@Cyb3rWard0g
Created September 17, 2019 04:26
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2019-09-17T03:03:59.074909100Z" />
<EventRecordID>7</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="96" />
<Channel>Security</Channel>
<Computer>WIN-GQU8912BA1A</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x1a0</Data>
<Data Name="NewProcessName">C:\Windows\System32\smss.exe</Data>
<Data Name="TokenElevationType">%%1936</Data>
<Data Name="ProcessId">0x144</Data>
<Data Name="CommandLine" />
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">-</Data>
<Data Name="TargetDomainName">-</Data>
<Data Name="TargetLogonId">0x0</Data>
<Data Name="ParentProcessName">C:\Windows\System32\smss.exe</Data>
<Data Name="MandatoryLabel">S-1-16-16384</Data>
</EventData>
</Event>