Windows Telemetry
Telemetry generated by Windows about processes.
Events relevant to process-behaviour monitoring are marked with a Y in the Relevant column; together these should give an overview of what a process is doing.
Microsoft-Windows-Threat-Intelligence
GUID: {f4e1897c-bb5d-5668-f1d8-040f4d8dd344}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| KERNEL_THREATINT_TASK_ALLOCVM_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM_V2 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_PROTECTVM_V3 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName, TargetAddress, FullRegionSize | Y |
| KERNEL_THREATINT_TASK_MAPVIEW_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, ViewSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_QUEUEUSERAPC_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, TargetThreadId, TargetThreadCreateTime, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, TargetThreadAlertable, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3, RealEventTime, ApcRoutineVadQueryResult, ApcRoutineVadAllocationBase, ApcRoutineVadAllocationProtect, ApcRoutineVadRegionType, ApcRoutineVadRegionSize, ApcRoutineVadCommitSize, ApcRoutineVadMmfName, ApcArgument1VadQueryResult, ApcArgument1VadAllocationBase, ApcArgument1VadAllocationProtect, ApcArgument1VadRegionType, ApcArgument1VadRegionSize, ApcArgument1VadCommitSize, ApcArgument1VadMmfName | Y |
| KERNEL_THREATINT_TASK_SETTHREADCONTEXT_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, TargetThreadId, TargetThreadCreateTime, ContextFlags, ContextMask, Pc, Sp, Lr, Fp, Reg0, Reg1, Reg2, Reg3, Reg4, Reg5, Reg6, Reg7, RealEventTime, PcVadQueryResult, PcVadAllocationBase, PcVadAllocationProtect, PcVadRegionType, PcVadRegionSize, PcVadCommitSize, PcVadMmfName | Y |
| KERNEL_THREATINT_TASK_ALLOCVM6_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM7_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM7_V2 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_PROTECTVM7_V3 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName, TargetAddress, FullRegionSize | Y |
| KERNEL_THREATINT_TASK_MAPVIEW8_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, ViewSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_READVM_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied | Y |
| KERNEL_THREATINT_TASK_READVM_V2 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_WRITEVM_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied | Y |
| KERNEL_THREATINT_TASK_WRITEVM_V2 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_READVM13_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied | Y |
| KERNEL_THREATINT_TASK_READVM13_V2 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_WRITEVM14_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied | Y |
| KERNEL_THREATINT_TASK_WRITEVM14_V2 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, BytesCopied, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_SUSPENDRESUME_THREAD_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, TargetThreadId, TargetThreadCreateTime | Y |
| KERNEL_THREATINT_TASK_SUSPENDRESUME_THREAD16_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, TargetThreadId, TargetThreadCreateTime | Y |
| KERNEL_THREATINT_TASK_SUSPENDRESUME_PROCESS_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection | Y |
| KERNEL_THREATINT_TASK_SUSPENDRESUME_PROCESS18_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection | Y |
| KERNEL_THREATINT_TASK_SUSPENDRESUME_PROCESS19_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection | Y |
| KERNEL_THREATINT_TASK_SUSPENDRESUME_PROCESS20_V1 | OperationStatus, CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection | Y |
| KERNEL_THREATINT_TASK_ALLOCVM21_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM22_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM22_V2 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_PROTECTVM22_V3 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName, TargetAddress, FullRegionSize | Y |
