Elastic Windows Event Explorer


Publisher - Microsoft-Windows-UAC-FileVirtualization

Event ID 4000

Message:

Virtual file "%{FileNameBuffer}" created.

Event Data:

#   Name                    In Type             Out Type
1   Flags                   win:UInt32          win:HexInt32
2   SidLength               win:UInt32          xs:unsignedInt
3   Sid                     win:SID             xs:string
4   FileNameLength          win:UInt16          xs:unsignedShort
5   FileNameBuffer          win:UnicodeString   xs:string
6   ProcessImageNameLength  win:UInt16          xs:unsignedShort
7   ProcessImageNameBuffer  win:UnicodeString   xs:string
8   CreateOptions           win:UInt32          xs:unsignedInt
9   DesiredAccess           win:UInt32          win:HexInt32
10  IrpMajorFunction        win:UInt8           xs:unsignedByte

Observed Windows Versions:

Version: 0

Fingerprint: UBIFQE5T23SZG