From dd1035c3bea09135690426df189d95ee2f5f29a0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Thu, 27 May 2021 15:29:19 -0700 Subject: [PATCH 1/7] Task ID 33452921 Created an Appendix table that lists other IDs and their descriptions. --- .../event-id-explanations.md | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e0c8044cf1..80c6a5ba40 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -81,3 +81,42 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i ```powershell reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` + +## Appendix +A list of other relevant event IDs and their corresponding description. +| Event ID | Description | +|---|----------| +| 3001 | An unsigned driver was attempted to load on the system. | +| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | +| 3004 | Code Integrity could not verify the file as the page hash could not be found. | +| 3010 | The catalog containing the signature for the file under validation is invalid. | +| 3011 | Code Integrity finished loading the signature catalog. | +| 3012 | Code Integrity started loading the signature catalog. | +| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. | +| 3024 | Windows application control was unable to refresh the boot catalog file. | +| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. | +| 3033 | The file under validation did not meet the requirements to pass the application control policy. | +| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  +| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | +| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. 
| +| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | +| 3075 | This event monitors the performance of the Code Integrity policy check a file. | +| 3079 | The file under validation did not meet the requirements to pass the application control policy. | +| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. | +| 3081 | The file under validation did not meet the requirements to pass the application control policy. | +| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | +| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. | +| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | +| 3097 | The Code Integrity policy cannot be refreshed. | +| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | +| 3101 | Code Integrity started refreshing the policy. | +| 3102 | Code Integrity finished refreshing the policy. | +| 3103 | Code Integrity is ignoring the policy refresh. | +| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | +| 3105 | Code Integrity is attempting to refresh the policy. | +| 3108 | Windows mode change event was successful. | +| 3110 | Windows mode change event was unsuccessful. | +| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | \ No newline at end of file From 1f87678437a9f81518b72325058fd4ed9dff4e15 Mon Sep 17 00:00:00 2001 
From: Kim Klein Date: Fri, 28 May 2021 12:13:29 -0700 Subject: [PATCH 2/7] Task ID 33452921 - edited some appendix items Also increased column spacing for the tables. --- .../event-id-explanations.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 80c6a5ba40..0e97655117 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -29,7 +29,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows CodeIntegrity Operational log event IDs | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 3076 | Audit executable/dll file | | 3077 | Block executable/dll file | | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | 
@@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind ## Microsoft Windows Applocker MSI and Script log event IDs | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | | 8029 | Block script/MSI file | | 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | @@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | -|---|----------| +| -------- | ----------- | | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | @@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -|---|----------| +| -------- | ----------- | | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | 
@@ -85,7 +85,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Appendix A list of other relevant event IDs and their corresponding description. | Event ID | Description | -|---|----------| +| -------- | ----------- | | 3001 | An unsigned driver was attempted to load on the system. | | 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | | 3004 | Code Integrity could not verify the file as the page hash could not be found. | 
@@ -98,16 +98,16 @@ A list of other relevant event IDs and their corresponding description. | 3033 | The file under validation did not meet the requirements to pass the application control policy. | | 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. |  | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | -| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. |  -| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. | +| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. |  +| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | | 3075 | This event monitors the performance of the Code Integrity policy check a file. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. | +| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. 
| -| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | -| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. | -| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. | +| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | +| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | +| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | | 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | From 1cabfc785fefc65becce43d25f18c73d708671cc Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 1 Jun 2021 09:18:00 -0700 Subject: [PATCH 3/7] Corrected a typo for task ID 33452921 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 0e97655117..d12d89b766 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -103,7 +103,7 @@ A list of other relevant event IDs and their corresponding description. | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | | 3075 | This event monitors the performance of the Code Integrity policy check a file. | | 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | If the policy was in enforced mode, the file under validation would not have meet the requirements to pass the application control policy. | +| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. | | 3081 | The file under validation did not meet the requirements to pass the application control policy. | | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | From 650157521e9df48c2067c009c4a1ad6b585ee98f Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 11:00:44 -0700 Subject: [PATCH 4/7] Updated line item 3086 in the Appendix section. --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index d12d89b766..1a7b70e7b5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -108,7 +108,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs| | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | From c032b2068ad8a27752e1ee48080c2e0a52c32dc3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 2 Jun 2021 11:45:25 -0700 Subject: [PATCH 5/7] Update event-id-explanations.md --- .../event-id-explanations.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1a7b70e7b5..2e5b97dc75 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 3/17/2020 +ms.date: 06/02/2021 ms.technology: mde --- 
@@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. | Event ID | Explanation | -| -------- | ----------- | +|--------|---------| | 3090 | Allow executable/dll file | | 3091 | Audit executable/dll file | | 3092 | Block executable/dll file | @@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. | Name | Explanation | -| -------- | ----------- | +|------|------| | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. | | ManagedInstallerEnabled | Policy trusts a MI | | PassesManagedInstaller | File originated from a trusted MI | @@ -85,7 +85,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Appendix A list of other relevant event IDs and their corresponding description. | Event ID | Description | -| -------- | ----------- | +|-------|------| | 3001 | An unsigned driver was attempted to load on the system. | | 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | | 3004 | Code Integrity could not verify the file as the page hash could not be found. | 
@@ -119,4 +119,4 @@ A list of other relevant event IDs and their corresponding description. | 3105 | Code Integrity is attempting to refresh the policy. | | 3108 | Windows mode change event was successful. | | 3110 | Windows mode change event was unsuccessful. | -| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | \ No newline at end of file +| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | From b29b9ac9cd466b108897a5c1e83aa093ef131f06 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 2 Jun 2021 11:48:00 -0700 Subject: [PATCH 6/7] Update event-id-explanations.md --- .../event-id-explanations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 2e5b97dc75..eb711a6db2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -22,9 +22,9 @@ ms.technology: mde A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: -- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational +- Event IDs beginning with 30 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** -- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script +- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script** ## Microsoft Windows CodeIntegrity Operational log event IDs From aa141093e3fd295cf7beeabb8d3130fa372c5606 Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik <36546697+jborsecnik@users.noreply.github.com> Date: Wed, 2 Jun 2021 12:02:42 -0700 Subject: [PATCH 7/7] Update event-id-explanations.md fix table formatting (needed line before) --- .../event-id-explanations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 849d3ce821..c97df0f805 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -84,6 +84,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Appendix A list of other relevant event IDs and their corresponding description. + | Event ID | Description | |-------|------| | 3001 | An unsigned driver was attempted to load on the system. |
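Review bot: Patch 1/7, hunk @@ -81,3 +81,42 @@ (new Appendix table): several rows need copy-editing before this merges. Row 3080 reads "would not have me the requirements" (should be "met"); rows 3084 and 3085 have "theWHQL" missing a space; row 3075 ("This event monitors the performance of the Code Integrity policy check a file") is not a sentence; row 3001 ("An unsigned driver was attempted to load on the system") would read better as "An attempt was made to load an unsigned driver"; row 3095 says the policy "must be rebooted", but it is the system that has to be rebooted. Rows 3033, 3079 and 3081 carry word-for-word identical descriptions, so a reader triaging the log has no way to tell the three apart; if they differ by which component or policy raised them, say so, otherwise state that they are equivalent. The "[Ignored]" prefix on 3065 should be spelled out (ignored by what, and why). Finally, the hunk puts the `| Event ID | Description |` header directly after the intro sentence with no blank line, which breaks table rendering in most markdown processors, and the file is left with "\ No newline at end of file"; both are fixed only in later patches in this series and should be folded into this one.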
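Review bot: Patch 2/7, hunk @@ -98,16 +98,16 @@: the 3080 rewrite replaces one typo with another, "would not have meet the requirements" (needs "met"); patch 3/7 exists only to correct this, so squash the two. The rewritten 3064 and the unchanged 3034 rows still end in `|  ` with trailing whitespace after the closing pipe, which markdown linters flag; trim it while the rows are being touched. The separator-row hunks (@@ -29, @@ -38, @@ -48, @@ -60, @@ -85) consistently move to `| -------- | ----------- |`, which is fine, but see the note on patch 5/7, which partly reverts them.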
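Review bot: Patch 4/7, hunk @@ -108,7 +108,7 @@: the new 3086 text pastes a page title ("Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs") as plain prose rather than a markdown link, and drops the space before the closing pipe (`Microsoft Docs|`). Suggest `Learn more about COM object authorization: [Allow COM object registration in a WDAC policy](<relative path to that article>) |` with the real relative link substituted for the placeholder. The commit message should also say why the previous description (signing requirements for an IUM process) was wrong rather than merely replaced; the old and new descriptions are unrelated, and someone reading the history cannot tell which one the event actually corresponds to.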
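Review bot: Patch 5/7, separator-row hunks @@ -48,7 +48,7 @@, @@ -60,7 +60,7 @@ and @@ -85,7 +85,7 @@: these three tables now get three different separator rows (`|--------|---------|`, `|------|------|`, `|-------|------|`), while the tables at lines 29 and 38, which patch 2/7 set to `| -------- | ----------- |`, are left as they are, so the file ends up with four styles. Pick one form and apply it to all five tables in a single change; this also conflicts with patch 2/7's stated intent ("increased column spacing for the tables"), so one of the two patches should be dropped. The @@ -14 hunk (ms.date bump) and the @@ -119 hunk (adding the trailing newline) are fine.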
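Review bot: Patch 6/7, hunk @@ -22,9 +22,9 @@: replacing the literal `|` separators with bold `>` breadcrumbs is the right fix, since a pipe inside a bullet can be picked up as a table cell by some markdown renderers. The second bullet now spells the log as "AppLocker", but the heading at line 38 ("## Microsoft Windows Applocker MSI and Script log event IDs") still uses "Applocker"; align the heading to "AppLocker" in the same patch.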
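Review bot: Patch 7/7, hunk @@ -84,6 +84,7 @@: the blob index line (`849d3ce821..c97df0f805`) does not chain from patch 6/7's result (`eb711a6db2`), so this patch was generated against a different base and the series will not apply cleanly as sent; rebase it. The blank line added before the Appendix header is the correct fix for that table, but the same heading-then-table layout appears for the other four tables in this file, so check that each of them has a blank line before its header row as well; the missing line was introduced by patch 1/7 and would be simpler to fix there.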