| KERNEL_THREATINT_TASK_MAPVIEW23_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, ViewSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_QUEUEUSERAPC24_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, TargetThreadId, TargetThreadCreateTime, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, TargetThreadAlertable, ApcRoutine, ApcArgument1, ApcArgument2, ApcArgument3, RealEventTime, ApcRoutineVadQueryResult, ApcRoutineVadAllocationBase, ApcRoutineVadAllocationProtect, ApcRoutineVadRegionType, ApcRoutineVadRegionSize, ApcRoutineVadCommitSize, ApcRoutineVadMmfName, ApcArgument1VadQueryResult, ApcArgument1VadAllocationBase, ApcArgument1VadAllocationProtect, ApcArgument1VadRegionType, ApcArgument1VadRegionSize, ApcArgument1VadCommitSize, ApcArgument1VadMmfName | Y |
| KERNEL_THREATINT_TASK_SETTHREADCONTEXT25_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, TargetThreadId, TargetThreadCreateTime, ContextFlags, ContextMask, Pc, Sp, Lr, Fp, Reg0, Reg1, Reg2, Reg3, Reg4, Reg5, Reg6, Reg7, RealEventTime, PcVadQueryResult, PcVadAllocationBase, PcVadAllocationProtect, PcVadRegionType, PcVadRegionSize, PcVadCommitSize, PcVadMmfName | Y |
| KERNEL_THREATINT_TASK_ALLOCVM26_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM27_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask | Y |
| KERNEL_THREATINT_TASK_PROTECTVM27_V2 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName | Y |
| KERNEL_THREATINT_TASK_PROTECTVM27_V3 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, OriginalProcessId, OriginalProcessCreateTime, OriginalProcessStartKey, OriginalProcessSignatureLevel, OriginalProcessSectionSignatureLevel, OriginalProcessProtection, BaseAddress, RegionSize, ProtectionMask, LastProtectionMask, VaVadQueryResult, VaVadAllocationBase, VaVadAllocationProtect, VaVadRegionType, VaVadRegionSize, VaVadCommitSize, VaVadMmfName, TargetAddress, FullRegionSize | Y |
| KERNEL_THREATINT_TASK_MAPVIEW28_V1 | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, TargetProcessId, TargetProcessCreateTime, TargetProcessStartKey, TargetProcessSignatureLevel, TargetProcessSectionSignatureLevel, TargetProcessProtection, BaseAddress, ViewSize, AllocationType, ProtectionMask | Y |
| KERNEL_THREATINT_TASK_DRIVER_DEVICE_V1 | DriverNameLength, DriverName, CodeIntegrityOption | Y |
| KERNEL_THREATINT_TASK_DRIVER_DEVICE30_V1 | DriverNameLength, DriverName | Y |
| KERNEL_THREATINT_TASK_DRIVER_DEVICE31_V1 | DriverNameLength, DriverName, DeviceNameLength, DeviceName | Y |
| KERNEL_THREATINT_TASK_DRIVER_DEVICE32_V1 | DriverNameLength, DriverName, DeviceNameLength, DeviceName | Y |
| KERNEL_THREATINT_PROCESS_IMPERSONATION_UP | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, PreviousTokenQueryResult, PreviousTokenType, PreviousTokenElevation, PreviousTokenElevationType, PreviousTokenImpersonationLevel, PreviousTokenUser, PreviousTokenTrustLevelCount, PreviousTokenTrustLevel, PreviousTokenIntegrityLevel, PreviousTokenSessionId, PreviousTokenLowBoxNumber, PreviousTokenAuthenticationId, PreviousTokenGroupsCount, PreviousTokenGroups, CurrentTokenQueryResult, CurrentTokenType, CurrentTokenElevation, CurrentTokenElevationType, CurrentTokenImpersonationLevel, CurrentTokenUser, CurrentTokenTrustLevelCount, CurrentTokenTrustLevel, CurrentTokenIntegrityLevel, CurrentTokenSessionId, CurrentTokenLowBoxNumber, CurrentTokenAuthenticationId, CurrentTokenGroupsCount, CurrentTokenGroups | Y |
| KERNEL_THREATINT_PROCESS_IMPERSONATION_REVERT | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime | Y |
| KERNEL_THREATINT_PROCESS_SYSCALL_USAGE | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, SessionId, SyscallEnum, IsSandboxedToken | Y |
| KERNEL_THREATINT_PROCESS_IMPERSONATION_DOWN | CallingProcessId, CallingProcessCreateTime, CallingProcessStartKey, CallingProcessSignatureLevel, CallingProcessSectionSignatureLevel, CallingProcessProtection, CallingThreadId, CallingThreadCreateTime, PreviousTokenQueryResult, PreviousTokenType, PreviousTokenElevation, PreviousTokenElevationType, PreviousTokenImpersonationLevel, PreviousTokenUser, PreviousTokenTrustLevelCount, PreviousTokenTrustLevel, PreviousTokenIntegrityLevel, PreviousTokenSessionId, PreviousTokenLowBoxNumber, PreviousTokenAuthenticationId, PreviousTokenGroupsCount, PreviousTokenGroups, CurrentTokenQueryResult, CurrentTokenType, CurrentTokenElevation, CurrentTokenElevationType, CurrentTokenImpersonationLevel, CurrentTokenUser, CurrentTokenTrustLevelCount, CurrentTokenTrustLevel, CurrentTokenIntegrityLevel, CurrentTokenSessionId, CurrentTokenLowBoxNumber, CurrentTokenAuthenticationId, CurrentTokenGroupsCount, CurrentTokenGroups | Y |
