to …	Operational	N
1005	User TargetUserSid setting for allow app AppPackageFamilyName access to …	Operational	N
1006	Allow access to SettingName on this device default setting successfully created …	Operational	Y
1007	Allow access to SettingName on this device default setting failed creation.	Operational	N
1008	Allow apps to access your SettingName setting default for user TargetUserSid …	Operational	Y
1009	Allow apps to access your SettingName setting default for user TargetUserSid …	Operational	N
1010	User TargetUserSid setting for allow app AppPackageFamilyName access to …	Operational	Y
1011	User TargetUserSid setting for allow app AppPackageFamilyName access to …	Operational	N
1012	During app AppPackageFamilyName installation setting SettingName default set for …	Operational	Y
1013	During app AppPackageFamilyName installation setting SettingName default failed …	Operational	Y
1014	User TargetUserSid answered prompt successfully for capability SettingName and …	Operational	N
1015	User TargetUserSid could not be prompted for capability SettingName and app …	Operational	N
1016	During app AppPackageFamilyName installation for user TargetUserSid, secondary …	Operational	N
1017	During app AppPackageFamilyName installation for user TargetUserSid, secondary …	Operational	N
1018	Compliance database successfully created at version DatabaseVersion.	Operational	Y
1019	Compliance database could not be created at version DatabaseVersion.	Operational	N
1020	Database schema was successfully migrated in Duration UTC (unit 100NS).	Operational	N
1021	Database could not be migrated.	Operational	N
1022	Database was successfully recovered in Duration UTC (unit 100NS) - old data was …	Operational	N
1023	Database recovery could not be completed, database is in an unhealthy state.	Operational	N
1024	Package AppPackageFamilyName for user UserSid successfully deprovisioned.	Operational	Y
1025	Consent for Package AppPackageFamilyName and User UserSid has been deemed …	Operational	Y
1026	Settings Database was successfully recovered - ALL SETTINGS DATA was lost.	Operational	N
1027	Settings Database recovery could not be completed, database is in an unhealthy …	Operational	N
1028	Settings Database is in a corrupt state due to major version mismatch.	Operational	N
1029	Settings database successfully created at version DatabaseVersion.	Operational	N
1030	Settings database could not be created at version DatabaseVersion.	Operational	N
1031	Settings Database schema was successfully migrated.	Operational	N
1032	Settings Database could not be migrated.	Operational	N

Event ID 1000: Allow access to SettingName on this device setting has successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: ValueChanged

Description

Allow access to SettingName on this device setting has successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

Allow access to %12 on this device setting has successfully changed from %4 to %5 by %2.

Fields #

Name	Description
`CallerUserSid` UnicodeString
`CallerProcessName` UnicodeString
`CallerAppPackageFamilyName` UnicodeString
`OldConsentValue` UnicodeString
`NewConsentValue` UnicodeString
`SetByHigherAuthority` Boolean
`EffectiveConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 9223372036854775809,
    "time_created": "2025-12-31T19:32:58.262536+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 3728,
      "thread_id": 3820
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerUserSid": "S-1-5-18",
    "CallerProcessName": "msoobe.exe",
    "CallerAppPackageFamilyName": "",
    "OldConsentValue": "Undefined",
    "NewConsentValue": "Deny",
    "SetByHigherAuthority": false,
    "EffectiveConsentValue": "Deny",
    "TargetUserSid": "NULL",
    "ConsentID": "NULL",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "location"
  },
  "message": ""
}

Event ID 1001: Allow access to SettingName on this device setting has failed to change by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ValueChanged

Description

Allow access to SettingName on this device setting has failed to change by CallerProcessName.

Message #

Allow access to %12 on this device setting has failed to change by %2.

Fields #

Name	Description
`CallerUserSid` UnicodeString
`CallerProcessName` UnicodeString
`CallerAppPackageFamilyName` UnicodeString
`OldConsentValue` UnicodeString
`NewConsentValue` UnicodeString
`SetByHigherAuthority` Boolean
`EffectiveConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString

Event ID 1002: Allow apps to access your SettingName setting for user TargetUserSid successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ValueChanged

Description

Allow apps to access your SettingName setting for user TargetUserSid successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

Allow apps to access your %12 setting for user %8 successfully changed from %4 to %5 by %2.

