Microsoft-Windows-Threat-Intelligence
34 events across 1 channel
Event ID 1: Remote Virtual Memory Allocation
Description #
A process allocated virtual memory in another process via NtAllocateVirtualMemory. Remote memory allocation is the first step in classic process injection techniques such as CreateRemoteThread and APC injection.
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse, so prefer it over the PID when joining events. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable, as a packed byte: bits 0-3 hold the SE_SIGNING_LEVEL value (0x0 Unchecked, 0x1 Unsigned, 0x4 Authenticode, 0x7 Antimalware, 0x8 Microsoft, 0xC Windows, 0xE WindowsTcb), bits 4-6 the signature type (3-bit field matching the WDK IMAGE_INFO ImageSignatureType:3 member: 0 None, 1 Embedded, 2 Cached, 3 CatalogCached, 4 CatalogNotCached, 5 CatalogHint, 6 PackageCatalog, 7 PplMitigated), bit 7 reserved. Example: 60 (0x3C) decodes as SE_SIGNING_LEVEL_WINDOWS (0x0C) with CatalogCached signature type (3 << 4 = 0x30). 0, as in the sample, is SE_SIGNING_LEVEL_UNCHECKED. |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process, using the same SE_SIGNING_LEVEL encoding in the low 4 bits. 0 means no DLL signing requirement is enforced. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process: bits 0-2 Type (0 None, 1 PPL, 2 PP), bit 3 Audit, bits 4-7 Signer (0 None, 1 Authenticode, 2 CodeGen, 3 Antimalware, 4 Lsa, 5 Windows, 6 WinTcb, 7 WinSystem, 8 App). Example: 49 (0x31) decodes as PPL with the Antimalware signer; 0 is an unprotected process. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory is being allocated. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable; same packed encoding as CallingProcessSignatureLevel. |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process; same encoding as CallingProcessSectionSignatureLevel. |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process; same encoding as CallingProcessProtection. A non-zero value means the caller holds a handle to a protected process, which should itself be rare. |
| OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle was duplicated or inherited. |
| OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
| OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
| OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original handle-owning process; same encoding as CallingProcessSignatureLevel. |
| OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original handle-owning process; same encoding as CallingProcessSectionSignatureLevel. |
| OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original handle-owning process; same encoding as CallingProcessProtection. |
| BaseAddress Pointer | Base virtual address of the allocated region in the target process. |
| RegionSize Pointer | Size of the allocated region in bytes, rounded up to page granularity (0x1000 in the sample). |
| AllocationType UInt32 | Memory allocation type bitmask (MEM_COMMIT 0x1000, MEM_RESERVE 0x2000, MEM_RESET 0x80000, MEM_TOP_DOWN 0x100000, MEM_LARGE_PAGES 0x20000000). MEM_RESERVE alone carves out an address range without backing it with physical or pagefile pages; touching reserve-only memory raises an access violation, so nothing can execute there. MEM_COMMIT (usually OR'd with MEM_RESERVE, giving 0x3000 = 12288 as in the sample) is the prerequisite for execution and is the meaningful injection signal. Filter on AllocationType & MEM_COMMIT (0x1000) to drop bare reservations. See Russinovich, Windows Internals Part 1, Ch 5 (Reserving and committing pages). |
| ProtectionMask UInt32 | Page protection requested for the region (PAGE_NOACCESS 0x01, PAGE_READONLY 0x02, PAGE_READWRITE 0x04, PAGE_WRITECOPY 0x08, PAGE_EXECUTE 0x10, PAGE_EXECUTE_READ 0x20, PAGE_EXECUTE_READWRITE 0x40, PAGE_EXECUTE_WRITECOPY 0x80, plus the modifiers PAGE_GUARD 0x100, PAGE_NOCACHE 0x200, PAGE_WRITECOMBINE 0x400). Any value with a bit set in 0xF0 grants execute; 64 (0x40) in the sample is PAGE_EXECUTE_READWRITE, the classic allocate-RWX-then-write shellcode pattern. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 1,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:54+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AllocationType": 12288,
"BaseAddress": "0x21893FD0000",
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OriginalProcessCreateTime": "2026-06-09 19:08:27Z",
"OriginalProcessId": 2432,
"OriginalProcessProtection": 0,
"OriginalProcessSectionSignatureLevel": 0,
"OriginalProcessSignatureLevel": 0,
"OriginalProcessStartKey": 7036874417766573,
"ProtectionMask": 64,
"RegionSize": "0x1000",
"TargetProcessCreateTime": "2026-06-09 19:08:53Z",
"TargetProcessId": 3924,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766589
},
"message": ""
}
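The field table above describes three packed encodings (the signing-level byte, the PS_PROTECTION byte, and the MEM_*/PAGE_* masks) and the MEM_COMMIT filter. The decoder below is an added example, not code from this page or from Microsoft: the constants are the public SE_SIGNING_LEVEL, PS_PROTECTED_TYPE/PS_PROTECTED_SIGNER and MEM_*/PAGE_* values, the function names are this example's own, and SAMPLE_ALLOCVM is trimmed from the example event above.

```python
"""Decode the packed fields of an EtwTi event 1 (Remote Virtual Memory Allocation) record."""

# SE_SIGNING_LEVEL values carried in bits 0-3 of *SignatureLevel
SIGNING_LEVELS = {
    0x0: "Unchecked", 0x1: "Unsigned", 0x2: "Enterprise", 0x3: "Custom1",
    0x4: "Authenticode", 0x5: "Custom2", 0x6: "Store", 0x7: "Antimalware",
    0x8: "Microsoft", 0x9: "Custom4", 0xA: "Custom5", 0xB: "DynamicCodegen",
    0xC: "Windows", 0xD: "Custom7", 0xE: "WindowsTcb", 0xF: "Custom6",
}
# signature type carried in bits 4-6 (order matches IMAGE_INFO.ImageSignatureType)
SIGNATURE_TYPES = ["None", "Embedded", "Cached", "CatalogCached",
                   "CatalogNotCached", "CatalogHint", "PackageCatalog", "PplMitigated"]
# PS_PROTECTION: bits 0-2 type, bit 3 audit, bits 4-7 signer
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                     4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_COMMIT = 0x1000
PAGE_EXECUTE_ANY = 0xF0          # any of the four execute protections
PAGE_WRITE_AND_EXECUTE = 0xC0    # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


def decode_signature_level(value: int) -> dict:
    """Split a *SignatureLevel byte: bits 0-3 level, bits 4-6 type, bit 7 reserved."""
    return {
        "level": SIGNING_LEVELS[value & 0x0F],
        "type": SIGNATURE_TYPES[(value >> 4) & 0x07],
        "reserved_bit7": bool(value & 0x80),
    }


def decode_ps_protection(value: int) -> dict:
    """Split a PS_PROTECTION byte: bits 0-2 type, bit 3 audit, bits 4-7 signer."""
    return {
        "type": PROTECTED_TYPES.get(value & 0x07, "Unknown(%d)" % (value & 0x07)),
        "audit": bool(value & 0x08),
        "signer": PROTECTED_SIGNERS.get(value >> 4, "Unknown(%d)" % (value >> 4)),
    }


def decode_flags(value: int, table: dict) -> list:
    """Name every known bit of a MEM_*/PAGE_* mask; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%X" % leftover)
    return names


def triage_allocvm(ed: dict) -> dict:
    """Apply the checks a remote-allocation rule would make on one event_data record."""
    alloc, prot = ed["AllocationType"], ed["ProtectionMask"]
    return {
        "committed": bool(alloc & MEM_COMMIT),              # bare MEM_RESERVE cannot run code
        "executable": bool(prot & PAGE_EXECUTE_ANY),
        "writable_executable": bool(prot & PAGE_WRITE_AND_EXECUTE),
        "caller_level": decode_signature_level(ed["CallingProcessSignatureLevel"])["level"],
        "caller_signer": decode_ps_protection(ed["CallingProcessProtection"])["signer"],
        "target_protected": decode_ps_protection(ed["TargetProcessProtection"])["type"] != "None",
        # a duplicated or inherited handle shows up as a different Original* process
        "handle_not_callers": ed["OriginalProcessStartKey"] != ed["CallingProcessStartKey"],
    }


# Trimmed from the page's EID 1 example event: AllocationType 12288 = 0x3000, ProtectionMask 64 = 0x40.
SAMPLE_ALLOCVM = {
    "AllocationType": 12288, "ProtectionMask": 64,
    "CallingProcessSignatureLevel": 0, "CallingProcessProtection": 0,
    "TargetProcessProtection": 0,
    "CallingProcessStartKey": 7036874417766573, "OriginalProcessStartKey": 7036874417766573,
}

if __name__ == "__main__":
    print(decode_signature_level(0x3C))    # the worked value from the field table
    print(decode_ps_protection(0x31))
    print(decode_flags(SAMPLE_ALLOCVM["AllocationType"], MEM_FLAGS))
    print(triage_allocvm(SAMPLE_ALLOCVM))
```

Running it against the sample record reports a committed, writable-and-executable allocation by an unchecked, unprotected caller into an unprotected target through the caller's own handle, which is the combination a rule would alert on; a MEM_RESERVE-only record or a PAGE_READWRITE allocation drops out at the first two checks.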
Detection Patterns #
Process Injection
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. The EventType predicates listed here are Microsoft Defender Advanced Hunting DeviceEvents ActionType values that mirror the EtwTi events; the rules are written against that surface rather than against the raw ETW field names above.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto |
Detection Rules #
View all rules referencing this event: Kusto (view in coverage).
References #
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Peeling Back the Mask (Jonathan Johnson / jsecurity101): kernel access-check walkthrough (EtwpCheckNotificationAccess > EtwCheckSecurityLoggerAccess > RtlTestProtectedAccess) that gates the provider to PS_PROTECTION_ANTIMALWARE_LIGHT consumers. Explains why only MDE Sense or an ELAM-signed PPL collector can subscribe. https://jonny-johnson.medium.com/peeling-back-the-mask-how-the-threat-intelligence-provider-is-protected-9968c38c5481
- MDE Internals 0x02 (Olaf Hartong / FalconForce): documents the ELAM-signed PPL driver requirement to subscribe to Microsoft-Windows-Threat-Intelligence and enumerates the roughly 111 ETW providers MDE consumes. https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x02-audit-settings-and-telemetry-1d0af3ebfb27
- ETW internals for security research and forensics (Trail of Bits, Yarden Shafir): provider/consumer/logger terminology and a GuidsForLoggerId walkthrough for enumerating which loggers a provider feeds. Background for how EtwTi sits among the security-related ETW channels EDRs consume. https://blog.trailofbits.com/2023/11/22/etw-internals-for-security-research-and-forensics/
- SealighterTI (pathtofile): research tool combining the Sealighter ETW logger with the PPLDump exploit to subscribe to Microsoft-Windows-Threat-Intelligence without a signed PPL driver. The PPLDump path is patched on Windows 10 21H2 19044.1826 and later; modern captures rely on a separately-signed ELAM driver such as pplrunner. https://github.com/pathtofile/SealighterTI
- Win32 VirtualAllocEx API reference: lpAddress, dwSize, flAllocationType (MEM_COMMIT / MEM_RESERVE / MEM_RESET / MEM_TOP_DOWN), flProtect (PAGE_* constants). The documented user-mode wrapper whose call into NtAllocateVirtualMemory triggers EID 1. https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
Event ID 2: Remote Virtual Memory Protection Change
Description #
A process changed memory protection in another process via NtProtectVirtualMemory. Changing remote memory from RW to RX is a hallmark of shellcode injection: the attacker writes payload bytes, then marks them executable. The kernel logs this event only when the new or the current protection includes execute (see the undev.ninja reference below), so pure read/write reprotections never appear here.
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse, so prefer it over the PID when joining events. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable, as a packed byte: bits 0-3 hold the SE_SIGNING_LEVEL value (0x0 Unchecked, 0x1 Unsigned, 0x4 Authenticode, 0x7 Antimalware, 0x8 Microsoft, 0xC Windows, 0xE WindowsTcb), bits 4-6 the signature type (WDK IMAGE_INFO ImageSignatureType:3; 0 None, 1 Embedded, 2 Cached, 3 CatalogCached, 4 CatalogNotCached, 5 CatalogHint, 6 PackageCatalog, 7 PplMitigated), bit 7 reserved. Example: 60 (0x3C) decodes as SE_SIGNING_LEVEL_WINDOWS (0x0C) with CatalogCached signature type (3 << 4 = 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process, using the same SE_SIGNING_LEVEL encoding in the low 4 bits. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process: bits 0-2 Type (0 None, 1 PPL, 2 PP), bit 3 Audit, bits 4-7 Signer (0 None, 1 Authenticode, 2 CodeGen, 3 Antimalware, 4 Lsa, 5 Windows, 6 WinTcb, 7 WinSystem, 8 App). Example: 49 (0x31) decodes as PPL with the Antimalware signer; 0 is an unprotected process. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory is being reprotected. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable; same packed encoding as CallingProcessSignatureLevel. |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process; same encoding as CallingProcessSectionSignatureLevel. |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process; same encoding as CallingProcessProtection. |
| OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle was duplicated or inherited. |
| OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
| OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
| OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original handle-owning process; same encoding as CallingProcessSignatureLevel. |
| OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original handle-owning process; same encoding as CallingProcessSectionSignatureLevel. |
| OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original handle-owning process; same encoding as CallingProcessProtection. |
| BaseAddress Pointer | Base virtual address of the region whose protection is being changed. |
| RegionSize UInt64 | Size of the reprotected region in bytes. |
| ProtectionMask UInt32 | New page protection requested by the call (PAGE_NOACCESS 0x01, PAGE_READONLY 0x02, PAGE_READWRITE 0x04, PAGE_WRITECOPY 0x08, PAGE_EXECUTE 0x10, PAGE_EXECUTE_READ 0x20, PAGE_EXECUTE_READWRITE 0x40, PAGE_EXECUTE_WRITECOPY 0x80; modifiers PAGE_GUARD 0x100, PAGE_NOCACHE 0x200, PAGE_WRITECOMBINE 0x400). Any bit in 0xF0 grants execute; 32 (0x20) in the sample is PAGE_EXECUTE_READ. |
| LastProtectionMask UInt32 | Page protection in effect before this NtProtectVirtualMemory call, same encoding. Compare with ProtectionMask: an old value without execute bits (0xF0) and a new value with them is the RW-to-RX transition; an old PAGE_EXECUTE_READWRITE (0x40) and new PAGE_EXECUTE_READ (0x20), as in the sample, is an RWX region being locked down after the payload was written. |
| VaVadQueryResult UInt32 | NTSTATUS returned by the kernel's VAD lookup for the target address; 0 (STATUS_SUCCESS) means the remaining VaVad* fields are populated. |
| VaVadAllocationBase Pointer | Base address of the VAD entry (the original allocation) that contains the target address. |
| VaVadAllocationProtect UInt32 | Protection the region was created with (PAGE_* value from the initial allocation or map). Still 64 (0x40) in the sample even though the call is dropping write, so it records how the memory started life. |
| VaVadRegionType UInt32 | Type of the VAD region: MEM_PRIVATE 0x20000 (131072, anonymous memory), MEM_MAPPED 0x40000 (262144, data-file or pagefile-backed section) or MEM_IMAGE 0x1000000 (16777216, mapped PE image). Executable private memory with no backing file is the shellcode case. |
| VaVadRegionSize Pointer | Total size of the VAD region. |
| VaVadCommitSize Pointer | Amount of committed (RAM- or pagefile-backed) memory in the VAD region. |
| VaVadMmfName UnicodeString | NT device path of the file backing this VAD region, if any. Empty for private (anonymous) allocations. |
| TargetAddress Pointer | Target virtual address within the protection-change region (PROTECTVM v3); equal to BaseAddress in the sample. |
| FullRegionSize UInt64 | Full size of the containing memory region (PROTECTVM v3). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 2,
"version": 3,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:54+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0x21893FD0000",
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"FullRegionSize": 4096,
"LastProtectionMask": 64,
"OriginalProcessCreateTime": "2026-06-09 19:08:27Z",
"OriginalProcessId": 2432,
"OriginalProcessProtection": 0,
"OriginalProcessSectionSignatureLevel": 0,
"OriginalProcessSignatureLevel": 0,
"OriginalProcessStartKey": 7036874417766573,
"ProtectionMask": 32,
"RegionSize": 4096,
"TargetAddress": "0x21893FD0000",
"TargetProcessCreateTime": "2026-06-09 19:08:53Z",
"TargetProcessId": 3924,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766589,
"VaVadAllocationBase": "0x21893FD0000",
"VaVadAllocationProtect": 64,
"VaVadCommitSize": "0x1000",
"VaVadMmfName": "",
"VaVadQueryResult": 0,
"VaVadRegionSize": "0x1000",
"VaVadRegionType": 131072
},
"message": ""
}
Detection Patterns #
Stealth: Process Injection
1 rule
Community Notes #
This sample is a v3 record, which adds FullRegionSize, LastProtectionMask, TargetAddress, and the VaVad* fields. The provider also emits v1 records for the same event ID, which carry a reduced field set.
Detection Rules #
View all rules referencing this event: Kusto (view in coverage).
References #
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Introduction to Threat Intelligence ETW (undev.ninja): EtwTiLogProtectExecVm kernel callback, NtProtectVirtualMemory user-mode entry, and the MiMakeProtectionMask logging gate that fires when the new or current page protection has execute. https://undev.ninja/introduction-to-threat-intelligence-etw/
Event ID 3: Remote Section Map
Description #
A process mapped a section object into another process via NtMapViewOfSection. Section-based injection uses shared memory mappings to transfer code between processes without calling WriteProcessMemory. Section objects are the kernel primitive that both file mappings and executable images ride on; mapping a section with SECTION_MAP_EXECUTE into a foreign process is the kernel-side mechanism behind classic process hollowing and Module Stomping. See Russinovich, Windows Internals Part 1, Ch 5 (Section objects).
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse, so prefer it over the PID when joining events. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable, as a packed byte: bits 0-3 hold the SE_SIGNING_LEVEL value (0x0 Unchecked, 0x1 Unsigned, 0x4 Authenticode, 0x7 Antimalware, 0x8 Microsoft, 0xC Windows, 0xE WindowsTcb), bits 4-6 the signature type (WDK IMAGE_INFO ImageSignatureType:3; 0 None, 1 Embedded, 2 Cached, 3 CatalogCached, 4 CatalogNotCached, 5 CatalogHint, 6 PackageCatalog, 7 PplMitigated), bit 7 reserved. Example: 60 (0x3C) decodes as SE_SIGNING_LEVEL_WINDOWS (0x0C) with CatalogCached signature type (3 << 4 = 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process, using the same SE_SIGNING_LEVEL encoding in the low 4 bits. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process: bits 0-2 Type (0 None, 1 PPL, 2 PP), bit 3 Audit, bits 4-7 Signer (0 None, 1 Authenticode, 2 CodeGen, 3 Antimalware, 4 Lsa, 5 Windows, 6 WinTcb, 7 WinSystem, 8 App). Example: 49 (0x31) decodes as PPL with the Antimalware signer; 0 is an unprotected process. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process into which the view is mapped. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable; same packed encoding as CallingProcessSignatureLevel. |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process; same encoding as CallingProcessSectionSignatureLevel. |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process; same encoding as CallingProcessProtection. |
| BaseAddress Pointer | Base virtual address at which the view was mapped in the target process. |
| ViewSize Pointer | Size of the mapped view in bytes. |
| AllocationType UInt32 | Allocation flags passed to NtMapViewOfSection (for example MEM_TOP_DOWN 0x100000 or MEM_LARGE_PAGES 0x20000000); 0 in the sample. Note that this event has no Original* handle-owner fields. |
| ProtectionMask UInt32 | Page protection requested for the view (same PAGE_* constants as the allocation event; any bit in 0xF0 grants execute). 64 (0x40) in the sample is PAGE_EXECUTE_READWRITE, which makes the shared view both writable and executable in the target, so the caller can write code through its own view and have it run in the target without a WriteProcessMemory call. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 3,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:54+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AllocationType": 0,
"BaseAddress": "0x21893FE0000",
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"ProtectionMask": 64,
"TargetProcessCreateTime": "2026-06-09 19:08:53Z",
"TargetProcessId": 3924,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766589,
"ViewSize": "0x1000"
},
"message": ""
}
Detection Patterns #
Process Injection
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis. The EventType predicates listed here are Microsoft Defender Advanced Hunting DeviceEvents ActionType values that mirror the EtwTi events; the rules are written against that surface rather than against the raw ETW field names above.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto |
| EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto |
| EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto |
| EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto |
| EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto |
Event ID 4: Remote APC Queue
Description #
A process queued an asynchronous procedure call to a thread in another process via NtQueueApcThread. APC injection delivers shellcode by routing execution through the target thread's APC queue: a user-mode APC runs when the thread next enters an alertable wait, so the payload executes on a legitimate thread without a new thread being created.
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse, so prefer it over the PID when joining events. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable, as a packed byte: bits 0-3 hold the SE_SIGNING_LEVEL value (0x0 Unchecked, 0x1 Unsigned, 0x4 Authenticode, 0x7 Antimalware, 0x8 Microsoft, 0xC Windows, 0xE WindowsTcb), bits 4-6 the signature type (WDK IMAGE_INFO ImageSignatureType:3; 0 None, 1 Embedded, 2 Cached, 3 CatalogCached, 4 CatalogNotCached, 5 CatalogHint, 6 PackageCatalog, 7 PplMitigated), bit 7 reserved. Example: 60 (0x3C) decodes as SE_SIGNING_LEVEL_WINDOWS (0x0C) with CatalogCached signature type (3 << 4 = 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process, using the same SE_SIGNING_LEVEL encoding in the low 4 bits. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process: bits 0-2 Type (0 None, 1 PPL, 2 PP), bit 3 Audit, bits 4-7 Signer (0 None, 1 Authenticode, 2 CodeGen, 3 Antimalware, 4 Lsa, 5 Windows, 6 WinTcb, 7 WinSystem, 8 App). Example: 49 (0x31) decodes as PPL with the Antimalware signer; 0 is an unprotected process. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the process that owns the thread receiving the APC. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable; same packed encoding as CallingProcessSignatureLevel. |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process; same encoding as CallingProcessSectionSignatureLevel. |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process; same encoding as CallingProcessProtection. |
| TargetThreadId UInt32 | Thread ID of the thread whose APC queue received the call. |
| TargetThreadCreateTime FILETIME | Creation timestamp of the target thread. |
| OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the thread handle used for this operation. Differs from CallingProcessId when a handle was duplicated or inherited. |
| OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
| OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
| OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original handle-owning process; same encoding as CallingProcessSignatureLevel. |
| OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original handle-owning process; same encoding as CallingProcessSectionSignatureLevel. |
| OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original handle-owning process; same encoding as CallingProcessProtection. |
| TargetThreadAlertable UInt8 | Whether the target thread was in an alertable wait when the APC was queued (1 = alertable, 0 = not). A user-mode APC is delivered only when the thread next performs an alertable wait, so 0 (as in the sample) means delivery is deferred, not that the payload will never run. |
| ApcRoutine Pointer | Virtual address of the APC routine in the target process. |
| ApcArgument1 Pointer | First argument passed to the APC routine. |
| ApcArgument2 Pointer | Second argument passed to the APC routine. |
| ApcArgument3 Pointer | Third argument passed to the APC routine. |
| RealEventTime FILETIME | Time the operation actually occurred. May differ from the ETW event timestamp because of buffering. |
| ApcRoutineVadQueryResult UInt32 | NTSTATUS returned by the kernel's VAD lookup for the APC routine address; 0 (STATUS_SUCCESS) means the ApcRoutineVad* fields are populated. |
| ApcRoutineVadAllocationBase Pointer | Base address of the VAD entry containing the APC routine. |
| ApcRoutineVadAllocationProtect UInt32 | Protection the VAD region holding the APC routine was created with (PAGE_* value). 128 (0x80, PAGE_EXECUTE_WRITECOPY) in the sample is the normal protection of a mapped image. |
| ApcRoutineVadRegionType UInt32 | VAD region type for the APC routine address: MEM_PRIVATE 0x20000 (131072), MEM_MAPPED 0x40000 (262144) or MEM_IMAGE 0x1000000 (16777216). A routine in private memory is shellcode queued directly; a routine inside an image (ntdll.dll in the sample) combined with an ApcArgument1 that points into private executable memory is consistent with a legitimate export being used as a trampoline to the payload. |
| ApcRoutineVadRegionSize Pointer | VAD region size for the APC routine address. |
| ApcRoutineVadCommitSize Pointer | Committed size in the VAD region for the APC routine address. |
| ApcRoutineVadMmfName UnicodeString | NT device path of the file backing the APC routine's region, if any; empty for private memory. |
| ApcArgument1VadQueryResult UInt32 | NTSTATUS returned by the VAD lookup for ApcArgument1; 0 means the ApcArgument1Vad* fields are populated. |
| ApcArgument1VadAllocationBase Pointer | Base address of the VAD entry for ApcArgument1. |
| ApcArgument1VadAllocationProtect UInt32 | Protection the VAD region holding ApcArgument1 was created with (PAGE_* value); 64 (0x40, PAGE_EXECUTE_READWRITE) in the sample. |
| ApcArgument1VadRegionType UInt32 | VAD region type for ApcArgument1 (MEM_PRIVATE 0x20000, MEM_MAPPED 0x40000, MEM_IMAGE 0x1000000). |
| ApcArgument1VadRegionSize Pointer | VAD region size for ApcArgument1. |
| ApcArgument1VadCommitSize Pointer | Committed size in the VAD region for ApcArgument1. |
| ApcArgument1VadMmfName UnicodeString | NT device path of the file backing the ApcArgument1 region, if any; empty for private memory. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 4,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:54+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 68
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ApcArgument1": "0x21893FD0000",
"ApcArgument1VadAllocationBase": "0x21893FD0000",
"ApcArgument1VadAllocationProtect": 64,
"ApcArgument1VadCommitSize": "0x1000",
"ApcArgument1VadMmfName": "",
"ApcArgument1VadQueryResult": 0,
"ApcArgument1VadRegionSize": "0x1000",
"ApcArgument1VadRegionType": 131072,
"ApcArgument2": "0x0",
"ApcArgument3": "0x0",
"ApcRoutine": "0x7FFEAF713970",
"ApcRoutineVadAllocationBase": "0x7FFEAF6A0000",
"ApcRoutineVadAllocationProtect": 128,
"ApcRoutineVadCommitSize": "0xF000",
"ApcRoutineVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll",
"ApcRoutineVadQueryResult": 0,
"ApcRoutineVadRegionSize": "0x26C000",
"ApcRoutineVadRegionType": 16777216,
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OriginalProcessCreateTime": "2026-06-09 19:08:27Z",
"OriginalProcessId": 2432,
"OriginalProcessProtection": 0,
"OriginalProcessSectionSignatureLevel": 0,
"OriginalProcessSignatureLevel": 0,
"OriginalProcessStartKey": 7036874417766573,
"RealEventTime": "2026-06-09 19:08:54Z",
"TargetProcessCreateTime": "2026-06-09 19:08:53Z",
"TargetProcessId": 3924,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766589,
"TargetThreadAlertable": 0,
"TargetThreadCreateTime": "2026-06-09 19:08:53Z",
"TargetThreadId": 6132
},
"message": ""
}
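The three example events for IDs 1, 2 and 4 share the same CallingProcessStartKey and TargetProcessStartKey, and the region allocated in event 1 (0x21893FD0000) is the region reprotected in event 2 and the ApcArgument1 of event 4, whose ApcRoutine lives inside ntdll.dll. The correlation below is an added example, not code from this page or from Microsoft: it joins on the StartKey pair rather than on PIDs, uses the VaVad* fields to tell private shellcode memory from image-backed code, and reports which stages of the chain it saw. The stage names and function names are this example's own; SAMPLE_EVENTS is trimmed from the page's example events.

```python
"""Correlate EtwTi events 1, 2 and 4 from one caller/target pair into an injection chain."""
from collections import defaultdict

MEM_COMMIT = 0x1000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_EXECUTE_ANY = 0xF0          # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY
PAGE_WRITE_AND_EXECUTE = 0xC0    # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


def _num(v):
    """Pointer fields arrive as hex strings ("0x1000"); integer fields as ints."""
    return int(v, 16) if isinstance(v, str) else int(v)


def _inside(addr, regions):
    return any(base <= addr < base + size for base, size in regions)


def analyse(events):
    """Return {(caller StartKey, target StartKey): [stage, ...]} for each pair seen."""
    by_pair = defaultdict(list)
    for eid, ed in events:
        by_pair[(ed["CallingProcessStartKey"], ed["TargetProcessStartKey"])].append((eid, ed))

    report = {}
    for pair, evs in by_pair.items():
        exec_regions, stages = [], []      # (base, size) of executable memory seen so far
        for eid, ed in evs:                # records are assumed to be in time order
            if eid == 1:                   # Remote Virtual Memory Allocation
                if ed["AllocationType"] & MEM_COMMIT and ed["ProtectionMask"] & PAGE_EXECUTE_ANY:
                    exec_regions.append((_num(ed["BaseAddress"]), _num(ed["RegionSize"])))
                    stages.append("remote_exec_alloc")
            elif eid == 2:                 # Remote Virtual Memory Protection Change
                old, new = ed["LastProtectionMask"], ed["ProtectionMask"]
                if new & PAGE_EXECUTE_ANY and not old & PAGE_EXECUTE_ANY:
                    stages.append("rw_to_rx")      # payload written, then made executable
                elif old & PAGE_WRITE_AND_EXECUTE and new & PAGE_EXECUTE_ANY \
                        and not new & PAGE_WRITE_AND_EXECUTE:
                    stages.append("rwx_to_rx")     # RWX region locked down after writing
                if new & PAGE_EXECUTE_ANY and ed["VaVadRegionType"] == MEM_PRIVATE \
                        and not ed["VaVadMmfName"]:
                    exec_regions.append((_num(ed["BaseAddress"]), _num(ed["RegionSize"])))
                    stages.append("private_exec_reprotect")   # executable anonymous memory
            elif eid == 4:                 # Remote APC Queue
                routine_in_image = (ed["ApcRoutineVadRegionType"] == MEM_IMAGE
                                    and bool(ed["ApcRoutineVadMmfName"]))
                arg_in_exec = _inside(_num(ed["ApcArgument1"]), exec_regions)
                if routine_in_image and arg_in_exec:
                    # legitimate image export as the routine, payload address as its argument
                    stages.append("apc_image_routine_arg_in_exec")
                elif ed["ApcRoutineVadRegionType"] == MEM_PRIVATE:
                    stages.append("apc_routine_in_private")   # shellcode queued directly
                if not ed["TargetThreadAlertable"]:
                    stages.append("target_not_alertable")    # runs at the next alertable wait
        report[pair] = stages
    return report


def is_injection_chain(stages):
    """Executable memory placed in the target and then reached through an APC."""
    placed = {"remote_exec_alloc", "rw_to_rx", "private_exec_reprotect"} & set(stages)
    return bool(placed) and any(s.startswith("apc_") for s in stages)


# Trimmed from the page's example events; all three share the same caller/target StartKeys.
SAMPLE_EVENTS = [
    (1, {"CallingProcessStartKey": 7036874417766573, "TargetProcessStartKey": 7036874417766589,
         "BaseAddress": "0x21893FD0000", "RegionSize": "0x1000",
         "AllocationType": 12288, "ProtectionMask": 64}),
    (2, {"CallingProcessStartKey": 7036874417766573, "TargetProcessStartKey": 7036874417766589,
         "BaseAddress": "0x21893FD0000", "RegionSize": 4096,
         "LastProtectionMask": 64, "ProtectionMask": 32,
         "VaVadRegionType": 131072, "VaVadMmfName": ""}),
    (4, {"CallingProcessStartKey": 7036874417766573, "TargetProcessStartKey": 7036874417766589,
         "ApcRoutine": "0x7FFEAF713970", "ApcRoutineVadRegionType": 16777216,
         "ApcRoutineVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll",
         "ApcArgument1": "0x21893FD0000", "ApcArgument1VadRegionType": 131072,
         "TargetThreadAlertable": 0}),
]

if __name__ == "__main__":
    for pair, stages in analyse(SAMPLE_EVENTS).items():
        print(pair, stages, "INJECTION" if is_injection_chain(stages) else "no chain")
```

The join key matters: the sample's PIDs (2432 and 3924) are reused by Windows, while the StartKey pair stays unique for the life of the machine, and joining on it also survives the case where the EID 4 record is logged from the System process context (execution process_id 4 in the sample) rather than from the caller. The BaseAddress/ApcArgument1 overlap is what separates this chain from a benign cross-process APC whose argument is an ordinary heap pointer.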
Detection Patterns #
Process Injection
Detection Rules #
View all rules referencing this event: Kusto (view in coverage).
References #
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Bypassing the EtwTi Kernel APC Injection Sensor (Philip Tsukerman): documents the THREATINT_QUEUEUSERAPC_REMOTE_KERNEL_CALLER firing condition (calling process != APC target process AND provider enabled AND either a user-mode APC or a kernel APC routed through KeSpecialUserApcKernelRoutine), and shows a kernel proxy-APC bypass that satisfies the same-process check from within the target. https://medium.com/@philiptsukerman/bypassing-the-microsoft-windows-threat-intelligence-kernel-apc-injection-sensor-92266433e0b0
- FalconFriday 0xFF-0088: Process injection via QueueUserApcRemoteApiCall by rare or unsigned processes. KQL on DeviceEvents.ActionType == "QueueUserApcRemoteApiCall", the Defender Advanced Hunting surface that mirrors EtwTi EID 4 (Remote APC Queue). https://github.com/FalconForceTeam/FalconFriday/blob/main/0xFF-0088-Process_injection_via_QueueUserApcRemoteApiCall_by_rare_or_unsigned_processes-Win.md
Event ID 5: Remote Thread Context Change
Description #
A process modified a thread's register context in another process via NtSetContextThread. Thread hijacking overwrites the instruction pointer to redirect execution to injected code.
Fields #
| Name | Description |
|---|---|
| CallingProcessId (UInt32) | Process ID of the process initiating the operation. |
| CallingProcessCreateTime (FILETIME) | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey (UInt64) | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel (UInt8) | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection (UInt8) | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId (UInt32) | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime (FILETIME) | Creation timestamp of the calling thread. |
| TargetProcessId (UInt32) | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime (FILETIME) | Creation timestamp of the target process. |
| TargetProcessStartKey (UInt64) | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel (UInt8) | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection (UInt8) | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| TargetThreadId (UInt32) | Thread ID in the target process. |
| TargetThreadCreateTime (FILETIME) | Creation timestamp of the target thread. |
| ContextFlags (UInt32) | CONTEXT_* bitmask indicating which register groups are being set (CONTEXT_CONTROL=0x100001, CONTEXT_INTEGER=0x100002, CONTEXT_FULL=0x10000B on AMD64). Bitmask flags |
| ContextMask (UInt16) | Additional context mask for the operation. |
| Pc (Pointer) | Program counter (RIP on x64) value being set on the target thread. |
| Sp (Pointer) | Stack pointer (RSP on x64) value being set. |
| Lr (Pointer) | Link register value (ARM). Zero on x64. |
| Fp (Pointer) | Frame pointer value (RBP on x64). |
| Reg0 (Pointer) | General-purpose register value (RAX on x64). |
| Reg1 (Pointer) | General-purpose register value (RCX on x64). |
| Reg2 (Pointer) | General-purpose register value (RDX on x64). |
| Reg3 (Pointer) | General-purpose register value (RBX on x64). |
| Reg4 (Pointer) | General-purpose register value (RSI on x64). |
| Reg5 (Pointer) | General-purpose register value (RDI on x64). |
| Reg6 (Pointer) | General-purpose register value (R8 on x64). |
| Reg7 (Pointer) | General-purpose register value (R9 on x64). |
| RealEventTime (FILETIME) | Actual time the operation occurred. May differ from the ETW event timestamp due to buffering. |
| PcVadQueryResult (UInt32) | NTSTATUS result of the VAD probe for the new instruction pointer address. NTSTATUS reference |
| PcVadAllocationBase (Pointer) | Base address of the VAD entry containing the new instruction pointer. |
| PcVadAllocationProtect (UInt32) | Original protection of the VAD entry for the instruction pointer address. Bitmask flags |
| PcVadRegionType (UInt32) | VAD region type for the instruction pointer address. Known values |
| PcVadRegionSize (Pointer) | VAD region size for the instruction pointer address. |
| PcVadCommitSize (Pointer) | Committed size in the VAD region for the instruction pointer address. |
| PcVadMmfName (UnicodeString) | Memory-mapped file path for the instruction pointer address, if any. Empty for unbacked (shellcode) regions. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 5,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:54+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 272
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"ContextFlags": 1048607,
"ContextMask": 3,
"Fp": "0x0",
"Lr": "0x0",
"Pc": "0x7FFEAF8032B4",
"PcVadAllocationBase": "0x7FFEAF6A0000",
"PcVadAllocationProtect": 128,
"PcVadCommitSize": "0xF000",
"PcVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll",
"PcVadQueryResult": 0,
"PcVadRegionSize": "0x26C000",
"PcVadRegionType": 16777216,
"RealEventTime": "2026-06-09 19:08:54Z",
"Reg0": "0x4",
"Reg1": "0x300",
"Reg2": "0x0",
"Reg3": "0x300",
"Reg4": "0xBB8",
"Reg5": "0x0",
"Reg6": "0xF70B5EF668",
"Reg7": "0x4",
"Sp": "0xF70B5EF638",
"TargetProcessCreateTime": "2026-06-09 19:08:53Z",
"TargetProcessId": 3924,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766589,
"TargetThreadCreateTime": "2026-06-09 19:08:53Z",
"TargetThreadId": 6132
},
"message": ""
}
Detection Patterns #
Process Injection
Community Notes #
ContextFlags 0x10001F (1048607) is CONTEXT_AMD64 | CONTROL | INTEGER | SEGMENTS | FLOATING_POINT | DEBUG_REGISTERS, i.e. CONTEXT_ALL on x64. Pc (0x7FFEAF8032B4, inside ntdll), Sp (0xF70B5EF638), and the Reg0-Reg7 integer registers are populated from the captured target thread's actual state. Fp and Lr read zero because those slots are ARM register names that the kernel does not populate for an AMD64 thread; they appear in the event schema for cross-architecture compatibility.
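As an added example (not code from the original page), the following Python decodes the ContextFlags value of the record above and re-checks the new Pc against the PcVad* fields, assuming the public winnt.h CONTEXT_* and MEM_IMAGE constants; SAMPLE_EID5 carries the event_data of the example above.

```python
# Added example, not part of the original page: decode AMD64 ContextFlags of an
# EID 5 record and classify where the hijacked thread will resume, using the
# PcVad* probe the kernel already performed. CONTEXT_* and MEM_IMAGE are the
# public winnt.h constants; SAMPLE_EID5 is the event_data of the sample above.
CONTEXT_AMD64 = 0x00100000
CONTEXT_FLAG_BITS = {
    0x01: "CONTEXT_CONTROL",
    0x02: "CONTEXT_INTEGER",
    0x04: "CONTEXT_SEGMENTS",
    0x08: "CONTEXT_FLOATING_POINT",
    0x10: "CONTEXT_DEBUG_REGISTERS",
}
MEM_IMAGE = 0x01000000  # VAD region type of an image-backed mapping

SAMPLE_EID5 = {
    "CallingProcessId": 2432,
    "TargetProcessId": 3924,
    "ContextFlags": 1048607,
    "Pc": "0x7FFEAF8032B4",
    "Sp": "0xF70B5EF638",
    "PcVadQueryResult": 0,
    "PcVadAllocationBase": "0x7FFEAF6A0000",
    "PcVadRegionSize": "0x26C000",
    "PcVadRegionType": 16777216,
    "PcVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll",
}


def decode_context_flags(flags: int) -> list:
    """Split an AMD64 ContextFlags value into its CONTEXT_* components."""
    if (flags & 0xFFF00000) != CONTEXT_AMD64:
        raise ValueError(f"not an AMD64 ContextFlags value: {flags:#x}")
    names = [name for bit, name in CONTEXT_FLAG_BITS.items() if flags & bit]
    unknown = flags & ~(CONTEXT_AMD64 | sum(CONTEXT_FLAG_BITS))
    if unknown:
        names.append(f"UNKNOWN({unknown:#x})")
    return names


def assess_pc(ev: dict) -> dict:
    """Classify the new instruction pointer of an EID 5 record.

    Verdicts: vad_probe_failed (kernel could not resolve Pc), pc_outside_reported_vad
    (Pc not inside the VAD the kernel reported), image_backed (Pc inside a mapped
    image, module name available) or unbacked_target (no file behind the region,
    the shape of a resume into injected code).
    """
    pc = int(ev["Pc"], 16)
    base = int(ev["PcVadAllocationBase"], 16)
    size = int(ev["PcVadRegionSize"], 16)
    mmf = ev.get("PcVadMmfName", "")
    probe_ok = ev["PcVadQueryResult"] == 0
    in_region = probe_ok and base <= pc < base + size

    if not probe_ok:
        verdict = "vad_probe_failed"
    elif not in_region:
        verdict = "pc_outside_reported_vad"
    elif mmf and ev["PcVadRegionType"] == MEM_IMAGE:
        verdict = "image_backed"
    else:
        verdict = "unbacked_target"

    return {
        "remote": ev["CallingProcessId"] != ev["TargetProcessId"],
        "context": decode_context_flags(ev["ContextFlags"]),
        "verdict": verdict,
        "module": mmf.rsplit("\\", 1)[-1] if mmf else None,
        "offset": pc - base if in_region else None,  # offset of Pc inside the VAD
    }


if __name__ == "__main__":
    print(assess_pc(SAMPLE_EID5))
```

In the sample the caller (2432) sets a full CONTEXT_ALL on a thread of another process (3924) and the new Pc resolves 0x1632B4 bytes into ntdll.dll, so the record alone does not show an unbacked target; the same function flags a record whose PcVadMmfName is empty.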
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- EtwTi and hardware breakpoints (Praetorian): documents both syscalls that trigger EID 5. NtSetContextThread (the native API behind SetThreadContext) AND NtSetInformationThread called with ThreadWow64Context both raise this event. The WoW64 path is what attackers use to set hardware breakpoints in 32-bit subprocesses. https://www.praetorian.com/blog/etw-threat-intelligence-and-hardware-breakpoints/
Event ID 6: Local Virtual Memory Allocation
#Description
A process allocated virtual memory within its own address space via NtAllocateVirtualMemory. Logged when the allocation's protection attributes or the caller's protection level meets the provider's logging threshold.
Fields #
| Name | Description |
|---|---|
| CallingProcessId (UInt32) | Process ID of the process initiating the operation. |
| CallingProcessCreateTime (FILETIME) | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey (UInt64) | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel (UInt8) | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection (UInt8) | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId (UInt32) | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime (FILETIME) | Creation timestamp of the calling thread. |
| TargetProcessId (UInt32) | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime (FILETIME) | Creation timestamp of the target process. |
| TargetProcessStartKey (UInt64) | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel (UInt8) | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection (UInt8) | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| OriginalProcessId (UInt32) | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
| OriginalProcessCreateTime (FILETIME) | Creation timestamp of the original handle-owning process. |
| OriginalProcessStartKey (UInt64) | Kernel-assigned unique key for the original handle-owning process. |
| OriginalProcessSignatureLevel (UInt8) | Code integrity signing level of the original process. Bitmask flags |
| OriginalProcessSectionSignatureLevel (UInt8) | Minimum DLL signing level of the original process. Bitmask flags |
| OriginalProcessProtection (UInt8) | PS_PROTECTION byte of the original process. Bitmask flags |
| BaseAddress (Pointer) | Virtual address of the memory region being allocated, protected, read, or written. |
| RegionSize (Pointer) | Size of the memory region in bytes. |
| AllocationType (UInt32) | Memory allocation type bitmask. Bitmask flags |
| ProtectionMask (UInt32) | Memory page protection bitmask. Bitmask flags |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 6,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:09:23+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 5360,
"thread_id": 3736
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AllocationType": 12288,
"BaseAddress": "0x20EB3370000",
"CallingProcessCreateTime": "2026-06-09 19:09:09Z",
"CallingProcessId": 5360,
"CallingProcessProtection": 49,
"CallingProcessSectionSignatureLevel": 7,
"CallingProcessSignatureLevel": 55,
"CallingProcessStartKey": 7036874417766617,
"CallingThreadCreateTime": "2026-06-09 19:09:09Z",
"CallingThreadId": 3736,
"OriginalProcessCreateTime": "2026-06-09 19:09:09Z",
"OriginalProcessId": 5360,
"OriginalProcessProtection": 49,
"OriginalProcessSectionSignatureLevel": 7,
"OriginalProcessSignatureLevel": 55,
"OriginalProcessStartKey": 7036874417766617,
"ProtectionMask": 64,
"RegionSize": "0x1000",
"TargetProcessCreateTime": "2026-06-09 19:09:09Z",
"TargetProcessId": 5360,
"TargetProcessProtection": 49,
"TargetProcessSectionSignatureLevel": 7,
"TargetProcessSignatureLevel": 55,
"TargetProcessStartKey": 7036874417766617
},
"message": ""
}
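The packed trust bytes in the field table are easy to misread as plain enums, so here is an added Python decoder (not code from the page) that unpacks SignatureLevel, SectionSignatureLevel and Protection for one role of a record; it assumes the WDK enum names listed in its comments, and SAMPLE_EID6 is taken from the example above (the EID 11 example later on the page decodes the same way).

```python
# Added example, not part of the original page: decode the packed trust bytes
# that every EtwTi record carries for the Calling, Target and Original process.
# Bit layouts follow the field table above. Enum names are assumed from the WDK
# headers: SE_SIGNING_LEVEL_* (friendly aliases used for the CUSTOM_n slots),
# SE_IMAGE_SIGNATURE_TYPE, PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER.
SIGNING_LEVEL = {
    0: "Unchecked", 1: "Unsigned", 2: "Enterprise", 3: "Developer",
    4: "Authenticode", 5: "Custom2", 6: "Store", 7: "Antimalware",
    8: "Microsoft", 9: "Custom4", 10: "Custom5", 11: "DynamicCodegen",
    12: "Windows", 13: "WindowsProtectedProcessLight", 14: "WindowsTcb",
    15: "Custom6",
}
SIGNATURE_TYPE = ["None", "Embedded", "Cached", "CatalogCached",
                  "CatalogNotCached", "CatalogHint", "PackageCatalog",
                  "PplMitigated"]
PROTECTED_TYPE = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNER = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                    4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}

# The calling-process values of the EID 6 example above (caller = target = original).
SAMPLE_EID6 = {
    "CallingProcessId": 5360,
    "CallingProcessSignatureLevel": 55,
    "CallingProcessSectionSignatureLevel": 7,
    "CallingProcessProtection": 49,
}


def decode_signature_level(value: int) -> dict:
    """Unpack a *SignatureLevel byte: level in bits 0-3, type in bits 4-6, bit 7 reserved."""
    level = value & 0x0F
    sig_type = (value >> 4) & 0x07
    return {
        "level": level,
        "level_name": SIGNING_LEVEL[level],
        "type": sig_type,
        "type_name": SIGNATURE_TYPE[sig_type],
        "reserved_bit7": bool(value & 0x80),
    }


def decode_ps_protection(value: int) -> dict:
    """Unpack a *Protection byte: type in bits 0-2, audit in bit 3, signer in bits 4-7."""
    ptype = value & 0x07
    signer = (value >> 4) & 0x0F
    return {
        "type": ptype,
        "type_name": PROTECTED_TYPE.get(ptype, f"Unknown({ptype})"),
        "audit": bool(value & 0x08),
        "signer": signer,
        "signer_name": PROTECTED_SIGNER.get(signer, f"Unknown({signer})"),
    }


def summarize_process(ev: dict, role: str = "Calling") -> dict:
    """Decode the trust triple of one role (Calling, Target or Original) in a record."""
    sig = decode_signature_level(ev[f"{role}ProcessSignatureLevel"])
    section = ev[f"{role}ProcessSectionSignatureLevel"] & 0x0F
    prot = decode_ps_protection(ev[f"{role}ProcessProtection"])
    # A caller with no verified signature and no protection level is the
    # population in which unsigned injection tooling shows up; anything else
    # can at least be attributed to a signer.
    unverified = sig["level"] <= 1 and prot["type"] == 0
    return {
        "pid": ev[f"{role}ProcessId"],
        "signature": sig,
        "section_min_level": SIGNING_LEVEL[section],
        "protection": prot,
        "unverified_caller": unverified,
    }


if __name__ == "__main__":
    print(summarize_process(SAMPLE_EID6))
```

For the EID 6 sample this yields an Antimalware-level, CatalogCached-signed caller running as PPL with the Antimalware signer, which is why the provider logs its otherwise unremarkable local allocation; the all-zero triple of the EID 5 and EID 7 samples decodes as an unverified, unprotected caller.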
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
Event ID 7: Local Virtual Memory Protection Change
#Description
A process changed memory protection within its own address space via NtProtectVirtualMemory. Local RW-to-RX transitions can indicate in-process shellcode staging or JIT compilation.
Fields #
| Name | Description |
|---|---|
| CallingProcessId (UInt32) | Process ID of the process initiating the operation. |
| CallingProcessCreateTime (FILETIME) | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey (UInt64) | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel (UInt8) | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection (UInt8) | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId (UInt32) | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime (FILETIME) | Creation timestamp of the calling thread. |
| TargetProcessId (UInt32) | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime (FILETIME) | Creation timestamp of the target process. |
| TargetProcessStartKey (UInt64) | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel (UInt8) | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection (UInt8) | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| OriginalProcessId (UInt32) | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
| OriginalProcessCreateTime (FILETIME) | Creation timestamp of the original handle-owning process. |
| OriginalProcessStartKey (UInt64) | Kernel-assigned unique key for the original handle-owning process. |
| OriginalProcessSignatureLevel (UInt8) | Code integrity signing level of the original process. Bitmask flags |
| OriginalProcessSectionSignatureLevel (UInt8) | Minimum DLL signing level of the original process. Bitmask flags |
| OriginalProcessProtection (UInt8) | PS_PROTECTION byte of the original process. Bitmask flags |
| BaseAddress (Pointer) | Virtual address of the memory region being allocated, protected, read, or written. |
| RegionSize (UInt64) | Size of the memory region in bytes. |
| ProtectionMask (UInt32) | Memory page protection bitmask. Bitmask flags |
| LastProtectionMask (UInt32) | Previous memory page protection before this NtProtectVirtualMemory call. Compare with ProtectionMask to detect RW-to-RX transitions. Bitmask flags |
| VaVadQueryResult (UInt32) | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
| VaVadAllocationBase (Pointer) | Base address of the VAD entry containing the target address. |
| VaVadAllocationProtect (UInt32) | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags |
| VaVadRegionType (UInt32) | Type of the VAD region (private, mapped, image). Known values |
| VaVadRegionSize (Pointer) | Total size of the VAD region. |
| VaVadCommitSize (Pointer) | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
| VaVadMmfName (UnicodeString) | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
| TargetAddress (Pointer) | Target virtual address within the protection change region (PROTECTVM v3). |
| FullRegionSize (UInt64) | Full size of the containing memory region (PROTECTVM v3). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 7,
"version": 3,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T17:42:23+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4708,
"thread_id": 4388
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0x7FFF2869E000",
"CallingProcessCreateTime": "2026-06-09 17:42:23Z",
"CallingProcessId": 4708,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 3377699720528255,
"CallingThreadCreateTime": "2026-06-09 17:42:23Z",
"CallingThreadId": 4388,
"FullRegionSize": 4096,
"LastProtectionMask": 32,
"OriginalProcessCreateTime": "2026-06-09 17:42:23Z",
"OriginalProcessId": 4708,
"OriginalProcessProtection": 0,
"OriginalProcessSectionSignatureLevel": 0,
"OriginalProcessSignatureLevel": 0,
"OriginalProcessStartKey": 3377699720528255,
"ProtectionMask": 64,
"RegionSize": 272,
"TargetAddress": "0x7FFF2869E020",
"TargetProcessCreateTime": "2026-06-09 17:42:23Z",
"TargetProcessId": 4708,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 3377699720528255,
"VaVadAllocationBase": "0x7FFF28510000",
"VaVadAllocationProtect": 128,
"VaVadCommitSize": "0x20000",
"VaVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
"VaVadQueryResult": 0,
"VaVadRegionSize": "0x9A4000",
"VaVadRegionType": 16777216
},
"message": ""
}
Community Notes #
This sample is a v3 record, which adds FullRegionSize, LastProtectionMask, TargetAddress, and the VaVad* fields. The provider also emits v1 records for the same event ID, which carry a reduced field set.
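As an added Python example (not from the page), this classifies an EID 7 transition from LastProtectionMask, ProtectionMask and the VaVad* backing, assuming the public winnt.h PAGE_* and MEM_* constants; SAMPLE_EID7 is the v3 record above and SAMPLE_RW_TO_RX is a constructed record, not a capture, for the private RW-to-RX case the description mentions.

```python
# Added example, not part of the original page: decode an EID 7 (v3) protection
# change and flag the transitions the description above calls out. PAGE_* and
# MEM_* values are the public winnt.h constants. SAMPLE_EID7 is the event_data
# of the sample above; SAMPLE_RW_TO_RX is constructed, not captured.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SAMPLE_EID7 = {
    "BaseAddress": "0x7FFF2869E000", "RegionSize": 272, "FullRegionSize": 4096,
    "TargetAddress": "0x7FFF2869E020",
    "LastProtectionMask": 32, "ProtectionMask": 64,
    "VaVadRegionType": 16777216,
    "VaVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
}
SAMPLE_RW_TO_RX = {  # constructed: a private, unbacked region flipped from RW to RX
    "BaseAddress": "0x1C0000A0000", "RegionSize": 4096, "FullRegionSize": 4096,
    "TargetAddress": "0x1C0000A0000",
    "LastProtectionMask": 4, "ProtectionMask": 32,
    "VaVadRegionType": 0x20000, "VaVadMmfName": "",
}


def decode_page_protect(mask: int) -> str:
    """Render a PAGE_* mask as its base protection plus any modifier flags."""
    base = PAGE_BASE.get(mask & 0xFF, f"UNKNOWN({mask & 0xFF:#x})")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if mask & bit]
    return " | ".join([base] + mods)


def classify_protect_change(ev: dict) -> dict:
    """Label an EID 7 record by what the protection transition did to the pages.

    rw_to_rx_private: a file-less region became executable (the staging shape
    the description names; JIT engines produce it too, so pair with the caller).
    image_code_made_writable: executable pages of a loaded module became
    writable (in-place patching of that module's code).
    rw_to_rx_backed: a file-backed region gained execute.
    benign_shape: no execute gained and no executable page made writable.
    """
    last, new = ev["LastProtectionMask"], ev["ProtectionMask"]
    gained_exec = bool(new & EXECUTABLE) and not (last & EXECUTABLE)
    exec_made_writable = bool(new & EXECUTABLE) and bool(new & WRITABLE) and not (last & WRITABLE)
    mmf = ev.get("VaVadMmfName", "")
    region = REGION_TYPE.get(ev["VaVadRegionType"], f"UNKNOWN({ev['VaVadRegionType']:#x})")

    if gained_exec and not mmf:
        label = "rw_to_rx_private"
    elif exec_made_writable and region == "MEM_IMAGE":
        label = "image_code_made_writable"
    elif gained_exec:
        label = "rw_to_rx_backed"
    else:
        label = "benign_shape"

    return {
        "last": decode_page_protect(last),
        "new": decode_page_protect(new),
        "region": region,
        "module": mmf.rsplit("\\", 1)[-1] if mmf else None,
        "gained_execute": gained_exec,
        "executable_made_writable": exec_made_writable,
        # v3 carries both the requested byte count and the page-rounded extent
        "requested_bytes": ev["RegionSize"],
        "full_region_bytes": ev["FullRegionSize"],
        "label": label,
    }


if __name__ == "__main__":
    for rec in (SAMPLE_EID7, SAMPLE_RW_TO_RX):
        print(classify_protect_change(rec))
```

The captured record is not an RW-to-RX transition at all: 272 bytes inside clr.dll go from PAGE_EXECUTE_READ to PAGE_EXECUTE_READWRITE, so the module's own code pages were made writable, which is a different pattern from the private-region staging the description names.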
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
Event ID 8: Local Section Map
#Description
A process mapped a section object into its own address space via NtMapViewOfSection. Logged when the mapping's protection attributes meet the provider's logging threshold.
Fields #
| Name | Description |
|---|---|
| CallingProcessId (UInt32) | Process ID of the process initiating the operation. |
| CallingProcessCreateTime (FILETIME) | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey (UInt64) | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel (UInt8) | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection (UInt8) | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId (UInt32) | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime (FILETIME) | Creation timestamp of the calling thread. |
| TargetProcessId (UInt32) | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime (FILETIME) | Creation timestamp of the target process. |
| TargetProcessStartKey (UInt64) | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel (UInt8) | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection (UInt8) | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| BaseAddress (Pointer) | Virtual address of the memory region being allocated, protected, read, or written. |
| ViewSize (Pointer) | Size of the mapped view in bytes. |
| AllocationType (UInt32) | Memory allocation type bitmask. Bitmask flags |
| ProtectionMask (UInt32) | Memory page protection bitmask. Bitmask flags |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 8,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:54+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AllocationType": 0,
"BaseAddress": "0x228B11E0000",
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"ProtectionMask": 64,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573,
"ViewSize": "0x1000"
},
"message": ""
}
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
Event ID 11: Local Virtual Memory Read
#Description
A process read virtual memory via NtReadVirtualMemory. Logged for local reads when the caller or target protection level meets the provider's threshold.
Fields #
| Name | Description |
|---|---|
| OperationStatus (UInt32) | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId (UInt32) | Process ID of the process initiating the operation. |
| CallingProcessCreateTime (FILETIME) | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey (UInt64) | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel (UInt8) | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection (UInt8) | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId (UInt32) | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime (FILETIME) | Creation timestamp of the calling thread. |
| TargetProcessId (UInt32) | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime (FILETIME) | Creation timestamp of the target process. |
| TargetProcessStartKey (UInt64) | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel (UInt8) | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel (UInt8) | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection (UInt8) | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| BaseAddress (Pointer) | Virtual address of the memory region being allocated, protected, read, or written. |
| BytesCopied (Pointer) | Number of bytes actually read or written by the operation. |
| VaVadQueryResult (UInt32) | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
| VaVadAllocationBase (Pointer) | Base address of the VAD entry containing the target address. |
| VaVadAllocationProtect (UInt32) | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags |
| VaVadRegionType (UInt32) | Type of the VAD region (private, mapped, image). Known values |
| VaVadRegionSize (Pointer) | Total size of the VAD region. |
| VaVadCommitSize (Pointer) | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
| VaVadMmfName (UnicodeString) | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 11,
"version": 2,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T15:50:02+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3604,
"thread_id": 5308
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "JD-WIN11-22H2-1",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0x1027553010",
"BytesCopied": "0x8",
"CallingProcessCreateTime": "2026-06-09 15:50:02Z",
"CallingProcessId": 3604,
"CallingProcessProtection": 81,
"CallingProcessSectionSignatureLevel": 12,
"CallingProcessSignatureLevel": 60,
"CallingProcessStartKey": 7881299347899860,
"CallingThreadCreateTime": "2026-06-09 15:50:02Z",
"CallingThreadId": 5308,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 15:50:02Z",
"TargetProcessId": 3604,
"TargetProcessProtection": 81,
"TargetProcessSectionSignatureLevel": 12,
"TargetProcessSignatureLevel": 60,
"TargetProcessStartKey": 7881299347899860,
"VaVadAllocationBase": "0x0",
"VaVadAllocationProtect": 0,
"VaVadCommitSize": "0x0",
"VaVadMmfName": "",
"VaVadQueryResult": 0,
"VaVadRegionSize": "0x0",
"VaVadRegionType": 0
},
"message": ""
}
Detection Patterns #
Stealth: Process Injection (1 rule)
Community Notes #
This sample comes from an earlier capture on a Windows 11 22H2 host, where the event fired during routine system background activity (Defender memory scanning is a common trigger). A later capture on Windows 11 25H2 did not catch a real local read in the capture window, so the older record is kept here to show the field layout.
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Uncovering Windows Events. Threat Intelligence ETW (Jonathan Johnson). End-to-end RE of EIDs 11-14. NtReadVirtualMemory, NtReadVirtualMemoryEx, and NtWriteVirtualMemory all dispatch through MiReadWriteVirtualMemory, which emits via EtwTiLogReadWriteVm. PROCESS_VM_READ (0x10) selects the READVM family and PROCESS_VM_WRITE (0x20) selects the WRITEVM family. Consumer keyword mask 0x8000000000008000. https://jonny-johnson.medium.com/uncovering-windows-events-b4b9db7eac54
Event ID 12: Local Virtual Memory Write
#Description
A process wrote virtual memory via NtWriteVirtualMemory. Logged for local writes when the caller or target protection level meets the provider's threshold. Unlike the read variant (EID 11), this event additionally gates on a per-thread kernel instrumentation flag and does not fire from user-mode WriteProcessMemory; it is only accessible from kernel-mode callers (e.g. via direct EtwTiLogReadWriteVm calls in a driver).
Fields #
| Name | Description |
|---|---|
| OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
| BytesCopied Pointer | Number of bytes actually read or written by the operation. |
| VaVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
| VaVadAllocationBase Pointer | Base address of the VAD entry containing the target address. |
| VaVadAllocationProtect UInt32 | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags |
| VaVadRegionType UInt32 | Type of the VAD region (private, mapped, image). Known values |
| VaVadRegionSize Pointer | Total size of the VAD region. |
| VaVadCommitSize Pointer | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
| VaVadMmfName UnicodeString | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 12,
"version": 2,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0xFFFFFE864DDE56B0",
"BytesCopied": "0x1",
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573,
"VaVadAllocationBase": "0x0",
"VaVadAllocationProtect": 0,
"VaVadCommitSize": "0x0",
"VaVadMmfName": "",
"VaVadQueryResult": 0,
"VaVadRegionSize": "0x0",
"VaVadRegionType": 0
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogReadWriteVm) directly to produce this sample. WriteProcessMemory and ZwWriteVirtualMemory from user mode do not fire this event because the kernel checks a per-thread flag that user-mode callers do not set. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed cross-process write.
References #
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Uncovering Windows Events. Threat Intelligence ETW (Jonathan Johnson). End-to-end RE of EIDs 11-14. NtReadVirtualMemory, NtReadVirtualMemoryEx, and NtWriteVirtualMemory all dispatch through MiReadWriteVirtualMemory, which emits via EtwTiLogReadWriteVm. PROCESS_VM_READ (0x10) selects the READVM family and PROCESS_VM_WRITE (0x20) selects the WRITEVM family. Consumer keyword mask 0x8000000000008000. https://jonny-johnson.medium.com/uncovering-windows-events-b4b9db7eac54
Event ID 13: Remote Virtual Memory Read
#Description
A process read memory from another process via NtReadVirtualMemory (ReadProcessMemory). Remote memory reads are used to extract credentials, secrets, or process state from targets such as LSASS. ReadProcessMemory runs kernel-mode code attached to the target process and requires PROCESS_VM_READ on the target handle, or that the caller holds SeDebugPrivilege (granted to administrators by default).
Fields #
| Name | Description |
|---|---|
| OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
| BytesCopied Pointer | Number of bytes actually read or written by the operation. |
| VaVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
| VaVadAllocationBase Pointer | Base address of the VAD entry containing the target address. |
| VaVadAllocationProtect UInt32 | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags |
| VaVadRegionType UInt32 | Type of the VAD region (private, mapped, image). Known values |
| VaVadRegionSize Pointer | Total size of the VAD region. |
| VaVadCommitSize Pointer | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
| VaVadMmfName UnicodeString | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 13,
"version": 2,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T04:59:46+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 940,
"thread_id": 1644
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "JD-WIN11-22H2-1",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0x7FFF10995F40",
"BytesCopied": "0x17D",
"CallingProcessCreateTime": "2026-06-09 04:30:00Z",
"CallingProcessId": 940,
"CallingProcessProtection": 97,
"CallingProcessSectionSignatureLevel": 12,
"CallingProcessSignatureLevel": 62,
"CallingProcessStartKey": 7599824371187719,
"CallingThreadCreateTime": "2026-06-09 04:30:05Z",
"CallingThreadId": 1644,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 04:57:10Z",
"TargetProcessId": 3560,
"TargetProcessProtection": 81,
"TargetProcessSectionSignatureLevel": 12,
"TargetProcessSignatureLevel": 60,
"TargetProcessStartKey": 7599824371188788,
"VaVadAllocationBase": "0x7FFF0F7C0000",
"VaVadAllocationProtect": 128,
"VaVadCommitSize": "0x58000",
"VaVadMmfName": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{3EAC0BBF-2E29-44F8-B3D8-FF2E7B54838B}\\mpengine.dll",
"VaVadQueryResult": 0,
"VaVadRegionSize": "0x11F1000",
"VaVadRegionType": 16777216
},
"message": ""
}
Community Notes #
This sample comes from an earlier capture on a Windows 11 22H2 host, where the event fired during routine system background activity (Defender scanning of another process is a common trigger). A later capture on Windows 11 25H2 did not catch a real remote read in the capture window, so the older record is kept here to show field layout.
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Uncovering Windows Events. Threat Intelligence ETW (Jonathan Johnson). End-to-end RE of EIDs 11-14. NtReadVirtualMemory, NtReadVirtualMemoryEx, and NtWriteVirtualMemory all dispatch through MiReadWriteVirtualMemory, which emits via EtwTiLogReadWriteVm. PROCESS_VM_READ (0x10) selects the READVM family and PROCESS_VM_WRITE (0x20) selects the WRITEVM family. Consumer keyword mask 0x8000000000008000. https://jonny-johnson.medium.com/uncovering-windows-events-b4b9db7eac54
Event ID 14: Remote Virtual Memory Write
#Description
A process wrote memory into another process via NtWriteVirtualMemory (WriteProcessMemory). Remote memory writes deliver shellcode or patch code in the target process during injection. WriteProcessMemory runs kernel-mode code attached to the target process and requires PROCESS_VM_WRITE on the target handle, or that the caller holds SeDebugPrivilege.
Fields #
| Name | Description |
|---|---|
| OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
| BytesCopied Pointer | Number of bytes actually read or written by the operation. |
| VaVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
| VaVadAllocationBase Pointer | Base address of the VAD entry containing the target address. |
| VaVadAllocationProtect UInt32 | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags |
| VaVadRegionType UInt32 | Type of the VAD region (private, mapped, image). Known values |
| VaVadRegionSize Pointer | Total size of the VAD region. |
| VaVadCommitSize Pointer | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
| VaVadMmfName UnicodeString | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 14,
"version": 2,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T17:42:25+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 728,
"thread_id": 884
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0x5D7BE82308",
"BytesCopied": "0x8",
"CallingProcessCreateTime": "2026-06-09 04:17:19Z",
"CallingProcessId": 728,
"CallingProcessProtection": 97,
"CallingProcessSectionSignatureLevel": 12,
"CallingProcessSignatureLevel": 62,
"CallingProcessStartKey": 3377699720527879,
"CallingThreadCreateTime": "2026-06-09 04:17:19Z",
"CallingThreadId": 884,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 17:42:25Z",
"TargetProcessId": 4548,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 3377699720528256,
"VaVadAllocationBase": "0x5D7BE00000",
"VaVadAllocationProtect": 4,
"VaVadCommitSize": "0x3000",
"VaVadMmfName": "",
"VaVadQueryResult": 0,
"VaVadRegionSize": "0x200000",
"VaVadRegionType": 131072
},
"message": ""
}
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Uncovering Windows Events. Threat Intelligence ETW (Jonathan Johnson). End-to-end RE of EIDs 11-14. NtReadVirtualMemory, NtReadVirtualMemoryEx, and NtWriteVirtualMemory all dispatch through MiReadWriteVirtualMemory, which emits via EtwTiLogReadWriteVm. PROCESS_VM_READ (0x10) selects the READVM family and PROCESS_VM_WRITE (0x20) selects the WRITEVM family. Consumer keyword mask 0x8000000000008000. https://jonny-johnson.medium.com/uncovering-windows-events-b4b9db7eac54
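Decoding these packed bytes and VAD fields in practice, as an added example that is not code from this page or from Microsoft: it unpacks the *SignatureLevel, *Protection, VaVadRegionType and VaVadAllocationProtect values of the EID 13 and EID 14 Example Events above and attaches review tags. The constant tables are the public SE_SIGNING_LEVEL, PS_PROTECTED_TYPE/PS_PROTECTED_SIGNER, MEM_* and PAGE_* values; the function names and tag strings are this example's own.

```python
# Added example, not code from this page or from Microsoft. Constant tables
# are the public SE_SIGNING_LEVEL, PS_PROTECTED_*, MEM_* and PAGE_* values;
# the function names and tag strings are this example's own.

# SE_SIGNING_LEVEL (ntddk.h), low 4 bits of the *SignatureLevel byte.
SIGNING_LEVEL = {
    0: "Unchecked", 1: "Unsigned", 2: "Enterprise", 3: "Developer",
    4: "Authenticode", 5: "Custom2", 6: "Store", 7: "Antimalware",
    8: "Microsoft", 9: "Custom4", 10: "Custom5", 11: "DynamicCodegen",
    12: "Windows", 13: "WindowsProtectedProcessLight", 14: "WindowsTcb",
    15: "Custom6",
}
# IMAGE_INFO.ImageSignatureType (3 bits), bits 4-6 of the same byte.
SIGNATURE_TYPE = ["None", "Embedded", "Cached", "CatalogCached",
                  "CatalogNotCached", "CatalogHint", "PackageCatalog",
                  "PplMitigated"]
# _PS_PROTECTION: bits 0-2 type, bit 3 audit flag, bits 4-7 signer.
PROTECTED_TYPE = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNER = {0: "None", 1: "Authenticode", 2: "CodeGen",
                    3: "Antimalware", 4: "Lsa", 5: "Windows",
                    6: "WinTcb", 7: "WinSystem", 8: "App"}
# VaVadRegionType carries the MEM_* type constants.
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED",
               0x1000000: "MEM_IMAGE"}
# VaVadAllocationProtect: one exclusive PAGE_* access value in the low
# byte, optional modifier flags above it.
PAGE_ACCESS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
               0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
               0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
               0x40: "PAGE_EXECUTE_READWRITE",
               0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIER = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE",
                 0x400: "PAGE_WRITECOMBINE"}


def decode_signature_level(b):
    """Unpack a *SignatureLevel byte: 60 (0x3C) -> Windows / CatalogCached."""
    return {"level": SIGNING_LEVEL[b & 0x0F],
            "type": SIGNATURE_TYPE[(b >> 4) & 0x7],
            "reserved_bit7": bool(b & 0x80)}


def decode_ps_protection(b):
    """Unpack a *Protection byte: 49 (0x31) -> Antimalware / ProtectedLight."""
    t, s = b & 0x7, b >> 4
    return {"type": PROTECTED_TYPE.get(t, "Unknown(%d)" % t),
            "audit": bool(b & 0x8),
            "signer": PROTECTED_SIGNER.get(s, "Unknown(%d)" % s)}


def decode_page_protect(v):
    """Name a VaVadAllocationProtect value: 128 -> [PAGE_EXECUTE_WRITECOPY]."""
    low = v & 0xFF
    names = [PAGE_ACCESS.get(low, "0x%02X" % low)]
    names += [n for f, n in PAGE_MODIFIER.items() if v & f]
    return names


def triage(event_id, d):
    """Decode one EID 11-14 event_data dict and attach review tags."""
    caller = decode_ps_protection(d["CallingProcessProtection"])
    target = decode_ps_protection(d["TargetProcessProtection"])
    region = REGION_TYPE.get(d["VaVadRegionType"], hex(d["VaVadRegionType"]))
    tags = []
    if d["CallingProcessId"] != d["TargetProcessId"]:
        tags.append("cross_process")
    if target["type"] != "None" and caller["type"] == "None":
        # Unprotected image reaching into PPL/PP memory: the case to review.
        tags.append("unprotected_caller_protected_target")
    if event_id == 14 and region == "MEM_PRIVATE":
        tags.append("write_to_private_region")   # shellcode staging pattern
    if event_id == 14 and region == "MEM_IMAGE":
        tags.append("write_to_image_region")     # in-memory code patching
    return {"caller_protection": caller, "target_protection": target,
            "caller_signature": decode_signature_level(d["CallingProcessSignatureLevel"]),
            "target_signature": decode_signature_level(d["TargetProcessSignatureLevel"]),
            "region": region,
            "allocation_protect": decode_page_protect(d["VaVadAllocationProtect"]),
            "backing_file": d.get("VaVadMmfName", ""),
            "bytes": int(d["BytesCopied"], 16), "tags": tags}


# Field values copied from the EID 13 and EID 14 Example Events above
# (only the keys triage() reads).
EID13_SAMPLE = {"BytesCopied": "0x17D", "CallingProcessId": 940,
                "CallingProcessProtection": 97, "CallingProcessSignatureLevel": 62,
                "OperationStatus": 0, "TargetProcessId": 3560,
                "TargetProcessProtection": 81, "TargetProcessSignatureLevel": 60,
                "VaVadAllocationProtect": 128, "VaVadRegionType": 16777216,
                "VaVadMmfName": "\\Device\\HarddiskVolume4\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{3EAC0BBF-2E29-44F8-B3D8-FF2E7B54838B}\\mpengine.dll"}
EID14_SAMPLE = {"BytesCopied": "0x8", "CallingProcessId": 728,
                "CallingProcessProtection": 97, "CallingProcessSignatureLevel": 62,
                "OperationStatus": 0, "TargetProcessId": 4548,
                "TargetProcessProtection": 0, "TargetProcessSignatureLevel": 0,
                "VaVadAllocationProtect": 4, "VaVadRegionType": 131072,
                "VaVadMmfName": ""}

if __name__ == "__main__":
    for eid, sample in ((13, EID13_SAMPLE), (14, EID14_SAMPLE)):
        print("EID", eid, triage(eid, sample))
```

On the EID 13 sample the caller decodes as a WinTcb PPL with a WindowsTcb/CatalogCached image reading an image-backed region of a Windows-signer PPL (mpengine.dll), which matches the Defender-scanning trigger noted above; on the EID 14 sample the same class of caller writes eight bytes into a private PAGE_READWRITE region of a freshly created unprotected process.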
Event ID 15: Remote Thread Suspend
#Description
A process suspended a thread in another process via NtSuspendThread. Thread suspension is used during thread hijacking to safely modify the target thread's context before resuming execution at injected code.
Fields #
| Name | Description |
|---|---|
| OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| TargetThreadId UInt32 | Thread ID in the target process. |
| TargetThreadCreateTime FILETIME | Creation timestamp of the target thread. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 15,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573,
"TargetThreadCreateTime": "2026-06-09 19:08:27Z",
"TargetThreadId": 716
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogSuspendResumeThread) directly to produce this sample. NtSuspendThread from user mode does not fire this event because the kernel checks a per-thread flag that user-mode callers do not set. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed thread suspend.
Event ID 16: Remote Thread Resume
#Description
A process resumed a suspended thread in another process via NtResumeThread. Often the final step in thread-hijacking injection, triggering execution of the redirected code.
Fields #
| Name | Description |
|---|---|
| OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| TargetThreadId UInt32 | Thread ID in the target process. |
| TargetThreadCreateTime FILETIME | Creation timestamp of the target thread. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 16,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573,
"TargetThreadCreateTime": "2026-06-09 19:08:27Z",
"TargetThreadId": 716
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogSuspendResumeThread, resume operation) to produce this sample. NtResumeThread from user mode does not fire this event because the kernel checks a per-thread flag that user-mode callers do not set. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed thread resume.
Event ID 17: Process Suspend
#Description
A process suspended all threads in another process via NtSuspendProcess. Whole-process suspension can be used to freeze a target before tampering with its memory or handles. NtSuspendProcess suspends every thread in the target by queuing a kernel APC to each (Russinovich, Windows Internals Part 1, Ch 4, Thread suspension). The event fires once per call rather than once per thread because the kernel logger runs at the process-level entry point rather than inside the per-thread APC delivery path.
Fields #
| Name | Description |
|---|---|
| OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
| TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
| TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
| TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
| TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
| TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 17,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogSuspendResumeProcess, suspend operation) to produce this sample. NtSuspendProcess from user mode does not fire this event because the kernel checks a per-thread flag that user-mode callers do not set. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed process suspend.
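Every event on this page carries the same packed bytes for the calling and target process (SignatureLevel, SectionSignatureLevel, Protection) plus the PID, CreateTime and StartKey used to tell process instances apart. The decoder below is an added example, not code from the page or from Microsoft: it applies the bit layouts given in the field tables, takes the enum names from the WDK headers (SE_SIGNING_LEVEL, PS_PROTECTED_TYPE, PS_PROTECTED_SIGNER, IMAGE_INFO ImageSignatureType), and runs on a constructed event_data record shaped like the sample above, with the page's own illustrative values 0x3C and 0x31 on the target side.

```python
"""Decode the packed per-process fields that every
Microsoft-Windows-Threat-Intelligence event carries.
Added example; not code from the page or from Microsoft."""

from datetime import datetime, timezone

# SE_SIGNING_LEVEL (WDK ntddk.h). Custom levels keep their numeric name.
SIGNING_LEVELS = {
    0x0: "Unchecked", 0x1: "Unsigned", 0x2: "Enterprise", 0x3: "Custom1",
    0x4: "Authenticode", 0x5: "Custom2", 0x6: "Store", 0x7: "Custom3",
    0x8: "Microsoft", 0x9: "Custom4", 0xA: "Custom5", 0xB: "DynamicCodegen",
    0xC: "Windows", 0xD: "Custom7", 0xE: "WindowsTcb", 0xF: "Custom6",
}
# IMAGE_INFO.ImageSignatureType, 3 bits, in the order the field table lists them.
SIGNATURE_TYPES = ["None", "Embedded", "Cached", "CatalogCached",
                   "CatalogNotCached", "CatalogHint", "PackageCatalog", "PplMitigated"]
# PS_PROTECTED_TYPE and PS_PROTECTED_SIGNER (ntddk.h).
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                     4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}

# "1601-01-01 00:00:00Z" is FILETIME 0: the placeholder seen in lab-driver samples.
FILETIME_ZERO = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_signature_level(value: int) -> dict:
    """*SignatureLevel byte: bits 0-3 level, bits 4-6 signature type, bit 7 reserved."""
    return {
        "level": SIGNING_LEVELS[value & 0x0F],
        "signature_type": SIGNATURE_TYPES[(value >> 4) & 0x07],
        "reserved": bool(value & 0x80),
    }


def decode_ps_protection(value: int) -> dict:
    """*Protection byte: bits 0-2 type, bit 3 audit, bits 4-7 signer."""
    ptype, signer = value & 0x07, value >> 4
    return {
        "type": PROTECTED_TYPES.get(ptype, f"Unknown({ptype})"),
        "audit": bool(value & 0x08),
        "signer": PROTECTED_SIGNERS.get(signer, f"Unknown({signer})"),
    }


def parse_time(text: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SSZ' form used in event_data."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)


def process_key(event_data: dict, prefix: str) -> tuple:
    """Stable identity for the Calling/Target/Original process in one event.
    StartKey survives PID reuse, so prefer it; fall back to (PID, CreateTime)
    and flag the zero-FILETIME placeholder that synthetic samples carry."""
    start_key = event_data.get(f"{prefix}ProcessStartKey", 0)
    if start_key:
        return ("startkey", start_key)
    create = parse_time(event_data[f"{prefix}ProcessCreateTime"])
    if create == FILETIME_ZERO:
        return ("placeholder", event_data[f"{prefix}ProcessId"])
    return ("pid+time", event_data[f"{prefix}ProcessId"], create.isoformat())


def is_cross_process(event_data: dict) -> bool:
    """True when the calling process acts on a different process instance."""
    return process_key(event_data, "Calling") != process_key(event_data, "Target")


def summarize(event_data: dict) -> dict:
    """Decode identity and the three packed bytes for caller and target."""
    out = {}
    for who in ("Calling", "Target"):
        out[who] = {
            "key": process_key(event_data, who),
            "signature": decode_signature_level(event_data[f"{who}ProcessSignatureLevel"]),
            "section_signature": decode_signature_level(
                event_data[f"{who}ProcessSectionSignatureLevel"]),
            "protection": decode_ps_protection(event_data[f"{who}ProcessProtection"]),
        }
    out["cross_process"] = is_cross_process(event_data)
    return out


# Constructed event_data (not a capture): an unsigned, unprotected caller acting on
# a Windows-signed (0x3C) PPL Antimalware (0x31) target instance.
CONSTRUCTED = {
    "CallingProcessId": 4312, "CallingProcessCreateTime": "2026-06-09 19:08:27Z",
    "CallingProcessStartKey": 7036874417766573, "CallingProcessSignatureLevel": 0,
    "CallingProcessSectionSignatureLevel": 0, "CallingProcessProtection": 0,
    "TargetProcessId": 2432, "TargetProcessCreateTime": "2026-06-09 19:01:02Z",
    "TargetProcessStartKey": 7036874417766580, "TargetProcessSignatureLevel": 0x3C,
    "TargetProcessSectionSignatureLevel": 0x0C, "TargetProcessProtection": 0x31,
}

if __name__ == "__main__":
    print(summarize(CONSTRUCTED))
```

Prefer StartKey for identity when it is non-zero. The samples on this page that a lab driver produced through EtwWrite carry a zero StartKey and a 1601-01-01 CreateTime; the decoder reports those as a placeholder rather than treating them as a real process instance, which keeps synthetic records from being joined to live process-creation telemetry.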
Event ID 18: Process Resume
#Description
A process resumed all threads in another suspended process via NtResumeProcess. NtResumeProcess walks the target's thread list and decrements each thread's suspend count via the per-thread resume path; the event fires once per call (Russinovich, Windows Internals Part 1, Ch 4, Thread suspension).
Fields #
| Name | Description |
|---|---|
OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags
|
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags
|
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 18,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogSuspendResumeProcess, resume operation) to produce this sample. NtResumeProcess from user mode does not fire this event because the kernel checks a per-thread flag that user-mode callers do not set. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed process resume.
Event ID 19: Process Freeze
#Description
A process froze another process via the kernel process-freeze mechanism. Process freezing is a deeper suspension primitive than NtSuspendProcess. PsFreezeProcess is the kernel routine; the legitimate caller is the Process State Manager (PSM) service freezing UWP and packaged apps for background suspension. ResumeThread on a frozen process does not wake it. Only PsThawProcess (EID 20) does. Third-party freeze and thaw is rare in legitimate code and is a meaningful injection signal (Russinovich, Windows Internals Part 1, Ch 4).
Fields #
| Name | Description |
|---|---|
OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags
|
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags
|
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 19,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogSuspendResumeProcess, freeze operation) to produce this sample. The freeze operation is an internal kernel path that user-mode and Zw* callers cannot reach. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed process freeze.
Event ID 20: Process Thaw
#Description
A process thawed a previously frozen process, allowing its threads to resume execution. PsThawProcess is the only path that wakes a process frozen via PsFreezeProcess (EID 19); NtResumeProcess and ResumeThread do not reverse the freeze.
Fields #
| Name | Description |
|---|---|
OperationStatus UInt32 | NTSTATUS return code. NTSTATUS reference |
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags
|
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags
|
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 20,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T19:08:58+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 2432,
"thread_id": 716
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallingProcessCreateTime": "2026-06-09 19:08:27Z",
"CallingProcessId": 2432,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 7036874417766573,
"CallingThreadCreateTime": "2026-06-09 19:08:27Z",
"CallingThreadId": 716,
"OperationStatus": 0,
"TargetProcessCreateTime": "2026-06-09 19:08:27Z",
"TargetProcessId": 2432,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 7036874417766573
},
"message": ""
}
Community Notes #
A lab kernel driver called the kernel's own logging routine (EtwTiLogSuspendResumeProcess, thaw operation) to produce this sample. The thaw operation is an internal kernel path that user-mode and Zw* callers cannot reach. The field structure matches the manifest, but the field values reflect the lab driver rather than an observed process thaw.
Event ID 21: Remote Virtual Memory Allocation (Kernel Caller)
#Description
A kernel-mode driver allocated virtual memory in a process via NtAllocateVirtualMemory. Identical to event 1 but the caller is a kernel-mode component rather than a user-mode process.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags
|
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags
|
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original process. Bitmask flags
|
OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original process. Bitmask flags
|
OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original process. Bitmask flags
|
BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
RegionSize Pointer | Size of the memory region in bytes. |
AllocationType UInt32 | Memory allocation type bitmask. Bitmask flags
|
ProtectionMask UInt32 | Memory page protection bitmask. Bitmask flags
|
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 21,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T15:46:16+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 13344,
"thread_id": 14284
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "JD-WIN11-22H2-1",
"security": {
"user_id": ""
}
},
"event_data": {
"AllocationType": 12288,
"BaseAddress": "0x7FFE0000",
"CallingProcessCreateTime": "1601-01-01 00:00:00Z",
"CallingProcessId": 13344,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 0,
"CallingThreadCreateTime": "1601-01-01 00:00:00Z",
"CallingThreadId": 14284,
"OriginalProcessCreateTime": "1601-01-01 00:00:00Z",
"OriginalProcessId": 13344,
"OriginalProcessProtection": 0,
"OriginalProcessSectionSignatureLevel": 0,
"OriginalProcessSignatureLevel": 0,
"OriginalProcessStartKey": 0,
"ProtectionMask": 64,
"RegionSize": "0x1000",
"TargetProcessCreateTime": "1601-01-01 00:00:00Z",
"TargetProcessId": 1604,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 0
},
"message": ""
}
Community Notes #
This is the kernel-caller variant of NtAllocateVirtualMemory. User-mode remote allocations log as event ID 1 and local allocations as event ID 6; only kernel-mode allocations from inside ntoskrnl reach this event ID, and the kernel restricts that logging to its own ETW registration. To produce a sample, a lab kernel driver registered against the same provider GUID and called EtwWrite directly, which yields the correct manifest layout with placeholder values (zeroed timestamps and start keys). The sample comes from an earlier capture on a Windows 11 22H2 host.
Event ID 22: Remote Virtual Memory Protection Change (Kernel Caller)
#Description
A kernel-mode driver changed memory protection in a process via NtProtectVirtualMemory. Identical to event 2 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags
|
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags
|
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original process. Bitmask flags
|
OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original process. Bitmask flags
|
OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original process. Bitmask flags
|
BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
RegionSize UInt64 | Size of the memory region in bytes. |
ProtectionMask UInt32 | Memory page protection bitmask. Bitmask flags
|
LastProtectionMask UInt32 | Previous memory page protection before this NtProtectVirtualMemory call. Compare with ProtectionMask to detect RW-to-RX transitions. Bitmask flags
|
VaVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
VaVadAllocationBase Pointer | Base address of the VAD entry containing the target address. |
VaVadAllocationProtect UInt32 | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags
|
VaVadRegionType UInt32 | Type of the VAD region (private, mapped, image). Known values
|
VaVadRegionSize Pointer | Total size of the VAD region. |
VaVadCommitSize Pointer | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
VaVadMmfName UnicodeString | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
TargetAddress Pointer | Target virtual address within the protection change region (PROTECTVM v3). |
FullRegionSize UInt64 | Full size of the containing memory region (PROTECTVM v3). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 22,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T15:46:16+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 13344,
"thread_id": 14284
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "JD-WIN11-22H2-1",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseAddress": "0x7FFE0000",
"CallingProcessCreateTime": "1601-01-01 00:00:00Z",
"CallingProcessId": 13344,
"CallingProcessProtection": 0,
"CallingProcessSectionSignatureLevel": 0,
"CallingProcessSignatureLevel": 0,
"CallingProcessStartKey": 0,
"CallingThreadCreateTime": "1601-01-01 00:00:00Z",
"CallingThreadId": 14284,
"LastProtectionMask": 32,
"OriginalProcessCreateTime": "1601-01-01 00:00:00Z",
"OriginalProcessId": 13344,
"OriginalProcessProtection": 0,
"OriginalProcessSectionSignatureLevel": 0,
"OriginalProcessSignatureLevel": 0,
"OriginalProcessStartKey": 0,
"ProtectionMask": 0,
"RegionSize": "0x1000",
"TargetProcessCreateTime": "1601-01-01 00:00:00Z",
"TargetProcessId": 1604,
"TargetProcessProtection": 0,
"TargetProcessSectionSignatureLevel": 0,
"TargetProcessSignatureLevel": 0,
"TargetProcessStartKey": 0
},
"message": ""
}
Community Notes #
This is the kernel-caller variant of NtProtectVirtualMemory. User-mode remote protection changes log as Event ID 2 and local changes as Event ID 7; only kernel-mode protection changes from inside ntoskrnl reach this Event ID, and the kernel restricts that logging to its own ETW registration. To produce a sample, a lab kernel driver registered against the same provider GUID and called EtwWrite directly, which yields placeholder values (zeroed timestamps and start keys) and an abbreviated field set. FullRegionSize, TargetAddress, and the VaVad* fields are absent in this sample; LastProtectionMask is the only v3 carry-over present. The sample comes from an earlier capture on a Windows 11 22H2 host.
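The LastProtectionMask note above says to compare it with ProtectionMask to catch RW-to-RX transitions, and the event 21 sample shows the other classic signal, an allocation committed straight to PAGE_EXECUTE_READWRITE (AllocationType 12288, ProtectionMask 64). The following check is an added example, not code from the page or from Microsoft: it runs both checks over constructed events in the page's JSON shape, covering the kernel-caller events 21 and 22 documented here and the user-mode IDs 1, 2, 6 and 7 named in the community notes. PAGE_* and MEM_* values are the winnt.h constants; the sample events are constructed.

```python
"""Flag executable-memory signals in Threat-Intelligence allocation and
protection-change events. Added example; not code from the page or from Microsoft."""

# PAGE_* page-protection constants (winnt.h); the same values appear in
# ProtectionMask, LastProtectionMask and VaVadAllocationProtect.
PAGE_NAMES = {
    0x001: "PAGE_NOACCESS", 0x002: "PAGE_READONLY", 0x004: "PAGE_READWRITE",
    0x008: "PAGE_WRITECOPY", 0x010: "PAGE_EXECUTE", 0x020: "PAGE_EXECUTE_READ",
    0x040: "PAGE_EXECUTE_READWRITE", 0x080: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
EXEC_MASK = 0x010 | 0x020 | 0x040 | 0x080
WRITE_MASK = 0x004 | 0x008 | 0x040 | 0x080
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000

ALLOC_EVENTS = {1, 6, 21}      # NtAllocateVirtualMemory: remote, local, kernel caller
PROTECT_EVENTS = {2, 7, 22}    # NtProtectVirtualMemory: remote, local, kernel caller
KERNEL_CALLER_EVENTS = {21, 22}


def describe(mask: int) -> str:
    """Render a protection mask as PAGE_* names, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    names = [name for bit, name in PAGE_NAMES.items() if mask & bit]
    return "|".join(names) if names else "0"


def classify(event: dict) -> list:
    """Return the signals one event carries (empty list when nothing is notable)."""
    eid, d = event["system"]["event_id"], event["event_data"]
    findings = []
    if eid in ALLOC_EVENTS:
        mask = d["ProtectionMask"]
        if mask & EXEC_MASK and mask & WRITE_MASK:
            findings.append("rwx-allocation")          # 64 = PAGE_EXECUTE_READWRITE
        elif mask & EXEC_MASK and d["AllocationType"] & MEM_COMMIT:
            findings.append("exec-commit")
    elif eid in PROTECT_EVENTS:
        old, new = d["LastProtectionMask"], d["ProtectionMask"]
        if old & WRITE_MASK and not old & EXEC_MASK and new & EXEC_MASK:
            findings.append("rw-to-rx-transition")     # payload written, then made runnable
        elif new & EXEC_MASK and new & WRITE_MASK:
            findings.append("rwx-protect")
    if findings and d["CallingProcessId"] != d["TargetProcessId"]:
        findings.append("cross-process")
    if eid in KERNEL_CALLER_EVENTS and d.get("OriginalProcessId") != d["CallingProcessId"]:
        findings.append("original-process-differs")   # handle duplicated or inherited
    return findings


def scan(events: list) -> list:
    """(event_id, signals, target pid) for every event that raises at least one signal."""
    hits = []
    for ev in events:
        signals = classify(ev)
        if signals:
            hits.append((ev["system"]["event_id"], signals, ev["event_data"]["TargetProcessId"]))
    return hits


def _ev(eid: int, **data) -> dict:
    """Build a minimal event in the page's JSON shape (constructed, not captured)."""
    return {"system": {"event_id": eid}, "event_data": data}


# Constructed samples. The first mirrors the event 21 sample above
# (AllocationType 0x3000 = MEM_COMMIT|MEM_RESERVE, ProtectionMask 0x40).
SAMPLE_EVENTS = [
    _ev(21, CallingProcessId=13344, OriginalProcessId=13344, TargetProcessId=1604,
        AllocationType=0x3000, ProtectionMask=0x40, BaseAddress="0x7FFE0000", RegionSize="0x1000"),
    _ev(22, CallingProcessId=13344, OriginalProcessId=13344, TargetProcessId=1604,
        LastProtectionMask=0x04, ProtectionMask=0x20, BaseAddress="0x7FFE0000", RegionSize="0x1000"),
    _ev(7, CallingProcessId=5120, TargetProcessId=5120,          # benign RO -> RW, local
        LastProtectionMask=0x02, ProtectionMask=0x04, BaseAddress="0x1A0000", RegionSize="0x1000"),
    _ev(22, CallingProcessId=900, OriginalProcessId=4100, TargetProcessId=900,
        LastProtectionMask=0x20, ProtectionMask=0x20, BaseAddress="0x7FF600001000", RegionSize="0x1000"),
]

if __name__ == "__main__":
    for eid, signals, target in scan(SAMPLE_EVENTS):
        print(eid, target, signals)
```

The transition check keys on the previous mask being writable and non-executable, so a benign RX-to-RX or RO-to-RW change produces nothing, while the sequence a loader or injector follows (commit RW, write, flip to RX) is caught at the flip. When the VaVad* fields are present, VaVadMmfName being empty for the region is the extra confirmation that the executable pages are private rather than image-backed.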
Event ID 23: Remote Section Map (Kernel Caller)
#Description
A kernel-mode driver mapped a section object into a process via NtMapViewOfSection. Identical to event 3 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags
|
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags
|
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags
|
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags
|
BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
ViewSize Pointer | Size of the mapped view in bytes. |
AllocationType UInt32 | Memory allocation type bitmask. Bitmask flags
|
ProtectionMask UInt32 | Memory page protection bitmask. Bitmask flags
|
Community Notes #
Stub. This is the kernel-caller variant of NtMapViewOfSection; user-mode remote section maps log as event ID 3 instead, and only kernel-mode mappings from inside ntoskrnl reach this event ID. Two lab attempts (Windows 11 22H2 and 25H2) registered a separate driver against the same provider GUID and called EtwWrite, but neither lab consumer could decode the resulting records, so no sample is shown.
Event ID 24: Remote APC Queue (Kernel Caller)
#Description
A kernel-mode driver queued an APC to a thread in a process via NtQueueApcThread. Identical to event 4 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
TargetThreadId UInt32 | Thread ID in the target process. |
TargetThreadCreateTime FILETIME | Creation timestamp of the target thread. |
OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original process. Bitmask flags |
OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original process. Bitmask flags |
OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original process. Bitmask flags |
TargetThreadAlertable UInt8 | Whether the target thread is in an alertable wait state (1=alertable). APCs only execute when the thread enters an alertable wait. Known values |
ApcRoutine Pointer | Virtual address of the APC routine to execute in the target process. |
ApcArgument1 Pointer | First argument passed to the APC routine. |
ApcArgument2 Pointer | Second argument passed to the APC routine. |
ApcArgument3 Pointer | Third argument passed to the APC routine. |
RealEventTime FILETIME | Actual time the operation occurred. May differ from the ETW event timestamp due to buffering. |
ApcRoutineVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the APC routine address. NTSTATUS reference |
ApcRoutineVadAllocationBase Pointer | Base address of the VAD entry containing the APC routine. |
ApcRoutineVadAllocationProtect UInt32 | Original protection of the VAD entry for the APC routine address. Bitmask flags |
ApcRoutineVadRegionType UInt32 | VAD region type for the APC routine address. Known values |
ApcRoutineVadRegionSize Pointer | VAD region size for the APC routine address. |
ApcRoutineVadCommitSize Pointer | Committed size in the VAD region for the APC routine address. |
ApcRoutineVadMmfName UnicodeString | Memory-mapped file path for the APC routine address, if any. |
ApcArgument1VadQueryResult UInt32 | NTSTATUS result of the VAD probe for ApcArgument1. NTSTATUS reference |
ApcArgument1VadAllocationBase Pointer | Base address of the VAD entry for ApcArgument1. |
ApcArgument1VadAllocationProtect UInt32 | Original protection of the VAD entry for ApcArgument1. Bitmask flags |
ApcArgument1VadRegionType UInt32 | VAD region type for ApcArgument1. Known values |
ApcArgument1VadRegionSize Pointer | VAD region size for ApcArgument1. |
ApcArgument1VadCommitSize Pointer | Committed size in the VAD region for ApcArgument1. |
ApcArgument1VadMmfName UnicodeString | Memory-mapped file path for ApcArgument1, if any. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Threat-Intelligence",
    "guid": "",
    "event_source_name": "",
    "event_id": 24,
    "version": 1,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-09T17:40:13+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4688
    },
    "channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ApcArgument1": "0x127E1163148",
    "ApcArgument1VadAllocationBase": "0x127E1000000",
    "ApcArgument1VadAllocationProtect": 4,
    "ApcArgument1VadCommitSize": "0x264000",
    "ApcArgument1VadMmfName": "",
    "ApcArgument1VadQueryResult": 0,
    "ApcArgument1VadRegionSize": "0x1000000",
    "ApcArgument1VadRegionType": 131072,
    "ApcArgument2": "0x6AAA5F3",
    "ApcArgument3": "0x1DCF837",
    "ApcRoutine": "0x7FFF39CE58F0",
    "ApcRoutineVadAllocationBase": "0x7FFF39CD0000",
    "ApcRoutineVadAllocationProtect": 128,
    "ApcRoutineVadCommitSize": "0x5000",
    "ApcRoutineVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\System32\\energyprov.dll",
    "ApcRoutineVadQueryResult": 0,
    "ApcRoutineVadRegionSize": "0x66000",
    "ApcRoutineVadRegionType": 16777216,
    "CallingProcessCreateTime": "2026-06-09 04:17:10Z",
    "CallingProcessId": 4,
    "CallingProcessProtection": 114,
    "CallingProcessSectionSignatureLevel": 28,
    "CallingProcessSignatureLevel": 30,
    "CallingProcessStartKey": 3377699720527873,
    "CallingThreadCreateTime": "1601-01-01 00:00:00Z",
    "CallingThreadId": 0,
    "OriginalProcessCreateTime": "2026-06-09 04:17:10Z",
    "OriginalProcessId": 0,
    "OriginalProcessProtection": 0,
    "OriginalProcessSectionSignatureLevel": 0,
    "OriginalProcessSignatureLevel": 0,
    "OriginalProcessStartKey": 3377699720527872,
    "RealEventTime": "2026-06-09 17:40:13Z",
    "TargetProcessCreateTime": "2026-06-09 04:17:29Z",
    "TargetProcessId": 3456,
    "TargetProcessProtection": 0,
    "TargetProcessSectionSignatureLevel": 0,
    "TargetProcessSignatureLevel": 0,
    "TargetProcessStartKey": 3377699720527954,
    "TargetThreadAlertable": 1,
    "TargetThreadCreateTime": "2026-06-09 04:17:31Z",
    "TargetThreadId": 4988
  },
  "message": ""
}
```
References #
- MS Learn IMAGE_INFO (ImageSignatureLevel:4, ImageSignatureType:3) https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_image_info
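A decoder for the packed *SignatureLevel and *Protection bytes and the ApcRoutineVad* / ApcArgument1Vad* probe groups described in the table above, run over the page's event 24 sample. This is an added example, not code from the page: the enum names are the documented Windows values, the classifier works for any VAD prefix (it applies unchanged to the PcVad* and VaVad* groups of events 25 and 27), and the "suspicious" rule (APC routine in private executable memory plus an alertable target thread) is an assumed triage heuristic, not something the page states.

```python
"""Added example (not part of the original page): decode the packed bytes and
VAD probe fields of a Threat-Intelligence event 24 record and classify the
APC target.  Enum values are the documented Windows constants; the sample
record is the page's own event 24 example, trimmed to the fields used."""

# SE_SIGNING_LEVEL enum, carried in the low 4 bits of the packed *SignatureLevel byte
SIGNING_LEVEL = {0: "Unchecked", 1: "Unsigned", 2: "Enterprise", 3: "Developer",
                 4: "Authenticode", 5: "Custom2", 6: "Store", 7: "Antimalware",
                 8: "Microsoft", 9: "Custom4", 10: "Custom5", 11: "DynamicCodegen",
                 12: "Windows", 13: "Custom7", 14: "WindowsTcb", 15: "Custom6"}
# IMAGE_INFO ImageSignatureType:3, bits 4-6, in the order the page lists
SIGNATURE_TYPE = ["None", "Embedded", "Cached", "CatalogCached", "CatalogNotCached",
                  "CatalogHint", "PackageCatalog", "PplMitigated"]
# _PS_PROTECTION: bits 0-2 type, bit 3 audit, bits 4-7 signer
PROTECTED_TYPE = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNER = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                    4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}
# MEMORY_BASIC_INFORMATION.Type values reported in the *VadRegionType fields
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PAGE_EXECUTE_MASK = 0xF0  # PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80)


def decode_signature_level(value):
    """Split a packed *SignatureLevel byte into (level name, signature type)."""
    level = SIGNING_LEVEL.get(value & 0x0F, f"Unknown({value & 0x0F})")
    sig_type = SIGNATURE_TYPE[(value >> 4) & 0x07]   # bit 7 is reserved, masked off
    return level, sig_type


def decode_ps_protection(value):
    """Split a packed PS_PROTECTION byte into (type, audit flag, signer)."""
    ptype = PROTECTED_TYPE.get(value & 0x07, f"Unknown({value & 0x07})")
    audit = bool(value & 0x08)
    signer = PROTECTED_SIGNER.get(value >> 4, f"Unknown({value >> 4})")
    return ptype, audit, signer


def classify_vad(event, prefix):
    """Classify the probe group <prefix>Vad* ('ApcRoutine', 'ApcArgument1', 'Pc', 'Va')."""
    if event.get(f"{prefix}VadQueryResult", 0) != 0:   # probe did not return STATUS_SUCCESS
        return "unresolved"
    rtype = REGION_TYPE.get(event.get(f"{prefix}VadRegionType"), "unknown")
    # AllocationProtect is the protection from the original allocation, not the current one
    executable = bool(event.get(f"{prefix}VadAllocationProtect", 0) & PAGE_EXECUTE_MASK)
    if rtype == "MEM_IMAGE" and event.get(f"{prefix}VadMmfName"):
        return "image-backed"
    if rtype == "MEM_PRIVATE" and executable:
        return "private-executable"   # unbacked executable memory: the shellcode pattern
    return f"{rtype.lower()}-{'x' if executable else 'nx'}"


def triage_apc_event(event):
    """Summarise the fields a responder looks at first in an event 24 record."""
    level, sig_type = decode_signature_level(event["CallingProcessSignatureLevel"])
    ptype, audit, signer = decode_ps_protection(event["CallingProcessProtection"])
    routine = classify_vad(event, "ApcRoutine")
    alertable = event["TargetThreadAlertable"] == 1
    return {
        "caller": f"{signer}/{ptype}" + (" (audit)" if audit else ""),
        "caller_signing": f"{level}/{sig_type}",
        "apc_routine": routine,
        "apc_arg1": classify_vad(event, "ApcArgument1"),
        "alertable": alertable,
        # assumed heuristic: a routine in private executable memory queued to an
        # alertable thread is the combination worth a closer look
        "suspicious": routine == "private-executable" and alertable,
    }


# Constructed from the page's event 24 sample, trimmed to the fields used here
SAMPLE_24 = {
    "CallingProcessSignatureLevel": 30, "CallingProcessProtection": 114,
    "ApcRoutineVadQueryResult": 0, "ApcRoutineVadRegionType": 16777216,
    "ApcRoutineVadAllocationProtect": 128,
    "ApcRoutineVadMmfName": "\\Device\\HarddiskVolume4\\Windows\\System32\\energyprov.dll",
    "ApcArgument1VadQueryResult": 0, "ApcArgument1VadRegionType": 131072,
    "ApcArgument1VadAllocationProtect": 4, "ApcArgument1VadMmfName": "",
    "TargetThreadAlertable": 1,
}

if __name__ == "__main__":
    print(triage_apc_event(SAMPLE_24))
```

On the page's sample the caller decodes as the System process (WinSystem signer, PP type, WindowsTcb level with an embedded signature) and the APC routine sits inside energyprov.dll, so the record is benign despite the alertable target thread.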
Event ID 25: Remote Thread Context Change (Kernel Caller)
#Description
A kernel-mode driver modified a thread's register context in a process via NtSetContextThread. Identical to event 5 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
TargetThreadId UInt32 | Thread ID in the target process. |
TargetThreadCreateTime FILETIME | Creation timestamp of the target thread. |
ContextFlags UInt32 | CONTEXT_* bitmask indicating which register groups are being set (CONTEXT_CONTROL=0x100001, CONTEXT_INTEGER=0x100002, CONTEXT_FULL=0x10000B on AMD64). Bitmask flags |
ContextMask UInt16 | Additional context mask for the operation. |
Pc Pointer | Program counter (RIP on x64) value being set on the target thread. |
Sp Pointer | Stack pointer (RSP on x64) value being set. |
Lr Pointer | Link register value (ARM). Zero on x64. |
Fp Pointer | Frame pointer value (RBP on x64). |
Reg0 Pointer | General-purpose register value (RAX on x64). |
Reg1 Pointer | General-purpose register value (RCX on x64). |
Reg2 Pointer | General-purpose register value (RDX on x64). |
Reg3 Pointer | General-purpose register value (RBX on x64). |
Reg4 Pointer | General-purpose register value (RSI on x64). |
Reg5 Pointer | General-purpose register value (RDI on x64). |
Reg6 Pointer | General-purpose register value (R8 on x64). |
Reg7 Pointer | General-purpose register value (R9 on x64). |
RealEventTime FILETIME | Actual time the operation occurred. May differ from the ETW event timestamp due to buffering. |
PcVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the new instruction pointer address. NTSTATUS reference |
PcVadAllocationBase Pointer | Base address of the VAD entry containing the new instruction pointer. |
PcVadAllocationProtect UInt32 | Original protection of the VAD entry for the instruction pointer address. Bitmask flags |
PcVadRegionType UInt32 | VAD region type for the instruction pointer address. Known values |
PcVadRegionSize Pointer | VAD region size for the instruction pointer address. |
PcVadCommitSize Pointer | Committed size in the VAD region for the instruction pointer address. |
PcVadMmfName UnicodeString | Memory-mapped file path for the instruction pointer address, if any. Empty for unbacked (shellcode) regions. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Threat-Intelligence",
    "guid": "",
    "event_source_name": "",
    "event_id": 25,
    "version": 1,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-09T15:46:16+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 13344,
      "thread_id": 14284
    },
    "channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
    "computer": "JD-WIN11-22H2-1",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CallingProcessCreateTime": "1601-01-01 00:00:00Z",
    "CallingProcessId": 0,
    "CallingProcessProtection": 0,
    "CallingProcessSectionSignatureLevel": 0,
    "CallingProcessSignatureLevel": 0,
    "CallingProcessStartKey": 0,
    "CallingThreadCreateTime": "1601-01-01 00:00:00Z",
    "CallingThreadId": 0,
    "TargetProcessCreateTime": "1601-01-01 00:00:00Z",
    "TargetProcessId": 0,
    "TargetProcessProtection": 0,
    "TargetProcessSectionSignatureLevel": 0,
    "TargetProcessSignatureLevel": 0,
    "TargetProcessStartKey": 0,
    "TargetThreadId": 0
  },
  "message": ""
}
```
Community Notes #
This is the kernel-caller variant of NtSetContextThread. User-mode context changes log as event ID 5; only kernel-mode context changes from inside ntoskrnl reach this event ID, and the kernel restricts that logging to its own ETW registration. To produce a sample, a lab kernel driver registered against the same provider GUID and called EtwWrite directly, which yields placeholder values (zeroed identifiers) and an abbreviated field set (the thread-context registers and PcVad* fields are absent). The sample comes from an earlier capture on a Windows 11 22H2 host.
Event ID 26: Local Virtual Memory Allocation (Kernel Caller)
#Description
A kernel-mode driver allocated virtual memory in a process's own address space via NtAllocateVirtualMemory. Identical to event 6 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original process. Bitmask flags |
OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original process. Bitmask flags |
OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original process. Bitmask flags |
BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
RegionSize Pointer | Size of the memory region in bytes. |
AllocationType UInt32 | Memory allocation type bitmask. Bitmask flags |
ProtectionMask UInt32 | Memory page protection bitmask. Bitmask flags |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Threat-Intelligence",
    "guid": "",
    "event_source_name": "",
    "event_id": 26,
    "version": 1,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-09T15:46:16+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 13344,
      "thread_id": 14284
    },
    "channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
    "computer": "JD-WIN11-22H2-1",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AllocationType": 12288,
    "BaseAddress": "0x7FFE0000",
    "CallingProcessCreateTime": "1601-01-01 00:00:00Z",
    "CallingProcessId": 13344,
    "CallingProcessProtection": 0,
    "CallingProcessSectionSignatureLevel": 0,
    "CallingProcessSignatureLevel": 0,
    "CallingProcessStartKey": 0,
    "CallingThreadCreateTime": "1601-01-01 00:00:00Z",
    "CallingThreadId": 14284,
    "OriginalProcessCreateTime": "1601-01-01 00:00:00Z",
    "OriginalProcessId": 13344,
    "OriginalProcessProtection": 0,
    "OriginalProcessSectionSignatureLevel": 0,
    "OriginalProcessSignatureLevel": 0,
    "OriginalProcessStartKey": 0,
    "ProtectionMask": 64,
    "RegionSize": "0x1000",
    "TargetProcessCreateTime": "1601-01-01 00:00:00Z",
    "TargetProcessId": 13344,
    "TargetProcessProtection": 0,
    "TargetProcessSectionSignatureLevel": 0,
    "TargetProcessSignatureLevel": 0,
    "TargetProcessStartKey": 0
  },
  "message": ""
}
```
Community Notes #
This is the kernel-caller variant of NtAllocateVirtualMemory in the calling process's own address space. User-mode local allocations log as event ID 6; only kernel-mode allocations from inside ntoskrnl reach this event ID, and the kernel restricts that logging to its own ETW registration. To produce a sample, a lab kernel driver registered against the same provider GUID and called EtwWrite directly, which yields the correct manifest layout with placeholder values (zeroed timestamps and start keys). The sample comes from an earlier capture on a Windows 11 22H2 host.
Event ID 27: Local Virtual Memory Protection Change (Kernel Caller)
#Description
A kernel-mode driver changed memory protection in a process's own address space via NtProtectVirtualMemory. Identical to event 7 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
OriginalProcessId UInt32 | Process ID of the process that originally opened or inherited the handle used for this operation. Differs from CallingProcessId when a handle is duplicated or inherited. |
OriginalProcessCreateTime FILETIME | Creation timestamp of the original handle-owning process. |
OriginalProcessStartKey UInt64 | Kernel-assigned unique key for the original handle-owning process. |
OriginalProcessSignatureLevel UInt8 | Code integrity signing level of the original process. Bitmask flags |
OriginalProcessSectionSignatureLevel UInt8 | Minimum DLL signing level of the original process. Bitmask flags |
OriginalProcessProtection UInt8 | PS_PROTECTION byte of the original process. Bitmask flags |
BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
RegionSize UInt64 | Size of the memory region in bytes. |
ProtectionMask UInt32 | Memory page protection bitmask. Bitmask flags |
LastProtectionMask UInt32 | Previous memory page protection before this NtProtectVirtualMemory call. Compare with ProtectionMask to detect RW-to-RX transitions. Bitmask flags |
VaVadQueryResult UInt32 | NTSTATUS result of the VAD probe for the target address. NTSTATUS reference |
VaVadAllocationBase Pointer | Base address of the VAD entry containing the target address. |
VaVadAllocationProtect UInt32 | Original protection flags from the VAD entry (PAGE_* constants from the initial allocation). Bitmask flags |
VaVadRegionType UInt32 | Type of the VAD region (private, mapped, image). Known values |
VaVadRegionSize Pointer | Total size of the VAD region. |
VaVadCommitSize Pointer | Amount of committed (backed by physical memory or pagefile) memory in the VAD region. |
VaVadMmfName UnicodeString | File path of the memory-mapped file backing this VAD region, if any. Empty for private (anonymous) allocations. |
TargetAddress Pointer | Target virtual address within the protection change region (PROTECTVM v3). |
FullRegionSize UInt64 | Full size of the containing memory region (PROTECTVM v3). |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Threat-Intelligence",
    "guid": "",
    "event_source_name": "",
    "event_id": 27,
    "version": 1,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-09T15:46:16+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 13344,
      "thread_id": 14284
    },
    "channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
    "computer": "JD-WIN11-22H2-1",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BaseAddress": "0x7FFE0000",
    "CallingProcessCreateTime": "1601-01-01 00:00:00Z",
    "CallingProcessId": 13344,
    "CallingProcessProtection": 0,
    "CallingProcessSectionSignatureLevel": 0,
    "CallingProcessSignatureLevel": 0,
    "CallingProcessStartKey": 0,
    "CallingThreadCreateTime": "1601-01-01 00:00:00Z",
    "CallingThreadId": 14284,
    "LastProtectionMask": 32,
    "OriginalProcessCreateTime": "1601-01-01 00:00:00Z",
    "OriginalProcessId": 13344,
    "OriginalProcessProtection": 0,
    "OriginalProcessSectionSignatureLevel": 0,
    "OriginalProcessSignatureLevel": 0,
    "OriginalProcessStartKey": 0,
    "ProtectionMask": 0,
    "RegionSize": "0x1000",
    "TargetProcessCreateTime": "1601-01-01 00:00:00Z",
    "TargetProcessId": 13344,
    "TargetProcessProtection": 0,
    "TargetProcessSectionSignatureLevel": 0,
    "TargetProcessSignatureLevel": 0,
    "TargetProcessStartKey": 0
  },
  "message": ""
}
```
Community Notes #
This is the kernel-caller variant of NtProtectVirtualMemory in the calling process's own address space. User-mode local protection changes log as event ID 7; only kernel-mode changes from inside ntoskrnl reach this event ID, and the kernel restricts that logging to its own ETW registration. To produce a sample, a lab kernel driver registered against the same provider GUID and called EtwWrite directly, which yields placeholder values (zeroed timestamps and start keys) and an abbreviated field set (FullRegionSize, TargetAddress, and the VaVad* fields are absent). The sample comes from an earlier capture on a Windows 11 22H2 host.
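The LastProtectionMask comparison the field table above calls for, as an added example that is not code from the page: it labels writable-to-executable, W+X and executable-to-writable transitions in event 27 records (event 7 carries the same two fields). PAGE_* values are the documented Windows constants; the first record is the page's event 27 sample, the others and their addresses are constructed.

```python
"""Added example (not from the original page): compare LastProtectionMask with
ProtectionMask in event 27 / event 7 records and flag the transitions a
responder cares about.  PAGE_* values are the documented Windows constants;
the first record below is the page's event 27 sample, the rest are constructed."""

PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_BASE_MASK = 0xFF   # strips modifier bits such as PAGE_GUARD (0x100) before the lookup

WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def transition(event):
    """Label the old->new protection change, or None when nothing is notable."""
    old = event["LastProtectionMask"] & PAGE_BASE_MASK
    new = event["ProtectionMask"] & PAGE_BASE_MASK
    if new == 0:
        return None                  # placeholder record (the page's sample carries ProtectionMask 0)
    if new in EXECUTABLE and new in WRITABLE:
        return "rwx"                 # writable and executable at once; rare outside JIT engines
    if old in WRITABLE and new in EXECUTABLE:
        return "rw-to-rx"            # staged code: written first, then made executable
    if old in EXECUTABLE and new in WRITABLE:
        return "rx-to-rw"            # code page opened for writing (in-place patching)
    return None


def scan(events):
    """Findings as (TargetProcessId, BaseAddress, RegionSize, label) tuples."""
    findings = []
    for event in events:
        label = transition(event)
        if label:
            findings.append((event["TargetProcessId"], event["BaseAddress"],
                             event["RegionSize"], label))
    return findings


def make_record(pid, base, size, last, new):
    """Trimmed event_data in the page's layout (constructed sample data)."""
    return {"TargetProcessId": pid, "BaseAddress": base, "RegionSize": size,
            "LastProtectionMask": last, "ProtectionMask": new}


SAMPLES = [
    # the page's event 27 sample: LastProtectionMask 32 (PAGE_EXECUTE_READ), placeholder new mask 0
    make_record(13344, "0x7FFE0000", "0x1000", 32, 0),
    # constructed records with made-up addresses
    make_record(4242, "0x1C0A5F10000", "0x3000", PAGE_READWRITE, PAGE_EXECUTE_READ),
    make_record(4242, "0x1C0A5F20000", "0x1000", PAGE_READONLY, PAGE_EXECUTE_READWRITE),
    make_record(5120, "0x7FFF39CE0000", "0x1000", PAGE_EXECUTE_READ, PAGE_READWRITE),
    make_record(5120, "0x1C0A6000000", "0x2000", PAGE_READWRITE, PAGE_READONLY),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

On event 27 the calling and target process are the same, so a finding here is a process changing its own pages; the VaVad* fields, where present, tell whether the region is image-backed or private.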
Event ID 28: Local Section Map (Kernel Caller)
#Description
A kernel-mode driver mapped a section object into a process's own address space via NtMapViewOfSection. Identical to event 8 but the caller is a kernel-mode component.
Fields #
| Name | Description |
|---|---|
CallingProcessId UInt32 | Process ID of the process initiating the operation. |
CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. Bitmask flags |
CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
TargetProcessId UInt32 | Process ID of the target process whose memory or threads are being accessed. |
TargetProcessCreateTime FILETIME | Creation timestamp of the target process. |
TargetProcessStartKey UInt64 | Kernel-assigned unique key for the target process. |
TargetProcessSignatureLevel UInt8 | Code integrity signing level of the target process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). Bitmask flags |
TargetProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the target process. Bitmask flags |
TargetProcessProtection UInt8 | PS_PROTECTION byte of the target process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. Bitmask flags |
BaseAddress Pointer | Virtual address of the memory region being allocated, protected, read, or written. |
ViewSize Pointer | Size of the mapped view in bytes. |
AllocationType UInt32 | Memory allocation type bitmask. Bitmask flags |
ProtectionMask UInt32 | Memory page protection bitmask. Bitmask flags |
Community Notes #
Stub. This is the kernel-caller variant of NtMapViewOfSection in the calling process's own address space; user-mode local section maps log as event ID 8 instead, and only kernel-mode mappings from inside ntoskrnl reach this event ID. Two lab attempts (Windows 11 22H2 and 25H2) registered a separate driver against the same provider GUID and called EtwWrite, but neither lab consumer could decode the resulting records, so no sample is shown.
Event ID 29: Driver Object Patch
#Description
A driver object's dispatch table or other critical structure was written. Fires both for initial DriverEntry dispatch-table registration and for post-load patches that modify the table. The CodeIntegrityOption field indicates the code integrity policy in effect when the write was registered.
Fields #
| Name | Description |
|---|---|
DriverNameLength UInt16 | Length of the DriverName string in bytes. |
DriverName UnicodeString | Full kernel path of the driver (e.g. \Driver\Foo). |
CodeIntegrityOption UInt32 | Code integrity enforcement flag in effect for this driver operation. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Threat-Intelligence",
    "guid": "",
    "event_source_name": "",
    "event_id": 29,
    "version": 1,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-09T17:41:01+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 508
    },
    "channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CodeIntegrityOption": 2630147,
    "DriverName": "\\Driver\\ti_trigger",
    "DriverNameLength": 18
  },
  "message": ""
}
```
Event ID 30: Driver Load
#Description
A driver was loaded into the kernel. Provides the driver file path for integrity and allowlist checks.
Fields #
| Name | Description |
|---|---|
DriverNameLength UInt16 | Length of the DriverName string in bytes. |
DriverName UnicodeString | Full kernel path of the driver (e.g. \Driver\Foo). |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Threat-Intelligence",
    "guid": "",
    "event_source_name": "",
    "event_id": 30,
    "version": 1,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 0,
    "time_created": "2026-06-09T17:42:13+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 952,
      "thread_id": 3020
    },
    "channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DriverName": "\\Driver\\WdNisDrv",
    "DriverNameLength": 16
  },
  "message": ""
}
```
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| EventType | eq | DriverLoad | 2 rules | kusto |
| dcount_DeviceId | le | 5 | 1 rule | kusto |
Detection Rules #
View all rules referencing this event (Kusto; view in coverage).
References #
- ETW manifest XML (Windows 11 24H2, verified identical to 25H2 build 26200) https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Microsoft Recommended Driver Block Rules (WDAC vulnerable-driver blocklist; enforced by HVCI and Smart App Control). Authoritative list to evaluate Driver Load (EID 30) DriverName against for BYOVD detection. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
- Living Off The Land Drivers (LOLDrivers). Community catalog of vulnerable and malicious drivers with SHA256 hashes and Authenticode metadata for cross-referencing EID 30 DriverName and load events. https://www.loldrivers.io/
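The driver lifecycle events above (29 dispatch-table write, 30 load, 31/32 device create and delete) are most useful when grouped per DriverName across a fleet. The following is an added example, hypothetical helper code rather than anything from the provider or a vendor: it flags a second EID 29 for the same driver on the same host (the post-load patch case the event description covers) and drivers present on at most 5 hosts, mirroring the `dcount_DeviceId le 5` indicator. The sample records reuse the two drivers shown on this page; the extra hosts and the second ti_trigger write are constructed.

```python
"""Driver lifecycle triage over Threat-Intelligence event IDs 29-32.

Added example (hypothetical helper, not provider or vendor code). Each record
is (event_id, time_created, computer, DriverName, DriverNameLength), taken
from the flattened event_data shown on this page; hosts beyond DESKTOP-FF3N5XK
and the second ti_trigger write are constructed.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    (29, "2026-06-09T17:41:01+00:00", "DESKTOP-FF3N5XK", "\\Driver\\ti_trigger", 18),
    (31, "2026-06-09T17:41:01+00:00", "DESKTOP-FF3N5XK", "\\Driver\\ti_trigger", 18),
    (30, "2026-06-09T17:42:13+00:00", "DESKTOP-FF3N5XK", "\\Driver\\WdNisDrv", 16),
    (32, "2026-06-09T17:42:13+00:00", "DESKTOP-FF3N5XK", "\\Driver\\WdNisDrv", 16),
    # constructed: a second dispatch-table write for ti_trigger long after load
    (29, "2026-06-09T17:55:40+00:00", "DESKTOP-FF3N5XK", "\\Driver\\ti_trigger", 18),
]
# constructed: six more hosts load WdNisDrv, so it is a fleet-wide driver
SAMPLE_EVENTS += [
    (30, "2026-06-09T18:00:00+00:00", f"HOST-{n:02d}", "\\Driver\\WdNisDrv", 16)
    for n in range(6)
]


def name_length_consistent(name, declared_length):
    """Check the decoded DriverName against its length field.

    In the samples on this page the field equals the character count
    (16 for \\Driver\\WdNisDrv, 18 for \\Driver\\ti_trigger), so a parser
    should compare it with len(name), not with the UTF-16 byte count."""
    return len(name) == declared_length


def driver_timelines(events):
    """Group records by DriverName into sorted (time, event_id, host) entries."""
    timelines = defaultdict(list)
    for eid, ts, host, name, _length in events:
        timelines[name].append((ts, eid, host))
    for entries in timelines.values():
        entries.sort()
    return timelines


def repeated_dispatch_writes(events):
    """Drivers whose dispatch table was written more than once on one host.

    EID 29 fires once for the DriverEntry registration; any later 29 for the
    same driver on the same host is the post-load patch case that the event
    description also covers."""
    writes = defaultdict(int)
    for eid, _ts, host, name, _length in events:
        if eid == 29:
            writes[(host, name)] += 1
    return sorted({name for (_host, name), n in writes.items() if n > 1})


def low_prevalence_drivers(events, max_hosts=5):
    """DriverNames present on at most max_hosts distinct hosts.

    Mirrors the dcount_DeviceId <= 5 predicate under Common Indicators: a
    driver seen on a handful of machines is the BYOVD candidate to check
    against the Microsoft block rules and LOLDrivers, while one present
    across the fleet is usually a platform component such as WdNisDrv."""
    hosts = defaultdict(set)
    for eid, _ts, host, name, _length in events:
        if eid in (29, 30, 31):  # any of these proves the driver is on the host
            hosts[name].add(host)
    return sorted(name for name, seen in hosts.items() if len(seen) <= max_hosts)
```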
Event ID 31: Device Object Create
#Description
A device object was created by a driver. Provides the driver name and the new device object name.
Fields #
| Name | Description |
|---|---|
| DriverNameLength UInt16 | Length of the DriverName string in bytes. |
| DriverName UnicodeString | Full kernel path of the driver (e.g. \Driver\Foo). |
| DeviceNameLength UInt16 | Length of the DeviceName string in bytes. |
| DeviceName UnicodeString | Name of the device object (e.g. \Device\Foo). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 31,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T17:41:01+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 508
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DeviceName": "\\Device\\TiTrigger",
"DeviceNameLength": 17,
"DriverName": "\\Driver\\ti_trigger",
"DriverNameLength": 18
},
"message": ""
}
Event ID 32: Device Object Delete
#Description
A device object was deleted. Provides the driver name and the removed device object name.
Fields #
| Name | Description |
|---|---|
| DriverNameLength UInt16 | Length of the DriverName string in bytes. |
| DriverName UnicodeString | Full kernel path of the driver (e.g. \Driver\Foo). |
| DeviceNameLength UInt16 | Length of the DeviceName string in bytes. |
| DeviceName UnicodeString | Name of the device object (e.g. \Device\Foo). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Threat-Intelligence",
"guid": "",
"event_source_name": "",
"event_id": 32,
"version": 1,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2026-06-09T17:42:13+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 368
},
"channel": "Microsoft-Windows-Threat-Intelligence/Analytic",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DeviceName": "\\Device\\wdnisdrv",
"DeviceNameLength": 16,
"DriverName": "\\Driver\\WdNisDrv",
"DriverNameLength": 16
},
"message": ""
}
Event ID 33: Thread Token Impersonation (Elevation)
#Description
A thread applied an impersonation token with a higher integrity level than its own. Tracks the full token state before and after the impersonation. Requires EnableProcessImpersonationLogging to be set on the process. The impersonation token is stored per-thread on the kernel thread-control structure (ETHREAD), not on the process, so a single process can have multiple threads carrying different impersonation tokens at the same time. Correlate a matched 33 with its 34 revert using the tuple (CallingProcessId, CallingThreadId, CallingThreadCreateTime); PID alone is insufficient (Russinovich, Windows Internals Part 1, Ch 7, Tokens and impersonation).
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| PreviousTokenQueryResult UInt32 | NTSTATUS result of querying the thread's token before the impersonation change. |
| PreviousTokenType UInt32 | Token type before the change. |
| PreviousTokenElevation UInt32 | Whether the previous token was elevated (1=elevated). |
| PreviousTokenElevationType UInt32 | Elevation type of the previous token. |
| PreviousTokenImpersonationLevel UInt32 | Impersonation level of the previous token. |
| PreviousTokenUser SID | SID of the user associated with the previous token. |
| PreviousTokenTrustLevelCount UInt32 | Number of trust-level SIDs in the previous token. |
| PreviousTokenTrustLevel SID | Trust level SID of the previous token. |
| PreviousTokenIntegrityLevel UInt32 | Integrity level RID of the previous token. |
| PreviousTokenSessionId UInt32 | Windows session ID of the previous token. |
| PreviousTokenLowBoxNumber UInt32 | AppContainer LowBox number of the previous token. 0 if not an AppContainer. |
| PreviousTokenAuthenticationId HexInt64 | Logon session identifier (LUID) of the previous token. |
| PreviousTokenGroupsCount UInt32 | Number of group SIDs in the previous token. |
| PreviousTokenGroups SID | Group SIDs in the previous token. |
| CurrentTokenQueryResult UInt32 | NTSTATUS result of querying the thread's token after the impersonation change. |
| CurrentTokenType UInt32 | Token type after the change. |
| CurrentTokenElevation UInt32 | Whether the current token is elevated (1=elevated). |
| CurrentTokenElevationType UInt32 | Elevation type of the current token. |
| CurrentTokenImpersonationLevel UInt32 | Impersonation level of the current token. |
| CurrentTokenUser SID | SID of the user associated with the current token. |
| CurrentTokenTrustLevelCount UInt32 | Number of trust-level SIDs in the current token. |
| CurrentTokenTrustLevel SID | Trust level SID of the current token. |
| CurrentTokenIntegrityLevel UInt32 | Integrity level RID of the current token. |
| CurrentTokenSessionId UInt32 | Windows session ID of the current token. |
| CurrentTokenLowBoxNumber UInt32 | AppContainer LowBox number of the current token. |
| CurrentTokenAuthenticationId HexInt64 | Logon session identifier (LUID) of the current token. |
| CurrentTokenGroupsCount UInt32 | Number of group SIDs in the current token. |
| CurrentTokenGroups SID | Group SIDs in the current token. |
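The two packed bytes in the table above, CallingProcessSignatureLevel and CallingProcessProtection, decode as follows. This is an added example, not provider code: the bit layout is the one the field descriptions give, the SignatureType names are the eight listed there, and the level and signer names are the public SE_SIGNING_LEVEL_* and PS_PROTECTED_* constants.

```python
"""Decode the packed CallingProcessSignatureLevel and CallingProcessProtection bytes.

Added example, not provider code. Bit layouts follow the field descriptions
on this page; names are the public SE_SIGNING_LEVEL_* / PS_PROTECTED_* values.
"""
SIGNING_LEVELS = {0: "Unchecked", 1: "Unsigned", 2: "Enterprise", 3: "Custom1",
                  4: "Authenticode", 5: "Custom2", 6: "Store", 7: "Antimalware",
                  8: "Microsoft", 9: "Custom4", 10: "Custom5", 11: "DynamicCodegen",
                  12: "Windows", 13: "Custom7", 14: "WindowsTcb", 15: "Custom6"}
# ImageSignatureType:3, in the order the field description lists them
SIGNATURE_TYPES = ["None", "Embedded", "Cached", "CatalogCached", "CatalogNotCached",
                   "CatalogHint", "PackageCatalog", "PplMitigated"]
PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
PROTECTED_SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                     4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}


def decode_signature_level(value):
    """Low 4 bits: signing level; bits 4-6: signature type; bit 7: reserved."""
    level = value & 0x0F
    sig_type = (value >> 4) & 0x07
    return {"level": SIGNING_LEVELS[level], "level_value": level,
            "signature_type": SIGNATURE_TYPES[sig_type],
            "reserved_bit_set": bool(value & 0x80)}


def decode_protection(value):
    """Bits 0-2: type (PPL or PP); bit 3: audit flag; bits 4-7: signer."""
    ptype = value & 0x07
    signer = (value >> 4) & 0x0F
    return {"type": PROTECTED_TYPES.get(ptype, f"Unknown({ptype})"),
            "audit": bool(value & 0x08),
            "signer": PROTECTED_SIGNERS.get(signer, f"Unknown({signer})")}


def is_ppl_antimalware(protection_byte):
    """True for the 0x31 pattern the table calls out: PPL type, Antimalware signer."""
    decoded = decode_protection(protection_byte)
    return decoded["type"] == "ProtectedLight" and decoded["signer"] == "Antimalware"
```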
Community Notes #
The lab capture's ETW consumer subscribed to keyword bits 0-27 (keywords_any=0x0FFFFFFF), but this event's keyword lives at bit 38, so the lab driver's test emission did not reach the consumer and no sample is shown. Natural emission also requires the per-process EnableProcessImpersonationLogging policy to be set on the target process.
References #
- ETW manifest XML (Windows 11 24H2). Manifest definition for event IDs 33-36 is sourced from a live 25H2 build 26200 host (the 24H2 26100 manifest does not include them). https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Behind the Mask: Unpacking Impersonation Events (Jonathan Johnson) https://jonny-johnson.medium.com/behind-the-mask-unpacking-impersonation-events-fca909e08d00
- MS Learn Mandatory Integrity Control RIDs https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
Event ID 34: Thread Impersonation Revert
#Description
A thread reverted to its original token by calling RevertToSelf, removing the impersonation token. Correlate with event 33 or 36 using CallingProcessId and CallingThreadId.
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
Community Notes #
The lab capture's ETW consumer subscribed to keyword bits 0-27 (keywords_any=0x0FFFFFFF), but this event's keyword lives at bit 39, so the lab driver's test emission did not reach the consumer and no sample is shown. Pair this event with event ID 33 or 36 by CallingProcessId and CallingThreadId to close out an impersonation window.
References #
- ETW manifest XML (Windows 11 24H2). Manifest definition for event IDs 33-36 is sourced from a live 25H2 build 26200 host (the 24H2 26100 manifest does not include them). https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Behind the Mask: Unpacking Impersonation Events (Jonathan Johnson) https://jonny-johnson.medium.com/behind-the-mask-unpacking-impersonation-events-fca909e08d00
Event ID 35: Syscall from Sandboxed Token
#Description
A thread with a sandboxed (AppContainer or LowBox) token invoked a monitored system call. The SyscallEnum field identifies the specific syscall.
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| SessionId UInt32 | Windows session ID of the calling process. |
| SyscallEnum UInt32 | System call number being invoked by the sandboxed process. |
| IsSandboxedToken Boolean | Whether the calling thread's token is sandboxed (AppContainer/LowBox). |
Community Notes #
The lab capture's ETW consumer subscribed to keyword bits 0-27 (keywords_any=0x0FFFFFFF), but this event's keyword lives at bit 40, so the lab driver's test emission did not reach the consumer and no sample is shown. Natural emission also requires the per-process sandbox-syscall instrumentation policy to be enabled and a syscall in the kernel's monitored set.
References #
- ETW manifest XML (Windows 11 24H2). Manifest definition for event IDs 33-36 is sourced from a live 25H2 build 26200 host (the 24H2 26100 manifest does not include them). https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Behind the Mask: Unpacking Impersonation Events (Jonathan Johnson) https://jonny-johnson.medium.com/behind-the-mask-unpacking-impersonation-events-fca909e08d00
- j00ru Windows x64 NT syscall table. Maps the SyscallEnum integer to NtXxx function names per Windows build for decoding what the sandboxed process actually attempted. https://j00ru.vexillium.org/syscalls/nt/64/
Event ID 36: Thread Token Impersonation (De-escalation)
#Description
A thread applied an impersonation token with a lower integrity level than its own. Tracks the full token state before and after the impersonation. Requires EnableProcessImpersonationLogging to be set on the process. The impersonation token is stored per-thread on the kernel thread-control structure (ETHREAD), not on the process, so a single process can have multiple threads carrying different impersonation tokens at the same time. Correlate a matched 36 with its 34 revert using the tuple (CallingProcessId, CallingThreadId, CallingThreadCreateTime); PID alone is insufficient (Russinovich, Windows Internals Part 1, Ch 7, Tokens and impersonation).
Fields #
| Name | Description |
|---|---|
| CallingProcessId UInt32 | Process ID of the process initiating the operation. |
| CallingProcessCreateTime FILETIME | Creation timestamp of the calling process. With CallingProcessId, uniquely identifies the process instance. |
| CallingProcessStartKey UInt64 | Kernel-assigned unique key for the calling process. Survives PID reuse. |
| CallingProcessSignatureLevel UInt8 | Code integrity signing level of the calling process executable. Packed byte where the low 4 bits hold the SE_SIGNING_LEVEL enum, bits 4-6 hold the SignatureType (3-bit field per WDK IMAGE_INFO ImageSignatureType:3; values None, Embedded, Cached, CatalogCached, CatalogNotCached, CatalogHint, PackageCatalog, PplMitigated), and bit 7 stays reserved. A real value such as 60 (0x3C) decodes as Windows level (0x0C) with CatalogCached signature type (bits 4-6 = 0x3, packed as 0x30). |
| CallingProcessSectionSignatureLevel UInt8 | Minimum signing level required for DLLs loaded into the calling process. |
| CallingProcessProtection UInt8 | PS_PROTECTION byte of the calling process. Packed _PS_PROTECTION struct where bits 0-2 hold the type (PPL or PP), bit 3 the audit flag, and bits 4-7 the signer. A real value such as 49 (0x31) decodes as Antimalware signer with PPL type. |
| CallingThreadId UInt32 | Thread ID within the calling process that initiated the operation. |
| CallingThreadCreateTime FILETIME | Creation timestamp of the calling thread. |
| PreviousTokenQueryResult UInt32 | NTSTATUS result of querying the thread's token before the impersonation change. |
| PreviousTokenType UInt32 | Token type before the change. |
| PreviousTokenElevation UInt32 | Whether the previous token was elevated (1=elevated). |
| PreviousTokenElevationType UInt32 | Elevation type of the previous token. |
| PreviousTokenImpersonationLevel UInt32 | Impersonation level of the previous token. |
| PreviousTokenUser SID | SID of the user associated with the previous token. |
| PreviousTokenTrustLevelCount UInt32 | Number of trust-level SIDs in the previous token. |
| PreviousTokenTrustLevel SID | Trust level SID of the previous token. |
| PreviousTokenIntegrityLevel UInt32 | Integrity level RID of the previous token. |
| PreviousTokenSessionId UInt32 | Windows session ID of the previous token. |
| PreviousTokenLowBoxNumber UInt32 | AppContainer LowBox number of the previous token. 0 if not an AppContainer. |
| PreviousTokenAuthenticationId HexInt64 | Logon session identifier (LUID) of the previous token. |
| PreviousTokenGroupsCount UInt32 | Number of group SIDs in the previous token. |
| PreviousTokenGroups SID | Group SIDs in the previous token. |
| CurrentTokenQueryResult UInt32 | NTSTATUS result of querying the thread's token after the impersonation change. |
| CurrentTokenType UInt32 | Token type after the change. |
| CurrentTokenElevation UInt32 | Whether the current token is elevated (1=elevated). |
| CurrentTokenElevationType UInt32 | Elevation type of the current token. |
| CurrentTokenImpersonationLevel UInt32 | Impersonation level of the current token. |
| CurrentTokenUser SID | SID of the user associated with the current token. |
| CurrentTokenTrustLevelCount UInt32 | Number of trust-level SIDs in the current token. |
| CurrentTokenTrustLevel SID | Trust level SID of the current token. |
| CurrentTokenIntegrityLevel UInt32 | Integrity level RID of the current token. |
| CurrentTokenSessionId UInt32 | Windows session ID of the current token. |
| CurrentTokenLowBoxNumber UInt32 | AppContainer LowBox number of the current token. |
| CurrentTokenAuthenticationId HexInt64 | Logon session identifier (LUID) of the current token. |
| CurrentTokenGroupsCount UInt32 | Number of group SIDs in the current token. |
| CurrentTokenGroups SID | Group SIDs in the current token. |
Community Notes #
The lab capture's ETW consumer subscribed to keyword bits 0-27 (keywords_any=0x0FFFFFFF), but this event's keyword lives at bit 42, so the lab driver's test emission did not reach the consumer and no sample is shown. Natural emission also requires the per-process EnableProcessImpersonationLogging policy to be set on the target process.
References #
- ETW manifest XML (Windows 11 24H2). Manifest definition for event IDs 33-36 is sourced from a live 25H2 build 26200 host (the 24H2 26100 manifest does not include them). https://raw.githubusercontent.com/nasbench/EVTX-ETW-Resources/main/ETWProvidersManifests/Windows11/24H2/W11_24H2_Pro_2024102_26100.1742/WEPExplorer/Microsoft-Windows-Threat-Intelligence.xml
- Behind the Mask: Unpacking Impersonation Events (Jonathan Johnson) https://jonny-johnson.medium.com/behind-the-mask-unpacking-impersonation-events-fca909e08d00
- MS Learn Mandatory Integrity Control RIDs https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
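Events 33 and 36 each open an impersonation window that event 34 closes, and their Community Notes all describe the same collection gap: keyword bits 38, 39, 40 and 42 sit outside a 0x0FFFFFFF MatchAnyKeyword. The following is an added example (hypothetical code, not the provider's or any tool's) that pairs a 33/36 with its 34 on the (CallingProcessId, CallingThreadId, CallingThreadCreateTime) tuple, shows why a recycled TID must not close someone else's window, and computes the keyword mask a consumer needs. All records are constructed.

```python
"""Close impersonation windows (33/36 -> 34) and size the ETW keyword mask.

Added example, hypothetical code rather than the provider's own. Sample
records are constructed; field names are those of the schemas above, and
the keyword bit positions are the ones stated in the Community Notes.
"""

KEYWORD_BITS = {33: 38, 34: 39, 35: 40, 36: 42}
LAB_KEYWORDS_ANY = 0x0FFFFFFF  # the lab consumer's MatchAnyKeyword: bits 0-27 only


def keywords_any_for(event_ids):
    """MatchAnyKeyword value that covers every listed event ID."""
    mask = 0
    for eid in event_ids:
        mask |= 1 << KEYWORD_BITS[eid]
    return mask


def missed_by_mask(mask):
    """Event IDs whose keyword bit is clear in mask; the lab mask misses all four."""
    return sorted(eid for eid, bit in KEYWORD_BITS.items() if not mask & (1 << bit))


def _ev(eid, secs, pid, tid, thread_create):
    """Constructed record carrying only the fields the correlation needs."""
    return {"event_id": eid, "time_created": f"2026-06-09T17:50:{secs:02d}+00:00",
            "CallingProcessId": pid, "CallingThreadId": tid,
            "CallingThreadCreateTime": thread_create}


SAMPLE_EVENTS = [
    _ev(33, 0, 1234, 100, 134000000000000000),  # elevation on thread 100
    _ev(34, 2, 1234, 100, 134000000000000000),  # its RevertToSelf closes the window
    _ev(36, 5, 1234, 300, 134000000050000000),  # de-escalation on thread 300
    # TID 300 recycled by a newer thread: same PID and TID, different create
    # time, so this 34 must not be taken as the revert for the 36 above
    _ev(34, 9, 1234, 300, 134000000090000000),
]


def pair_impersonation_windows(events):
    """Match each 33/36 to the next 34 on the same thread instance.

    The key is (CallingProcessId, CallingThreadId, CallingThreadCreateTime):
    the token lives on the ETHREAD, so PID alone cannot separate two threads
    of one process, and the create time separates a recycled TID from the
    thread that really impersonated. Returns (closed_windows, still_open)."""
    open_by_thread, closed = {}, []
    for ev in sorted(events, key=lambda e: e["time_created"]):
        key = (ev["CallingProcessId"], ev["CallingThreadId"],
               ev["CallingThreadCreateTime"])
        if ev["event_id"] in (33, 36):
            open_by_thread[key] = ev  # a new token on an open thread replaces it
        elif ev["event_id"] == 34:
            start = open_by_thread.pop(key, None)
            if start is not None:  # a 34 with no open 33/36 is left unmatched
                closed.append({"key": key, "kind": start["event_id"],
                               "start": start["time_created"],
                               "end": ev["time_created"]})
    return closed, list(open_by_thread.values())
```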
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID f4e1897c-bb5d-5668-f1d8-040f4d8dd344
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02
- Win11-26200, sample captured from a live trace, captured 2026-06-09
Lab capture on Windows 11 25H2 (build 26200). Captured using SealighterTI and PPLRunner.