Microsoft-Windows-Kernel-Process
GUID: {22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| ProcessStart | ProcessID, CreateTime, ParentProcessID, SessionID, ImageName | Y |
| ProcessStart_V1 | ProcessID, CreateTime, ParentProcessID, SessionID, Flags, ImageName | |
| ProcessStart_V2 | ProcessID, CreateTime, ParentProcessID, SessionID, Flags, ImageName, ImageChecksum, TimeDateStamp, PackageFullName, PackageRelativeAppId | |
| ProcessStart_V3 | ProcessID, ProcessSequenceNumber, CreateTime, ParentProcessID, ParentProcessSequenceNumber, SessionID, Flags, ProcessTokenElevationType, ProcessTokenIsElevated, MandatoryLabel, ImageName, ImageChecksum, TimeDateStamp, PackageFullName, PackageRelativeAppId | |
| ProcessStart_V4 | ProcessID, ProcessSequenceNumber, CreateTime, ParentProcessID, ParentProcessSequenceNumber, SessionID, Flags, ProcessTokenElevationType, ProcessTokenIsElevated, MandatoryLabel, ImageName, ImageChecksum, TimeDateStamp, PackageFullName, PackageRelativeAppId, SecurityMitigations | |
| ProcessStop | ProcessID, CreateTime, ExitTime, ExitCode, TokenElevationType, HandleCount, CommitCharge, CommitPeak, ImageName | Y |
| ProcessStop_V1 | ProcessID, CreateTime, ExitTime, ExitCode, TokenElevationType, HandleCount, CommitCharge, CommitPeak, CPUCycleCount, ReadOperationCount, WriteOperationCount, ReadTransferKiloBytes, WriteTransferKiloBytes, HardFaultCount, ImageName | |
| ProcessStop_V2 | ProcessID, ProcessSequenceNumber, CreateTime, ExitTime, ExitCode, TokenElevationType, HandleCount, CommitCharge, CommitPeak, CPUCycleCount, ReadOperationCount, WriteOperationCount, ReadTransferKiloBytes, WriteTransferKiloBytes, HardFaultCount, ImageName | |
| ThreadStart | ProcessID, ThreadID, StackBase, StackLimit, UserStackBase, UserStackLimit, StartAddr, Win32StartAddr, TebBase | Y |
| ThreadStart_V1 | ProcessID, ThreadID, StackBase, StackLimit, UserStackBase, UserStackLimit, StartAddr, Win32StartAddr, TebBase, SubProcessTag | |
| ThreadStop | ProcessID, ThreadID, StackBase, StackLimit, UserStackBase, UserStackLimit, StartAddr, Win32StartAddr, TebBase | Y |
| ThreadStop_V1 | ProcessID, ThreadID, StackBase, StackLimit, UserStackBase, UserStackLimit, StartAddr, Win32StartAddr, TebBase, SubProcessTag, CycleTime | |
| ImageLoad | ImageBase, ImageSize, ProcessID, ImageCheckSum, TimeDateStamp, DefaultBase, ImageName | Y |
| ImageUnload | ImageBase, ImageSize, ProcessID, ImageCheckSum, TimeDateStamp, DefaultBase, ImageName | Y |
| CpuBasePriorityChange | ProcessID, ThreadID, OldPriority, NewPriority | |
| CpuPriorityChange | ProcessID, ThreadID, OldPriority, NewPriority | |
| PagePriorityChange | ProcessID, ThreadID, OldPriority, NewPriority | |
| IoPriorityChange | ProcessID, ThreadID, OldPriority, NewPriority | |
| ProcessFreezeStart | FrozenProcessID | |
| ProcessFreezeStart_V1 | FrozenProcessID, CreateTime | |
| ProcessFreezeStop | FrozenProcessID | |
| ProcessFreezeStop_V1 | FrozenProcessID, CreateTime | |
| JobStart | ContainerID, JobID, StatusCode | |
| JobTerminateStop | ContainerID, JobID, StatusCode | |
| ProcessRundown | ProcessID, CreateTime, ParentProcessID, SessionID, Flags, ImageName, ImageChecksum, TimeDateStamp, PackageFullName, PackageRelativeAppId | |
| ProcessRundown_V1 | ProcessID, ProcessSequenceNumber, CreateTime, ParentProcessID, ParentProcessSequenceNumber, SessionID, Flags, ProcessTokenElevationType, ProcessTokenIsElevated, MandatoryLabel, ImageName, ImageChecksum, TimeDateStamp, PackageFullName, PackageRelativeAppId | |
| ProcessRundown_V2 | ProcessID, ProcessSequenceNumber, CreateTime, ParentProcessID, ParentProcessSequenceNumber, SessionID, Flags, ProcessTokenElevationType, ProcessTokenIsElevated, MandatoryLabel, ImageName, ImageChecksum, TimeDateStamp, PackageFullName, PackageRelativeAppId, SecurityMitigations | |
| task_0 | n/a | |
| PsDiskIoAttributionStart | JobID, DiskIoAttribution, StatusCode | |
| PsDiskIoAttributionStop | JobID, DiskIoAttribution, StatusCode | |
| PsIoRateControlStart | JobID, IoRateControl, ControlType, RateType, RateAmount, StatusCode | |
