
18: List of PolicyPak Event Categories and IDs

Global Event Ranges

| Event IDs | Description |
|---|---|
| 100-199 | Events related to policy processing, and specifically Group Policy processing. |
| 200-299 | General events, such as errors that don't belong to any other category. |
| 300-599 | Product-specific events, such as errors that don't belong to any other category. |
| 600-9999 | Events related to operational activities, such as allowing, blocking or elevating a process. |



Policy Processing (100-199)

100. Policies refreshed successfully

Description: PPLPM processed Group Policy successfully.
Message: Policies for %1 have been refreshed successfully. Flags: %2. Elapsed: %3. Message ID: %4
Severity: Informational


102. Policy refresh failed

Description: PPLPM failed to process Group Policy.
Message: Couldn't refresh policies for %1. Cause: %2. Flags: %2. Elapsed: %4. Message ID: %5
Severity: Error

 

101, 103-109. Future events related to Group Policy processing

120-139. Future events related to non-Group Policy processing

140-199. Future events related to policy processing



General (200-299)

200. Couldn't send a message to the service

Description: Some component failed to communicate with PPExtensionService. This usually indicates a bug (e.g., the service has crashed).
Message: Couldn't send a message to the service. Cause: %1
Severity: Error

201. The service has been disabled by Administrator

Description: Some component failed to communicate with PPExtensionService because the service is disabled.
Message: The service has been disabled by Administrator!
Severity: Warning

202. Couldn't start the service

Description: Some component failed to communicate with PPExtensionService because it wasn't running (has probably crashed). When the component tried to start the service, it failed.
Message: Couldn't start the service. Error code: %1
Severity: Error

203. Starting the service

Description: Some component failed to communicate with PPExtensionService because it wasn't running (has probably crashed). When the component tried to start the service, it succeeded.
Message: Starting the service...
Severity: Informational

Operational Event Ranges

| Event IDs | Category | Description |
|---|---|---|
| 600-999 | | Reserved for general operational-related events, such as errors. |
| 1000-1499 | User Action Allowed | Events reported when PPLPM has performed some permissive action. |
| 1500-1999 | | Reserved. |
| 2000-2999 | User Action Blocked | Events reported when PPLPM has performed some denying action. |
| 2500-2999 | | Reserved. |
| 3000-5999 | | Reserved for any other security actions performed by PPLPM. |
| 6000-6499 | Audit | User performed some action that must be audited. |
| 6300-6399 | Admin Approval | Audit-style events originated from Admin Approval. |
| 6400-6999 | | Reserved for other audit-style events. |
| 7000-9999 | | Reserved. |

Operational Events

| Event ID | Description |
|---|---|
| 1000 | A process has been allowed to run by a rule. |
| 1001 | A process has been allowed to run by a rule inherited from parent process. |
| 1002 | An AppX package (UWP app) has been allowed to run by a rule. |
| 1020 | A process has been allowed to run by an on-demand rule. |
| 1021 | A process has been allowed to run by an on-demand rule inherited from parent process. |
| 1100 | A process has been forced to run with a limited token by a rule. |
| 1101 | A process has been forced to run with a limited token by a rule inherited from parent process. |
| 1120 | A process has been forced to run with a limited token by an on-demand rule. |
| 1121 | A process has been forced to run with a limited token by an on-demand rule inherited from parent process. |
| 1200 | A process has been elevated by a rule. |
| 1201 | A process has been elevated by a rule inherited from parent process. |
| 1220 | A process has been elevated by an on-demand rule. |
| 1221 | A process has been elevated by an on-demand rule inherited from parent process. |
| 1300 | A process has been allowed to run with custom security settings. |
| 1301 | A process has been allowed to run with custom security settings inherited from parent process. |
| 1320 | A process has been allowed to run with custom security settings by an on-demand rule. |
| 1321 | A process has been allowed to run with custom security settings by an on-demand rule inherited from parent process. |
| 2000 | A process has been blocked by a rule. |
| 2002 | An AppX package (UWP app) has been blocked by a rule. |
| 2010 | A process has been blocked by SecureRun. |
| 6200 | AUDIT: Process runs elevated. |
| 6205 | AUDIT: Process requires elevation. |
| 6210 | AUDIT: Process is untrusted and would have been blocked by SecureRun. |
| 6300 | AA prompt is displayed because a process requires admin privileges. |
| 6301 | AA prompt is displayed because a process is blocked by SecureRun. |
| 6302 | AA prompt is displayed because user right-clicked on a file and selected Run with PolicyPak. |
| 6310 | Correct Response Code provided in AA prompt. |
| 6315 | Alternate Admin Credentials provided in AA prompt. |
| 6320 | AA prompt has been cancelled. |
| 6330 | Incorrect Response Code provided in AA prompt. |
| 6500 | A process has been elevated as SecureCopy. |
| 6501 | A process has been elevated by a SecureCopy rule inherited from parent process. |

  • 16-Jul-2021