Windows Error Reporting

1 event across 1 channel

| Event | Title | Channel | Sample |
|---|---|---|---|
| 1001 | Fault bucket , type. | Application | Y |

Event ID 1001: Fault bucket , type.

Provider: Windows Error Reporting
Channel: Application
Level: Informational
Collection Priority: Recommended (ASD)

Description

Fault bucket , type.

Message

Fault bucket %1, type %2
Event Name: %3
Response: %4
Cab Id: %5

Problem signature:
P1: %6
P2: %7
P3: %8
P4: %9
P5: %10
P6: %11
P7: %12
P8: %13
P9: %14
P10: %15

Attached files:%16

These files may be available here:
%17

Analysis symbol: %18
Rechecking for solution: %19
Report Id: %20
Report Status: %21
Hashed bucket: %22
Cab Guid: %23

Fields

| Name | Description |
|---|---|
| Data_0 | Bucket |
| Data_1 | BucketType |
| Data_2 | EventName |
| Data_3 | Response |
| Data_4 | CabId |
| Data_5 | P1 |
| Data_6 | P2 |
| Data_7 | P3 |
| Data_8 | P4 |
| Data_9 | P5 |
| Data_10 | P6 |
| Data_11 | P7 |
| Data_12 | P8 |
| Data_13 | P9 |
| Data_14 | P10 |
| Data_15 | AttachedFiles |
| Data_16 | StorePath |
| Data_17 | AnalysisSymbol |
| Data_18 | Rechecking |
| Data_19 | ReportId |
| Data_20 | ReportStatus |
| Data_21 | HashedBucket |
| Data_22 | CabGuid |

Example Event

{
  "system": {
    "provider": "Windows Error Reporting",
    "guid": "",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:43:13.4623796+00:00",
    "event_record_id": 769,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "",
    "Data_1": "0",
    "Data_2": "crashpad_log",
    "Data_3": "Not available",
    "Data_4": "0",
    "Data_5": "MicrosoftEdgeUpdate.exe",
    "Data_6": "1.3.239.19",
    "Data_7": "InstallError|copilot",
    "Data_8": "0x80040902",
    "Data_9": "545",
    "Data_10": "",
    "Data_11": "",
    "Data_12": "",
    "Data_13": "",
    "Data_14": "",
    "Data_15": "\n\\\\?\\C:\\ProgramData\\Microsoft\\EdgeUpdate\\Log\\MicrosoftEdgeUpdate.log\n\\\\?\\C:\\Windows\\SystemTemp\\msedge_installer.log",
    "Data_16": "",
    "Data_17": "",
    "Data_18": "0",
    "Data_19": "9314e8ec-f1eb-406e-abd8-09b7144ff1b8",
    "Data_20": "268697600",
    "Data_21": "",
    "Data_22": "0"
  },
  "message": "Fault bucket , type 0\r\nEvent Name: crashpad_log\r\nResponse: Not available\r\nCab Id: 0\r\n\r\nProblem signature:\r\nP1: MicrosoftEdgeUpdate.exe\r\nP2: 1.3.239.19\r\nP3: InstallError|copilot\r\nP4: 0x80040902\r\nP5: 545\r\nP6: \r\nP7: \r\nP8: \r\nP9: \r\nP10: \r\n\r\nAttached files:\r\n\\\\?\\C:\\ProgramData\\Microsoft\\EdgeUpdate\\Log\\MicrosoftEdgeUpdate.log\r\n\\\\?\\C:\\Windows\\SystemTemp\\msedge_installer.log\r\n\r\nThese files may be available here:\r\n\r\n\r\nAnalysis symbol: \r\nRechecking for solution: 0\r\nReport Id: 9314e8ec-f1eb-406e-abd8-09b7144ff1b8\r\nReport Status: 268697600\r\nHashed bucket: \r\nCab Guid: 0"
}

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Data | contains | mpengine.dll | 1 rule | sigma |
| Data | contains | msmpeng.exe | 1 rule | sigma |
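
An added example, not part of the original page or of any vendor rule: it renames the positional Data_N values using the Fields table and applies the two `contains` values from the Common Indicators table to a parsed event shaped like the Example Event. Matching case-insensitively across every Data_N value, the helper names, and the second sample event (constructed) are assumptions.

```python
FIELD_NAMES = [  # order taken from the Fields table: Data_0 .. Data_22
    "Bucket", "BucketType", "EventName", "Response", "CabId",
    "P1", "P2", "P3", "P4", "P5", "P6", "P7", "P8", "P9", "P10",
    "AttachedFiles", "StorePath", "AnalysisSymbol", "Rechecking",
    "ReportId", "ReportStatus", "HashedBucket", "CabGuid",
]
# Values from the Common Indicators table (Kind: contains).
INDICATORS = ("mpengine.dll", "msmpeng.exe")


def name_fields(event):
    """Return event_data with Data_N keys renamed per the Fields table."""
    data = event.get("event_data", {})
    named = {}
    for i, name in enumerate(FIELD_NAMES):
        value = data.get(f"Data_{i}", "")
        if name == "AttachedFiles":
            # Newline-separated list of paths; drop empty entries.
            value = [p for p in value.splitlines() if p.strip()]
        named[name] = value
    return named


def matched_indicators(event):
    """Return the indicators found in any Data_N value of a WER 1001 event."""
    system = event.get("system", {})
    if system.get("provider") != "Windows Error Reporting" or system.get("event_id") != 1001:
        return []
    values = [str(v).lower() for v in event.get("event_data", {}).values()]
    return [ind for ind in INDICATORS if any(ind in v for v in values)]


def make_event(**overrides):
    """Build a sample event (hypothetical helper); unspecified Data_N are empty."""
    data = {f"Data_{i}": "" for i in range(len(FIELD_NAMES))}
    data.update(overrides)
    return {"system": {"provider": "Windows Error Reporting", "event_id": 1001},
            "event_data": data}


# Values copied from the page's example event (an updater install error).
EDGE_EVENT = make_event(Data_2="crashpad_log", Data_5="MicrosoftEdgeUpdate.exe",
                        Data_15="\n\\\\?\\C:\\ProgramData\\Microsoft\\EdgeUpdate\\Log\\MicrosoftEdgeUpdate.log")
# Constructed sample: a crash report naming the two indicator binaries.
DEFENDER_EVENT = make_event(Data_2="APPCRASH", Data_5="MsMpEng.exe", Data_8="mpengine.dll")

if __name__ == "__main__":
    for ev in (EDGE_EVENT, DEFENDER_EVENT):
        print(name_fields(ev)["P1"], matched_indicators(ev))
```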

Detection Rules

Sigma

References

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 0ead09bd-2157-539a-8d6d-c87f95b64d70

Defined in wer.dll, which carries the event manifest.

Observed on:

  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02