| PsIoRateControlStart_V1 | JobID, IoRateControl, MaxIops, MaxBandwidth, MaxTimePercent, ReservationIops, ReservationBandwidth, ReservationTimePercent, CriticalReservationIops, CriticalReservationBandwidth, CriticalReservationTimePercent, ControlFlags, VolumeName, StatusCode | |
| PsIoRateControlStart_V2 | JobID, IoRateControl, MaxIops, MaxBandwidth, MaxTimePercent, ReservationIops, ReservationBandwidth, ReservationTimePercent, CriticalReservationIops, CriticalReservationBandwidth, CriticalReservationTimePercent, SoftMaxIops, SoftMaxBandwidth, SoftMaxTimePercent, ControlFlags, VolumeName, StatusCode | |
| PsIoRateControlStop | JobID, IoRateControl, ControlType, RateType, RateAmount, StatusCode | |
| PsIoRateControlStop_V1 | JobID, IoRateControl, MaxIops, MaxBandwidth, MaxTimePercent, ReservationIops, ReservationBandwidth, ReservationTimePercent, CriticalReservationIops, CriticalReservationBandwidth, CriticalReservationTimePercent, ControlFlags, VolumeName, StatusCode | |
| PsIoRateControlStop_V2 | JobID, IoRateControl, MaxIops, MaxBandwidth, MaxTimePercent, ReservationIops, ReservationBandwidth, ReservationTimePercent, CriticalReservationIops, CriticalReservationBandwidth, CriticalReservationTimePercent, SoftMaxIops, SoftMaxBandwidth, SoftMaxTimePercent, ControlFlags, VolumeName, StatusCode | |
| ThreadWorkOnBehalfUpdate | OldWorkOnBehalfThreadID, NewWorkOnBehalfThreadID | |
| JobServerSiloStateChange | ContainerID, JobID, State | |
| ServerSiloCreateCallbackStart | ContainerID, JobID, MonitorName | |
| ServerSiloCreateCallbackStop | ContainerID, JobID, Status, MonitorName | |
| ServerSiloTerminateCallbackStart | ContainerID, JobID, MonitorName | |
| ServerSiloTerminateCallbackStop | ContainerID, JobID, MonitorName | |
| ProcessInPrivateSet | ProcessName, ProcessID | |

Microsoft-Windows-Kernel-Audit-API-Calls
GUID: {e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| PspLogAuditSetLoadImageNotifyRoutineEvent | NotifyRoutineAddress, ReturnCode | |
| PspLogAuditTerminateRemoteProcessEvent | TargetProcessId, ReturnCode | |
| PspLogAuditTerminateRemoteProcessEvent_V1 | TargetProcessId, ReturnCode, TargetProcessStartKey, TargetProcessCreationTime | |
| NtCreateSymbolicLink | LinkSourceName, LinkTargetName, DesiredAccess, ReturnCode | Y |
| PspSetContextThreadInternal | ReturnCode | Y |
| PspLogAuditOpenProcessEvent | TargetProcessId, DesiredAccess, ReturnCode | Y |
| PspLogAuditOpenThreadEvent | TargetProcessId, TargetThreadId, DesiredAccess, ReturnCode | Y |
| IoRegisterLastChanceShutdownNotification | DriverName, ReturnCode | |
| IoRegisterShutdownNotification | DriverName, ReturnCode | |

Microsoft-Windows-Kernel-File
GUID: {edd08927-9cc4-4e65-b970-c2560fb5c289}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| NameCreate | FileKey, FileName | Y |
| NameDelete | FileKey, FileName | |
| Create | Irp, ThreadId, FileObject, CreateOptions, CreateAttributes, ShareAccess, FileName | |
| Create_V1 | Irp, FileObject, IssuingThreadId, CreateOptions, CreateAttributes, ShareAccess, FileName | |
| Cleanup | Irp, ThreadId, FileObject, FileKey | |
| Cleanup_V1 | Irp, FileObject, FileKey, IssuingThreadId | |
| Close | Irp, ThreadId, FileObject, FileKey | |
| Close_V1 | Irp, FileObject, FileKey, IssuingThreadId | |
| Read | ByteOffset, Irp, ThreadId, FileObject, FileKey, IOSize, IOFlags | |
| Read_V1 | ByteOffset, Irp, FileObject, FileKey, IssuingThreadId, IOSize, IOFlags, ExtraFlags | |
| Write | ByteOffset, Irp, ThreadId, FileObject, FileKey, IOSize, IOFlags | |
| Write_V1 | ByteOffset, Irp, FileObject, FileKey, IssuingThreadId, IOSize, IOFlags, ExtraFlags | |
| SetInformation | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass | |
| SetInformation_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| SetDelete | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass | |
| SetDelete_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| Rename | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass | |
| Rename_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| DirEnum | Irp, ThreadId, FileObject, FileKey, Length, InfoClass, FileIndex, FileName | |
| DirEnum_V1 | Irp, FileObject, FileKey, IssuingThreadId, Length, InfoClass, FileIndex, FileName | |
| Flush | Irp, ThreadId, FileObject, FileKey | |
| Flush_V1 | Irp, FileObject, FileKey, IssuingThreadId | |