Fields #

Name	Description
`CallerUserSid` UnicodeString
`CallerProcessName` UnicodeString
`CallerAppPackageFamilyName` UnicodeString
`OldConsentValue` UnicodeString
`NewConsentValue` UnicodeString
`SetByHigherAuthority` Boolean
`EffectiveConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString

Event ID 1003: Allow apps to access your SettingName setting for user TargetUserSid failed to change by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ValueChanged

Description

Allow apps to access your SettingName setting for user TargetUserSid failed to change by CallerProcessName.

Message #

Allow apps to access your %12 setting for user %8 failed to change by %2.

Fields #

Name	Description
`CallerUserSid` UnicodeString
`CallerProcessName` UnicodeString
`CallerAppPackageFamilyName` UnicodeString
`OldConsentValue` UnicodeString
`NewConsentValue` UnicodeString
`SetByHigherAuthority` Boolean
`EffectiveConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString

Event ID 1004: User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ValueChanged

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName successfully changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

User %8 setting for allow app %10 access to %12 successfully changed from %4 to %5 by %2.

Fields #

Name	Description
`CallerUserSid` UnicodeString
`CallerProcessName` UnicodeString
`CallerAppPackageFamilyName` UnicodeString
`OldConsentValue` UnicodeString
`NewConsentValue` UnicodeString
`SetByHigherAuthority` Boolean
`EffectiveConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString

Event ID 1005: User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName failed to change by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ValueChanged

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName failed to change by CallerProcessName.

Message #

User %8 setting for allow app %10 access to %12 failed to change by %2.

Fields #

Name	Description
`CallerUserSid` UnicodeString
`CallerProcessName` UnicodeString
`CallerAppPackageFamilyName` UnicodeString
`OldConsentValue` UnicodeString
`NewConsentValue` UnicodeString
`SetByHigherAuthority` Boolean
`EffectiveConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString

Event ID 1006: Allow access to SettingName on this device default setting successfully created as NewConsentValue.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: DefaultConsentCreated

Description

Allow access to SettingName on this device default setting successfully created as NewConsentValue.

Message #

Allow access to %6 on this device default setting successfully created as %1.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean
`Suppressed` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T21:24:02.614760+00:00",
    "event_record_id": 42,
    "correlation": {},
    "execution": {
      "process_id": 2376,
      "thread_id": 6016
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "NULL",
    "ConsentID": "NULL",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "wiFiDirect",
    "Migrated": false,
    "Suppressed": false
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1007: Allow access to SettingName on this device default setting failed creation.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DefaultConsentCreated

Description

Allow access to SettingName on this device default setting failed creation.

Message #

Allow access to %6 on this device default setting failed creation.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean
`Suppressed` Boolean

Event ID 1008: Allow apps to access your SettingName setting default for user TargetUserSid successfully created as NewConsentValue.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: DefaultConsentCreated

Description

Allow apps to access your SettingName setting default for user TargetUserSid successfully created as NewConsentValue.

Message #

Allow apps to access your %6 setting default for user %2 successfully created as %1.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean
`Suppressed` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "{D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62}",
    "event_source_name": "",
    "event_id": 1008,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": -9223372036854775806,
    "time_created": "2026-05-28T18:23:43.5057207+00:00",
    "event_record_id": 109,
    "correlation": {},
    "execution": {
      "process_id": 3144,
      "thread_id": 2368
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Deny",
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ConsentID": "",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "wiFiDirect",
    "Migrated": "false",
    "Suppressed": "false"
  },
  "message": "Allow apps to access your wiFiDirect setting default for user S-1-5-21-1006758700-2167138679-1475694448-1105 successfully created as Deny."
}

Event ID 1009: Allow apps to access your SettingName setting default for user TargetUserSid failed creation.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DefaultConsentCreated

Description

Allow apps to access your SettingName setting default for user TargetUserSid failed creation.

Message #

Allow apps to access your %6 setting default for user %2 failed creation.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean
`Suppressed` Boolean

Event ID 1010: User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default successfully created as NewConsentValue.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: DefaultConsentCreated

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default successfully created as NewConsentValue.

Message #

User %2 setting for allow app %4 access to %6 default successfully created as %1.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean
`Suppressed` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62",
    "event_source_name": "",
    "event_id": 1010,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2023-11-05T22:37:51.451442+00:00",
    "event_record_id": 161,
    "correlation": {},
    "execution": {
      "process_id": 5264,
      "thread_id": 5356
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "ConsentID": "",
    "AppPackageFamilyName": "MicrosoftWindows.Client.WebExperience_cw5n1h2txyewy",
    "HResult": "0x0",
    "SettingName": "location",
    "Migrated": false,
    "Suppressed": false
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1011: User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default failed creation.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DefaultConsentCreated

Description

User TargetUserSid setting for allow app AppPackageFamilyName access to SettingName default failed creation.

