input.csv
409 lines (368 loc) · 82.1 KB
Event ID,Message
0,"2025-03-11 22:57:22.778 UTC [5460] LOG: redirecting log output to logging collector process
2025-03-11 22:57:22.778 UTC [5460] HINT: Future log output will appear in directory ""log""."
1,"File System Filter 'CldFlt' (Version 10.0, 2008-12-25T02:48:25.000000000Z) unloaded successfully."
3,The miniport 'Microsoft Hyper-V Network Adapter #2' was successfully initialized
5,"ADM Connector (1.0_8.0.1.967) Start: pid 10964, tid 4"
6,"File System Filter 'CldFlt' (10.0, 2008-12-25T02:48:25.000000000Z) has successfully loaded and registered with Filter Manager."
11,Miniport NIC 'Microsoft Hyper-V Network Adapter #2' restarted
12,The operating system started at system time 2025-03-11T22:56:13.500000000Z.
13,"Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4 device detects that the link is up, and has initiated a normal operation."
14,"Credential Guard configuration: 0x0, 0"
15,Hive \??\C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT was reorganized with a starting size of 13402112 bytes and an ending size of 11681792 bytes.
16,The access history in hive \??\C:\Users\.NET v4.5 Classic\NTUSER.DAT was cleared updating 1 keys and creating 1 modified pages.
18,There are 0x1 boot options on this system.
19,Installation Successful: Windows successfully installed the following update: 2025-03 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5053596)
20,The last shutdown's success status was true. The last boot's success status was true.
25,The boot menu policy was 0x0.
26,"Application popup: Idle timer expired : Session has been idle over its time limit.
It will be disconnected in 2 minutes.
Press any key now to continue session."
27,The boot type was 0x0.
30,The firmware reported boot metrics.
32,The bootmgr spent 0 ms waiting for user input.
35,The time service is now synchronizing the system time with the time source VM IC Time Synchronization Provider with reference id 1347702102. Current local stratum number is 4.
37,"The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->168.61.215.74:123)."
43,Installation Started: Windows has started installing the following update: 2025-03 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5053596)
44,Windows Update started downloading an update.
46,VF adapter '\DEVICE\{3BD0846C-87E2-4C14-AC49-10C6D4AFF353}' did not report NDK capabilities.
47,"Time Provider NtpClient: No valid response has been received from manually configured peer time.windows.com,0x8 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable. "
55,Processor 3 in group 0 exposes the following power management capabilities:Idle state type: ACPI Idle (C) States (1 state(s))Performance state type: NoneNominal Frequency (MHz): 2095Maximum performance percentage: 100Minimum performance percentage: 100Minimum throttle percentage: 100
64,Certificate for local system with Thumbprint 0e 1e 53 4b df a9 27 86 da 90 53 70 27 91 e7 bc 61 a9 04 6a is about to expire or already expired.
98,Volume C: (\Device\HarddiskVolume4) is healthy. No action is needed.
102,"SearchIndexer (8800,P,98) Windows: The database engine (10.00.17763.0000) is starting a new instance (0)."
105,"svchost (3164,D,0) DS_Token_DB: The database engine started a new instance (0). (Time=0 seconds) Additional Data: lgposV2[] = 0000000A:0001:0000 - 0000000A:0003:002B - 0000000A:0004:0000 - 0000000A:0004:0000 (00000000:0000:0000)cReInits = 1 Internal Timing Sequence: [1] 0.000735 +J(0) +M(C:0K, Fs:142, WS:556K # 556K, PF:2376K # 2376K, P:2376K)[2] 0.000547 +J(0) +M(C:8K, Fs:101, WS:392K # 392K, PF:1152K # 1152K, P:1152K)[3] 0.000044 +J(0) +M(C:0K, Fs:9, WS:32K # 32K, PF:68K # 68K, P:68K)[4] 0.000216 +J(0) +M(C:0K, Fs:57, WS:228K # 228K, PF:160K # 160K, P:160K)[5] 0.001207 +J(0) +M(C:0K, Fs:7, WS:28K # 28K, PF:20K # 20K, P:20K)[6] 0.005154 +J(0) +M(C:0K, Fs:41, WS:164K # 164K, PF:28K # 28K, P:28K)[7] 0.003378 -0.001281 (2) WT +J(0) +M(C:0K, Fs:33, WS:132K # 132K, PF:64K # 64K, P:64K)[8] 0.033210 -0.006505 (11) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:12168/7) +M(C:0K, Fs:126, WS:348K # 352K, PF:248K # 252K, P:248K)[9] 0.000808 +J(0) +M(C:0K, Fs:4, WS:16K # 12K, PF:0K # 0K, P:0K)[10] 0.000929 -0.000138 (1) WT +J(0) +M(C:0K, Fs:0, WS:-60K # 0K, PF:-60K # 0K, P:-60K)[11] 0.000384 +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:49/1) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K)[12] 0.004565 -0.001958 (2) WT +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K)[13] 0.076237 -0.000190 (2) CM -0.024770 (23) WT +J(CM:2, PgRf:2, Rd:0/2, Dy:0/0, Lg:8759/5) +M(C:0K, Fs:69, WS:156K # 172K, PF:212K # 216K, P:212K)[14] 0.000019 +J(0)[15] 0.000017 +J(0)[16] 0.000761 -0.000096 (1) WT +J(0) +M(C:0K, Fs:2, WS:0K # 0K, PF:0K # 0K, P:0K)."
109,"The kernel power manager has initiated a shutdown transition.
Shutdown Reason: Kernel API"
153,Virtualization-based security (policies: 0) is disabled.
172,"Connectivity state in standby: Disconnected, Reason: NIC compliance"
258,The storage optimizer successfully completed retrim on AppData (F:)
262,"Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4 has got:
vendor_id 15b3
device_id 1016
subvendor_id 15b3
subsystem_id 0190
HW revision 80
FW version 14.30.5000
port type ETH"
285,"Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4: is currently running:
Driver Version: 2.70.24728.0
Firmware Version: 14.30.5000
PSID number: MSF0010110035"
286,"Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4: is currently running:
GUID: 0022:48ff:fd1f:3cd6
MAC: 00-22-48-1F-3C-D6"
289,Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4 Traffic flow is in restarting state.
290,Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4 Traffic flow is in running state.
300,"svchost (3164,R,98) DS_Token_DB: The database engine is initiating recovery steps."
301,"svchost (3164,R,98) DS_Token_DB: The database engine has finished replaying logfile C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log. Processing Stats: [1] 0.023290 -0.004661 (7) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:12168/7) +M(C:0K, Fs:70, WS:204K # 148K, PF:152K # 84K, P:152K). Log record of type 'AttachDB ' was seen most frequently (1 times)"
302,"svchost (3164,U,98) DS_Token_DB: The database engine has successfully completed recovery steps."
326,"svchost (3164,D,50) DS_Token_DB: The database engine attached a database (1, C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat). (Time=0 seconds) Saved Cache: 1 0 Additional Data: lgposAttach = 0000000A:0006:0268 Internal Timing Sequence: [1] 0.000004 +J(0)[2] 0.001928 -0.001329 (1) WT +J(0) +M(C:0K, Fs:17, WS:4K # 4K, PF:4K # 0K, P:4K)[3] 0.028898 -0.004570 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:11, WS:40K # 0K, PF:40K # 0K, P:40K)[4] 0.000722 +J(0)[5] -[6] -[7] -[8] 0.000374 -0.000207 (2) CM -0.000139 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:8K, Fs:3, WS:12K # 0K, PF:8K # 0K, P:8K)[9] 0.000803 -0.000512 (3) CM -0.000427 (3) WT +J(CM:3, PgRf:23, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:0K, Fs:24, WS:88K # 76K, PF:196K # 188K, P:196K)[10] 0.000356 -0.000223 (3) CM -0.000147 (3) WT +J(CM:3, PgRf:40, Rd:0/3, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 4K, PF:64K # 56K, P:64K)[11] 0.000013 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 4K, PF:0K # 0K, P:0K)[12] 0.000064 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:5, WS:20K # 20K, PF:0K # 0K, P:0K)[13] 0.0 +J(0)[14] 0.0 +J(0)[15] 0.000006 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0)."
379,"Mellanox ConnectX-4 Lx Virtual Ethernet Adapter #4: Zero Touch RoCE: Some of the required capabilities are not supported by FW.
Requested: SlowRestart = 1, TxWindow = 1, AdpRetrans = 1
Supported: SlowRestart = 0, TxWindow = 0, AdpRetrans = 0"
781,The COM+ sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\COM3\Eventlog.
900,"The Software Protection service is starting.
Parameters:<explicit>"
902,"The Software Protection service has started.
10.0.17763.7009"
903,The Software Protection service has stopped.
1000,Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
1001,Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
1003,The Windows Search Service started.
1014,Name resolution for the name 1f6fa344-ce4d-490d-9354-fd970ff42674.ods.opinsights.azure.com timed out after none of the configured DNS servers responded.
1029,Product: Microsoft Azure Site Recovery Mobility Service/Master Target Server. Restart required. The installation or update for the product required a restart for all changes to take effect. The restart was deferred to a later time.
1033,"These policies are being excluded since they are only defined with override-only attribute.
Policy Names=(Security-SPP-Reserved-EnableNotificationMode)
App Id=55c92734-d682-4d71-983e-d6ec3f16059f
Sku Id=34e1ae55-27f8-4950-8877-7a03be5fb181"
1034,Duplicate definition of policy found. Policy name=AAD-WindowsCore-AddAccountRestrictions Priority=100
1035,Windows Installer reconfigured the product. Product Name: Microsoft Azure Site Recovery Mobility Service/Master Target Server. Product Version: 9.64.7314.1. Product Language: 1033. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.
1038,Windows Installer requires a system restart. Product Name: Microsoft Azure Site Recovery Mobility Service/Master Target Server. Product Version: 9.64.7314.1. Product Language: 1033. Manufacturer: Microsoft Corporation. Type of System Restart: 2. Reason for Restart: 1.
1040,Beginning a Windows Installer transaction: C:\Packages\Plugins\Microsoft.Azure.RecoveryServices.SiteRecovery.Windows\1.0.0.9245\MobilityServiceInstaller\UNIFIEDAGENTMSI.MSI. Client Process Id: 10652.
1042,Ending a Windows Installer transaction: C:\Packages\Plugins\Microsoft.Azure.RecoveryServices.SiteRecovery.Windows\1.0.0.9245\MobilityServiceInstaller\UNIFIEDAGENTMSI.MSI. Client Process Id: 10652.
1066,"Initialization status for service objects.C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/inherited/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/detect, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/ActionScheduler/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/statecollector/pkey, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/activationinfo/1.0, 0x00000000, 0x00000000"
1074,The process C:\Windows\system32\svchost.exe (USEAZSMARTFTP01) has initiated the restart of computer USEAZSMARTFTP01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Service pack (Planned) Reason Code: 0x80020010 Shutdown Type: restart Comment:
1100,The event logging service has shut down.
1309,Event code: 3005 Event message: An unhandled exception has occurred. Event time: 2/22/2025 8:12:56 PM Event time (UTC): 2/22/2025 8:12:56 PM Event ID: 600da4ddc2b44977b61fabfe9f3c3773 Event sequence: 1832 Event occurrence: 1 Event detail code: 0 Application information: Application domain: /LM/W3SVC/1/ROOT-1-133847279938018226 Trust level: Full Application Virtual Path: / Application Path: C:\inetpub\wwwroot\ Machine name: USEAZSPDFTP04 Process information: Process ID: 12676 Process name: w3wp.exe Account name: IIS APPPOOL\DefaultAppPool Exception information: Exception type: HttpException Exception message: A potentially dangerous Request.Path value was detected from the client (:). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context) Request information: Request URL: https://USEAZRSPDFTP01.gep.com:443/DB4Web/USEAZInfoSecReport:23/foo Request path: /DB4Web/USEAZInfoSecReport:23/foo User host address: 172.20.13.208 User: Is authenticated: False Authentication Type: Thread account name: IIS APPPOOL\DefaultAppPool Thread information: Thread ID: 28 Thread account name: IIS APPPOOL\DefaultAppPool Is impersonating: False Stack trace: at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context) Custom event details:
1531,The User Profile Service has started successfully.
1532,The User Profile Service has stopped.
1796,"The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931"
2003,"The configuration information of the performance library ""C:\Windows\system32\InterceptCounters.dll"" for the ""InterceptCountersManager"" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted."
2017,Unable to collect NUMA physical memory utilization data. The first four bytes (DWORD) of the Data section contains the status code.
4111,"Successful auto update of third-party root list with effective date: Tuesday, January 28, 2025 12:46:32 AM."
4202,"MSDTC started with the following settings: Security Configuration (OFF = 0 and ON = 1): Allow Remote Administrator = 0, Network Clients = 0, Transaction Manager Communication: Allow Inbound Transactions = 0, Allow Outbound Transactions = 0, Transaction Internet Protocol (TIP) = 0, Enable XA Transactions = 0, Enable SNA LU 6.2 Transactions = 1, MSDTC Communications Security = Mutual Authentication Required, Account = NT AUTHORITY\NetworkService, Firewall Exclusion Detected = 0 Transaction Bridge Installed = 0 Filtering Duplicate Events = 1"
4608,"Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized."
4610,"An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\Windows\system32\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
4611,A trusted logon process has been registered with the Local Security Authority.This logon process will be trusted to submit logon requests.Subject: Security ID: S-1-5-18 Account Name: USSPDDEVDB04$ Account Domain: GEP Logon ID: 0x3E7Logon Process Name: UserManager
4614,"A notification package has been loaded by the Security Account Manager.
This package will be notified of any account or password changes.
Notification Package Name: KDCPW"
4616,"The system time was changed.Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5Process Information: Process ID: 0x424 Name: C:\Windows\System32\svchost.exePrevious Time: 2025-03-14T17:20:51.997746000ZNew Time: 2025-03-14T17:20:52.004372200ZThis event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
4622,"A security package has been loaded by the Local Security Authority.
Security Package Name: C:\Windows\system32\cloudAP.DLL : CloudAP"
4624,"An account was successfully logged on.Subject: Security ID: S-1-5-20 Account Name: EUNAZRSPDFTP1-N$ Account Domain: WORKGROUP Logon ID: 0x3E4Logon Information: Logon Type: 8 Restricted Admin Mode: - Virtual Account: No Elevated Token: NoImpersonation Level: ImpersonationNew Logon: Security ID: S-1-5-21-4168947982-2554143436-4086189163-1001 Account Name: IPS_smartftp Account Domain: EUNAZRSPDFTP1-N Logon ID: 0x40B0CB97 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000}Process Information: Process ID: 0xec4 Process Name: C:\Windows\SysWOW64\inetsrv\w3wp.exeNetwork Information: Workstation Name: EUNAZRSPDFTP1-N Source Network Address: - Source Port: -Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0This event is generated when a logon session is created. It is generated on the computer that was accessed.The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.The impersonation level field indicates the extent to which a process in the logon session can impersonate.The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
4625,"An account failed to log on.Subject: Security ID: S-1-5-18 Account Name: SEAAZRSDC03$ Account Domain: GEP Logon ID: 0x3E7Logon Type: 3Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: SvcLeoMdbAuthConnect Account Domain: GEPFailure Information: Failure Reason: The specified account's password has expired. Status: 0xC000006E Sub Status: 0xC0000071Process Information: Caller Process ID: 0x334 Caller Process Name: C:\Windows\System32\lsass.exeNetwork Information: Workstation Name: SEAAZRSDC03 Source Network Address: 192.168.34.7 Source Port: 58218Detailed Authentication Information: Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Transited Services: - Package Name (NTLM only): - Key Length: 0This event is generated when a logon request fails. It is generated on the computer where access was attempted.The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).The Process Information fields indicate which account and process on the system requested the logon.The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
4627,"Group membership information.Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0Logon Type: 3New Logon: Security ID: S-1-5-21-932416472-1581942402-1327342795-27958643 Account Name: MUM02L11318$ Account Domain: GEP.COM Logon ID: 0x16A958CC3Event in sequence: 1 of 1Group Membership: %{S-1-5-21-932416472-1581942402-1327342795-515} %{S-1-1-0} %{S-1-5-32-554} %{S-1-5-32-545} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-932416472-1581942402-1327342795-27729472} %{S-1-18-1} %{S-1-16-8448}The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session."
4634,An account was logged off.Subject: Security ID: S-1-5-21-580355598-3368204733-2967366707-1001 Account Name: IPS_smartftp Account Domain: USEAZSPDFTP04 Logon ID: 0x5CEFA843Logon Type: 2This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
4647,User initiated logoff:Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27941113 Account Name: Sachint0 Account Domain: GEP Logon ID: 0x2A8D863CThis event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
4648,"A logon was attempted using explicit credentials.Subject: Security ID: S-1-5-82-2502795-2290409902-159026534-96860550-3370483566 Account Name: WS_FTP_SERVER Account Domain: IIS APPPOOL Logon ID: 0x449A43A Logon GUID: {00000000-0000-0000-0000-000000000000}Account Whose Credentials Were Used: Account Name: IPS_smartftp Account Domain: USEAZSPDFTP04 Logon GUID: {00000000-0000-0000-0000-000000000000}Target Server: Target Server Name: localhost Additional Information: localhostProcess Information: Process ID: 0x228c Process Name: C:\Windows\SysWOW64\inetsrv\w3wp.exeNetwork Information: Network Address: 104.211.91.170 Port: 50864This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
4656,A handle to an object was requested.Subject: Security ID: S-1-5-18 Account Name: SEAAZRSDC04$ Account Domain: GEP Logon ID: 0x3E7Object: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Handle ID: 0x490 Resource Attributes: -Process Information: Process ID: 0x6b0 Process Name: C:\Windows\System32\svchost.exeAccess Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link Access Reasons: - Access Mask: 0xF003F Privileges Used for Access Check: - Restricted SID Count: 0
4657,A registry value was modified.Subject: Security ID: S-1-5-18 Account Name: MUMWDCP03$ Account Domain: GEP Logon ID: 0x3E7Object: Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\WMI\Autologger\EventLog-System\{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78} Object Value Name: MatchAnyKeyword Handle ID: 0x1e8 Operation Type: Existing registry value modifiedProcess Information: Process ID: 0x14d0 Process Name: C:\Windows\System32\wevtutil.exeChange Information: Old Value Type: REG_QWORD Old Value: 0x8000000000000000 New Value Type: REG_QWORD New Value: 0xC000000000000000
4658,The handle to an object was closed.Subject : Security ID: S-1-5-18 Account Name: SEAAZRSDC04$ Account Domain: GEP Logon ID: 0x3E7Object: Object Server: Security Handle ID: 0x490Process Information: Process ID: 0x6b0 Process Name: C:\Windows\System32\svchost.exe
4659,A handle to an object was requested with intent to delete.Subject: Security ID: S-1-5-18 Account Name: USEAZSPDFTP04$ Account Domain: WORKGROUP Logon ID: 0x3E7Object: Object Server: Security Object Type: File Object Name: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\dismApiWrapperPath\JEF459A.tmp Handle ID: 0x0Process Information: Process ID: 0xdd0Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: DELETE READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Access Mask: 0x13019F Privileges Used for Access Check: -
4660,An object was deleted.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Object: Object Server: Security Handle ID: 0x5c0Process Information: Process ID: 0x25d0 Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe Transaction ID: {00000000-0000-0000-0000-000000000000}
4661,A handle to an object was requested.Subject : Security ID: S-1-5-21-932416472-1581942402-1327342795-27926779 Account Name: Saloni.Ushire Account Domain: GEP Logon ID: 0x169204D1EObject: Object Server: Security Account Manager Object Type: SAM_GROUP Object Name: S-1-5-21-932416472-1581942402-1327342795-512 Handle ID: 0x2c942d93820Process Information: Process ID: 0x33c Process Name: C:\Windows\System32\lsass.exeAccess Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL AddMember ListMembers Undefined Access (no effect) Bit 7 Access Reasons: - Access Mask: 0x20094 Privileges Used for Access Check: - Properties: --- {bf967a9c-0de6-11d0-a285-00aa003049e2}READ_CONTROLAddMemberListMembersUndefined Access (no effect) Bit 7 {bf9679e8-0de6-11d0-a285-00aa003049e2} {3e0abfd0-126a-11d0-a060-00aa006c33ed} {bc0ac240-79a9-11d0-9020-00c04fc2d4cf} {bf9679c0-0de6-11d0-a285-00aa003049e2} {59ba2f42-79a2-11d0-9020-00c04fc2d3cf} Restricted SID Count: 0
4662,"An operation was performed on an object.Subject : Security ID: S-1-5-18 Account Name: USEAZUATFTP$ Account Domain: WORKGROUP Logon ID: 0x3E7Object: Object Server: WMI Object Type: WMI Namespace Object Name: root\CIMV2\Security\MicrosoftVolumeEncryption Handle ID: 0x0Operation: Operation Type: Object Access Accesses: Unknown specific access (bit 0) Access Mask: 0x1 Properties: -Additional Information: Parameter 1: Local Read (ExecQuery) Parameter 2: root\CIMV2\Security\MicrosoftVolumeEncryption:references of {__Win32Provider.Name=""Win32_EncryptableVolumeProvider""}"
4663,An attempt was made to access an object.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Object: Object Server: Security Object Type: File Object Name: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Output_{A7104D6C-AE4B-46C6-BB54-AB4FA163B97A}.txt Handle ID: 0x550 Resource Attributes: S:AIProcess Information: Process ID: 0x25d0 Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exeAccess Request Information: Accesses: DELETE Access Mask: 0x10000
4664,An attempt was made to create a hard link.Subject: Account Name: S-1-5-18 Account Name: USEAZUATFTP$ Account Domain: WORKGROUP Logon ID: 0x3E7Link Information: File Name: C:\Windows\WinSxS\x86_mscorlib_b77a5c561934e089_4.0.15744.1170_none_7a02250fa8e24941\normnfd.nlp Link Name: C:\Windows\WinSxS\x86_mscorlib_b77a5c561934e089_4.0.15744.551_none_5f364f58670632b5\normnfd.nlp Transaction ID: {f471462f-0418-11f0-9bae-000d3a569fe0}
4670,Permissions on an object were changed.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Object: Object Server: Security Object Type: Token Object Name: - Handle ID: 0x590Process: Process ID: 0xc60 Process Name: C:\Windows\System32\svchost.exePermissions Change: Original Security Descriptor: D:(A;;GA;;;SY)(A;;GA;;;LS) New Security Descriptor: D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-1544737700-199408000-2549878335-3519669259-381336952)
4672,"Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-17
Account Name: IUSR
Account Domain: NT AUTHORITY
Logon ID: 0x3E3
Privileges: SeImpersonatePrivilege"
4673,A privileged service was called.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Service: Server: NT Local Security Authority / Authentication Service Service Name: LsaRegisterLogonProcess()Process: Process ID: 0x360 Process Name: C:\Windows\System32\lsass.exeService Request Information: Privileges: SeTcbPrivilege
4674,An operation was attempted on a privileged object.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27951727 Account Name: Laxman.Vemunurit1 Account Domain: GEP Logon ID: 0x5E83E702Object: Object Server: Security Object Type: - Object Name: - Object Handle: 0x408Process Information: Process ID: 0x7d4c Process Name: C:\Windows\System32\wsmprovhost.exeRequested Operation: Desired Access: 2031617 Privileges: SeTakeOwnershipPrivilege
4675,SIDs were filtered.Target Account: Security ID: S-1-5-21-3611907846-4248448592-3007916314-16102 Account Name: - Account Domain: -Trust Information: Trust Direction: 2 Trust Attributes: 8 Trust Type: 2 TDO Domain SID: S-1-5-21-3611907846-4248448592-3007916314Filtered SIDs: %{S-1-5-9}
4688,"A new process has been created.Creator Subject: Security ID: S-1-5-18 Account Name: USEAZUATFTP$ Account Domain: WORKGROUP Logon ID: 0x3E7Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0Process Information: New Process ID: 0x2680 New Process Name: C:\Program Files\New Relic\newrelic-infra\newrelic-integrations\nr-winpkg.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1824 Creator Process Name: C:\Program Files\New Relic\newrelic-infra\newrelic-infra.exe Process Command Line: ./nr-winpkgToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
4689,"A process has exited.
Subject:
Security ID: S-1-5-18
Account Name: CLKWDCP01$
Account Domain: GEP
Logon ID: 0x3E7
Process Information:
Process ID: 0x1500
Process Name: C:\Windows\System32\svchost.exe
Exit Status: 0x0"
4690,An attempt was made to duplicate a handle to an object.Subject: Security ID: S-1-5-18 Account Name: SEAAZRSDC04$ Account Domain: GEP Logon ID: 0x3E7Source Handle Information: Source Handle ID: 0x490 Source Process ID: 0x6b0New Handle Information: Target Handle ID: 0x44a8 Target Process ID: 0x4
4696,A primary token was assigned to process.Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7Process Information: Process ID: 0x4 Process Name: Target Process: Target Process ID: 0x58 Target Process Name: RegistryNew Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3E7
4697,A service was installed in the system.Subject: Security ID: S-1-5-18 Account Name: MUMWDCP03$ Account Domain: GEP Logon ID: 0x3E7Service Information: Service Name: UserDataSvc_359f343d Service File Name: C:\Windows\system32\svchost.exe -k UnistackSvcGroup Service Type: 0xE0 Service Start Type: 3 Service Account: LocalSystem
4698,"A scheduled task was created.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Task Information: Task Name: \Microsoft\Windows\UpdateOrchestrator\AC Power Install Task Content: <?xml version=""1.0"" encoding=""UTF-16""?><Task version=""1.4"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <URI>\Microsoft\Windows\UpdateOrchestrator\AC Power Install</URI> </RegistrationInfo> <Triggers> <WnfStateChangeTrigger> <Enabled>true</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01000000</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine> <WakeToRun>true</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""Author""> <Exec> <Command>%systemroot%\system32\usoclient.exe</Command> <Arguments>StartInstall</Arguments> </Exec> </Actions> <Principals> <Principal id=""Author""> <UserId>S-1-5-18</UserId> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals></Task>Other Information: ProcessCreationTime: 12103423998558556 ClientProcessId: 5024 ParentProcessId: 840 FQDN: 0"
4699,A scheduled task was deleted.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Task Information: Task Name: \Microsoft\Windows\UpdateOrchestrator\AC Power Install Task Content: Other Information: ProcessCreationTime: 12103423998558556 ClientProcessId: 5024 ParentProcessId: 840 FQDN: 0
4700,"A scheduled task was enabled.Subject: Security ID: S-1-5-20 Account Name: USSPDPRODTM01$ Account Domain: GEP Logon ID: 0x3E4Task Information: Task Name: \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork Task Content: <?xml version=""1.0"" encoding=""UTF-16""?><Task xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Version>1.0</Version> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-431836887-2321537645-4075769387-3393595759-2187231311)</SecurityDescriptor> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Description>$(@%systemroot%\system32\sppc.dll,-203)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork</URI> </RegistrationInfo> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> </Principal> </Principals> <Settings> <AllowHardTerminate>false</AllowHardTerminate> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Hidden>true</Hidden> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <RestartOnFailure> <Count>3</Count> <Interval>PT1M</Interval> </RestartOnFailure> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> </Settings> <Triggers> <EventTrigger> <Subscription><QueryList><Query Id=""0"" Path=""Microsoft-Windows-NetworkProfile/Operational""><Select Path=""Microsoft-Windows-NetworkProfile/Operational"">*[System[EventID=10000]]</Select></Query></QueryList></Subscription> </EventTrigger> </Triggers> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[network]]></Data> </ComHandler> 
</Actions></Task>Other Information: ProcessCreationTime: 8162774324689892 ClientProcessId: 10192 ParentProcessId: 760 FQDN: 0 "
4701,"A scheduled task was disabled.Subject: Security ID: S-1-5-20 Account Name: USSPDDEVDB04$ Account Domain: GEP Logon ID: 0x3E4Task Information: Task Name: \Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask Task Content: <?xml version=""1.0"" encoding=""UTF-16""?><Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Version>1.0</Version> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)</SecurityDescriptor> <Source>$(@%systemroot%\system32\sppc.dll,-200)</Source> <Author>$(@%systemroot%\system32\sppc.dll,-200)</Author> <Description>$(@%systemroot%\system32\sppc.dll,-201)</Description> <URI>\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</URI> </RegistrationInfo> <Principals> <Principal id=""NetworkService""> <UserId>S-1-5-20</UserId> </Principal> </Principals> <Settings> <AllowHardTerminate>false</AllowHardTerminate> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <Enabled>false</Enabled> <ExecutionTimeLimit>PT0S</ExecutionTimeLimit> <Hidden>true</Hidden> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <RestartOnFailure> <Count>3</Count> <Interval>PT1M</Interval> </RestartOnFailure> <StartWhenAvailable>true</StartWhenAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> </Settings> <Triggers> <CalendarTrigger> <StartBoundary>2025-03-19T08:51:33+00:00</StartBoundary> <ScheduleByDay> <DaysInterval>1</DaysInterval> </ScheduleByDay> </CalendarTrigger> </Triggers> <Actions Context=""NetworkService""> <ComHandler> <ClassId>{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}</ClassId> <Data><![CDATA[timer]]></Data> </ComHandler> </Actions></Task>Other Information: 
ProcessCreationTime: 18858823439774905 ClientProcessId: 12052 ParentProcessId: 840 FQDN: 0 "
4702,"A scheduled task was updated.Subject: Security ID: S-1-5-18 Account Name: EUNAZRSPDFTP1-N$ Account Domain: WORKGROUP Logon ID: 0x3E7Task Information: Task Name: \Microsoft\Windows\Windows Error Reporting\QueueReporting Task New Content: <?xml version=""1.0"" encoding=""UTF-16""?><Task version=""1.6"" xmlns=""http://schemas.microsoft.com/windows/2004/02/mit/task""> <RegistrationInfo> <Source>$(@%SystemRoot%\system32\wer.dll,-292)</Source> <Author>$(@%SystemRoot%\system32\wer.dll,-293)</Author> <Version>1.5</Version> <Description>$(@%SystemRoot%\system32\wer.dll,-294)</Description> <URI>\Microsoft\Windows\Windows Error Reporting\QueueReporting</URI> <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor> </RegistrationInfo> <Triggers> <BootTrigger id=""QueueReportingBootTrigger""> <Enabled>true</Enabled> <Delay>PT3M</Delay> </BootTrigger> <WnfStateChangeTrigger id=""QueueReportingWnfTrigger""> <Enabled>true</Enabled> <StateName>7510BCA33A0B9441</StateName> <Data>01</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> <WnfStateChangeTrigger id=""QueueReportingFreeNetworkTrigger""> <Enabled>true</Enabled> <StateName>7510BCA33E0B8441</StateName> <Data>03</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> <TimeTrigger id=""QueueReportingTimeTrigger""> <Repetition> <Interval>PT30M</Interval> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>2025-03-19T09:49:37Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT30M</RandomDelay> </TimeTrigger> </Triggers> <Principals> <Principal id=""LocalSystem""> <UserId>S-1-5-18</UserId> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> 
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT4H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context=""LocalSystem""> <Exec> <Command>%windir%\system32\wermgr.exe</Command> <Arguments>-upload</Arguments> </Exec> </Actions></Task>Other Information: ProcessCreationTime: 12384898975365391 ClientProcessId: 10320 ParentProcessId: 1744 FQDN: 0 "
4703,A token right was adjusted.Subject: Security ID: S-1-5-18 Account Name: SEAAZRSDC04$ Account Domain: GEP Logon ID: 0x3E7Target Account: Security ID: S-1-0-0 Account Name: SEAAZRSDC04$ Account Domain: GEP Logon ID: 0x3E7Process Information: Process ID: 0x6b0 Process Name: C:\Windows\System32\svchost.exeEnabled Privileges: SeSecurityPrivilegeDisabled Privileges: -
4719,"System audit policy was changed.Subject: Security ID: S-1-5-18 Account Name: USE2AZRSDC03$ Account Domain: GEP Logon ID: 0x3E7Audit Policy Change: Category: Logon/Logoff Subcategory: IPsec Quick Mode Subcategory GUID: {0cce9219-69ae-11d9-bed3-505054503030} Changes: Success Added, Failure added"
4720,A user account was created.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27938107 Account Name: LeenaAIBotT2 Account Domain: GEP Logon ID: 0x1A3EC32B0New Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27966867 Account Name: saloni.pawanarkar Account Domain: GEPAttributes: SAM Account Name: saloni.pawanarkar Display Name: Saloni Pawanarkar User Principal Name: saloni.pawanarkar@gep.com Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: - SID History: - Logon Hours: <value not set>Additional Information: Privileges -
4722,A user account was enabled.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27953816 Account Name: Mukunthrt2 Account Domain: GEP Logon ID: 0x16942E3A4Target Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27964692 Account Name: CBT-DR9T244$ Account Domain: GEP
4723,An attempt was made to change an account's password.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27948134 Account Name: AZINDCITAPP01$ Account Domain: GEP Logon ID: 0x16A9DED2CTarget Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27952994 Account Name: Kajal.Bhanushali Account Domain: GEPAdditional Information: Privileges -
4724,An attempt was made to reset an account's password.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27938107 Account Name: LeenaAIBotT2 Account Domain: GEP Logon ID: 0x1A3EC32B0Target Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27966867 Account Name: saloni.pawanarkar Account Domain: GEP
4725,A user account was disabled.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944644 Account Name: prathameshut2 Account Domain: GEP Logon ID: 0x165B8E7F7Target Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27926500 Account Name: Prince.Tiwari Account Domain: GEP
4726,A user account was deleted.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944646 Account Name: rahuljt2 Account Domain: GEP Logon ID: 0x15A73BE06Target Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27966664 Account Name: Vijaya.Bhanavath Account Domain: GEPAdditional Information: Privileges -
4728,"A member was added to a security-enabled global group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27954412 Account Name: Abhishek.ST2 Account Domain: GEP Logon ID: 0x1A3FB86B2Member: Security ID: S-1-5-21-932416472-1581942402-1327342795-27964692 Account Name: CN=CBT-DR9T244,CN=Computers,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27729472 Group Name: Bitlocker Encryption Intune Policy Group Domain: GEPAdditional Information: Privileges: -"
4729,"A member was removed from a security-enabled global group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944652 Account Name: sagargt2 Account Domain: GEP Logon ID: 0x1698826E4Member: Security ID: S-1-5-21-932416472-1581942402-1327342795-27720155 Account Name: CN=Kishan Mund,OU=USR,OU=IND,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27955714 Group Name: Leo-ADO-RfxNg Group Domain: GEPAdditional Information: Privileges: -"
4735,A security-enabled local group was changed.Subject: Security ID: S-1-5-18 Account Name: USAZSPDDFIR-N$ Account Domain: GEP Logon ID: 0x3E7Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: BuiltinChanged Attributes: SAM Account Name: - SID History: -Additional Information: Privileges: -
4737,A security-enabled global group was changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27954412 Account Name: Abhishek.ST2 Account Domain: GEP Logon ID: 0x1A3FB86B2Group: Security ID: S-1-5-21-932416472-1581942402-1327342795-27729472 Group Name: Bitlocker Encryption Intune Policy Group Domain: GEPChanged Attributes: SAM Account Name: - SID History: -Additional Information: Privileges: -
4738,A user account was changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27948134 Account Name: AZINDCITAPP01$ Account Domain: GEP Logon ID: 0x16A9DED2CTarget Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27952994 Account Name: Kajal.Bhanushali Account Domain: GEPChanged Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 3/19/2025 9:08:12 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: -Additional Information: Privileges: -
4740,A user account was locked out.Subject: Security ID: S-1-5-18 Account Name: INDAZRSDC04$ Account Domain: GEP Logon ID: 0x3E7Account That Was Locked Out: Security ID: S-1-5-21-932416472-1581942402-1327342795-27731093 Account Name: Pankaj.MurudkarAdditional Information: Caller Computer Name: MUM02L11688
4741,A computer account was created.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27953816 Account Name: Mukunthrt2 Account Domain: GEP Logon ID: 0x16942E3A4New Computer Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27964692 Account Name: CBT-DR9T244$ Account Domain: GEPAttributes: SAM Account Name: CBT-DR9T244$ Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 3/19/2025 7:47:32 AM Account Expires: <never> Primary Group ID: 515 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x80 User Account Control: 'Workstation Trust Account' - Enabled User Parameters: - SID History: - Logon Hours: <value not set> DNS Host Name: CBT-DR9T244.gep.com Service Principal Names: HOST/CBT-DR9T244.gep.com RestrictedKrbHost/CBT-DR9T244.gep.com HOST/CBT-DR9T244 RestrictedKrbHost/CBT-DR9T244Additional Information: Privileges -
4742,A computer account was changed.Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x3E6Computer Account That Was Changed: Security ID: S-1-5-21-932416472-1581942402-1327342795-27921877 Account Name: MUM02L10065$ Account Domain: GEPChanged Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 3/19/2025 9:24:28 AM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: -Additional Information: Privileges: -
4743,A computer account was deleted.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944626 Account Name: aniketbt2 Account Domain: GEP Logon ID: 0x1A3F8690CTarget Computer: Security ID: S-1-5-21-932416472-1581942402-1327342795-27883182 Account Name: MUM02L8951$ Account Domain: GEPAdditional Information: Privileges: -
4750,A security-disabled global group was changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944637 Account Name: krishmapt2 Account Domain: GEP Logon ID: 0x1A37B0CBFGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27733089 Group Name: SignifyPTP Group Domain: GEPChanged Attributes: SAM Account Name: - SID History: -Additional Information: Privileges: -
4751,"A member was added to a security-disabled global group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944637 Account Name: krishmapt2 Account Domain: GEP Logon ID: 0x1A37B0CBFMember: Security ID: S-1-5-21-932416472-1581942402-1327342795-27926763 Account Name: CN=Sankalp Panmand,OU=USR,OU=IND,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27733089 Group Name: SignifyPTP Group Domain: GEPAdditional Information: Privileges: -"
4752,"A member was removed from a security-disabled global group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944644 Account Name: prathameshut2 Account Domain: GEP Logon ID: 0x165A1586FMember: Security ID: S-1-5-21-932416472-1581942402-1327342795-27911000 Account Name: CN=Paramjyot Kaur Suman,OU=USR,OU=IND,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27231571 Group Name: J&J_GEP_NA Group Domain: GEPAdditional Information: Privileges: -"
4755,A security-enabled universal group was changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944637 Account Name: krishmapt2 Account Domain: GEP Logon ID: 0x1A2BF7993Group: Security ID: S-1-5-21-932416472-1581942402-1327342795-3043 Group Name: Gep_IND_consulting Group Domain: GEPChanged Attributes: SAM Account Name: - SID History: -Additional Information: Privileges: -
4756,"A member was added to a security-enabled universal group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944637 Account Name: krishmapt2 Account Domain: GEP Logon ID: 0x1A2BF7993Member: Security ID: S-1-5-21-932416472-1581942402-1327342795-27933513 Account Name: CN=Naincy Vishwakarma,OU=USR,OU=IND,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-3043 Account Name: Gep_IND_consulting Account Domain: GEPAdditional Information: Privileges: -"
4757,"A member was removed from a security-enabled universal group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944644 Account Name: prathameshut2 Account Domain: GEP Logon ID: 0x165B8E7F7Member: Security ID: S-1-5-21-932416472-1581942402-1327342795-27926500 Account Name: CN=Prince Tiwari,OU=USR,OU=IND,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27712234 Group Name: Gep_Ind_Mumbai Group Domain: GEPAdditional Information: Privileges: -"
4760,A security-disabled universal group was changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944644 Account Name: prathameshut2 Account Domain: GEP Logon ID: 0x165B8E7F7Group: Security ID: S-1-5-21-932416472-1581942402-1327342795-27231025 Group Name: GEP_IND_KnowledgeSvcs Group Domain: GEPChanged Attributes: SAM Account Name: - SID History: -Additional Information: Privileges: -
4761,"A member was added to a security-disabled universal group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944643 Account Name: nitinnt2 Account Domain: GEP Logon ID: 0x1449BB0B6Member: Security ID: S-1-5-21-932416472-1581942402-1327342795-27964683 Account Name: cn=Gustavo Diaz Guevara,OU=USR,OU=LTM,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-5401 Group Name: GEP_LatAm Group Domain: GEPAdditional Information: Privileges: -"
4762,"A member was removed from a security-disabled universal group.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944644 Account Name: prathameshut2 Account Domain: GEP Logon ID: 0x165B8E7F7Member: Security ID: S-1-5-21-932416472-1581942402-1327342795-27926500 Account Name: CN=Prince Tiwari,OU=USR,OU=IND,DC=gep,DC=comGroup: Security ID: S-1-5-21-932416472-1581942402-1327342795-27231025 Group Name: GEP_IND_KnowledgeSvcs Group Domain: GEPAdditional Information: Privileges: -"
4764,A groups type was changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27941113 Account Name: Sachint0 Account Domain: GEP Logon ID: 0x7F9B3423Change Type: Security Disabled Global Group Changed to Security Enabled Universal Group.Group: Security ID: S-1-5-21-932416472-1581942402-1327342795-27906724 Group Name: GEP_IND_Coimbatore Group Domain: GEPAdditional Information: Privileges: -
4767,A user account was unlocked.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-28522 Account Name: MSOL_625991824688 Account Domain: GEP Logon ID: 0x1184CB67BTarget Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27731093 Account Name: Pankaj.Murudkar Account Domain: GEP
4768,"A Kerberos authentication ticket (TGT) was requested.Account Information: Account Name: TFSAdmin Supplied Realm Name: GEP User ID: S-1-5-21-932416472-1581942402-1327342795-12599 MSDS-SupportedEncryptionTypes: 0x27 (DES, RC4, AES-Sk) Available Keys: AES-SHA1, RC4Service Information: Service Name: krbtgt Service ID: S-1-5-21-932416472-1581942402-1327342795-502 MSDS-SupportedEncryptionTypes: 0x1F (DES, RC4, AES128-SHA96, AES256-SHA96) Available Keys: AES-SHA1, RC4Domain Controller Information: MSDS-SupportedEncryptionTypes: 0x1F (DES, RC4, AES128-SHA96, AES256-SHA96) Available Keys: AES-SHA1, RC4Network Information: Client Address: ::ffff:172.20.13.132 Client Port: 51036 Advertized Etypes: AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC-NT RC4-HMAC-NT-EXP RC4-HMAC-OLD-EXP DES-CBC-MD5Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Session Encryption Type: 0x12 Pre-Authentication Type: 2 Pre-Authentication EncryptionType: 0x12Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Ticket information Response ticket hash: n/aCertificate information is only provided if a certificate was used for pre-authentication.Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."
4769,"A Kerberos service ticket was requested.Account Information: Account Name: GEPAZPRODEUDRUP$@GEP.COM Account Domain: GEP.COM Logon GUID: {d935cc0a-10f3-3973-6544-ec7dcf2af5fd} MSDS-SupportedEncryptionTypes: N/A Available Keys: N/AService Information: Service Name: krbtgt Service ID: S-1-5-21-932416472-1581942402-1327342795-502 MSDS-SupportedEncryptionTypes: 0x1F (DES, RC4, AES128-SHA96, AES256-SHA96) Available Keys: AES-SHA1, RC4Domain Controller Information: MSDS-SupportedEncryptionTypes: 0x1F (DES, RC4, AES128-SHA96, AES256-SHA96) Available Keys: AES-SHA1, RC4Network Information: Client Address: ::ffff:172.26.144.12 Client Port: 64203 Advertized Etypes: AES256-CTS-HMAC-SHA1-96Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0x12 Session Encryption Type: 0x12 Failure Code: 0x0 Transited Services: -Ticket information Request ticket hash: N/A Response ticket hash: N/AThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120."
4771,"Kerberos pre-authentication failed.Account Information: Security ID: S-1-5-21-932416472-1581942402-1327342795-27937749 Account Name: Joao.MateusService Information: Service Name: krbtgt/GEPNetwork Information: Client Address: ::ffff:172.26.52.9 Client Port: 52241Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication.Pre-authentication types, ticket options and failure codes are defined in RFC 4120.If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present."
4776,"The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: $
Source Workstation: USEAZInfoSecReport
Error Code: 0xC0000064"
4778,"A session was reconnected to a Window Station.Subject: Account Name: Sivakumar.Reddyt1 Account Domain: GEP Logon ID: 0xD8D1303Session: Session Name: RDP-Tcp#108Additional Information: Client Name: HYD-6G9ZNW3 Client Address: 172.28.72.5This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching."
4779,"A session was disconnected from a Window Station.Subject: Account Name: laxman.vemunurit1 Account Domain: GEP Logon ID: 0x550BD1A5Session: Session Name: RDP-Tcp#92Additional Information: Client Name: HYD-JDVP2N3 Client Address: 172.28.72.5This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching."
4781,The name of an account was changed:Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944641 Account Name: miriam.reiserovat2 Account Domain: GEP Logon ID: 0x112529756Target Account: Security ID: S-1-5-21-932416472-1581942402-1327342795-27925127 Account Domain: GEP Old Account Name: CLK-9SX4LR3$ New Account Name: CLK-94PSCW3$Additional Information: Privileges: -
4797,An attempt was made to query the existence of a blank password for an account.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27951723 Account Name: thirupathi.reddyt1 Account Domain: GEP Logon ID: 0x146ED527Additional Information: Caller Workstation: USSPDDEVDB04 Target Account Name: WDAGUtilityAccount Target Account Domain: USSpdDevDB04
4798,A user's local group membership was enumerated.Subject: Security ID: S-1-5-18 Account Name: USEAZSPDFTP04$ Account Domain: WORKGROUP Logon ID: 0x3E7User: Security ID: S-1-5-21-580355598-3368204733-2967366707-1002 Account Name: nessesscan Account Domain: USEAZSPDFTP04Process Information: Process ID: 0x15ec Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
4799,A security-enabled local group membership was enumerated.Subject: Security ID: S-1-5-18 Account Name: AZRUAEWSFTP$ Account Domain: WORKGROUP Logon ID: 0x3E7Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: BuiltinProcess Information: Process ID: 0x104c Process Name: C:\Windows\System32\svchost.exe
4800,"The workstation was locked.
Subject:
Security ID: S-1-5-21-3772321609-3024441946-537470876-500
Account Name: prodsmart
Account Domain: USEAZSMARTFTP01
Logon ID: 0x19F667AF
Session ID: 2"
4801,"The workstation was unlocked.
Subject:
Security ID: S-1-5-21-932416472-1581942402-1327342795-9164
Account Name: srinivas.nunna
Account Domain: GEP
Logon ID: 0x103CC5
Session ID: 2"
4816,"RPC detected an integrity violation while decrypting an incoming message.
Peer Name: 172.20.13.208
Protocol Sequence: ncacn_ip_tcp
Security Error: 2148074255"
4826,Boot Configuration Data loaded.Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: OffSignature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: NoHyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Off HyperVisor Debugging: No
4902,"The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x74F2"
4904,An attempt was made to register a security event source.Subject : Security ID: S-1-5-18 Account Name: USEAZUATFTP$ Account Domain: WORKGROUP Logon ID: 0x3E7Process: Process ID: 0x2ed4 Process Name: C:\Windows\System32\VSSVC.exeEvent Source: Source Name: VSSAudit Event Source ID: 0x6055E90E
4905,An attempt was made to unregister a security event source.Subject Security ID: S-1-5-18 Account Name: USEAZUATFTP$ Account Domain: WORKGROUP Logon ID: 0x3E7Process: Process ID: 0x2ed4 Process Name: C:\Windows\System32\VSSVC.exeEvent Source: Source Name: VSSAudit Event Source ID: 0x6055E90E
4907,Auditing settings on object were changed.Subject: Security ID: S-1-5-18 Account Name: USEAZSMARTFTP01$ Account Domain: WORKGROUP Logon ID: 0x3E7Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppvClientComConsumer.dll Handle ID: 0x100Process Information: Process ID: 0x21e4 Process Name: C:\Windows\System32\poqexec.exeAuditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
4911,"Resource attributes of the object were changed.Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27951724 Account Name: satish.sasettyt1 Account Domain: GEP Logon ID: 0x721AFFAAObject: Object Server: Security Object Type: File Object Name: F:\Avinash\sqlserver2017-kb5042215-x64_7e226891f58ad9d37abe9d02d97f93ffda0f459c.exe Handle ID: 0x1d1cProcess Information: Process ID: 0x26f54 Process Name: C:\Windows\explorer.exeResource Attributes: Original Security Descriptor: New Security Descriptor: S:ARAI(RA;;;;;WD;(""IMAGELOAD"",TU,0x0,1))"
4932,"Synchronization of a replica of an Active Directory naming context has begun.Destination DRA: CN=NTDS Settings,CN=INDAZRSDC04,CN=Servers,CN=AZIND,CN=Sites,CN=Configuration,DC=gep,DC=comSource DRA: CN=NTDS Settings,CN=INDAZRSDC03,CN=Servers,CN=AZIND,CN=Sites,CN=Configuration,DC=gep,DC=comNaming Context: DC=gep,DC=comOptions: 19Session ID: 138880Start USN: 31232796"
4933,"Synchronization of a replica of an Active Directory naming context has ended.
Destination DRA: CN=NTDS Settings,CN=INDAZRSDC04,CN=Servers,CN=AZIND,CN=Sites,CN=Configuration,DC=gep,DC=com
Source DRA: CN=NTDS Settings,CN=INDAZRSDC03,CN=Servers,CN=AZIND,CN=Sites,CN=Configuration,DC=gep,DC=com
Naming Context: DC=gep,DC=com
Options: 19
Session ID: 138880
End USN: 31232815
Status Code: 0"
4944,"The following policy was active when the Windows Firewall started.
Group Policy Applied: No
Profile Used: Public
Operational mode: On
Allow Remote Administration: Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic: Enabled
Security Logging:
Log Dropped Packets: Disabled
Log Successful Connections: Disabled"
4945,"A rule was listed when the Windows Firewall started.
Profile used: Public
Rule:
Rule ID: CoreNet-DHCP-In
Rule Name: Core Networking - Dynamic Host Configuration Protocol (DHCP-In)"
4946,"A change was made to the Windows Firewall exception list. A rule was added.
Profile Changed: All
Added Rule:
Rule ID: 09328e9c-41ad-4ce4-9d4f-7b778c4df3b3
Rule Name: Inbound service restriction rule for WinDefend"
4947,"A change was made to the Windows Firewall exception list. A rule was modified.
Profile Changed: All
Modified Rule:
Rule ID: {0372CDC9-F040-4137-A5D9-1A53B49C5696}
Rule Name: 489a3258-99f6-4b26-88bb-cdde5f17a5cf"
4948,"A change was made to the Windows Firewall exception list. A rule was deleted.
Profile Changed: All
Deleted Rule:
Rule ID: 002e324e-2c0e-4572-8730-c7653d0bd868
Rule Name: Outbound service restriction rule for WinDefend"
4953,"Windows Firewall ignored a rule because it could not be parsed.
Profile: All
Reason for Rejection: An error occurred.
Rule:
ID: MDEServer-1
Name: -"
4956,"Windows Firewall changed the active profile.
New Active Profile: Domain"
4957,"Windows Firewall did not apply the following rule:
Rule Information:
ID: CoreNet-ICMP6-LD-In
Name: Core Networking - Multicast Listener Done (ICMPv6-In)
Error Information:
Reason: Remote Addresses resolved to an empty set."
4985,"The state of a transaction has changed.
Subject:
Security ID: S-1-5-18
Account Name: USEAZUATFTP$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Transaction Information:
RM Transaction ID: {f47146cb-0418-11f0-9bae-000d3a569fe0}
New State: 52
Resource Manager: {147924dc-4c3b-11ee-be69-000d3aa4ac00}
Process Information:
Process ID: 0x26a0
Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.7000_none_570cdffd9901f522\TiWorker.exe"
5024,The Windows Firewall service started successfully.
5033,The Windows Firewall Driver started successfully.
5058,"Key file operation.
Subject:
Security ID: S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Account Name: DefaultAppPool
Account Domain: IIS APPPOOL
Logon ID: 0x137ACD
Process Information:
Process ID: 7808
Process Creation Time: 2025-03-19T10:15:44.341576500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: iisCngConfigurationKey
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\Keys\f0e91f6485ac2d09485e4ec18135601e_e42e5145-166b-4dcf-8731-0e290e38063f
Operation: Read persisted key from file.
Return Code: 0x0"
5059,"Key migration operation.
Subject:
Security ID: S-1-5-18
Account Name: AZRUAEWSFTP$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Process Information:
Process ID: 2844
Process Creation Time: 2025-03-12T03:55:36.264572600Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: bd7dc23e-4fb8-41c9-8302-6fb09fb717bb
Key Type: Machine key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0"
5061,"Cryptographic operation.
Subject:
Security ID: S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Account Name: DefaultAppPool
Account Domain: IIS APPPOOL
Logon ID: 0x137ACD
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: SP800_108_CTR_HMAC
Key Name: iisCngConfigurationKey
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0"
5074,A worker process with process id of '10232' serving application pool 'WSFTPSVR_WTM' has requested a recycle because the worker process reached its allowed processing time limit.
5136,"A directory service object was modified. Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27934124 Account Name: HYD-5BLLNW3$ Account Domain: GEP Logon ID: 0x1A63648B7Directory Service: Name: gep.com Type: Active Directory Domain Services Object: DN: CN=HYD-5BLLNW3,OU=WKS,OU=IND,DC=gep,DC=com GUID: {e287557b-2b54-46a3-ba51-cff10b2decd1} Class: computer Attribute: LDAP Display Name: servicePrincipalName Syntax (OID): 2.5.5.12 Value: TERMSRV/HYD-5BLLNW3 Operation: Type: Value Added Correlation ID: {ff4d69ad-e233-45c0-bbf8-d3544d1719ee} Application Correlation ID: -"
5137,"A directory service object was created. Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27943269 Account Name: CLJ-6ZWNGY3$ Account Domain: GEP Logon ID: 0xE062A99D Directory Service: Name: gep.com Type: Active Directory Domain Services Object: DN: CN=2025-03-19T12:08:59\+02:00{9A441A13-C190-4127-90C3-D158E042EBB9},CN=CLJ-6ZWNGY3,OU=WKS,OU=EUR,DC=gep,DC=com GUID: {c4b64a85-f8bb-40c3-a0c3-3e127267f27f} Class: msFVE-RecoveryInformation Operation: Correlation ID: {7cb74372-804b-454c-bf40-3d9b4f5da890} Application Correlation ID: -"
5139,"A directory service object was moved. Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944648 Account Name: ramakrishnayt2 Account Domain: GEP Logon ID: 0x1A51C792B Directory Service: Name: gep.com Type: Active Directory Domain Services Object: Old DN: CN=HYD-1K2FSX3,CN=Computers,DC=gep,DC=com New DN: CN=HYD-1K2FSX3,OU=WKS,OU=IND,DC=gep,DC=com GUID: {fb39d4cb-3f37-4bca-ae51-b1c361469396} Class: computer Operation: Correlation ID: {4329503b-a019-4a94-887e-927118e0809f} Application Correlation ID: -"
5140,"A network share object was accessed.
Subject:
Security ID: S-1-5-21-932416472-1581942402-1327342795-27958595
Account Name: MUM02L12288$
Account Domain: GEP
Logon ID: 0x1691FCE93
Network Information:
Object Type: File
Source Address: 172.16.30.143
Source Port: 58368
Share Information:
Share Name: \\*\IPC$
Share Path:
Access Request Information:
Access Mask: 0x1
Accesses: ReadData (or ListDirectory)"
5141,"A directory service object was deleted. Subject: Security ID: S-1-5-21-932416472-1581942402-1327342795-27944626 Account Name: aniketbt2 Account Domain: GEP Logon ID: 0x1A3F8690C Directory Service: Name: gep.com Type: Active Directory Domain Services Object: DN: CN=MUM02L8951,OU=WKS,OU=IND,DC=gep,DC=com GUID: {e1bfad76-ccb8-4f18-8d74-c6b2cd781438} Class: computer Operation: Tree Delete: No Correlation ID: {029cfc7f-412c-4ff1-a0f2-ec3928382513} Application Correlation ID: -"
5145,"A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-18
Account Name: USE2AZRSDC03$
Account Domain: GEP
Logon ID: 0xADC331C4
Network Information:
Object Type: File
Source Address: ::1
Source Port: 49180
Share Information:
Share Name: \\*\SYSVOL
Share Path: \??\F:\SYSVOL\sysvol
Relative Target Name: gep.com\Policies\{B653B210-D2AC-48A6-82F5-7AC223816D36}\Machine\Preferences\Registry\Registry.xml
Access Request Information:
Access Mask: 0x120089
Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes
Access Check Results:
READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD)
ReadEA: Granted by D:(A;;0x1200a9;;;WD)
ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)"
5152,"The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name: -
Network Information:
Direction: Inbound
Source Address: 172.29.13.241
Source Port: 65037
Destination Address: 172.28.40.13
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 2046749
Layer Name: Transport
Layer Run-Time ID: 13"
5156,"The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1440
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 56471
Destination Address: ::1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65853
Layer Name: Connect
Layer Run-Time ID: 50"
5158,"The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1440
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56471
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38"
5186,A worker process with process id of '10000' serving application pool 'WSFTPSVR_WTM' was shutdown due to inactivity. Application Pool timeout configuration was set to 20 minutes. A new worker process will be started when needed.
5211,The Windows Process Activation Service (WAS) started with 'Classic' mode using 'ConfigurationSystem'
5379,"Credential Manager credentials were read.
Subject:
Security ID: S-1-5-18
Account Name: INDAZRSDC03$
Account Domain: GEP
Logon ID: 0x3E7
Read Operation: Enumerate Credentials
This event occurs when a user performs a read operation on stored credentials in Credential Manager."
5381,"Vault credentials were read.
Subject:
Security ID: S-1-5-21-932416472-1581942402-1327342795-27941113
Account Name: Sachint0
Account Domain: GEP
Logon ID: 0xCE4A413E
This event occurs when a user enumerates stored vault credentials."
5382,"Vault credentials were read.
Subject:
Security ID: S-1-5-21-932416472-1581942402-1327342795-27941113
Account Name: Sachint0
Account Domain: GEP
Logon ID: 0xCE4A413E
This event occurs when a user reads a stored vault credential."
5478,The IPsec Policy Agent service was started.
5615,Windows Management Instrumentation Service started sucessfully
5617,Windows Management Instrumentation Service subsystems initialized successfully
6000,The winlogon notification subscriber <WSearch> was unavailable to handle a notification event.
6003,The winlogon notification subscriber <TrustedInstaller> was unavailable to handle a critical notification event.
6005,The Event log service was started.
6006,The Event log service was stopped.
6009,Microsoft (R) Windows (R) 10.00. 17763 Multiprocessor Free.
6013,The system uptime is 1017261 seconds.
6416,"A new external device was recognized by the system.
Subject:
Security ID: S-1-5-18
Account Name: CLKWDCP01$
Account Domain: GEP
Logon ID: 0x3E7
Device ID: SWD\WPDBUSENUM\{eeda6161-6404-11ee-9d08-806e6f6e6963}#0000000001000000
Device Name: ADLOG
Class ID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Class Name: WPD
Vendor IDs: -
Compatible IDs: wpdbusenum\fs SWD\Generic
Location Information: -"
7000,"The Group Policy Client service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion."
7001,User Logon Notification for Customer Experience Improvement Program
7002,User Logoff Notification for Customer Experience Improvement Program
7009,A timeout was reached (30000 milliseconds) while waiting for the Group Policy Client service to connect.
7011,A timeout (30000 milliseconds) was reached while waiting for a transaction response from the filebeat service.
7023,"The Update Orchestrator Service service terminated with the following error:
This operation returned because the timeout period expired."
7026,"The following boot-start or system-start driver(s) did not load:
dam"
7031,The RdAgent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
7034,The filebeat service terminated unexpectedly. It has done this 1 time(s).
7036,The AVCTP service service entered the running state.
7040,The start type of the BITS service was changed from demand start to auto start.
7043,The Windows Defender Advanced Threat Protection Service service did not shut down properly after receiving a preshutdown control.
7045,"A service was installed in the system.
Service Name: KslD
Service File Name: system32\drivers\wd\KslD.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: "
7046,"The following service has repeatedly stopped responding to service control requests: filebeat
Contact the service vendor or the system administrator about whether to disable this service until the problem is identified.
You may have to restart the computer in safe mode before you can disable the service."
8197,"SLUI.exe was launched with the following command-line parameters:
RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=34e1ae55-27f8-4950-8877-7a03be5fb181;Trigger=TimerEvent"
8198,"License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=34e1ae55-27f8-4950-8877-7a03be5fb181;NotificationInterval=1440;Trigger=TimerEvent"
8224,The VSS service is shutting down due to idle timeout.
8229,"A VSS writer has rejected an event with error 0x800423f2, The writer's timeout expired between the Freeze and Thaw events.. Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer. Operation: Thaw EventContext: Execution Context: Writer Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485} Writer Name: Registry Writer Writer Instance ID: {bf6f9994-266d-4d2e-a530-1cf49163f96d} Command Line: C:\Windows\system32\vssvc.exe Process ID: 7208"
8230,"The rules engine successfully re-evaluated the schedule.
Kernel policies:
Security-SPP-Action-StateData (REG_SZ) =AppId=55c92734-d682-4d71-983e-d6ec3f16059f;GraceEndDate=2025/09/12:05:55:38;LastConsumptionReason=0x00000000;LastNotificationId=Cleanup;LicenseState=SL_LICENSING_STATUS_LICENSED;PartialProductKey=63DFG;ProductKeyType=Volume:GVLK;SkuId=34e1ae55-27f8-4950-8877-7a03be5fb181;ruleId=379cccfb-d4e0-48fe-b0f2-0136097be147;uxDifferentiator=ENVIRONMENT;volumeActivationOrder=normal"
9027,The Desktop Window Manager has registered the session port.
10000,Starting session 0 - 2025-02-27T05:44:20.412090500Z.
10001,Ending session 0 started 2025-02-27T05:44:20.412090500Z.
10016,The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} and APPID {0868DC9B-D9A2-4F64-9362-133CEA201299} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
10031,An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {45FB4600-E6E8-4928-B25E-50476FF79425} was rejected
10148,"The WinRM service is listening for WS-Management requests.
User Action
Use the following command to see the specific IPs on which WinRM is listening:
winrm enumerate winrm/config/listener"
10149,"The WinRM service is not listening for WS-Management requests.
User Action
If you did not intentionally stop the service, use the following command to see the WinRM configuration:
winrm enumerate winrm/config/listener"
11728,Product: Microsoft Azure Site Recovery Mobility Service/Master Target Server -- Configuration completed successfully.
12288,"The client has sent an activation request to the key management service machine.
Info:
0x00000000, 0x00000000, azkms.core.windows.net:1688, 6e456bb1-a472-489e-b68e-ca3993a06708, 2025/02/19 19:53, 1, 1, 247680, 34e1ae55-27f8-4950-8877-7a03be5fb181, 5"
12289,"The client has processed an activation response from the key management service machine.
Info:
0x00000000, 0x00000000, 1, 0, 50, 120, 10080, 2025/02/19 19:53"
16384,Successfully scheduled Software Protection service for re-start at 2025-02-19T19:52:48Z. Reason: RulesEngine.
16394,Offline downlevel migration succeeded.
16962,"Remote calls to the SAM database are being restricted using the default security descriptor: O:SYG:SYD:(A;;RC;;;BA).
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651."
16977,"The domain is configured with the following minimum password length-related settings.
MinimumPasswordLength: 0
MinimumPasswordLengthAudit: -1
For more information see https://go.microsoft.com/fwlink/?LinkId=2097191."
16983,"The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.
For more information please see https://go.microsoft.com/fwlink/?linkid=2150956."
36871,A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
36874,"An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed."
50036,DHCPv4 client service is started
50037,DHCPv4 client service is stopped. ShutDown Flag value is 1
50103,DHCPv4 client registered for shutdown notification
50104,DHCPv4 client received shutdown notification
50105,DHCPv4 client ProcessDHCPRequestForever received TERMINATE_EVENT
50106,DHCPv4 is waiting on DHCPv6 service to stop
51046,DHCPv6 client service is started
51047,DHCPv6 client service is stopped. ShutDown Flag value is 1
51057,DHCPv6 client service stop is almost done.DHCP Context Ref count is 1
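The rows above mix two shapes: quoted multi-line messages (4945, 7045, 16977) and messages whose newlines were flattened so that a value runs straight into the next label ("Logon ID: 0x3E7Process:"). The Python below is an added example, not part of this dataset or of any Windows tooling: it reads the "Event ID,Message" CSV shape with the standard csv module, recovers "Label: value" pairs from both shapes by using the label list itself as the value terminator, decodes a 5140/5145 Access Mask into the right names the event text lists, and runs three triage rules (new kernel-mode driver in 7045, write-class access to a share in 5145, MinimumPasswordLength 0 in 16977). The label list, the watch rules and the sample rows are this example's own assumptions; the sample rows are constructed to resemble the dataset, not copied from a live system.

```python
"""Added example (not part of the dataset): parse the 'Event ID,Message' CSV shape and
triage a few security-relevant event IDs. Column names, the label list and the watch
rules are this example's own assumptions, not something the dataset defines."""
import csv
import io
import re
from typing import Dict, List, Tuple

# "Label:" tokens seen in the Security / System messages. The same list terminates a value,
# which is what splits values that ran into the next label (e.g. "Logon ID: 0x3E7Process:").
LABELS = (
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Process Information", "Process ID", "Process Name", "Network Information", "Object Type",
    "Source Address", "Source Port", "Share Information", "Share Name", "Share Path",
    "Relative Target Name", "Access Request Information", "Access Mask", "Accesses",
    "Service Name", "Service File Name", "Service Type", "Service Start Type", "Service Account",
    "MinimumPasswordLength", "MinimumPasswordLengthAudit",
)
_ALT = "|".join(re.escape(lbl) for lbl in sorted(LABELS, key=len, reverse=True))
# value = everything up to the next "Label:" (with or without whitespace before it) or end of text
_FIELD_RE = re.compile(rf"({_ALT}):[ \t]*(.*?)(?=\s*(?:{_ALT}):|\s*$)", re.S)

# File access-mask bits, named the way the 5140/5145 "Accesses" text names them.
FILE_ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute", 0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

# Constructed sample rows in the dataset's two shapes: a quoted multi-line field and a
# flattened single-line message. Modelled on the rows above, not taken from a live host.
SAMPLE_CSV = r'''Event ID,Message
7045,"A service was installed in the system.
Service Name: KslD
Service File Name: system32\drivers\wd\KslD.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: "
5145,A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-18 Account Name: USE2AZRSDC03$ Account Domain: GEP Logon ID: 0xADC331C4Network Information: Object Type: File Source Address: ::1 Source Port: 49180 Share Information: Share Name: \\*\SYSVOL Share Path: \??\F:\SYSVOL\sysvol Relative Target Name: gep.com\Policies\Registry.xmlAccess Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes
16977,"The domain is configured with the following minimum password length-related settings.
MinimumPasswordLength: 0
MinimumPasswordLengthAudit: -1"
6005,The Event log service was started.
'''


def parse_fields(message: str) -> Dict[str, str]:
    """Return {label: value} for every 'Label: value' pair, whether or not the message kept its newlines."""
    return {m.group(1): m.group(2).strip() for m in _FIELD_RE.finditer(message)}


def decode_access_mask(mask_hex: str) -> List[str]:
    """Expand an Access Mask such as 0x120089 into the right names the event text lists."""
    value = int(mask_hex, 16)
    return [name for bit, name in FILE_ACCESS_BITS.items() if value & bit]


def load_rows(csv_text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """(event id, raw message, parsed fields) per row; csv handles the quoted multi-line cells."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["Event ID"], row["Message"], parse_fields(row["Message"])) for row in reader]


def triage(csv_text: str) -> List[str]:
    """Flag the rows a responder would look at first. Three watch rules, chosen for this example."""
    findings = []
    for eid, _msg, f in load_rows(csv_text):
        if eid == "7045" and "kernel mode driver" in f.get("Service Type", ""):
            # A new kernel driver: check the file's signature and origin before trusting the host.
            findings.append(f"7045 kernel driver installed: {f['Service Name']} ({f['Service File Name']})")
        elif eid == "5145" and "Access Mask" in f and int(f["Access Mask"], 16) & WRITE_BITS:
            # Read-only checks against shares such as SYSVOL are noise; write/delete/DAC bits are not.
            rights = ", ".join(decode_access_mask(f["Access Mask"]))
            findings.append(f"5145 write-class access to {f.get('Share Name')} by {f.get('Account Name')}: {rights}")
        elif eid == "16977" and f.get("MinimumPasswordLength") == "0":
            findings.append("16977 domain MinimumPasswordLength is 0 (no length floor enforced)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_CSV):
        print(line)
```

Run it against the real export by replacing SAMPLE_CSV with the file contents. The sample 5145 row deliberately produces no finding: its mask 0x120089 decodes to read-only rights, which is the everyday Group Policy read against SYSVOL, so the rule stays quiet until a write, delete or WRITE_DAC bit appears.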