MsiInstaller
46 events across 1 channel
Event ID 1001: Detection of product '%1', feature '%2' failed during request for component '%3'
#Event ID 1002: Unexpected or missing value (name: '%1', value: '%2') in key '%3'
#Event ID 1003: Unexpected or missing subkey '%1' in key '%2'
#Event ID 1005: Install operation initiated a reboot
#Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-26T23:25:02.000000Z",
"event_record_id": 1185,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": "S-1-5-21-3463664321-2923530833-3546627382-1000"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1006: Verification of the digital signature for cabinet '%1' cannot be performed.
#Description
Verification of the digital signature for cabinet '%1' cannot be performed. WinVerifyTrust is not available on the computer.
Message #
Event ID 1008: The installation of %1 is not permitted due to an error in software restriction policy processing.
#Description
The installation of is not permitted due to an error in software restriction policy processing. The object cannot be trusted.
Message #
Event ID 1012: This version of Windows does not support deploying 64-bit packages.
#Description
This version of Windows does not support deploying 64-bit packages. The script '%1' is for a 64-bit package.
Message #
Event ID 1013: {Unhandled exception report}
#Event ID 1014: Windows Installer proxy information not registered correctly
#Event ID 1015: Failed to connect to server.
#Description
Failed to connect to server. Error: %d.
Message #
Event ID 1016: Detection of product '%1', feature '%2', component '%3' failed.
#Description
Detection of product '%1', feature '%2', component '%3' failed. The resource '%4' in a run-from-source component could not be located because no valid and accessible source could be found.
Message #
Event ID 1017: User SID had changed from '%1' to '%2' but the managed app and the user data keys cannot be updated.
#Description
User SID had changed from '%1' to '%2' but the managed app and the user data keys cannot be updated. Error = '%3'.
Message #
Event ID 1018: The application '%1' cannot be installed because it is not compatible with this version of Windows.
#Event ID 1019: Product: %1 - Update '%2' was successfully removed.
#Event ID 1020: Product: %1 - Update '%2' could not be removed.
#Description
Product: %1 - Update '%2' could not be removed. Error code %3. Additional information is available in the log file %4.
Message #
Event ID 1021: Product: %1 - Update '%2' could not be removed.
#Description
Product: %1 - Update '%2' could not be removed. Error code %3.
Message #
Event ID 1022: Product: Microsoft .
#Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1022,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T18:31:57+00:00",
"event_record_id": 267,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": [
"Microsoft .NET Framework 4 Client Profile",
"KB2789642",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)"
],
"Binary": "ezNDMzkwMUM1LTM0NTUtM0UwQS1BMjE0LTBCMDkzQTUwNzBBNn0ge0I3QzIwRTE2LTlBM0EtM0YwNS1BNkI1LUUxNUFBMDkyMDBFMH0="
},
"message": "Product: Microsoft .NET Framework 4 Client Profile - Update 'KB2789642' installed successfully."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1023: Product: %1 - Update '%2' could not be installed.
#Description
Product: %1 - Update '%2' could not be installed. Error code %3. Additional information is available in the log file %4.
Message #
Event ID 1024: Product: %1 - Update '%2' could not be installed.
#Description
Product: %1 - Update '%2' could not be installed. Error code %3.
Message #
Event ID 1025: Product: VMware Tools.
#Description
Product: . The file is being used by the following process: Name: , Id .
Message #
Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1025,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:30:14.286069+00:00",
"event_record_id": 1510,
"correlation": {},
"execution": {
"process_id": 7244,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": [
"VMware Tools",
"C:\\Program Files\\VMware\\VMware Tools\\plugins\\vmsvc\\vmbackup.dll",
"vmtoolsd",
"3188",
"(NULL)",
"(NULL)"
],
"Binary": "e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0="
},
"message": "Product: VMware Tools. The file C:\\Program Files\\VMware\\VMware Tools\\plugins\\vmsvc\\vmbackup.dll is being used by the following process: Name: vmtoolsd , Id 3188."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1026: Windows Installer has determined that its configuration data registry key was not secured properly.
#Message #
Event ID 1027: Windows Installer has determined that a registry sub key %1 within its configuration data was not secured properly.
#Message #
Event ID 1028: Windows Installer has determined that its configuration data cache folder was not secured properly.
#Message #
Event ID 1029: Product: VMware Tools.
