add event viewer gif and instructions for manually viewing events

Iaan D'Souza-Wiltshire
2017-09-28 16:19:47 -07:00
parent 614ed27747
commit 459586af69
10 changed files with 91 additions and 67 deletions


@ -41,6 +41,8 @@ You can create custom views in the Windows Event Viewer to only see events for s
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details.
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
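Review bot: The added sentence "You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details." is a comma splice and introduces the abbreviation "EG" that the rest of the page does not use; split it at the comma (or use a semicolon) and write "Windows Defender Exploit Guard feature" to match the surrounding text. Since this paragraph is already being touched, the step below it should also have "appropraite" corrected to "appropriate".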
@ -144,40 +146,48 @@ The easiest way to do this is to import a custom view as an XML file. You can ob
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
You can access these events in Windows Event viewer:
1. Open the **Start** menu and type **event viewer**, and then click on the **Event Viewer** result.
2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below.
3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking.
![Animation showing using Event Viewer](images/event-viewer.gif)
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-
Exploit Protection | Security-Mitigations | 1 | ACG audit
Exploit Protection | Security-Mitigations | 2 | ACG enforce
Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations | 7 | Block remote images audit
Exploit Protection | Security-Mitigations | 8 | Block remote images block
Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations | 13 | EAF audit
Exploit Protection | Security-Mitigations | 14 | EAF enforce
Exploit Protection | Security-Mitigations | 15 | EAF+ audit
Exploit Protection | Security-Mitigations | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations | 17 | IAF audit
Exploit Protection | Security-Mitigations | 18 | IAF enforce
Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit
Exploit Protection | Security-Mitigations | 20 | ROP StackPivot enforce
Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit
Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce
Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit
Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit
Exploit Protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce
Exploit Protection | WER-Diagnostics | 5 | CFG Block
Exploit Protection | Win32K | 260 | Untrusted Font
Network Protection | Windows Defender | 5007 | Event when settings are changed
Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode
Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode
Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed
Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event
Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event
Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed
Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode
Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode
Exploit Protection | Win32K (Operational) | 260 | Untrusted Font
Network Protection | Windows Defender (Operational) | 5007 | Event when settings are changed
Network Protection | Windows Defender (Operational) | 1125 | Event when Network Protection fires in Audit-mode
Network Protection | Windows Defender (Operational) | 1126 | Event when Network Protection fires in Block-mode
Controlled Folder Access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled Folder Access | Windows Defender (Operational) | 1124 | Audited Controlled Folder Access event
Controlled Folder Access | Windows Defender (Operational) | 1123 | Blocked Controlled Folder Access event
Attack Surface Reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack Surface Reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack Surface Reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
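Review bot: Every new Security-Mitigations row spells the provider as "Security-Mitigations (Kernal Mode/User Mode)"; "Kernal" is a misspelling of "Kernel" and appears in all 24 replacement rows, so it should be corrected before this ships, otherwise readers matching the table against the Event Viewer folder name will not find it. Step 3 is also missing a word: "Scroll through the events to find the one you are looking." should read "...the one you are looking for." Minor: "You can access these events in Windows Event viewer:" should use "Event Viewer" to match the capitalisation in step 1 and in the heading context above.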