Microsoft-Windows-SEC

61 events across 1 channel

Event	Title	Channel	Sample
1	task_0	Operational	N
2	task_02	Operational	N
3	task_03	Operational	N
4	task_04	Operational	N
5	task_05_V1	Operational	N
6	task_06_V1	Operational	N
7	task_07_V1	Operational	N
8	task_08	Operational	N
9	task_09	Operational	N
10	task_010	Operational	N
11	task_011	Operational	N
12	task_012	Operational	N
13	task_013	Operational	N
14	task_014	Operational	N
15	task_015	Operational	N
16	task_016	Operational	N
17	task_017	Operational	N
18	task_018	Operational	N
19	task_019	Operational	N
20	task_020	Operational	N
21	task_021	Operational	N
22	task_022	Operational	N
23	task_023	Operational	N
24	task_024	Operational	N
25	task_025	Operational	N
26	task_026	Operational	N
27	task_027	Operational	N
28	task_028	Operational	N
29	task_029	Operational	N
30	task_030	Operational	N
31	task_031	Operational	N
32	task_032	Operational	N
33	task_033	Operational	N
34	task_034	Operational	N
35	task_035	Operational	N
36	task_036	Operational	N
37	task_037	Operational	N
38	task_038	Operational	N
39	task_039	Operational	N
40	task_040	Operational	N
41	task_041	Operational	N
42	task_042_V2	Operational	N
43	task_043_V1	Operational	N
44	task_044	Operational	N
45	task_045	Operational	N
46	task_046	Operational	N
47	task_047	Operational	N
48	task_048	Operational	N
49	task_049	Operational	N
50	task_050_V2	Operational	N
51	task_051_V1	Operational	N
52	task_052_V2	Operational	N
53	task_053	Operational	N
54	task_054	Operational	N
55	task_055	Operational	N
56	task_056_V2	Operational	N
57	task_057_V2	Operational	N
58	task_058	Operational	N
59	task_059	Operational	N
60	task_060	Operational	N
61	task_061	Operational	N

Event ID 1: task_0

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`CreatorProcessId` HexInt32
`CreatorProcessTime` Int64
`CreatorProcessName` UnicodeString
`ProcessName` UnicodeString
`CommandLine` UnicodeString
`ImageSHA256` Binary
`ImageSHA1` Binary
`ImageMD5` Binary
`PartialCRC1` HexInt32
`PartialCRC2` HexInt32
`PartialCRC3` HexInt32
`MotW` Boolean
`IntegrityLevel` HexInt32
`TokenElevationType` HexInt32	Token elevation type (1=Default, 2=Full, 3=Limited). Known values `%%1936` TokenElevationTypeDefault (1) `%%1937` TokenElevationTypeFull (2) `%%1938` TokenElevationTypeLimited (3) `1` TokenElevationTypeDefault `2` TokenElevationTypeFull `3` TokenElevationTypeLimited
`Elevated` Boolean
`Impersonation` Boolean
`SubjectLogonId` HexInt64	Logon session identifier (LUID) for the subject. Correlates with logon events (4624).
`ProcessStartKey` UInt64
`CreatorProcessStartKey` UInt64
`CommandLineTruncated` Boolean
`CommandLineSize` HexInt32
`ImageLSH` Binary
`MitigationPolicy` UInt64
`ProtectionLevel` UInt8
`EnterprisePolicy` HexInt32
`InferredParentProcessId` HexInt32
`InferredParentProcessTime` Int64
`InferredParentProcessName` UnicodeString
`InferredParentProcessStartKey` UInt64
`CiIsSigningChainValid` UInt32
`CiIsMicrosoftRoot` UInt32
`CiIsMicrosoftApplicationRoot` UInt32
`CiSigningLevel` UInt8
`ImageOriginalName` UnicodeString
`CreationAnomalies` UInt64
`InitialThreadId` HexInt32
`InitialThreadStartAddress` Pointer
`WindowFlags` HexInt32
`ShowWindowFlags` HexInt32
`StandardInputDeviceType` HexInt32
`StandardOutputDeviceType` HexInt32
`StandardErrorDeviceType` HexInt32
`DesktopInfo` UnicodeString

