Sysmon Event ID 13
13: RegistryEvent (Value Set)
This is an event from Sysmon.
This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- ProcessGuid
- ProcessId
- Image
- TargetObject
- Details
Registry value set:
EventType: SetValue
UtcTime: 2017-05-11 04:31:19.613
ProcessGuid: {a23eae89-e8bf-5913-0000-0010db9f7109}
ProcessId: 25228
Image: C:\Windows\regedit.exe
TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf
Details: run
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-11T04:31:19.619361100Z" />
<EventRecordID>725973</EventRecordID>
<Correlation />
<Execution ProcessID="3188" ThreadID="3836" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2017-05-11 04:31:19.613</Data>
<Data Name="ProcessGuid">{A23EAE89-E8BF-5913-0000-0010DB9F7109}</Data>
<Data Name="ProcessId">25228</Data>
<Data Name="Image">C:\Windows\regedit.exe</Data>
<Data Name="TargetObject">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BadWolf</Data>
<Data Name="Details">run</Data>
</EventData>
</Event>
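As an added example (not part of the original page or of Sysmon itself), the following parses an Event ID 13 record like the one above and flags value writes under the Run/RunOnce autostart keys; the embedded XML is a constructed copy of the sample event, and the watch-list regex and function names are this example's own assumptions.

```python
# Added example: parse a Sysmon Event ID 13 XML record and flag SetValue
# writes under the Run/RunOnce autostart keys (the location in the sample
# event). Constructed sample; key regex and helper names are assumptions.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Autostart keys to watch (assumed watch-list; extend as needed).
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE
)

SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon" />
<EventID>13</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer></System>
<EventData>
<Data Name="EventType">SetValue</Data>
<Data Name="UtcTime">2017-05-11 04:31:19.613</Data>
<Data Name="ProcessId">25228</Data>
<Data Name="Image">C:\\Windows\\regedit.exe</Data>
<Data Name="TargetObject">\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\BadWolf</Data>
<Data Name="Details">run</Data>
</EventData></Event>"""

def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: text}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def check_autostart_write(xml_text):
    """Return a finding dict for Event ID 13 SetValue under Run/RunOnce, else None."""
    event_id, data = parse_sysmon_event(xml_text)
    if event_id != 13 or data.get("EventType") != "SetValue":
        return None
    m = AUTOSTART_RE.search(data.get("TargetObject", ""))
    if not m:
        return None
    return {
        "key": m.group(1),
        "value_name": data["TargetObject"].rsplit("\\", 1)[-1],
        "details": data.get("Details", ""),
        "image": data.get("Image", ""),
    }

if __name__ == "__main__":
    print(check_autostart_write(SAMPLE_EVENT))
```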