#Description
Product: . Restart required.
Message #
Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1029,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:30:57.687962+00:00",
"event_record_id": 1527,
"correlation": {},
"execution": {
"process_id": 7244,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": [
"VMware Tools",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)"
],
"Binary": "e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0sIDMwMTA="
},
"message": "Product: VMware Tools. Restart required. The installation or update for the product required a restart for all changes to take effect. The restart was deferred to a later time."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1031: Product assembly component in use
#Description
Product: %1. The assembly '%2' for component '%3' is in use.
Message #
Event ID 1032: An error occurred while refreshing environment variables updated during the installation of 'Data_0'.
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Data_3 | |
Data_4 | |
Data_5 | |
Data_6 | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1032,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T00:29:59.405233+00:00",
"event_record_id": 1937,
"correlation": {},
"execution": {
"process_id": 11432,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"Data_0": "",
"Data_1": "(NULL)",
"Data_2": "(NULL)",
"Data_3": "(NULL)",
"Data_4": "(NULL)",
"Data_5": "(NULL)",
"Data_6": "",
"Binary": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1033: Windows Installer installed the product.
#Description
Product: . Version: . Language: . Installation completed with status: . Manufacturer: .
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
Data_0 | ||
Data_1 | ||
Data_2 | ||
Data_3 | ||
Data_4 | ||
Data_5 | ||
Data_6 | ||
Data | 1 detection rule | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1033,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-28T02:32:08.3090211+00:00",
"event_record_id": 218,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
}
},
"event_data": {
"Data_0": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
"Data_1": "14.44.35211",
"Data_2": "1033",
"Data_3": "0",
"Data_4": "Microsoft Corporation",
"Data_5": "(NULL)",
"Data_6": ""
},
"message": "Windows Installer installed the product. Product Name: Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211. Product Version: 14.44.35211. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0."
}
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | eq | MsiInstaller | 2 rules | sigma |
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Splunk # view in coverage
Event ID 1034: Product: Data_0.
#Description
Product: Data_0. Version: Data_1. Language: Data_2. Removal completed with status: Data_3. Manufacturer: Data_4.
Message #
Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Data_3 | |
Data_4 | |
Data_5 | |
Data_6 | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1034,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T00:55:30.989129+00:00",
"event_record_id": 1972,
"correlation": {},
"execution": {
"process_id": 12792,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data_0": "Avira",
"Data_1": "1.2.166.28430",
"Data_2": "1033",
"Data_3": "0",
"Data_4": "Avira Operations GmbH & Co. KG",
"Data_5": "(NULL)",
"Data_6": "",
"Binary": "7B36463131434143332D443333442D343336302D423133392D3733463332373641324239417D3030303032646464353631343830653530323239613162623366626534343539323961643030303030393034"
},
"message": ""
}
Detection Patterns #
Impact: Service Stop
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | eq | MsiInstaller | 1 rule | sigma |
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1035: Windows Installer reconfigured the product.
#Description
Product: . Version: . Language: . Configuration change completed with status: . Manufacturer: .
Message #
Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1035,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2025-12-31T19:37:29.772246+00:00",
"event_record_id": 135,
"correlation": {},
"execution": {
"process_id": 6696,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Data": [
"Virtio-win-driver-installer",
"0.1.240",
"1033",
"0",
"Red Hat, Inc.",
"(NULL)"
],
"Binary": "ezhDQUNCNjU3LTA4RTEtNDlEMS1BMTAwLUZCRUI3NTkxNTJFNX0wMDAwMDkzYjVmYjVmOGEwYjRhYTNjNzllNWI2MDRlYmQ4M2QwMDAwMDkwNA=="
},
"message": "Windows Installer reconfigured the product. Product Name: Virtio-win-driver-installer. Product Version: 0.1.240. Product Language: 1033. Manufacturer: Red Hat, Inc.. Reconfiguration success or error status: 0."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1036: Windows Installer installed an update.
#Description
Product: . Version: . Language: . Update: . Update installation completed with status: . Manufacturer: .