Message #

User %2 setting for allow app %4 access to %6 default failed creation.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean
`Suppressed` Boolean

Event ID 1012: During app AppPackageFamilyName installation setting SettingName default set for user TargetUserSid as NewConsentValue.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: CapabilityConsentProvisioned

Description

During app AppPackageFamilyName installation setting SettingName default set for user TargetUserSid as NewConsentValue.

Message #

During app %3 installation setting %5 default set for user %2 as %1.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "{D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62}",
    "event_source_name": "",
    "event_id": 1012,
    "version": 0,
    "level": 4,
    "task": 30,
    "opcode": 0,
    "keywords": -9223372036854775804,
    "time_created": "2026-05-28T18:29:48.0386761+00:00",
    "event_record_id": 119,
    "correlation": {
      "ActivityID": "{AFDF3271-EE92-0002-F45E-DFAF92EEDC01}"
    },
    "execution": {
      "process_id": 3144,
      "thread_id": 3564
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Prompt",
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "AppPackageFamilyName": "Microsoft.AccountsControl_cw5n1h2txyewy",
    "HResult": "0x0",
    "SettingName": "userAccountInformation",
    "Migrated": "false"
  },
  "message": "During app Microsoft.AccountsControl_cw5n1h2txyewy installation setting userAccountInformation default set for user S-1-5-21-1006758700-2167138679-1475694448-1105 as Prompt."
}

Event ID 1013: During app AppPackageFamilyName installation setting SettingName default failed to be set.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Error
Task: CapabilityConsentProvisioned

Description

During app AppPackageFamilyName installation setting SettingName default failed to be set.

Message #

During app %3 installation setting %5 default failed to be set.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`Migrated` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "guid": "{D67FBB76-D18A-5AE3-24A3-8C1DB52D6C62}",
    "event_source_name": "",
    "event_id": 1013,
    "version": 0,
    "level": 2,
    "task": 30,
    "opcode": 0,
    "keywords": -9223372036854775740,
    "time_created": "2026-05-28T11:13:09.4906398+00:00",
    "event_record_id": 81,
    "correlation": {
      "ActivityID": "{AFDF3271-EE92-0003-6437-DFAF92EEDC01}"
    },
    "execution": {
      "process_id": 3144,
      "thread_id": 3620
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NewConsentValue": "Allow",
    "TargetUserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "AppPackageFamilyName": "Microsoft.Windows.Search_cw5n1h2txyewy",
    "HResult": "0x8000ffff",
    "SettingName": "wifiData",
    "Migrated": "false"
  },
  "message": "During app Microsoft.Windows.Search_cw5n1h2txyewy installation setting wifiData default failed to be set."
}

Event ID 1014: User TargetUserSid answered prompt successfully for capability SettingName and app AppID.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: PromptAnswered

Description

User TargetUserSid answered prompt successfully for capability SettingName and app AppID. Response was NewConsentValue.

Message #

User %2 answered prompt successfully for capability %6 and app %4. Response was %1.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppID` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`AutoAccepted` Boolean
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 1015: User TargetUserSid could not be prompted for capability SettingName and app AppID.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: PromptAnswered

Description

User TargetUserSid could not be prompted for capability SettingName and app AppID.

Message #

User %2 could not be prompted for capability %6 and app %4.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`ConsentID` UnicodeString
`AppID` UnicodeString
`HResult` HexInt32
`SettingName` UnicodeString
`AutoAccepted` Boolean
`FileID` UnicodeString
`ProgramID` UnicodeString

Event ID 1016: During app AppPackageFamilyName installation for user TargetUserSid, secondary setup for capability Capability with initial value NewConsentValue was successfully completed.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ProvisioningHandlerCalled

Description

During app AppPackageFamilyName installation for user TargetUserSid, secondary setup for capability Capability with initial value NewConsentValue was successfully completed.

Message #

During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 was successfully completed.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`Capability` UnicodeString

Event ID 1017: During app AppPackageFamilyName installation for user TargetUserSid, secondary setup for capability Capability with initial value NewConsentValue failed with error code HResult.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: ProvisioningHandlerCalled

Description

During app AppPackageFamilyName installation for user TargetUserSid, secondary setup for capability Capability with initial value NewConsentValue failed with error code HResult.

