Applies to
- Windows 10
- Windows Server 2016
Subcategory:Audit Logon
Event Description:
This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
Note For recommendations, see Security Monitoring Recommendations for this event.
Event XML:
Required Server Roles: None.
Minimum OS Version: Windows Server 2008, Windows Vista.
Event Versions:
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2012, Windows 8.
  - Added “Impersonation Level” field.
- 2 - Windows 10.
  - Added “Logon Information:” section.
  - Logon Type moved to “Logon Information:” section.
  - Added “Restricted Admin Mode” field.
  - Added “Virtual Account” field.
  - Added “Elevated Token” field.
  - Added “Linked Logon ID” field.
  - Added “Network Account Name” field.
  - Added “Network Account Domain” field.
Field Descriptions:
Subject:
- Security ID [Type = SID]: SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
- Account Name [Type = UnicodeString]: the name of the account that reported information about successful logon.
- Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
  - Domain NETBIOS name example: CONTOSO
  - Lowercase full domain name: contoso.local
  - Uppercase full domain name: CONTOSO.LOCAL
  - For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
Logon Information [Version 2]:
- Logon Type [Version 0, 1, 2] [Type = UInt32]: the type of logon which was performed. The table below contains the list of possible values for this field.
Logon types and descriptions
Logon Type | Logon Title | Description |
---|---|---|
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
- Restricted Admin Mode [Version 2] [Type = UnicodeString]: Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. Reference: http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx. If not a RemoteInteractive logon, then this will be '-' string.
- Virtual Account [Version 2] [Type = UnicodeString]: a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., 'Managed Service Account'), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using 'NetworkService'.
- Elevated Token [Version 2] [Type = UnicodeString]: a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges.
Impersonation Level [Version 1, 2] [Type = UnicodeString]: can have one of these four values:
- SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
- SecurityIdentification (displayed as 'Identification'): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
- SecurityImpersonation (displayed as 'Impersonation'): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.
- SecurityDelegation (displayed as 'Delegation'): The server process can impersonate the client's security context on remote systems.
New Logon:
- Security ID [Type = SID]: SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.
- Account Name [Type = UnicodeString]: the name of the account for which logon was performed.
- Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:
  - Domain NETBIOS name example: CONTOSO
  - Lowercase full domain name: contoso.local
  - Uppercase full domain name: CONTOSO.LOCAL
  - For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
  - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4672(S): Special privileges assigned to new logon.”
- Linked Logon ID [Version 2] [Type = HexInt64]: A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “0x0”.
- Network Account Name [Version 2] [Type = UnicodeString]: User name that will be used for outbound (network) connections. Valid only for NewCredentials logon type. If not NewCredentials logon, then this will be a '-' string.
- Network Account Domain [Version 2] [Type = UnicodeString]: Domain for the user that will be used for outbound (network) connections. Valid only for NewCredentials logon type. If not NewCredentials logon, then this will be a '-' string.
- Logon GUID [Type = GUID]: a GUID that can help you correlate this event with another event that can contain the same Logon GUID, “4769(S, F): A Kerberos service ticket was requested” event on a domain controller. It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same Logon GUID, “4648(S): A logon was attempted using explicit credentials” and “4964(S): Special groups have been assigned to a new logon.” This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
Note GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
Process Information:
- Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column). If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager. You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
- Process Name [Type = UnicodeString]: full path and the name of the executable for the process.
Network Information:
- Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.
- Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was performed.
  - IPv6 address or ::ffff:IPv4 address of a client.
  - ::1 or 127.0.0.1 means localhost.
- Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
  - 0 for interactive logons.
Detailed Authentication Information:
- Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon. See event “4611: A trusted logon process has been registered with the Local Security Authority” description for more information.
- Authentication Package [Type = UnicodeString]: The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
  - NTLM – NTLM-family Authentication
  - Kerberos – Kerberos authentication.
  - Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
- Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx
- Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. Possible values are:
  - “NTLM V1”
  - “NTLM V2”
  - “LM”

  Only populated if “Authentication Package” = “NTLM”.
- Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate authentication package.
Security Monitoring Recommendations
For 4624(S): An account was successfully logged on.
Type of monitoring required | Recommendation |
---|---|
High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the “New Logon\Security ID” that corresponds to the high-value account or accounts. |
Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the “New Logon\Security ID” (with other information) to monitor how or when a particular account is being used. |
Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the “New Logon\Security ID” that corresponds to the accounts that should never be used. |
Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the “New Logon\Security ID” for accounts that are outside the whitelist. |
Accounts of different types: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the “New Logon\Security ID” to see whether the account type is as expected. |
External accounts: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the “Subject\Account Domain” corresponding to accounts from another domain or “external” accounts. |
Restricted-use computers or devices: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target Computer: (or other target device) for actions performed by the “New Logon\Security ID” that you are concerned about. |
Account naming conventions: Your organization might have specific naming conventions for account names. | Monitor “Subject\Account Name” for names that don’t comply with naming conventions. |
- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever “Subject\Security ID” is not SYSTEM.
- If “Restricted Admin” mode must be used for logons by certain accounts, use this event to monitor logons by “New Logon\Security ID” in relation to “Logon Type”=10 and “Restricted Admin Mode”=”Yes”. If “Restricted Admin Mode”=”No” for these accounts, trigger an alert.
- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “Elevated Token”=”Yes”.
- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “Virtual Account”=”Yes”.
- To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this event.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
  - If the user account “New Logon\Security ID” should never be used to log on from the specific Computer:.
  - If New Logon\Security ID credentials should not be used from Workstation Name or Source Network Address.
  - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for Network Information\Source Network Address and compare the network address with your list of IP addresses.
  - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor Package Name (NTLM only), for example, to find events where Package Name (NTLM only) does not equal NTLM V2.
  - If NTLM is not used in your organization, or should not be used by a specific account (New Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.
  - If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for Process Name.
- If you have a trusted logon processes list, monitor for a Logon Process that is not from the list.
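Several of these recommendations can be checked mechanically against exported 4624 event XML. The sketch below is an added example, not code from the original page: it applies the NTLM version, NTLM key length, source address allow-list and logon type mismatch checks, and normalises the `::ffff:IPv4` and `-` forms of the source address. The `Data` element names (`TargetUserSid`, `LmPackageName`, `IpAddress` and so on) are the names these fields carry in the event's XML, which this page does not show; the SIDs, the network range and the sample events are constructed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed local policy. Every SID and network below is a constructed placeholder.
SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
SERVICE_SIDS = {SVC_SID}      # accounts limited to the internal address list
ADMIN_SIDS = {ADMIN_SID}      # accounts that must not use Batch/Service logons
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_4624(xml_text):
    """Return the EventData fields of a 4624 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}


def source_ip(value):
    """Normalise Source Network Address: '-' or empty -> None,
    '::ffff:a.b.c.d' -> the embedded IPv4 address."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return getattr(ip, "ipv4_mapped", None) or ip


def evaluate(f):
    """Apply four of the monitoring recommendations to one parsed event."""
    findings = []
    sid = f.get("TargetUserSid", "")          # New Logon\Security ID
    if f.get("AuthenticationPackageName") == "NTLM":
        if f.get("LmPackageName") != "NTLM V2":
            findings.append("ntlm-version")
        if f.get("KeyLength") != "128":
            findings.append("ntlm-key-length")
    if sid in SERVICE_SIDS:
        ip = source_ip(f.get("IpAddress", ""))
        if (ip is not None and not ip.is_loopback
                and not any(ip in net for net in ALLOWED_NETS)):
            findings.append("source-address")
    if f.get("LogonType") in {"4", "5"} and sid in ADMIN_SIDS:
        findings.append("logon-type-mismatch")
    return findings


def sample_event(**data):
    """Build a minimal, constructed 4624 event document for the demo."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f"<EventData>{rows}</EventData></Event>")


SAMPLES = [
    # NTLM V1 network logon by the service account from an unlisted address.
    sample_event(TargetUserSid=SVC_SID, LogonType="3",
                 AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
                 KeyLength="56", IpAddress="::ffff:203.0.113.7"),
    # Kerberos network logon by the same account from an allowed address.
    sample_event(TargetUserSid=SVC_SID, LogonType="3",
                 AuthenticationPackageName="Kerberos", LmPackageName="-",
                 KeyLength="0", IpAddress="::ffff:10.1.2.3"),
    # Service logon (type 5) by an account in the administrative set.
    sample_event(TargetUserSid=ADMIN_SID, LogonType="5",
                 AuthenticationPackageName="Negotiate", LmPackageName="-",
                 KeyLength="0", IpAddress="-"),
]


def run(samples=SAMPLES):
    """Return the findings list for each sample event, in order."""
    return [evaluate(parse_4624(xml_text)) for xml_text in samples]


if __name__ == "__main__":
    for findings in run():
        print(findings or "no findings")
```

Key Length is only compared when the authentication package is NTLM, because the field is always 0 for Kerberos and for Kerberos negotiated through Negotiate.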
Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events. The event-logging service stores events from various sources in a single collection called an event log. Prior to Windows Vista, you would use either Event Tracing for Windows (ETW) or Event Logging to log events. Windows Vista introduced a new eventing model that unifies both ETW and the Windows Event Log API.
The installer also writes entries into the event log. These record events such as the following:
- Success or failure of the installation; removal or repair of a product.
- Errors that occur during product configuration.
- Detection of corrupted configuration data.
If a large amount of information is written, the Event Log file can become full and the installer displays the message, 'The Application log file is full.'
The installer may write the following entries in the event log. All event log messages have a unique event ID. All general errors authored in the Error table that are returned for an installation that fails are logged in the Application Event Log with a message ID equal to the Error + 10,000. For example, the error number in the Error table for an installation completed successfully is 1707. The successful installation is logged in the Application Event Log with a message ID of 11707 (1707 + 10,000).
For information about how to enable verbose logging on a user's computer when troubleshooting deployment, see Windows Installer Best Practices.
Event ID | Message | Remarks |
---|---|---|
1001 | Detection of product '%1', feature '%2' failed during request for component '%3' | A warning message. For details, see Searching For a Broken Feature or Component. |
1002 | Unexpected or missing value (name: '%1', value: '%2') in key '%3' | Error message that there was an unexpected or missing value. |
1003 | Unexpected or missing subkey '%1' in key '%2' | Error message that there was an unexpected or missing subkey. |
1004 | Detection of product '%1', feature '%2', component '%3' failed Note: Beginning with Windows Installer version 2.0, this message is: Detection of product '%1', feature '%2', component '%3' failed. The resource '%4' does not exist. | A warning message. See also Searching For a Broken Feature or Component. |
1005 | Install operation initiated a reboot | Informational message that the installation initiated a reboot of the system. |
1006 | Verification of the digital signature for cabinet '%1' cannot be performed. WinVerifyTrust is not available on the computer. | Warning message. A cabinet was authored in the MsiDigitalSignature table to have a WinVerifyTrust check performed. This action could not be performed because the computer does not have the proper cryptography DLLs installed. |
1007 | The installation of %1 is not permitted by software restriction policy. The Windows Installer only allows execution of unrestricted items. The authorization level returned by software restriction policy was %2. | An error message indicating that the administrator has configured software restriction policy to disallow this install. |
1008 | The installation of %1 is not permitted due to an error in software restriction policy processing. The object cannot be trusted. | An error message indicating that there were problems attempting to verify the package according to software restriction policy. |
1012 | This version of Windows does not support deploying 64-bit packages. The script '%1' is for a 64-bit package. | Error message indicating that scripts for 64-bit packages can only be executed on a 64-bit computer. |
1013 | {Unhandled exception report} | Error message for an unhandled exception, this is the report. |
1014 | Windows Installer proxy information not registered correctly | Error message that proxy information was not registered correctly. |
1015 | Failed to connect to server. Error: %d | Informational message that the installation failed to connect to server. |
1016 | Detection of product '%1', feature '%2', component '%3' failed. The resource '%4' in a run-from-source component could not be located because no valid and accessible source could be found. | Warning message. For more information, see Searching for a Broken Feature or Component. |
1017 | User SID had changed from '%1' to '%2' but the managed app and the user data keys cannot be updated. Error = '%3'. | Error message indicating that an error occurred while attempting to update the user's registration after the user's SID changed. |
1018 | The application '%1' cannot be installed because it is not compatible with this version of Windows. | Error message indicating that the installation is incompatible with the currently running version of Windows. Contact the manufacturer of the software being installed for an update. |
1019 | Product: %1 - Update '%2' was successfully removed. | Informational message that the installer has removed the update. Windows Installer 2.0: Not available. |
1020 | Product: %1 - Update '%2' could not be removed. Error code %3. Additional information is available in the log file %4. | Error message indicating that the installer was unable to remove the update. Additional information is available in the log file. Windows Installer 2.0: Not available. |
1021 | Product: %1 - Update '%2' could not be removed. Error code %3. | Error message indicating that the installer was unable to remove the update. For information on how to turn on logging, see Enable verbose logging on user's computer when troubleshooting deployment. Windows Installer 2.0: Not available. |
1022 | Product: %1 - Update '%2' installed successfully. | Informational message that the installer has installed the update successfully. Windows Installer 2.0: Not available. |
1023 | Product: %1 - Update '%2' could not be installed. Error code %3. Additional information is available in the log file %4. | Error message indicating that the installer was unable to install the update. Additional information is available in the log file. Windows Installer 2.0: Not available. |
1024 | Product: %1 - Update '%2' could not be installed. Error code %3. | Error message indicating that the installer was unable to install the update. For information on how to turn logging on, see Enable verbose logging on user's computer when troubleshooting deployment. Windows Installer 2.0: Not available. |
1025 | Product: %1. The file %2 is being used by the following process: Name: %3 , Id %4. | Windows Installer 2.0: Not available. |
1026 | Windows Installer has determined that its configuration data registry key was not secured properly. The owner of the key must be either Local System or Builtin\Administrators. The existing key will be deleted and re-created with the appropriate security settings. | Warning message. Windows Installer 3.1 and earlier: Not available. |
1027 | Windows Installer has determined that a registry sub key %1 within its configuration data was not secured properly. The owner of the key must be either Local System or Builtin\Administrators. The existing sub key and all of its contents will be deleted. | Warning message. Windows Installer 3.1 and earlier: Not available. |
1028 | Windows Installer has determined that its configuration data cache folder was not secured properly. The owner of the key must be either Local System or Builtin\Administrators. The existing folder will be deleted and re-created with the appropriate security settings. | Warning message. Windows Installer 3.1 and earlier: Not available. |
1029 | Product: %1. Restart required. | Warning message indicating that a system restart is required to complete the installation and the restart has been deferred to a later time. Windows Installer 3.1 and earlier: Not available. |
1030 | Product: %1. The application tried to install a more recent version of the protected Windows file %2. You may need to update your operating system for this application to work correctly. (Package Version: %3, Operating System Protected Version: %4). | Warning message indicating that the installation tried to replace a critical file that is protected by Windows Resource Protection. An update of the operating system may be required to use this application. Windows Installer 3.1 and earlier: Not available. |
1031 | Product: %1. The assembly '%2' for component '%3' is in use. | Warning message indicating that the installation tried to update an assembly currently in use. The system must be restarted to complete the update of this assembly. Windows Installer 3.1 and earlier: Not available. |
1032 | An error occurred while refreshing environment variables updated during the installation of '%1'. | Warning message indicating that some users who are logged on to the computer may need to log off and back on to complete the update of environment variables. Windows Installer 3.1 and earlier: Not available. |
1033 | Product: %1. Version: %2. Language: %3. Installation completed with status: %4. Manufacturer: %5. | Field 1 - ProductName Field 2 - ProductVersion Field 3 - ProductLanguage Windows Installer 3.1 and earlier: Not available. Field 5 - Manufacturer Windows Installer 4.5 and earlier: Field 5 not available. |
1034 | Product: %1. Version: %2. Language: %3. Removal completed with status: %4. Manufacturer: %5. | Field 1 - ProductName Field 2 - ProductVersion Field 3 - ProductLanguage Windows Installer 3.1 and earlier: Not available. Field 5 - Manufacturer Windows Installer 4.5 and earlier: Field 5 not available. |
1035 | Product: %1. Version: %2. Language: %3. Configuration change completed with status: %4. Manufacturer: %5. | Field 1 - ProductName Field 2 - ProductVersion Field 3 - ProductLanguage Field 5 - Manufacturer Windows Installer 4.5 and earlier: Field 5 not available. |
1036 | Product: %1. Version: %2. Language: %3. Update: %4. Update installation completed with status: %5. Manufacturer: %6. | Field 1 - ProductName Field 2 - ProductVersion Field 3 - ProductLanguage Field 4 - This is the user friendly name if the MsiPatchMetadata Table is present in the patch package. Otherwise, this is the patch code GUID of the patch. Field 5 - Status of update installation. Windows Installer 3.1 and earlier: Not available. Field 6 - Manufacturer Windows Installer 4.5 and earlier: Field 6 not available. |
1037 | Product: %1. Version: %2. Language: %3. Update: %4. Update removal completed with status: %5. Manufacturer: %6. | Field 1 - ProductName Field 2 - ProductVersion Field 3 - ProductLanguage Field 4 - This is the user friendly name if the MsiPatchMetadata Table is present in the patch package. Otherwise, this is the patch code GUID of the patch. Field 5 - Status of update removal. Windows Installer 3.1 and earlier: Not available. Field 6 - Manufacturer Windows Installer 4.5 and earlier: Field 6 not available. |
1038 | Product: %1. Version: %2. Language: %3. Reboot required. Reboot Type: %4. Reboot Reason: %5. Manufacturer: %6. | Field 1 - ProductName Field 2 - ProductVersion Field 3 - ProductLanguage msirbRebootDeferred (2) - A user or admin has deferred a required restart of the computer using the UI or REBOOT=ReallySuppress. msirbRebootInUseFilesReason (1) - A restart was required to replace files in use. msirbRebootScheduleRebootReason (2) - The package contains a ScheduleReboot action. msirbRebootForceRebootReason (3) - The package contains a ForceReboot action. msirbRebootCustomActionReason (4) - A custom action called the MsiSetMode function. Field 6 - Manufacturer Windows Installer 4.5 and earlier: Field 6 not available. |
10005 | The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is [1]. {{The arguments are: [2], [3], [4]}} | Error message indicating an internal error occurred. The text of this message is based upon the text authored for error 5 in the Error table. |
11707 | Product [2] – Installation operation completed successfully | Informational message that the installation of the product was successful. |
11708 | Product [2] – Installation operation failed | Error message that the installation of the product failed. |
11728 | Product [2] -- Configuration completed successfully. | Informational message that configuration of the product was successful. |
You can import localized error strings for events into your database by using Msidb.exe or MsiDatabaseImport. The SDK includes localized resource strings for each of the languages listed in the Localizing the Error and ActionText Tables section. If the error strings corresponding to events are not populated, the installer loads localized strings for the language specified by the ProductLanguage property.