Event ID 2: task_02

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DriverUnloadTime` Int64

Event ID 3: task_03

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DriverLoadTime` Int64

Event ID 4: task_04

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`FileAttributes` HexInt32
`Dispositon` HexInt32
`ProcessStartKey` UInt64
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 5: task_05_V1

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`NewFileName` UnicodeString
`FileAttributes` HexInt32
`ProcessStartKey` UInt64
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 6: task_06_V1

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`FileAttributes` HexInt32
`ProcessStartKey` UInt64
`IsSensitive` Boolean
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 7: task_07_V1

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`FileAttributes` HexInt32
`ProcessStartKey` UInt64
`IsSensitive` Boolean
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 8: task_08

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`ProcessStartKey` UInt64

Event ID 9: task_09

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`ProcessStartKey` UInt64

Event ID 10: task_010

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`NewKey` UnicodeString
`ProcessStartKey` UInt64

Event ID 11: task_011

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`Hive` UnicodeString
`RestoreFlags` HexInt32
`ProcessStartKey` UInt64

Event ID 12: task_012

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`Hive` UnicodeString
`NewHive` UnicodeString
`ProcessStartKey` UInt64

Event ID 13: task_013

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`Value` UnicodeString
`OldValueDataType` HexInt32
`OldValueDataSize` HexInt32
`OldValueCopiedSize` UInt32
`OldValueData` Binary
`NewValueDataType` HexInt32
`NewValueDataSize` HexInt32
`NewValueCopiedSize` UInt32
`NewValueData` Binary
`ProcessStartKey` UInt64

Event ID 14: task_014

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`VolumeName` UnicodeString
`VolReadOffset` HexInt64
`VolReadSize` HexInt64
`SystemVolume` Boolean
`ProcessStartKey` UInt64
`VolumeShadowCopy` Boolean

Event ID 15: task_015

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`VolumeName` UnicodeString
`AccessMask` HexInt32	Access mask reference
`SystemVolume` Boolean
`ProcessStartKey` UInt64
`VolumeShadowCopy` Boolean

Event ID 16: task_016

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`Value` UnicodeString
`DataType` HexInt32
`ValueDataSize` HexInt32
`ValueCopiedSize` UInt32
`ValueData` Binary
`ProcessStartKey` UInt64

Event ID 17: task_017

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`PipeName` UnicodeString
`RemoteClientsAccess` UInt32
`NamedPipeEnd` UInt32
`DesiredAccess` HexInt32	Process access rights reference
`FileOperation` UInt32
`ProcessStartKey` UInt64
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 18: task_018

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`TargetProcessId` HexInt32	Process ID of the target process.
`TargetProcessTime` Int64
`TargetProcessName` UnicodeString
`TargetThreadId` HexInt32	Thread ID in the target process.
`TargetThreadStartAddress` Pointer
`StartAddressVadQueryResult` UInt32
`StartAddressVadAllocationBase` Pointer
`StartAddressVadAllocationProtect` UInt32
`StartAddressVadRegionType` UInt32
`StartAddressVadRegionSize` Pointer
`StartAddressVadProtect` UInt32
`SourceProcessStartKey` UInt64
`TargetProcessStartKey` UInt64	Kernel-assigned unique key for the target process.
`MappedModuleName` UnicodeString

Event ID 19: task_019

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`TargetProcessId` HexInt32	Process ID of the target process.
`TargetProcessTime` Int64
`TargetProcess` UnicodeString
`Access` HexInt32
`SourceProcessStartKey` UInt64
`TargetProcessStartKey` UInt64	Kernel-assigned unique key for the target process.

