JSI Tip 2134. Windows File Protection event log entries.


When SFC is run, it is possible for a user to cancel a file replacement, or the entire run.

If a user cancels a file replacement, Event ID 6406 is logged. If they cancel the entire scan, Event ID 6409 is logged:


   Event ID 6406
   Type: Informational
   Source: Windows File Protection
   Description: The system file Filename was not restored to its original, valid version because
                the WFP restoration process was canceled by user interaction, user name is UserID. 


   Event ID: 6409
   Type: Informational
   Source: Windows File Protection
   Description: The WFP file scan was canceled by user interaction, user name was UserID. 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish