EricZimmerman
diff --git a/‎evtx/Maps/Application_MsiInstaller_10002.map ‎evtx/Maps/Application_Microsoft-Windows-RestartManager_10002.map
+5-5 b/‎evtx/Maps/Application_MsiInstaller_10002.map ‎evtx/Maps/Application_Microsoft-Windows-RestartManager_10002.map
+5-5
diff --git a/‎evtx/Maps/Application_Microsoft-Windows-Winsrv_10002.map
+41 b/‎evtx/Maps/Application_Microsoft-Windows-Winsrv_10002.map
+41
diff --git a/‎evtx/Maps/Application_System Restore_8194.map
+41 b/‎evtx/Maps/Application_System Restore_8194.map
+41
diff --git a/‎evtx/Maps/Application_System Restore_8195.map
+41 b/‎evtx/Maps/Application_System Restore_8195.map
+41
diff --git a/‎evtx/Maps/Application_System Restore_8196.map
+41 b/‎evtx/Maps/Application_System Restore_8196.map
+41
@@ -1,25 +1,25 @@
 Author: Hyun Yi @hyuunnn
-Description: Terminated due to non-response
+Description: Shutting down application or service
 EventId: 10002
 Channel: "Application"
 Provider: "Microsoft-Windows-RestartManager"
 Maps:
   -
-    Property: PayloadData1
-    PropertyValue: "FullPath: %FullPath%"
+    Property: ExecutableInfo
+    PropertyValue: "%FullPath%"
     Values:
       -
         Name: FullPath
         Value: "/Event/UserData/RmApplicationEvent/FullPath"
   -
-    Property: PayloadData2
+    Property: PayloadData1
     PropertyValue: "DisplayName: %DisplayName%"
     Values:
       -
         Name: DisplayName
         Value: "/Event/UserData/RmApplicationEvent/DisplayName"
   -
-    Property: PayloadData3
+    Property: PayloadData2
     PropertyValue: "Files: %Files%"
     Values:
       -
 
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: Terminated due to non-response
+EventId: 10002
+Channel: "Application"
+Provider: "Microsoft-Windows-Winsrv"
+Maps:
+  -
+    Property: ExecutableInfo
+    PropertyValue: "%AppName%"
+    Values:
+      -
+        Name: AppName
+        Value: "/Event/UserData/HungAppEvent/AppName"
+        
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-Winsrv" Guid="{GUID}" /> 
+#     <EventID>10002</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x8000000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-12-28T16:45:14.6424242Z" /> 
+#     <EventRecordID>31565</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="11364" ThreadID="23376" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="{UserID}" /> 
+#   </System>
+#   <UserData>
+#     <HungAppEvent xmlns="http://manifests.microsoft.com/win/2004/08/windows/winsrv">
+#       <AppName>PotPlayer.exe</AppName> 
+#     </HungAppEvent>
+#   </UserData>
+# </Event>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: Restore point created successfully
+EventId: 8194
+Channel: "Application"
+Provider: "System Restore"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Data: %Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+        
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="System Restore" /> 
+#     <EventID Qualifiers="0">8194</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x80000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-10-12T07:13:41.6976173Z" /> 
+#     <EventRecordID>2347</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="0" ThreadID="0" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security /> 
+#   </System>
+#   <EventData>
+#     <Data>C:\WINDOWS\system32\msiexec.exe /V</Data> 
+#     <Data>Installed AccessData FTK Imager.</Data> 
+#     <Binary>{Binary}</Binary> 
+#   </EventData>
+# </Event>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: System Restore has been disabled
+EventId: 8195
+Channel: "Application"
+Provider: "System Restore"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Data: %Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+        
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="System Restore" /> 
+#     <EventID Qualifiers="0">8195</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x80000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-10-06T16:54:14.3633432Z" /> 
+#     <EventRecordID>390</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="0" ThreadID="0" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security /> 
+#   </System>
+#   <EventData>
+#     <Data>C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.504_none_e781e76525fb2269\TiWorker.exe -Embedding</Data> 
+#     <Data /> 
+#     <Binary>{Binary}</Binary> 
+#   </EventData>
+# </Event>
@@ -0,0 +1,41 @@
+Author: Hyun Yi @hyuunnn
+Description: System Restore has been enabled
+EventId: 8196
+Channel: "Application"
+Provider: "System Restore"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Data: %Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+        
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="System Restore" /> 
+#     <EventID Qualifiers="0">8196</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x80000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-10-06T16:54:14.5351795Z" /> 
+#     <EventRecordID>391</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="0" ThreadID="0" /> 
+#     <Channel>Application</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security /> 
+#   </System>
+#   <EventData>
+#     <Data>C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.504_none_e781e76525fb2269\TiWorker.exe -Embedding</Data> 
+#     <Data /> 
+#     <Binary>{Binary}</Binary> 
+#   </EventData>
+# </Event>
Original file line number	Diff line number	Diff line change
`@@ -1,25 +1,25 @@`
`1`	`1`	`Author: Hyun Yi @hyuunnn`
`2`		`-Description: Terminated due to non-response`
	`2`	`+Description: Shutting down application or service`
`3`	`3`	`EventId: 10002`
`4`	`4`	`Channel: "Application"`
`5`	`5`	`Provider: "Microsoft-Windows-RestartManager"`
`6`	`6`	`Maps:`
`7`	`7`	`-`
`8`		`- Property: PayloadData1`
`9`		`- PropertyValue: "FullPath: %FullPath%"`
	`8`	`+ Property: ExecutableInfo`
	`9`	`+ PropertyValue: "%FullPath%"`
`10`	`10`	`Values:`
`11`	`11`	`-`
`12`	`12`	`Name: FullPath`
`13`	`13`	`Value: "/Event/UserData/RmApplicationEvent/FullPath"`
`14`	`14`	`-`
`15`		`- Property: PayloadData2`
	`15`	`+ Property: PayloadData1`
`16`	`16`	`PropertyValue: "DisplayName: %DisplayName%"`
`17`	`17`	`Values:`
`18`	`18`	`-`
`19`	`19`	`Name: DisplayName`
`20`	`20`	`Value: "/Event/UserData/RmApplicationEvent/DisplayName"`
`21`	`21`	`-`
`22`		`- Property: PayloadData3`
	`22`	`+ Property: PayloadData2`
`23`	`23`	`PropertyValue: "Files: %Files%"`
`24`	`24`	`Values:`
`25`	`25`	`-`