Event ID 20: task_020

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Desktop` UnicodeString
`Access` HexInt32
`Duplicate` Boolean
`Kernel` Boolean
`ProcessStartKey` UInt64

Event ID 21: task_021

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`VolumeName` UnicodeString
`VolWriteOffset` HexInt64
`VolWriteSize` HexInt64
`SystemVolume` Boolean
`ProcessStartKey` UInt64
`VolumeShadowCopy` Boolean

Event ID 22: task_022

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`ProcessName` UnicodeString
`CommandLine` UnicodeString
`ProcessStartKey` UInt64
`CommandLineTruncated` Boolean
`CommandLineSize` HexInt32

Event ID 23: task_023

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`ImageName` UnicodeString
`MotW` Boolean
`ImageSHA256` Binary
`ImageSHA1` Binary
`ImageMD5` Binary
`PartialCRC1` HexInt32
`PartialCRC2` HexInt32
`PartialCRC3` HexInt32
`SystemModeImage` Boolean
`LoadImageAddress` Pointer
`ProcessStartKey` UInt64
`LoadImageSize` UInt64
`ImageLSH` Binary
`CiIsSigningChainValid` UInt32
`CiIsMicrosoftRoot` UInt32
`CiIsMicrosoftApplicationRoot` UInt32
`CiSigningLevel` UInt8
`ImageOriginalName` UnicodeString
`ImageSignatureLevel` UInt32
`ImageDeviceType` UInt32
`ImageDeviceCharacteristics` UInt32
`ImageDeviceFlags` UInt32

Event ID 24: task_024

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`ImageName` UnicodeString
`MotW` Boolean
`ImageSHA256` Binary
`ImageSHA1` Binary
`ImageMD5` Binary
`PartialCRC1` HexInt32
`PartialCRC2` HexInt32
`PartialCRC3` HexInt32
`ImageSignatureLevel` UInt32
`ImageSignatureType` UInt32
`CurrentCodeIntegrityOptions` UInt32
`OriginalCodeIntegrityOptions` UInt32
`ProcessStartKey` UInt64
`ImageBase` Pointer
`ImageSize` UInt64
`ImageLSH` Binary

Event ID 25: task_025

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`AffectedProcessId` HexInt32
`AffectedProcessTime` Int64
`CurrentTokenPointer` Pointer
`CurrentTokenSource` Binary
`CurrentTokenPrivPresent` UInt64
`CurrentTokenPrivEnabled` UInt64
`CurrentTokenPrivEnabledByDefault` UInt64
`CurrentTokenIntegrityLevel` UInt32
`CurrentTokenUserSid` SID
`PreviousTokenPointer` Pointer
`PreviousTokenSource` Binary
`PreviousTokenPrivPresent` UInt64
`PreviousTokenPrivEnabled` UInt64
`PreviousTokenPrivEnabledByDefault` UInt64
`PreviousTokenIntegrityLevel` UInt32
`PreviousTokenUserSid` SID
`OriginalTokenPointer` Pointer
`OriginalTokenSource` Binary
`OriginalTokenPrivPresent` UInt64
`OriginalTokenPrivEnabled` UInt64
`OriginalTokenPrivEnabledByDefault` UInt64
`OriginalTokenIntegrityLevel` UInt32
`OriginalTokenUserSid` SID
`SystemTokenPointer` Pointer
`InlineCheck` Boolean
`AffectedProcessStartKey` UInt64
`PrimaryTokenFrozen` Boolean
`ParentTokenIntegrityLevel` UInt32

Event ID 26: task_026

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`NormalizedSharePath` UnicodeString
`ShareName` UnicodeString
`SocketAddress` UnicodeString
`OpenDirection` UInt8

Event ID 27: task_027

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`AffectedProcessId` HexInt32
`AffectedProcessStartKey` UInt64
`AffectedProcessTime` Int64
`InlineCheck` Boolean
`CurrentDaclPointer` Pointer
`CurrentDaclValidAceList` Boolean
`CurrentDaclAceCount` UInt32
`CurrentDaclSids` UnicodeString
`CurrentDaclAccessMaskBlobSize` UInt32
`CurrentDaclAccessMasks` Binary
`PreviousDaclPointer` Pointer
`PreviousDaclValidAceList` Boolean
`PreviousDaclAceCount` UInt32
`PreviousDaclSids` UnicodeString
`PreviousDaclAccessMaskBlobSize` UInt32
`PreviousDaclAccessMasks` Binary
`OriginalDaclPointer` Pointer
`OriginalDaclValidAceList` Boolean
`OriginalDaclAceCount` UInt32
`OriginalDaclSids` UnicodeString
`OriginalDaclAccessMaskBlobSize` UInt32
`OriginalDaclAccessMasks` Binary

