Global Event Ranges
| Event IDs | Description |
| --- | --- |
| 100-199 | Events related to policy processing, and specifically Group Policy processing. |
| 200-299 | General events, such as errors that don't belong to any other category. |
| 300-599 | Product-specific events, such as errors that don't belong to any other category. |
| 600-9999 | Events related to operational activities, such as allowing, blocking or elevating a process. |
Policy Processing (100-199)
100. Policies refreshed successfully
Description: PPLPM processed Group Policy successfully.
Message: Policies for %1 have been refreshed successfully. Flags: %2. Elapsed: %3. Message ID: %4
Severity: Informational
102. Policy refresh failed
Description: PPLPM failed to process Group Policy.
Message: Couldn't refresh policies for %1. Cause: %2. Flags: %2. Elapsed: %4. Message ID: %5
Severity: Error
101, 103-109. Future events related to group policy processing
120-139. Future events related to non-group policy processing
140-199. Future events related to policy processing
General (200-299)
200. Couldn't send a message to the service
Description: Some component failed to communicate with PPExtensionService. This usually indicates a bug (e.g., the service has crashed).
Message: Couldn't send a message to the service. Cause: %1
Severity: Error
201. The service has been disabled by Administrator
Description: Some component failed to communicate with PPExtensionService because the service is disabled.
Message: The service has been disabled by Administrator!
Severity: Warning
202. Couldn't start the service
Description: Some component failed to communicate with PPExtensionService because it wasn't running (has probably crashed). When the component tried to start the service, it failed.
Message: Couldn't start the service. Error code: %1
Severity: Error
203. Starting the service
Description: Some component failed to communicate with PPExtensionService because it wasn't running (has probably crashed). When the component tried to start the service, it succeeded.
Message: Starting the service...
Severity: Informational
Operational Event Ranges
| Event IDs | Category | Description |
| --- | --- | --- |
| 600-999 | Reserved for general operational-related events, such as errors. | |
| 1000-1499 | User Action Allowed | Events reported when PPLPM has performed some permissive action. |
| 1500-1999 | Reserved. | |
| 2000-2999 | User Action Blocked | Events reported when PPLPM has performed some denying action. |
| 2500-2999 | Reserved. | |
| 3000-5999 | Reserved for any other security actions performed by PPLPM. | |
| 6000-6499 | Audit | User performed some action that must be audited. |
| 6300-6399 | Admin Approval | Audit-style events originated from Admin Approval. |
| 6400-6999 | Reserved for other audit-style events. | |
| 7000-9999 | Reserved. | |
Operational Events
| Event ID | Description |
| --- | --- |
| 1000 | A process has been allowed to run by a rule. |
| 1001 | A process has been allowed to run by a rule inherited from parent process. |
| 1002 | An AppX package (UWP app) has been allowed to run by a rule. |
| 1020 | A process has been allowed to run by an on-demand rule. |
| 1021 | A process has been allowed to run by an on-demand rule inherited from parent process. |
| 1100 | A process has been forced to run with a limited token by a rule. |
| 1101 | A process has been forced to run with a limited token by a rule inherited from parent process. |
| 1120 | A process has been forced to run with a limited token by an on-demand rule. |
| 1121 | A process has been forced to run with a limited token by an on-demand rule inherited from parent process. |
| 1200 | A process has been elevated by a rule. |
| 1201 | A process has been elevated by a rule inherited from parent process. |
| 1220 | A process has been elevated by an on-demand rule. |
| 1221 | A process has been elevated by an on-demand rule inherited from parent process. |
| 1300 | A process has been allowed to run with custom security settings. |
| 1301 | A process has been allowed to run with custom security settings inherited from parent process. |
| 1320 | A process has been allowed to run with custom security settings by an on-demand rule. |
| 1321 | A process has been allowed to run with custom security settings by an on-demand rule inherited from parent process. |
| 2000 | A process has been blocked by a rule. |
| 2002 | An AppX package (UWP app) has been blocked by a rule. |
| 2010 | A process has been blocked by SecureRun. |
| 6200 | AUDIT: Process runs elevated. |
| 6205 | AUDIT: Process requires elevation. |
| 6210 | AUDIT: Process is untrusted and would have been blocked by SecureRun. |
| 6300 | AA prompt is displayed because a process requires admin privileges. |
| 6301 | AA prompt is displayed because a process is blocked by SecureRun. |
| 6302 | AA prompt is displayed because user right-clicked on a file and selected Run with PolicyPak. |
| 6310 | Correct Response Code provided in AA prompt. |
| 6315 | Alternate Admin Credentials provided in AA prompt. |
| 6320 | AA prompt has been cancelled. |
| 6330 | Incorrect Response Code provided in AA prompt. |
| 6500 | A process has been elevated as SecureCopy. |
| 6501 | A process has been elevated by a SecureCopy rule inherited from parent process. |
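
As an added example (not part of the product documentation), the following sketch shows how the Admin Approval event IDs from the Operational Events table could be correlated during triage: it flags host/user pairs with a run of incorrect response codes (6330) and notes whether a correct code (6310) followed. The record keys `time`, `host`, `user` and `id`, the threshold, and the sample events are assumptions constructed for illustration; the page does not describe the event payload.

```python
from collections import defaultdict

# Event IDs taken from the "Operational Events" table on this page.
AA_CORRECT = 6310            # Correct Response Code provided in AA prompt
AA_INCORRECT = 6330          # Incorrect Response Code provided in AA prompt
BLOCKED = {2000, 2002, 2010}  # blocked by a rule / AppX blocked / SecureRun

def triage(events, max_bad_codes=3):
    """Flag (host, user) pairs with a run of incorrect Admin Approval codes.

    `events` is an iterable of dicts with the assumed keys time, host, user, id.
    Only a correct code (6310) resets a run; a cancelled prompt does not.
    """
    streak = defaultdict(int)    # current run of 6330 per (host, user)
    worst = defaultdict(int)     # longest run seen per (host, user)
    blocked = defaultdict(int)   # number of block events per (host, user)
    accepted_after = set()       # runs >= threshold that ended in a 6310
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["user"])
        if ev["id"] == AA_INCORRECT:
            streak[key] += 1
            worst[key] = max(worst[key], streak[key])
        elif ev["id"] == AA_CORRECT:
            if streak[key] >= max_bad_codes:
                accepted_after.add(key)
            streak[key] = 0
        elif ev["id"] in BLOCKED:
            blocked[key] += 1
    return [
        {"host": h, "user": u, "bad_codes": worst[(h, u)],
         "accepted_after_failures": (h, u) in accepted_after,
         "blocked": blocked[(h, u)]}
        for (h, u) in sorted(worst) if worst[(h, u)] >= max_bad_codes
    ]

# Constructed sample records; hosts, users and timestamps are made up.
SAMPLE_EVENTS = [
    {"time": 1, "host": "WS01", "user": "alice", "id": 2010},
    {"time": 2, "host": "WS01", "user": "alice", "id": 6301},
    {"time": 3, "host": "WS01", "user": "alice", "id": 6330},
    {"time": 4, "host": "WS01", "user": "alice", "id": 6330},
    {"time": 5, "host": "WS01", "user": "alice", "id": 6330},
    {"time": 6, "host": "WS01", "user": "alice", "id": 6310},
    {"time": 7, "host": "WS02", "user": "bob", "id": 6300},
    {"time": 8, "host": "WS02", "user": "bob", "id": 6330},
    {"time": 9, "host": "WS02", "user": "bob", "id": 6310},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A finding with `accepted_after_failures` set is the case worth reviewing first, since a valid response code was eventually entered after repeated wrong ones.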