Message:
An unknown error occurred while processing the current request: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
Stack trace:
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Error: Exception has been thrown by the target of an invocation.
Stack trace:
at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
Inner Error: The remote server returned an error: (403) Forbidden.
Stack trace:
at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Flash Player (KB913433).
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB873339).
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Visual Studio 2005 Service Pack 1.
Source:
Windows Update Agent
Message:
Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)
Source:
Windows Update Agent
Message:
Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)
Installation Error: The installation of the following update has failed with error 0x80070643: Security Update for Microsoft .NET Framework Version 1.1 Service Pack 1 (KB928366)
Source:
Microsoft-Windows-ApplicationExperienceInfrastructure
Message:
The application (OfficeScan Client, from vendor Trend Micro, INC.) has the following problem: OfficeScan Client is incompatible with this version of Windows. For more information, contact Trend Micro, INC..
Source:
Microsoft-Windows-Perflib
Message:
The data buffer created for the "VMware" service in the "C:\Program Files\VMware\VMware Server\vmPerfmon.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.
Source:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Message:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Update for .NET Framework 3.0: x86 (KB932471).
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\SysVol\mydomain.local\Policies\D3610029-D721-41DA-ACE6-FD0CAF521432\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Source:
Microsoft-Windows-WMI
Message:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Source:
Microsoft-Windows-Security-Auditing
Category:
Other System Events
Message:
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Error Code: 2
Source:
Windows SharePoint Services 3
Message:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID 693fe0b2-6c9f-47bf-9d1a-c6a2aa7cd3c3) threw an exception. More information is included below.
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Source:
Microsoft-Windows-GroupPolicy
Message:
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Source:
Windows SharePoint Services 3
Message:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID a778c03a-b4d5-47ad-b0d5-6130b9c8ba14) threw an exception. More information is included below.
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Source:
Windows Server Update
Message:
Self-update is not working
Source:
Microsoft-Windows-WPD-MTPClassDriver
Category:
Driver Initilization.
Message:
MTP WPD Driver has failed to start. Error 0x8007001f.
Source:
Report Server Windows Service (EVENTSENTRY)
Category:
Startup/Shutdown
Message:
The report server database is an invalid version.
Source:
Windows Search Service
Message:
A document ID cannot be allocated.
Context: Windows Application, SystemIndex Catalog
Details:
The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (0x8004117f)
Source:
Microsoft-Windows-Security-Auditing
Message:
An account was logged off.
Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Source:
Microsoft-Windows-Security-Auditing
Message:
User initiated logoff:
Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1
This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Source:
Windows Server Update Services
Message:
Some client computers have not reported back to the server in the last 30 days. 4 have been detected so far.
Source:
Microsoft-Windows-CAPI2
Message:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.
System Error:
Access is denied.
Message:
File backup was cancelled by the user.
Source:
Microsoft-Windows-Folder Redirection
Message:
Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.
Message:
The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).
Source:
Microsoft-Windows-Security-Auditing
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm
Source:
Microsoft-Windows-Backup
Source:
Microsoft-Windows-Eventlog
Message:
The security log is now full.
Source:
Microsoft-Windows-Eventlog
Message:
Event log automatic backup
Log: Security
File: C:\Windows\System32\Winevt\Logs\Archive-Security-2010-11-05-11-20-26-007.evtx
Source:
Microsoft-Windows-RPC-Events
Message:
Possible Memory Leak. Application ("C:\Windows\system32\mmc.exe" "C:\Windows\system32\dhcpmgmt.msc" ) (PID: 6320) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({6BFFD098-A112-3610-9833-46C3F874532D}), Method number (2). User Action: Contact your application vendor for an updated version of the application.
Source:
Microsoft-Windows-WindowsUpdateClient
Category:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for SQL Server 2008 R2 (KB2494088).
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Policy Change Events
Message:
One or more errors occured while processing security policy in the group policy objects.
Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy
Source:
Microsoft-Windows-CAPI2
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Source:
Microsoft-Windows-Resource-Exhaustion-Detector
Category:
Resource Exhaustion Diagnosis Events
Message:
Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: SomeProcess.exe (848) consumed 372129792 bytes, Procmon64.exe (3616) consumed 209563648 bytes, and devenv.exe (6364) consumed 201162752 bytes.
Message:
The backup was not successful. The error is: There is not enough space on this drive to save the backup. Free up space by deleting older backups and unnecessary data or change your backup settings. (0x81000005).
Source:
Microsoft-Windows-Security-Auditing
Category:
MPSSVC Rule-Level Policy Change
Message:
Windows Firewall ignored a rule because its major version number is not recognized.
Profile: All
Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -
Source:
Microsoft-Windows-Service Pack Installer
Message:
There is not enough free disk space to install the Service Pack. Required=4834 MB.
Source:
Microsoft-Windows-Servicing
Message:
Windows Servicing failed to complete the process of setting package KB967723 (Security Update) into Installed(Installed) state
Source:
Microsoft-Windows-Hyper-V-Worker-Admin
Message:
'VM-SRV-001' started successfully. (Virtual machine ID D8EB8812-63FE-468A-9545-1E2028EC1F5F)
Source:
Microsoft Windows security
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\sysfer.dll
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object cn={D3610029-DDDD-4141-AAAA-FDFFFFCCBB22},cn=policies,cn=system,DC=yourdomain,DC=local. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.
Source:
Microsoft-Windows-Security-Auditing
Message:
An account was logged off.
Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Source:
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Message:
Certificate for %1 with Thumbprint %2 is about to expire or has already expired.
Source:
Windows Media Player Network Sharing Service
Message:
Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
Source:
Microsoft-Windows-Security-Auditing
Message:
A handle to an object was requested.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -
Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted
Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0
Source:
Microsoft-Windows-FailoverClustering
Message:
Cluster Shared Volume 'Volume2' ('ClusterStorage Volume 2') is no longer available on this node because of 'STATUS_CLUSTER_CSV_AUTO_PAUSE_ERROR(c0130021)'. All I/O will temporarily be queued until a path to the volume is reestablished.
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
Source:
Microsoft-Windows-TaskScheduler/Operational
Category:
Task Start Failed
Message:
Task Scheduler failed to start "\Some Important Task" task for user "MYDOMAIN\EventMonitor". Additional Data: Error Value: 2147942402.
Source:
Microsoft-Windows-Hyper-V-Worker
Message:
Device 'Microsoft Synthetic Display Controller' in 'SERVER01' is loaded but has a different version from the server. Server version 3.0 Client version 3.2 (Virtual machine ID 8D6415C4-6E44-78FC-6BB8-34CCA67ACF48). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.
Source:
Microsoft-Windows-CertificateServicesClient-CertEnroll
Message:
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from testsql.domain.local\TESTCA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Source:
Microsoft-Windows-IIS-W3SVC-PerfCounters
Message:
It has taken too long to refresh the W3SVC counters, the stale counters are being used instead.
Source:
RPC (Microsoft-Windows-RPC-Events)
Message:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 980) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (10). User Action: Contact your application vendor for an updated version of the application.
Detailed XML View
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-21T09:20:57.835029200Z" />
    <EventRecordID>136</EventRecordID>
    <Correlation />
    <Execution ProcessID="980" ThreadID="112" />
    <Channel>Application</Channel>
    <Computer>Pochi-01</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
    <Data Name="ProcessId">980</Data>
    <Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
    <Data Name="Method">10</Data>
  </EventData>
</Event>
Source:
Microsoft-Windows-Time-Service
Message:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Source:
Windows Server Update Services
Message:
No client computers have ever contacted the server.
Source:
Microsoft-Windows-CAPI2
Message:
Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes.
Source:
Microsoft-Windows-CAPI2
Message:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
Source:
RPC (Microsoft-Windows-RPC-Events)
Message:
Log Name: Application
Source: Microsoft-Windows-RPC-Events
Date: 22/07/2015 13:43:53
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: UNDERTHEBED7-PC
Description:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 940) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-07-22T12:43:53.117673400Z" />
<EventRecordID>138</EventRecordID>
<Correlation />
<Execution ProcessID="940" ThreadID="1592" />
<Channel>Application</Channel>
<Computer>UNDERTHEBED7-PC</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">940</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">20</Data>
</EventData>
</Event>
Source:
Microsoft-Windows-WER-SystemErrorReporting
Message:
The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xffffe0008b64c4c0, 0xfffff8003e9d4650, 0x0000000000000000, 0x000000000000000d). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 10281589-8be9-d71c-c713-e024f5515a45.
Source:
Microsoft-Windows-WMI
Message:
Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: HandleCount Value: %2 Maximum value: 4096 WMIPRVSE PID: %4 Providers hosted in this process: %systemroot%\system32\wbem\cimwin32.dll
Source:
Microsoft-Windows-Defrag
Message:
The volume WINRE_DRV was not optimized because an error was encountered: The parameter is incorrect. (0x80070057)
Source:
Windows Server Update Services
Message:
The catalog was last synchronized successfully 1 or more days ago.
