This event indicates that Group Policy processing for a specific computer was started manually, typically as a result of issuing the command gpupdate /force. It is also recorded for periodic background refreshes of Group Policy; the IsBackgroundProcessing value in the event data shows whether a given pass was a background refresh rather than an interactive gpupdate. This is as opposed to Microsoft-Windows-GroupPolicy/Operational/4000: Starting computer boot policy processing, which records computer GPO processing started when the computer first boots.
- Network - Evidence of Network Activity
- Windows 11
- Windows 10
- Windows 8
- Windows 7
- Windows Vista
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
| XML Path | Interpretation |
|---|---|
| System/Correlation ActivityID | The ActivityID for this GPO update. It can be used to filter and correlate the other events belonging to this processing pass, in both the System event log and the Group Policy Operational log. |
| EventData/PrincipalSamName | The SAM account name of the computer account for which the GPO update was started. |
If new Computer Group Policy Objects were found for the computer in question, System/1502: The Group Policy settings for the computer were processed successfully is generated in the System log with the same System/Correlation ActivityID.

If new Computer Group Policy Objects were found, Microsoft-Windows-GroupPolicy/Operational/5312: List of applicable Group Policy objects is also generated with the same System/Correlation ActivityID, providing a list of all the applicable GPOs.
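The correlation described above, as an added example that is not part of the original page: for each recent 4004 event it reads the Correlation ActivityID from the record (Get-WinEvent exposes it as the ActivityId property; -FilterHashtable has no key for it, so the example bounds the search by time and then matches the GUID) and collects the Operational 5312/5317 records and the System 1500/1502 records that share it. It assumes a Windows host (or -ComputerName target) with the Microsoft-Windows-GroupPolicy/Operational log enabled and rights to read both logs; the function name, parameter names and the inclusion of 5317 (GPOs that did not apply) and 1500 (no changes detected) are this example's own assumptions, not statements from the page.

```powershell
# Added example, not code from the original page.
# Walks Microsoft-Windows-GroupPolicy/Operational for event 4004 and, for each one,
# pulls the other records of the same processing pass by Correlation ActivityID.
function Get-GpoUpdateChain {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 25,
        # A processing pass normally completes in seconds; widen this on slow links.
        [int]$WindowMinutes = 10
    )

    $opLog = 'Microsoft-Windows-GroupPolicy/Operational'

    # 4004 = manual (gpupdate) computer policy processing started.
    $starts = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = $opLog; Id = 4004 } -ErrorAction Stop

    foreach ($start in $starts) {
        $activity = $start.ActivityId          # System/Correlation ActivityID
        if (-not $activity) { continue }

        $window = @{
            StartTime = $start.TimeCreated
            EndTime   = $start.TimeCreated.AddMinutes($WindowMinutes)
        }

        # 5312 lists the GPOs that applied in this pass; 5317 (assumed here) lists those
        # that were present but did not apply. Both carry the same ActivityID as the 4004.
        $gpoLists = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable ($window + @{ LogName = $opLog; Id = 5312, 5317 }) |
            Where-Object { $_.ActivityId -eq $activity }

        # Outcome lives in the System log under the same provider: 1502 = new settings
        # detected and applied (as the page states); 1500 (assumed) = no changes detected.
        $outcome = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable ($window + @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-GroupPolicy'
                Id           = 1500, 1502
            }) |
            Where-Object { $_.ActivityId -eq $activity }

        [pscustomobject]@{
            TimeCreated       = $start.TimeCreated
            ActivityId        = $activity
            # EventData order: PolicyActivityId, PrincipalSamName, IsMachine,
            # IsDomainJoined, IsBackgroundProcessing, ...
            PrincipalSamName  = $start.Properties[1].Value
            IsBackground      = ([string]$start.Properties[4].Value -eq 'true')
            OutcomeEventIds   = @($outcome  | ForEach-Object Id)
            ApplicableGpos    = @($gpoLists | Where-Object Id -eq 5312 | ForEach-Object Message)
            NotApplicableGpos = @($gpoLists | Where-Object Id -eq 5317 | ForEach-Object Message)
        }
    }
}

# Usage: most recent passes first, with the GPO lists expanded.
Get-GpoUpdateChain -MaxEvents 5 | Format-List
```

A 4004 with an empty OutcomeEventIds and no 5312 inside the window is worth a second look: either the pass did not finish within the window or it did not complete successfully, and the remaining records with that ActivityID in the Operational log will say which.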
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>4004</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2024-04-22T19:48:02.0178152Z" />
    <EventRecordID>499</EventRecordID>
    <Correlation ActivityID="{d739f467-3600-41b9-8b95-3cef52425544}" />
    <Execution ProcessID="13044" ThreadID="4444" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>DESKTOP-88KIKM6.example.lan</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PolicyActivityId">{d739f467-3600-41b9-8b95-3cef52425544}</Data>
    <Data Name="PrincipalSamName">EXAMPLEDOMAIN\DESKTOP-88KIKM6$</Data>
    <Data Name="IsMachine">1</Data>
    <Data Name="IsDomainJoined">true</Data>
    <Data Name="IsBackgroundProcessing">true</Data>
    <Data Name="IsAsyncProcessing">false</Data>
    <Data Name="IsServiceRestart">false</Data>
    <Data Name="ReasonForSyncProcessing">0</Data>
  </EventData>
</Event>
```
This example was produced on Windows 10, Version 10.0.19045 Build 19045