| QueryInformation | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass | |
| QueryInformation_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| FSCTL | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass | |
| FSCTL_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| OperationEnd | Irp, ExtraInformation, Status | |
| DirNotify | Irp, ThreadId, FileObject, FileKey, Length, InfoClass, FileIndex, FileName | |
| DirNotify_V1 | Irp, FileObject, FileKey, IssuingThreadId, Length, InfoClass, FileIndex, FileName | |
| DeletePath | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass, FilePath | |
| DeletePath_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass, FilePath | |
| RenamePath | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass, FilePath | |
| RenamePath_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass, FilePath | |
| SetLinkPath | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass, FilePath | |
| SetLinkPath_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass, FilePath | |
| Rename29 | Irp, ThreadId, FileObject, FileKey, ExtraInformation, InfoClass | |
| Rename29_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| CreateNewFile | Irp, ThreadId, FileObject, CreateOptions, CreateAttributes, ShareAccess, FileName | Y |
| CreateNewFile_V1 | Irp, FileObject, IssuingThreadId, CreateOptions, CreateAttributes, ShareAccess, FileName | |
| SetSecurity_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| QuerySecurity_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| SetEA_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |
| QueryEA_V1 | Irp, FileObject, FileKey, ExtraInformation, IssuingThreadId, InfoClass | |

Microsoft-Windows-Kernel-Network
GUID: {7dd42a49-5329-4832-8dfd-43d979153a88}
| Event Symbol Name | Arguments | Relevant |
|---|---|---|
| KERNEL_NETWORK_TASK_TCPIPDatasent. | PID, size, daddr, saddr, dport, sport, startime, endtime, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPDatareceived. | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPConnectionattempted. | PID, size, daddr, saddr, dport, sport, mss, sackopt, tsopt, wsopt, rcvwin, rcvwinscale, sndwinscale, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_TCPIPDisconnectissued. | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPDataretransmitted. | PID, size, daddr, saddr, dport, sport, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_TCPIPConnectionaccepted. | PID, size, daddr, saddr, dport, sport, mss, sackopt, tsopt, wsopt, rcvwin, rcvwinscale, sndwinscale, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPReconnectattempted. | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPTCPconnectionattemptfailed. | Proto, FailureCode | |
| KERNEL_NETWORK_TASK_TCPIPProtocolcopieddataonbehalfofuser. | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPDatasent.26 | PID, size, daddr, saddr, dport, sport, startime, endtime, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPDatareceived.27 | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPConnectionattempted.28 | PID, size, daddr, saddr, dport, sport, mss, sackopt, tsopt, wsopt, rcvwin, rcvwinscale, sndwinscale, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_TCPIPDisconnectissued.29 | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPDataretransmitted.30 | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPConnectionaccepted.31 | PID, size, daddr, saddr, dport, sport, mss, sackopt, tsopt, wsopt, rcvwin, rcvwinscale, sndwinscale, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_TCPIPReconnectattempted.32 | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_TCPIPProtocolcopieddataonbehalfofuser.34 | PID, size, daddr, saddr, dport, sport, seqnum, connid | |
| KERNEL_NETWORK_TASK_UDPIPDatasentoverUDPprotocol. | PID, size, daddr, saddr, dport, sport, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_UDPIPDatareceivedoverUDPprotocol. | PID, size, daddr, saddr, dport, sport, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_UDPIPUDPconnectionattemptfailed. | Proto, FailureCode | |
| KERNEL_NETWORK_TASK_UDPIPDatasentoverUDPprotocol.58 | PID, size, daddr, saddr, dport, sport, seqnum, connid | Y |
| KERNEL_NETWORK_TASK_UDPIPDatareceivedoverUDPprotocol.59 | PID, size, daddr, saddr, dport, sport, seqnum, connid | Y |