Event ID 28: task_028

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessStartKey` UInt64
`Flags` UInt32
`ThreadId` HexInt32
`CallerAddress` Pointer
`StartAddress` Pointer
`BackTraceSize` UInt32
`BackTrace` Binary
`TargetCodeSize` UInt32
`TargetCode` Binary
`CallerCodeSize` UInt32
`CallerCode` Binary

Event ID 29: task_029

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`CurrentValue` Pointer
`OriginalValue` Pointer
`IsSynchronous` Boolean

Event ID 30: task_030

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`CurrentValue` Pointer
`PreviousValue` Pointer
`OriginalValue` Pointer
`IsSynchronous` Boolean

Event ID 31: task_031

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`ThreadId` HexInt32
`UserSid` SID
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 32: task_032

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`SuspiciousPointerIndex` UInt32
`TableSize` UInt32
`Table` Binary
`CodeSize` UInt32
`Code` Binary

Event ID 33: task_033

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`SuspiciousPointerIndex` UInt32
`TableSize` UInt32
`Table` Binary
`CodeSize` UInt32
`Code` Binary

Event ID 34: task_034

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`TargetProcessId` HexInt32	Process ID of the target process.
`TargetProcessTime` Int64
`TargetProcess` UnicodeString
`Access` HexInt32
`SourceProcessStartKey` UInt64
`TargetProcessStartKey` UInt64	Kernel-assigned unique key for the target process.

Event ID 35: task_035

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`OriginalCreationTime` Int64
`OriginalLastAccessTime` Int64
`OriginalLastWriteTime` Int64
`OriginalChangeTime` Int64
`ModifiedCreationTime` Int64
`ModifiedLastAccessTime` Int64
`ModifiedLastWriteTime` Int64
`ModifiedChangeTime` Int64
`FileAttributes` HexInt32
`ProcessStartKey` UInt64

Event ID 36: task_036

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`AffectedProcessId` HexInt32
`AffectedProcessTime` Int64
`AffectedProcessStartKey` UInt64
`InlineCheck` Boolean

Event ID 37: task_037

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ImageName` UnicodeString
`ImageBase` Pointer
`ImageSize` UInt64
`DriverName` UnicodeString
`DriverObject` Pointer
`DriverInit` Pointer
`DriverStartIo` Pointer
`DriverUnload` Pointer
`MajorFunctionArraySize` UInt32
`MajorFunctionArray` Binary
`FastIoDispatchArraySize` UInt32
`FastIoDispatchArray` Binary
`SuspiciousDispatchBitmap` UInt64
`ContextInfoArraySize` UInt32
`ContextInfoArray` Binary

Event ID 38: task_038

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`OldFlags` UInt64
`NewFlags` UInt64

Event ID 39: task_039

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`SourceThreadId` HexInt32
`TargetThreadId` HexInt32	Thread ID in the target process.
`UserSid` SID
`TargetProcessId` HexInt32	Process ID of the target process.
`TargetProcessTime` Int64
`AccessMask` HexInt32	Access mask reference
`ProcessStartKey` UInt64
`TargetProcessStartKey` UInt64	Kernel-assigned unique key for the target process.

Event ID 40: task_040

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`FileAttributes` HexInt32
`ProcessStartKey` UInt64
`IsSensitive` Boolean
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 41: task_041

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`Value` UnicodeString
`ProcessStartKey` UInt64

Event ID 42: task_042_V2

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`FileAttributes` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`Dispositon` HexInt32
`ProcessStartKey` UInt64
`VolumeShadowCopy` Boolean
`FileOpenSource` HexInt32
`ShareAccess` UInt16
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 43: task_043_V1

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`FileName` UnicodeString
`NewFileName` UnicodeString
`FileAttributes` HexInt32
`ProcessStartKey` UInt64
`RequestSource` UInt8
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary

Event ID 44: task_044

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`FileName` UnicodeString
`ProcessStartKey` UInt64

Event ID 45: task_045

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`ProcessStartKey` UInt64
`SecurityInformation` HexInt32
`OriginalSecurityDescriptor` UnicodeString
`NewSecurityDescriptor` UnicodeString