Message #
Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1036,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2013-10-23T18:31:57+00:00",
"event_record_id": 268,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": [
"Microsoft .NET Framework 4 Client Profile",
"4.0.30319",
"0",
"KB2789642",
"0",
"Microsoft Corporation"
],
"Binary": "ezNDMzkwMUM1LTM0NTUtM0UwQS1BMjE0LTBCMDkzQTUwNzBBNn0wMDAwZDJlYmY0NjgzMWQyY2IzMjlhZjc2NzI5M2ViMjBjZmQwMDAwMDAwMA=="
},
"message": "Windows Installer installed an update. Product Name: Microsoft .NET Framework 4 Client Profile. Product Version: 4.0.30319. Product Language: 0. Manufacturer: Microsoft Corporation. Update Name: KB2789642. Installation success or error status: 0."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1037: Product update removal completed
#Description
Product: . Version: . Language: . Update: . Update removal completed with status: . Manufacturer: .
Message #
Event ID 1038: Windows Installer requires a system restart.
#Description
Product: . Version: . Language: . Reboot required. Reboot Type: . Reboot Reason: . Manufacturer: .
Message #
Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1038,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:30:57.687221+00:00",
"event_record_id": 1526,
"correlation": {},
"execution": {
"process_id": 7244,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": [
"VMware Tools",
"12.3.0.22234872",
"1033",
"2",
"1",
"VMware, Inc."
],
"Binary": "e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0wMDAwMDU3NWRlNDhkMWMwMDc0MzgxYmNjODViZDhmNzNlMDYwMDAwMDkwNA=="
},
"message": "Windows Installer requires a system restart. Product Name: VMware Tools. Product Version: 12.3.0.22234872. Product Language: 1033. Manufacturer: VMware, Inc.. Type of System Restart: 2. Reason for Restart: 1."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1040: Beginning a Windows Installer transaction: %0
#Fields #
| Name | Description | Rules |
|---|---|---|
Data_0 | ||
Data_1 | ||
Data_2 | ||
Data_3 | ||
Data_4 | ||
Data_5 | ||
Data_6 | ||
Data | 8 detection rules |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1040,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T13:56:24.8742908+00:00",
"event_record_id": 736,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data_0": "{BDD79957-5801-4A2D-B09E-852E7FA64D01}",
"Data_1": "3648",
"Data_2": "(NULL)",
"Data_3": "(NULL)",
"Data_4": "(NULL)",
"Data_5": "(NULL)",
"Data_6": ""
},
"message": "Beginning a Windows Installer transaction: {BDD79957-5801-4A2D-B09E-852E7FA64D01}. Client Process Id: 3648."
}
Detection Patterns #
Remote Msi Installation
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
CommandLine | is_not_null | | 1 rule | elastic, kusto, splunk |
CommandLine | match | (?i)\w+tps?://\S+\.msi | 2 rules | splunk |
Provider_Name | eq | MsiInstaller | 2 rules | sigma |
message | match | (?i)\w+tps?://\S+\.msi | 2 rules | splunk |
signature_id | contains | 1040|1042 | 2 rules | splunk |
signature_id | contains | 4688 | 2 rules | splunk |
Data | contains | \desktop\ | 1 rule | sigma |
Data | contains | \perflogs\ | 1 rule | sigma |
Data | contains | \users\public\ | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Splunk # view in coverage
Event ID 1042: Ending a Windows Installer transaction: %0
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Data_3 | |
Data_4 | |
Data_5 | |
Data_6 | |
Data |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 1042,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-06-13T13:56:24.8899212+00:00",
"event_record_id": 737,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data_0": "{BDD79957-5801-4A2D-B09E-852E7FA64D01}",
"Data_1": "3648",
"Data_2": "(NULL)",
"Data_3": "(NULL)",
"Data_4": "(NULL)",
"Data_5": "(NULL)",
"Data_6": ""
},
"message": "Ending a Windows Installer transaction: {BDD79957-5801-4A2D-B09E-852E7FA64D01}. Client Process Id: 3648."
}
Detection Patterns #
Remote Msi Installation
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
CommandLine | match | (?i)\w+tps?://\S+\.msi | 2 rules | splunk |
Provider_Name | eq | MsiInstaller | 2 rules | sigma |
message | match | (?i)\w+tps?://\S+\.msi | 2 rules | splunk |
signature_id | contains | 1040|1042 | 2 rules | splunk |
signature_id | contains | 4688 | 2 rules | splunk |
Data | contains | \desktop\ | 1 rule | sigma |
Data | contains | \perflogs\ | 1 rule | sigma |
Data | contains | \users\public\ | 1 rule | sigma |
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Event ID 1044: %1 is not Microsoft signed.
