From 9505c0b91e4e4da905f6d329b78a39657d9cd7bb Mon Sep 17 00:00:00 2001
From: Tony <bigt2002@gmail.com>
Date: Thu, 17 Feb 2022 21:20:12 +0000
Subject: [PATCH 1/3] Create Application_Microsoft-Windows-Winsrv_10001.map

---
 ...ication_Microsoft-Windows-Winsrv_10001.map | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map

diff --git a/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map b/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
new file mode 100644
index 00000000..537d08ce
--- /dev/null
+++ b/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
@@ -0,0 +1,43 @@
+Author: Tony Knutson
+Description: Application is stopping shutdown operation
+EventId: 10001
+Channel: "Application"
+Provider: "Microsoft-Windows-Winsrv"
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%AppName%"
+    Values:
+      -
+        Name: AppName
+        Value: "/Event/UserData/VetoAppEvent/AppName"
+
+# Documentation:
+# http://deusexmachina.uk/evdoco/event.php?event=1025
+# A shutdown or hibernation has been requested, but this application, upon receiving the WM_QUERYENDSESSION message, has responded with a zero - meaning no, don't shut me down! I'm not done here yet!.
+#
+# Example Event Data:
+# - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#  - <System>
+#    <Provider Name="Microsoft-Windows-Winsrv" Guid="{9d55b53d-449b-4824-a637-24f9d69aa02f}" /> 
+#    <EventID>10001</EventID> 
+#    <Version>0</Version> 
+#    <Level>4</Level> 
+#    <Task>0</Task> 
+#    <Opcode>0</Opcode> 
+#    <Keywords>0x8000000000000000</Keywords> 
+#    <TimeCreated SystemTime="2022-01-12T13:19:19.0238592Z" /> 
+#    <EventRecordID>1648636</EventRecordID> 
+#    <Correlation /> 
+#    <Execution ProcessID="948" ThreadID="88" /> 
+#    <Channel>Application</Channel> 
+#    <Computer>COMPUTERNAME</Computer> 
+#    <Security UserID="S-1-5-18" /> 
+#  </System>
+#   - <UserData>
+#     <VetoAppEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/winsrv">
+#     <AppName>NAME OF PROGRAM</AppName> 
+#     <ResponseTime>0</ResponseTime> 
+#     </VetoAppEvent>
+#     </UserData>
+#  </Event>

From 20bcb48ba25ef5430debaa57f97e1f55fa89aa6e Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Fri, 18 Feb 2022 07:10:12 -0500
Subject: [PATCH 2/3] Update Application_Microsoft-Windows-Winsrv_10001.map

---
 ...ication_Microsoft-Windows-Winsrv_10001.map | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map b/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
index 537d08ce..fb979348 100644
--- a/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
+++ b/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
@@ -1,4 +1,4 @@
-Author: Tony Knutson
+                                                      Author: Tony Knutson
 Description: Application is stopping shutdown operation
 EventId: 10001
 Channel: "Application"
@@ -19,25 +19,25 @@ Maps:
 # Example Event Data:
 # - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 #  - <System>
-#    <Provider Name="Microsoft-Windows-Winsrv" Guid="{9d55b53d-449b-4824-a637-24f9d69aa02f}" /> 
-#    <EventID>10001</EventID> 
-#    <Version>0</Version> 
-#    <Level>4</Level> 
-#    <Task>0</Task> 
-#    <Opcode>0</Opcode> 
-#    <Keywords>0x8000000000000000</Keywords> 
-#    <TimeCreated SystemTime="2022-01-12T13:19:19.0238592Z" /> 
-#    <EventRecordID>1648636</EventRecordID> 
-#    <Correlation /> 
-#    <Execution ProcessID="948" ThreadID="88" /> 
-#    <Channel>Application</Channel> 
-#    <Computer>COMPUTERNAME</Computer> 
-#    <Security UserID="S-1-5-18" /> 
+#    <Provider Name="Microsoft-Windows-Winsrv" Guid="{9d55b53d-449b-4824-a637-24f9d69aa02f}" />
+#    <EventID>10001</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x8000000000000000</Keywords>
+#    <TimeCreated SystemTime="2022-01-12T13:19:19.0238592Z" />
+#    <EventRecordID>1648636</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="948" ThreadID="88" />
+#    <Channel>Application</Channel>
+#    <Computer>COMPUTERNAME</Computer>
+#    <Security UserID="S-1-5-18" />
 #  </System>
 #   - <UserData>
 #     <VetoAppEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/winsrv">
-#     <AppName>NAME OF PROGRAM</AppName> 
-#     <ResponseTime>0</ResponseTime> 
+#     <AppName>NAME OF PROGRAM</AppName>
+#     <ResponseTime>0</ResponseTime>
 #     </VetoAppEvent>
 #     </UserData>
 #  </Event>

From a1c5952f4b2e958800f4f5e4a676ce55eb90b9bb Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Fri, 18 Feb 2022 07:12:48 -0500
Subject: [PATCH 3/3] Update Application_Microsoft-Windows-Winsrv_10001.map

---
 evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map b/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
index fb979348..5c4a9039 100644
--- a/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
+++ b/evtx/Maps/Application_Microsoft-Windows-Winsrv_10001.map
@@ -1,4 +1,4 @@
-                                                      Author: Tony Knutson
+Author: Tony Knutson
 Description: Application is stopping shutdown operation
 EventId: 10001
 Channel: "Application"