USB trace


Anders890

I'm just wondering whether this event ID has anything to do with a mounted USB memory?




<!-- Event record from the System channel: provider Microsoft-Windows-Kernel-General, Event ID 15,
     Level 4 (Informational). The EventData names a registry hive file and two sizes; Event ID 15 from
     this provider is the record Windows writes when a registry hive is reorganized (compacted).
     Nothing in this record refers to a USB device, a removable volume or a drive letter other than C:.
     NOTE(review): the missing "<" before Event and the "- " prefixes look like artifacts of copying
     from a collapsible XML view; as pasted, the record is not well-formed XML. -->
Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>
<Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
<EventID>15</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<!-- The trailing "Z" means the timestamp is UTC; convert before comparing with local-time artifacts. -->
<TimeCreated SystemTime="2016-10-27T10:44:03.532324000Z" />
<EventRecordID>3929</EventRecordID>
<Correlation />
<Execution ProcessID="4308" ThreadID="10120" />
<Channel>System</Channel>
<Computer>AndersH2015</Computer>
<!-- An S-1-5-21 SID with RID 1005 identifies a regular local or domain account, not a built-in system identity. -->
<Security UserID="S-1-5-21-4201251730-2606191966-776299460-1005" />
</System>
- <EventData>
<Data Name="HiveNameLength">41</Data>
<!-- The COMPONENTS hive on the system volume (C:), not a file on removable media. -->
<Data Name="HiveName">\??\C:\Windows\System32\config\components</Data>
<!-- Hive size in bytes before and after: 71229440 down to 51052544, i.e. the hive file shrank. -->
<Data Name="OriginalSize">71229440</Data>
<Data Name="NewSize">51052544</Data>
</EventData>
<!-- For USB mass-storage history, look at other sources instead, for example the
     SYSTEM\CurrentControlSet\Enum\USBSTOR registry key, setupapi.dev.log, the
     Microsoft-Windows-Partition/Diagnostic log, or Security event 6416 (only if that
     audit policy is enabled), and correlate their timestamps with this one. -->
</Event>


<!-- Event record from the System channel: provider Microsoft-Windows-Kernel-General, Event ID 11,
     Level 4 (Informational), logged as LocalSystem. The EventData points at the SYSTEM registry hive
     inside a volume shadow copy and carries a transaction manager id, a resource manager id and an
     NTSTATUS result, so it describes registry transaction setup for a hive loaded from a snapshot.
     Nothing in this record refers to a USB device or a removable volume.
     NOTE(review): the missing "<" before Event and the "- " prefixes look like artifacts of copying
     from a collapsible XML view; as pasted, the record is not well-formed XML. -->
Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<!-- The trailing "Z" means the timestamp is UTC. -->
<TimeCreated SystemTime="2016-10-27T10:46:12.971887400Z" />
<EventRecordID>3932</EventRecordID>
<Correlation />
<Execution ProcessID="4592" ThreadID="7092" />
<Channel>System</Channel>
<Computer>AndersH2015</Computer>
<!-- S-1-5-18 is the well-known SID of the LocalSystem account. -->
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="ExtraStringLength">78</Data>
<!-- Path to the SYSTEM hive inside HarddiskVolumeShadowCopy3, i.e. a Volume Shadow Copy snapshot,
     not a live disk or a removable drive. -->
<Data Name="ExtraString">\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\WINDOWS\System32\config\SYSTEM</Data>
<Data Name="TmId">{3E7EE446-9B5D-11E6-8328-54271ED3A836}</Data>
<Data Name="RmId">{3E7EE445-9B5D-11E6-8328-54271ED3A836}</Data>
<!-- 0xC00000A2 is STATUS_MEDIA_WRITE_PROTECTED, which is consistent with a read-only shadow copy;
     presumably something opened the snapshot's hive (backup or restore-point activity) - confirm
     against VSS and backup events logged around the same time. -->
<Data Name="Status">0xc00000a2</Data>
<Data Name="InternalCode">7</Data>
</EventData>
</Event>