#Description
is not Microsoft signed. So, rejecting per the Windows Lockdown Policy.
Message #
Event ID 10005: The installer has encountered an unexpected error installing this package.
#Description
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is [1]. {{The arguments are: [2], [3], [4]}}.
Message #
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 10005,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2016-08-30T15:21:35.000000Z",
"event_record_id": 1723,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": "S-1-5-21-3463664321-2923530833-3546627382-1000"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11704: Product: VMware Tools -- Error 1704.
#Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11704,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-05T22:29:54.331227+00:00",
"event_record_id": 1487,
"correlation": {},
"execution": {
"process_id": 7244,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": [
"Product: VMware Tools -- Error 1704. An installation for VMware Tools is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)"
],
"Binary": "e0FGMTc0RTY0LTIyQ0YtNDM4Ni1BOUVDLTczRjI4NTczOTk5OH0="
},
"message": "Product: VMware Tools -- Error 1704. An installation for VMware Tools is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?"
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11707: Product: Python 3.
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Data_3 | |
Data_4 | |
Data_5 | |
Data_6 | |
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11707,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-28T02:32:08.3090211+00:00",
"event_record_id": 217,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
}
},
"event_data": {
"Data_0": "Product: Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211 -- Installation completed successfully.",
"Data_1": "(NULL)",
"Data_2": "(NULL)",
"Data_3": "(NULL)",
"Data_4": "(NULL)",
"Data_5": "(NULL)",
"Data_6": ""
},
"message": "Product: Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211 -- Installation completed successfully."
}
Event ID 11708: Product [2] - Installation operation failed
#Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11708,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2016-08-30T15:21:37.000000Z",
"event_record_id": 1724,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": "S-1-5-21-3463664321-2923530833-3546627382-1000"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11724
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Data_3 | |
Data_4 | |
Data_5 | |
Data_6 | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11724,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T00:55:30.987658+00:00",
"event_record_id": 1971,
"correlation": {},
"execution": {
"process_id": 12792,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data_0": "Product: Avira -- Removal completed successfully.",
"Data_1": "(NULL)",
"Data_2": "(NULL)",
"Data_3": "(NULL)",
"Data_4": "(NULL)",
"Data_5": "(NULL)",
"Data_6": "",
"Binary": "7B36463131434143332D443333442D343336302D423133392D3733463332373641324239417D"
},
"message": ""
}
Detection Patterns #
Impact: Service Stop
1 rule
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | eq | MsiInstaller | 1 rule | sigma |
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11728: Product: Virtio-win-driver-installer -- Configuration completed successfully.
#Fields #
| Name | Description |
|---|---|
Data | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11728,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2025-12-31T19:37:29.771787+00:00",
"event_record_id": 134,
"correlation": {},
"execution": {
"process_id": 6696,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Data": [
"Product: Virtio-win-driver-installer -- Configuration completed successfully.",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)",
"(NULL)"
],
"Binary": "ezhDQUNCNjU3LTA4RTEtNDlEMS1BMTAwLUZCRUI3NTkxNTJFNX0="
},
"message": "Product: Virtio-win-driver-installer -- Configuration completed successfully."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 11729
#Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11729,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2016-08-18T16:33:01.000000Z",
"event_record_id": 1434,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11925
#Fields #
| Name | Description |
|---|---|
Data_0 | |
Data_1 | |
Data_2 | |
Data_3 | |
Data_4 | |
Data_5 | |
Data_6 | |
Binary |
Example Event #
{
"system": {
"provider": "MsiInstaller",
"guid": "",
"event_source_name": "",
"event_id": 11925,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-02-11T01:36:24.136228+00:00",
"event_record_id": 533,
"correlation": {},
"execution": {
"process_id": 1800,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
}
},
"event_data": {
"Data_0": "Product: ScreenConnect Client (207d3896f8faaf5e) -- Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine. Log on as administrator and then retry this installation.",
"Data_1": "(NULL)",
"Data_2": "(NULL)",
"Data_3": "(NULL)",
"Data_4": "(NULL)",
"Data_5": "(NULL)",
"Data_6": "",
"Binary": "7B37424537424331302D323733392D373944412D314642372D3231383934363230313145467D"
},
"message": ""
}