| Event ID | Event Description | Example |
|---|---|---|
| 12000 | An application was installed. | Application {51A3EF81-FAAF-4E70-815C-74D34D4EC313} (Cloudmark SpamNet 3.0) was installed.<br>Additional Information:<br>Publisher: NETIKUS.NET ltd<br>Installation Directory: C:\Program Files\EventSentry |
| 12001 | An application was uninstalled. | Application {51A3EF81-FAAF-4E70-815C-74D34D4EC313} (Cloudmark SpamNet 3.0) |
| 12002 | An application or file registered itself in an autorun registry key and will be run automatically when a user logs on. | Application badtrojan.exe registered itself in the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and will be automatically run when a user logs into the system. |
| 12003 | An application or file registered itself in the registry by changing a value. | The registry value Shell in key HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon changed from "explorer.exe" to "badandevilshell.exe". All files specified in this value will be automatically run when a user logs into the system. |
| 12004 | An application was removed from an autorun registry key. | Application desktophog.exe was removed from the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and will no longer be run when a user logs into the system. |
| 12005 | A file was registered in an autorun directory. | The application eraseallfiles.exe registered itself in the directory c:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system. |
| 12006 | A shortcut was registered in an autorun directory. | The shortcut PerformanceEnhancer.lnk (using file c:\windows\evilvirus.exe) registered itself in the directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system. |
| 12007 | A shortcut was removed from an autorun directory. | The shortcut PerformanceEnhancer.lnk (using file c:\windows\evilvirus.exe) was removed from directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will no longer run when a user logs into the system. |
| 12008 | An application registered itself in an autorun registry key and will be run automatically when the computer starts. | Application YourPersonalAdware.exe was added to the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will be automatically run when the system boots. |
| 12009 | An application was removed from an autorun key and will no longer be run when the system boots. | Application YourPersonalAdware.exe was removed from the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will no longer be run the system boots. |
| 12010 | An application registered itself in a registry key and might be automatically run when a user logs into the system. | The application SmartTrojan registered file c:\windows\eraseanddestroy.exe in registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and might be automatically run when a user logs into the system. Please see the help file (search for ACTIVE SETUP) for more information. |
| 12011 | An application removed itself from a registry key and will no longer be run when a user logs into the system. | Application SmartTrojan (using file c:\windows\eraseanddestroy.exe) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system. |
| 12012 | A registry key could not be monitored and the feature disabled itself. | There was an error (999) monitoring registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. Please restart the EventSentry agent or notify NETIKUS.NET support if this problem persists. Autorun monitoring will NOT continue. |
| 12030 | The installed memory changed. | The amount of physically installed memory changed from 512 Mb to 256 Mb. |
| 12031 | The number of installed processors changed. | The number of installed processors changed from 1 to 2. |
| 12032 | The number of installed floppy drives changed. | The number of installed floppy drives changed from 0 to 1. |
| 12033 | The number of installed CDROM drives changed. | The number of installed CDROM drives changed from 1 to 0. |
| 12034 | The number of installed DVD drives changed. | The number of installed DVD drives changed from 1 to 2. |
| 12035 | The number of removable drives changed. | The number of removable drives changed from 0 to 2. |
| 12036 | The link speed of a network adapter changed. | The link speed of adapter Gigabit Network Card changed from 1Gb to 100Mb. |
| 12040 | A removable drive has been added. | |
| 12041 | A removable drive has been removed. | |
| 12042 | A drive reported a S.M.A.R.T. status error. | |
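The autorun events in the table (12002 to 12012) can be triaged from their message text. The sketch below is an added example, not EventSentry code: it assumes real events use the same wording as the example column, and `triage`, `EXPECTED` and the allowlist entries are hypothetical names and values.

```python
import re

# Patterns follow the example messages in the table above; the wording of
# real events is assumed to match those examples.
ADDED = {
    12002: r"Application (?P<file>.+?) registered itself in the registry key (?P<where>.+?) and will",
    12003: r'The registry value \S+ in key (?P<where>.+?) changed from ".*?" to "(?P<file>.*?)"',
    12005: r"The application (?P<file>.+?) registered itself in the directory (?P<where>.+?) and will",
    12006: r"The shortcut .+? \(using file (?P<file>.+?)\) registered itself in the directory (?P<where>.+?) and will",
    12008: r"Application (?P<file>.+?) was added to the registry key (?P<where>.+?) and will",
    12010: r"The application .+? registered file (?P<file>.+?) in registry key (?P<where>.+?) and might",
}
REMOVED = {12004, 12007, 12009, 12011}
MONITOR_FAILED = 12012

# Hypothetical allowlist of autorun binaries expected in this environment.
EXPECTED = {"explorer.exe", "securityhealthsystray.exe"}

def triage(event_id, message):
    """Return a dict describing an autorun event, or None for other IDs."""
    if event_id == MONITOR_FAILED:
        # Monitoring stopped: later autorun changes will not be reported.
        return {"action": "monitoring_stopped", "alert": True}
    if event_id in REMOVED:
        return {"action": "removed", "alert": False}
    if event_id not in ADDED:
        return None
    m = re.search(ADDED[event_id], message)
    if m is None:
        # Known ID but unexpected wording: surface it rather than drop it.
        return {"action": "added", "file": None, "where": None, "alert": True}
    # A value such as Winlogon\Shell may list several files; check each one.
    names = [p.strip().rsplit("\\", 1)[-1].lower() for p in m["file"].split(",")]
    return {"action": "added", "file": m["file"], "where": m["where"],
            "alert": any(n not in EXPECTED for n in names)}

# Constructed sample input, taken from the example column of the table.
SAMPLES = [
    (12006, r"The shortcut PerformanceEnhancer.lnk (using file c:\windows\evilvirus.exe) registered itself in the directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system."),
    (12012, r"There was an error (999) monitoring registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. Autorun monitoring will NOT continue."),
]

if __name__ == "__main__":
    for event_id, text in SAMPLES:
        print(event_id, triage(event_id, text))
```

Matching on the file name alone is a simplification; a production allowlist would compare the full path or a file hash.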