Message #

During app %3 installation for user %2, secondary setup for capability %5 with initial value %1 failed with error code %4.

Fields #

Name	Description
`NewConsentValue` UnicodeString
`TargetUserSid` UnicodeString	SID of the target account.
`AppPackageFamilyName` UnicodeString
`HResult` HexInt32
`Capability` UnicodeString

Event ID 1018: Compliance database successfully created at version DatabaseVersion.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: DatabaseCreation

Description

Compliance database successfully created at version DatabaseVersion. Creation took Duration UTC (unit 100NS).

Message #

Compliance database successfully created at version %1. Creation took %2 UTC (unit 100NS)

Fields #

Name	Description
`DatabaseVersion` HexInt32
`Duration` HexInt64
`HResult` HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "event_id": 1018,
    "level": 4,
    "task": 60,
    "opcode": 0,
    "time_created": "2026-04-18T00:24:44.2938329+00:00",
    "computer": "USERUSE-I0E7KUG",
    "channel": "Microsoft-Windows-Privacy-Auditing"
  },
  "event_data": {
    "Duration": "0x17e78",
    "DatabaseVersion": "0x601",
    "HResult": "0x0"
  }
}

Event ID 1019: Compliance database could not be created at version DatabaseVersion.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DatabaseCreation

Description

Compliance database could not be created at version DatabaseVersion. Result code: HResult.

Message #

Compliance database could not be created at version %1. Result code: %3

Fields #

Name	Description
`DatabaseVersion` HexInt32
`Duration` HexInt64
`HResult` HexInt32

Event ID 1020: Database schema was successfully migrated in Duration UTC (unit 100NS).

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DatabaseMigration

Description

Database schema was successfully migrated in Duration UTC (unit 100NS). Old Version: OldDatabaseVersion. New Version NewDatabaseVersion.

Message #

Database schema was successfully migrated in %3 UTC (unit 100NS). Old Version: %1. New Version %2

Fields #

Name	Description
`OldDatabaseVersion` HexInt32
`NewDatabaseVersion` HexInt32
`Duration` HexInt64
`HResult` HexInt32

Event ID 1021: Database could not be migrated.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DatabaseMigration

Description

Database could not be migrated. Old Version: OldDatabaseVersion. New Version: NewDatabaseVersion. Result code: HResult.

Message #

Database could not be migrated. Old Version: %1. New Version: %2. Result code: %4

Fields #

Name	Description
`OldDatabaseVersion` HexInt32
`NewDatabaseVersion` HexInt32
`Duration` HexInt64
`HResult` HexInt32

Event ID 1022: Database was successfully recovered in Duration UTC (unit 100NS) - old data was lost.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DatabaseRecovery

Description

Database was successfully recovered in Duration UTC (unit 100NS) - old data was lost. Old database version: DatabaseVersion. Runtime version: RuntimeVersion. Justification string: Justification.

Message #

Database was successfully recovered in %4 UTC (unit 100NS) - old data was lost. Old database version: %1. Runtime version: %2. Justification string: %3

Fields #

Name	Description
`DatabaseVersion` HexInt32
`RuntimeVersion` HexInt32
`Justification` UnicodeString
`Duration` HexInt64
`HResult` HexInt32

Event ID 1023: Database recovery could not be completed, database is in an unhealthy state.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: DatabaseRecovery

Description

Database recovery could not be completed, database is in an unhealthy state. Database version: DatabaseVersion. Runtime version: RuntimeVersion. Justification string: Justification. Result code: HResult.

Message #

Database recovery could not be completed, database is in an unhealthy state. Database version: %1. Runtime version: %2. Justification string: %3. Result code: %5

Fields #

Name	Description
`DatabaseVersion` HexInt32
`RuntimeVersion` HexInt32
`Justification` UnicodeString
`Duration` HexInt64
`HResult` HexInt32

Event ID 1024: Package AppPackageFamilyName for user UserSid successfully deprovisioned.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: PackageDeprovisioned

Description

Package AppPackageFamilyName for user UserSid successfully deprovisioned.

