-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-D…
…eviceSetupManager_100.map
- Loading branch information
1 parent
d12e3ff
commit b812773
Showing
1 changed file
with
50 additions
and
0 deletions.
There are no files selected for viewing
50 changes: 50 additions & 0 deletions
50
...s/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_100.map
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| Author: Andrew Rathbun | ||
| Description: Microsoft-Windows-DeviceSetupManager service starting | ||
| EventId: 100 | ||
| Channel: "Microsoft-Windows-DeviceSetupManager/Admin" | ||
| Provider: "Microsoft-Windows-DeviceSetupManager" | ||
| Maps: | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "Prop_UpTime_Seconds: %Prop_UpTime_Seconds%" | ||
| Values: | ||
| - | ||
| Name: Prop_UpTime_Seconds | ||
| Value: "/Event/EventData/Data[@Name=\"Prop_UpTime_Seconds\"]" | ||
| - | ||
| Property: PayloadData2 | ||
| PropertyValue: "Prop_WorkTime_MilliSeconds: %Prop_WorkTime_MilliSeconds%" | ||
| Values: | ||
| - | ||
| Name: Prop_WorkTime_MilliSeconds | ||
| Value: "/Event/EventData/Data[@Name=\"Prop_WorkTime_MilliSeconds\"]" | ||
|
|
||
| # Documentation: | ||
| # https://cyberforensicator.com/wp-content/uploads/2017/09/USB-Storage-Device-Forensics-for-Windows-10.pdf | ||
| # https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/ | ||
| # https://www.swiftforensics.com/2013/11/event-log-entries-for-devices-in.html | ||
| # This event directly precedes a 112 event. | ||
| # | ||
| # Example Event Data: | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="Microsoft-Windows-DeviceSetupManager" Guid="fcfb06bb-6a2a-46e3-abaa-246cb4e508b2" /> | ||
| # <EventID>100</EventID> | ||
| # <Version>0</Version> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Opcode>0</Opcode> | ||
| # <Keywords>0x4000000040000000</Keywords> | ||
| # <TimeCreated SystemTime="2019-12-04 09:51:10.8548641" /> | ||
| # <EventRecordID>2098</EventRecordID> | ||
| # <Correlation /> | ||
| # <Execution ProcessID="679" ThreadID="17840" /> | ||
| # <Channel>Microsoft-Windows-DeviceSetupManager/Admin</Channel> | ||
| # <Computer>HOSTNAME.domain.com</Computer> | ||
| # <Security UserID="S-1-5-18" /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data Name="Prop_CoreServiceMode">0</Data> | ||
| # <Data Name="Prop_Event_Window_Seconds">71534</Data> | ||
| # </EventData> | ||
| # </Event> |