Vista Aggregate Page Corruption Collection

Microsoft.Windows.Client.Vista.Computer.PageCorruption.Collection (Rule)

Knowledge Base article:

Summary

This rule collects events logged by Windows Vista when the kernel detects page corruption in memory that it is delivering to applications and services.

Causes

There could be hardware defects in the memory.

Element properties:

Target: Microsoft.Windows.Client.Vista.Aggregate.Computer
Category: EventCollection
Enabled: True
Event_ID: 1801
Event Source: Application Popup
Alert Generate: False
Remotable: True
Event Log: System

Member Modules:

ID                             Module Type         TypeId                                                     RunAs
EventDS                        DataSource          Microsoft.Windows.EventProvider                            System.PrivilegedMonitoringAccount
Mapper                         ConditionDetection  Microsoft.Windows.Client.Vista.LinkedDataMapper            Default
PublishToMemoryFailureChannel  WriteAction         Microsoft.Windows.Client.Vista.Computer.PublishLinkedData  Default

Source Code:

<Rule ID="Microsoft.Windows.Client.Vista.Computer.PageCorruption.Collection" Enabled="true" Target="Microsoft.Windows.Client.Vista.Aggregate.Computer">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" RunAs="System!System.PrivilegedMonitoringAccount" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Application Popup</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>1801</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <ConditionDetection TypeID="Microsoft.Windows.Client.Vista.LinkedDataMapper" ID="Mapper">
    <ManagedEntityId>$Target/Id$</ManagedEntityId>
    <RuleId>$MPElement$</RuleId>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="PublishToMemoryFailureChannel" TypeID="Microsoft.Windows.Client.Vista.Computer.PublishLinkedData">
      <ChannelId>1015F394-D13D-4C63-BB71-61D09581AEF6</ChannelId>
    </WriteAction>
  </WriteActions>
</Rule>