Message #

Package %2 for user %1 successfully deprovisioned

Fields #

Name	Description
`UserSid` UnicodeString
`AppPackageFamilyName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "event_id": 1024,
    "level": 4,
    "task": 90,
    "opcode": 0,
    "time_created": "2026-04-28T02:28:38.9769922+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Privacy-Auditing"
  },
  "event_data": {
    "AppPackageFamilyName": "Microsoft.WindowsAppRuntime.1.3_8wekyb3d8bbwe",
    "UserSid": "S-1-5-21-3798294047-1846905762-1150995898-1000"
  }
}

Event ID 1025: Consent for Package AppPackageFamilyName and User UserSid has been deemed invalid for capability Capability.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Level: Informational
Task: InvalidConsent

Description

Consent for Package AppPackageFamilyName and User UserSid has been deemed invalid for capability Capability. Removing consent. Justification: Justification.

Message #

Consent for Package %2 and User %1 has been deemed invalid for capability %3. Removing consent. Justification: %4

Fields #

Name	Description
`UserSid` UnicodeString
`AppPackageFamilyName` UnicodeString
`Capability` UnicodeString
`Justification` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing",
    "event_id": 1025,
    "level": 4,
    "task": 100,
    "opcode": 0,
    "time_created": "2026-05-27T20:01:14.7300182+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Privacy-Auditing"
  },
  "event_data": {
    "UserSid": "S-1-5-21-3798294047-1846905762-1150995898-1000",
    "Justification": "Capability does not support Full Trust consent",
    "Capability": "userAccountInformation",
    "AppPackageFamilyName": "NonPackaged"
  }
}

Event ID 1026: Settings Database was successfully recovered - ALL SETTINGS DATA was lost.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseRecovery

Description

Settings Database was successfully recovered - ALL SETTINGS DATA was lost. Runtime version: RuntimeVersion. Context string: ContextString.

Message #

Settings Database was successfully recovered - ALL SETTINGS DATA was lost. Runtime version: %1. Context string: %2

Fields #

Name	Description
`RuntimeVersion` HexInt32
`ContextString` UnicodeString
`HResult` HexInt32

Event ID 1027: Settings Database recovery could not be completed, database is in an unhealthy state.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseRecovery

Description

Settings Database recovery could not be completed, database is in an unhealthy state. Runtime version: RuntimeVersion. Context string: ContextString. Result code: HResult.

Message #

Settings Database recovery could not be completed, database is in an unhealthy state. Runtime version: %1. Context string: %2. Result code: %3

Fields #

Name	Description
`RuntimeVersion` HexInt32
`ContextString` UnicodeString
`HResult` HexInt32

Event ID 1028: Settings Database is in a corrupt state due to major version mismatch.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseMajorVersionMismatch

Description

Settings Database is in a corrupt state due to major version mismatch. Runtime expects major version: RuntimeMajorVersion, database major version: DatabaseMajorVersion.

Message #

Settings Database is in a corrupt state due to major version mismatch. Runtime expects major version: %1, database major version: %2

Fields #

Name	Description
`RuntimeMajorVersion` HexInt32
`DatabaseMajorVersion` HexInt32

Event ID 1029: Settings database successfully created at version DatabaseVersion.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseCreation

Description

Settings database successfully created at version DatabaseVersion.

Message #

Settings database successfully created at version %1

Fields #

Name	Description
`DatabaseVersion` HexInt32
`HResult` HexInt32

Event ID 1030: Settings database could not be created at version DatabaseVersion.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseCreation

Description

Settings database could not be created at version DatabaseVersion. Result code: HResult.

Message #

Settings database could not be created at version %1. Result code: %2

Fields #

Name	Description
`DatabaseVersion` HexInt32
`HResult` HexInt32

Event ID 1031: Settings Database schema was successfully migrated.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseMigration

Description

Settings Database schema was successfully migrated. Old Version: OldDatabaseVersion. New Version NewDatabaseVersion.

Message #

Settings Database schema was successfully migrated. Old Version: %1. New Version %2

Fields #

Name	Description
`OldDatabaseVersion` HexInt32
`NewDatabaseVersion` HexInt32
`HResult` HexInt32

Event ID 1032: Settings Database could not be migrated.

Provider: Microsoft-Windows-Privacy-Auditing
Channel: Operational
Task: SettingsDatabaseMigration

Description

Settings Database could not be migrated. Old Version: OldDatabaseVersion. New Version: NewDatabaseVersion. Result code: HResult.

Message #

Settings Database could not be migrated. Old Version: %1. New Version: %2. Result code: %3

Fields #

Name	Description
`OldDatabaseVersion` HexInt32
`NewDatabaseVersion` HexInt32
`HResult` HexInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID d67fbb76-d18a-5ae3-24a3-8c1db52d6c62

Defined in CapabilityAccessManager.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4484, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)