Source:
Microsoft-Windows-DNS-Server-Service
Message:
Zone somedomain.local expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
Source:
Microsoft-Windows-PowerShell
Category:
Executing Pipeline
Message:
Error Message = File C:\Users\wizard\test.ps1 cannot be loaded. The file C:\Users\wizard\test.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
Fully Qualified Error ID = UnauthorizedAccess
Recommended Action =
Context:
Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = babd41a2-db0f-45d0-ac50-e34b71dd9ac0
Host Application = powershell . .\test.ps1
Engine Version = 5.1.14393.1944
Runspace ID = 0155307c-603a-440d-a22c-85b5c9cbffff
Pipeline ID = 1
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 15
User = DOMAIN\user
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Source:
Microsoft-Windows-PowerShell
Category:
Executing Pipeline
Message:
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="Object"; value="TestPowerShellV5"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = e44f3df1-0f65-48dc-814a-01219d11a426
Host Application = powershell Write-Host TestPowerShellV5
Engine Version = 5.1.14393.1944
Runspace ID = 0b4180d7-55ca-476a-9712-26e61d5c3be1
Pipeline ID = 1
Command Name = Write-Host
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 16
User = DOMAIN\username
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Source:
Microsoft-Windows-PowerShell
Category:
PowerShell Console Startup
Message:
PowerShell console is starting up
Source:
Microsoft-Windows-PowerShell
Category:
PowerShell Console Startup
Message:
PowerShell console is ready for user input
Source:
Microsoft-Windows-PowerShell
Category:
Execute a Remote Command
Message:
Creating Scriptblock text (1 of 1):
Write-Host PowerShellV5ScriptBlockLogging
ScriptBlock ID: 6d90e0bb-e381-4834-8fe2-5e076ad267b3
Path:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Logon/Logoff Events
Message:
A session was disconnected from a Window Station.
Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249
Session:
Session Name: RDP-Tcp#0
Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6
Source:
Microsoft-Windows-Security-Auditing
Category:
Process Termination
Message:
A process has exited.
Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051
Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0
Source:
Microsoft-Windows-PerfProc
Source:
Microsoft-Windows-ActiveDirectory_DomainService
Message:
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.
https://go.microsoft.com/fwlink/?linkid=2174032
Source:
Windows Update Agent
Message:
Unable to connect: Windows is unable to connect to the Automatic Updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
Source:
Microsoft Windows security auditing.
Message:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4320
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 167.196.121.75
Destination Port: 60070
Protocol: 17
Filter Information:
Filter Run-Time ID: 83103
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Source:
Microsoft Windows security
Category:
User Account Management
Message:
A user account was created.
Source:
WindowsUpdateClient
Category:
Windows Update Agent
Message:
Windows Update failed to check for updates with error 0x80072EE2
Source:
WindowsUpdateClient
Category:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80004002: 2022-03 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB5011529).
Source:
Microsoft Windows security auditing
Message:
LogName=Security
EventCode=4725
EventType=0
ComputerName=domain.domain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2311231312
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was disabled.
Subject:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: doamin
Account Domain: local
Logon ID: 0x1dasdwD
Target Account:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: ws-APP$
Account Domain: local
Source:
Microsoft-Windows-Directory-Services-SAM
Message:
There is no message in the SIEM logs I'm looking at. Fields unique to this Event ID (Kibana Discover):
winlog.event_data.AccountDN
winlog.event_data.AccountSID
winlog.event_data.KeyHash
Source:
Microsoft-Windows-AppLocker
Message:
<UserData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
    <PolicyNameLength>3</PolicyNameLength>
    <PolicyName>EXE</PolicyName>
    <RuleId>{5028efad-7497-4ac0-84ce-00bee63f3951}</RuleId>
    <RuleNameLength>24</RuleNameLength>
    <RuleName>(Default Rule) All Exe's</RuleName>
    <RuleSddlLength>48</RuleSddlLength>
    <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "*"))</RuleSddl>
    <TargetUser>S-1-5-18</TargetUser>
    <TargetProcessId>9796</TargetProcessId>
    <FilePathLength>31</FilePathLength>
    <FilePath>%SYSTEM32%\SEARCHFILTERHOST.EXE</FilePath>
    <FileHashLength>32</FileHashLength>
    <FileHash>92DF47871C9BC9F0A2FF1BBCCCE7427499524FB9976DCEEA4C8171EDF2BD381A</FileHash>
    <FqbnLength>106</FqbnLength>
    <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\WINDOWS® SEARCH\SEARCHFILTERHOST.EXE\7.0.17763.3232</Fqbn>
    <TargetLogonId>0x3e7</TargetLogonId>
    <FullFilePathLength>40</FullFilePathLength>
    <FullFilePath>C:\WINDOWS\system32\SearchFilterHost.exe</FullFilePath>
  </RuleAndFileData>
</UserData>
Source:
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Message:
Message1 3FE12895-BDB5-4084-A4FF-FEF41A77BB29
Message2 HandleMessage
Source:
Microsoft-Windows-WLAN-Autoconfig
Message:
Adapter: *name of adapter*
DeviceGuid: *GUID of device*
LocalMac: *MAC address of host*
SSID: *SSID of the network whose interaction generated the event*
BSSType: *No Idea*
DataName: "ConnectionId:" *hex value*