From 1bf4abff9868c390ded6f4313b9e2d43f088b1b7 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 26 May 2021 10:22:15 -0700 Subject: [PATCH] Task ID 33123704 Deleted the merged event tags and id page to rework it under a different branch. --- .../event-id-and-tag-explanations.md | 160 ------------------ 1 file changed, 160 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md deleted file mode 100644 index 9b21c840e5..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-and-tag-explanations.md +++ /dev/null 
@@ -1,160 +0,0 @@ ---- -title: Understanding Application Control event IDs and tags (Windows 10) -description: Learn what different Windows Defender Application Control event IDs and tags signify. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: jogeurte -ms.reviewer: v-kikl -ms.author: dansimp -manager: dansimp -ms.date: 5/7/2021 -ms.technology: mde ---- - -## Understanding Application Control event IDs and tags - -A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events include a number of fields, which provide helpful troubleshooting information to figure out exactly what an event means. - -These events are generated under two locations: - -- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational - -- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script - -## Microsoft Windows CodeIntegrity Operational log event IDs - -| Event ID | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 3076 | Audit executable/dll file | -| 3077 | Block executable/dll file | -| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. 
Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | -| 3099 | Indicates that a policy has been loaded | - -## Microsoft Windows Applocker MSI and Script log event IDs - -| Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | -| 8029 | Block script/MSI file | -| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | - -## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events - -If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. 
- -| Event ID | Explanation | -|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 3090 | Allow executable/dll file | -| 3091 | Audit executable/dll file | -| 3092 | Block executable/dll file | - -3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. - -### SmartLocker template - -Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. - -| Name | Explanation | -|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. 
| -| ManagedInstallerEnabled | Policy trusts a MI | -| PassesManagedInstaller | File originated from a trusted MI | -| SmartlockerEnabled | Policy trusts the ISG | -| PassesSmartlocker | File had positive reputation | -| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | - -### Enabling ISG and MI diagnostic events - -In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: - -```powershell -reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 -``` - -In order to enable 3090 allow events as well as 3091 and 3092 events, you must instead create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: - -```powershell -reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 -``` - -## Event Tags - -Below, we have documented the values and meanings for a few useful event tags. - -## SignatureType - -Represents the type of signature which verified the image. 
- -| SignatureType Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Unsigned or verification has not been attempted | -| 1 | Embedded signature | -| 2 | Cached signature; presence of CI EA shows that file had been previously verified | -| 3 | Cached catalog verified via Catalog Database or searching catalog directly | -| 4 | Un-cached catalog verified via Catalog Database or searching catalog directly | -| 5 | Successfully verified using an EA that informs CI which catalog to try first | -|6 | AppX / MSIX package catalog verified | -| 7 | File was verified | - -## ValidatedSigningLevel - -Represents the signature level at which the code was verified. 
- -| ValidatedSigningLevel Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Signing level has not yet been checked | -| 1 | File is unsigned | -| 2 | Trusted by WDAC policy | -| 3 | Developer signed code | -| 4 | Authenticode signed | -| 5 | Microsoft Store signed app PPL (Protected Process Light) | -| 6 | Microsoft Store-signed | -| 7 | Signed by an Antimalware vendor whose product is using AMPPL | -| 8 | Microsoft signed | -| 11 | Only used for signing of the .NET NGEN compiler | -| 12 | Windows signed | -| 14 | Windows Trusted Computing Base signed | - -## VerificationError - -Represents why verification failed, or if it succeeded. 
- -| VerificationError Value | Explanation | -|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Successfully verified signature | -| 1 | File has an invalid hash | -| 2 | File contains shared writable sections | -| 3 | File is not signed| -| 4 | Revoked signature | -| 5 | Expired signature | -| 6 | File is signed using a weak hashing algorithm which does not meet the minimum policy | -| 7 | Invalid root certificate | -| 8 | Signature was unable to be validated; generic error | -| 9 | Signing time not trusted | -| 10 | The file must be signed using page hashes for this scenario | -| 11 | Page hash mismatch | -| 12 | Not valid for a PPL (Protected Process Light) | -| 13 | Not valid for a PP (Protected Process) | -| 14 | The signature is missing the required ARM EKU | -| 15 | Failed WHQL check | -| 16 | Default policy signing level not met | -| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | -| 18 | Custom signing level not met; returned if signature fails to match CISigners in UMCI | -| 19 | Binary is revoked by file hash | -| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | -| 21 | Failed to pass WDAC policy | -| 22 | Not IUM (Isolated User Mode) signed; indicates trying to load a non-trustlet binary into a trustlet | -| 23 | Invalid image hash | -| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | -| 25 | Anti-cheat policy violation | -| 26 | Explicitly denied by WADC policy | -| 27 | The signing chain appears to be tampered/invalid | -| 28 | 
Resource page hash mismatch |
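Review bot: the deletion of event-id-and-tag-explanations.md is the only change in this patch ("1 file changed, 160 deletions(-)"), so any TOC entry or cross-links pointing at this page are left dangling until the reworked page lands on the other branch; either drop the corresponding TOC and link references in the same PR, or keep the page in place and replace its content when the rework merges, so the published docs never 404 in between. Since the commit message says the page is being reworked, a few defects visible in the removed lines are worth carrying into that rework: the front matter has two `ms.reviewer:` keys (only one will be honoured), the 8038 row in the AppLocker table ends with a stray extra `| |` cell that breaks the table, and VerificationError value 26 reads "WADC policy" where "WDAC" is meant. Also note that the removed text is the only reference for the `TestFlags` values (0x100 and 0x300) that turn on the 3090/3091/3092 ISG/MI diagnostic events and for the SignatureType/ValidatedSigningLevel/VerificationError tag meanings, which defenders rely on when triaging CodeIntegrity events; it would be better to ship the replacement in the same change rather than leave a gap.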