Event ID 46: task_046

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`AffectedProcessId` HexInt32
`AffectedProcessTime` Int64
`AffectedProcessStartKey` UInt64
`InlineCheck` Boolean
`OriginalCommandLine` UnicodeString
`ModifiedCommandLine` UnicodeString
`CorruptedCommandLine` Boolean

Event ID 47: task_047

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`IoControlCode` HexInt32
`DeviceName` UnicodeString
`VolumeName` UnicodeString
`MaximumVolumeSpace` UInt64
`ApplicationGuid` GUID

Event ID 48: task_048

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`DriverName` UnicodeString
`DriverOriginalName` UnicodeString
`FunctionName` UnicodeString
`IsEnforced` Boolean

Event ID 49: task_049

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`DriverName` UnicodeString
`DriverOriginalName` UnicodeString
`TargetDevice` UnicodeString
`MajorFunction` HexInt32
`IoControlCode` HexInt32
`IsEnforced` Boolean

Event ID 50: task_050_V2

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`FileName` UnicodeString
`OperationBlocked` Boolean
`UserSid` SID
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary
`Tag` UInt32

Event ID 51: task_051_V1

Provider: Microsoft-Windows-SEC
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`KeyName` UnicodeString
`ValueName` UnicodeString
`RegistryOperations` UInt32
`OperationBlocked` Boolean

Event ID 52: task_052_V2

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`FileName` UnicodeString
`OperationBlocked` Boolean
`UserSid` SID
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary
`Tag` UInt32

Event ID 53: task_053

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`TimeBeforeAcquiringLock` UInt64
`TimeAfterAcquiringLock` UInt64
`TimeBeforeReleasingLock` UInt64
`StatusOplockAcquiring` UInt32
`StatusFileOpening` UInt32
`StatusDuplicateHandle` UInt32
`FileName` UnicodeString
`Access` HexInt32
`ShareMode` HexInt32
`OpenFlags` HexInt32

Event ID 54: task_054

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`TimeBeforeAcquiringLock` UInt64
`TimeAfterAcquiringLock` UInt64
`TimeBeforeReleasingLock` UInt64
`StatusBeforeRetry` UInt32
`StatusOfRetry` UInt32
`StatusAfterRetry` UInt32
`FileName` UnicodeString
`ProcessId` HexInt32
`ProcessStartKey` UInt64
`ProcessCreationTime` Int64
`IoFunction` UInt16
`Access` HexInt32
`ShareMode` HexInt32
`OpenFlags` HexInt32

Event ID 55: task_055

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`Value` UnicodeString
`ProcessStartKey` UInt64

Event ID 56: task_056_V2

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`FileName` UnicodeString
`OperationBlocked` Boolean
`UserSid` SID
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary
`Tag` UInt32

Event ID 57: task_057_V2

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ProcessStartKey` UInt64
`FileName` UnicodeString
`OperationBlocked` Boolean
`UserSid` SID
`ShareName` UnicodeString
`RemoteIpAddressLength` UInt32
`RemoteIpAddress` Binary
`Tag` UInt32

Event ID 58: task_058

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`ProcessId` HexInt32
`ProcessTime` Int64
`ThreadId` HexInt32
`UserSid` SID
`SessionId` HexInt32
`Key` UnicodeString
`ProcessStartKey` UInt64

Event ID 59: task_059

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`SuspiciousEntryIndex` UInt32
`TableSize` UInt32
`Table` Binary
`CodeSize` UInt32
`Code` Binary

Event ID 60: task_060

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`CurrentValue` Pointer
`OriginalValue` Pointer
`IsSynchronous` Boolean

Event ID 61: task_061

Provider: Microsoft-Windows-SEC
Channel: Operational

Fields #

Name	Description
`SequenceNumber` UInt64
`CurrentValue` Pointer
`OriginalValue` Pointer
`IsSynchronous` Boolean

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 16c6501a-ff2d-46ea-868d-8f96cb0cb52d

Defined in mssecflt.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.8821.27906.1000, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.8798.25857.1000, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)