I first noticed this when I was testing PowerShell queries on a test laptop running Windows 1809. I noticed something worrying in the System log. Here’s the query:
Get-EventLog -LogName System -Newest 20 | Format-Table
I’ve highlighted the results which caught my eye:
I changed the query to use Format-List so I could see the name of the Source and saw that it was Microsoft-Windows-Kernel-General.
I rewrote the query to narrow it down:
Get-EventLog -LogName System -InstanceId 1 -Source Microsoft-Windows-Kernel-General -Newest 20 | Format-Table
This showed that the “Possible detection of CVE” event was logged once a day at least, sometimes twice or three times.
The message included:
This Event is generated when an attempt to exploit a known vulnerability (2022-12-29T19:38:59.190732800Z) is detected.
This Event is raised by a User mode process.
This sounded worrying, especially as the last sentence indicated that something I was doing (as the only user) was responsible for triggering the event.
However, there were anomalies. For example, one event was logged on December 25th when I was many miles away visiting my daughter for Xmas dinner. Others were at times when I had been asleep.
Yet another anomaly was that there was no record found of the CVE vulnerability mentioned (2022-12-29T19) in the CVE Details security vulnerability database.
Another puzzling thing was I couldn’t find these “Possible detection of CVE” events in either the built-in Event Viewer or Nir Sofer’s FullEventLogView. They’re just not visible… at all.
I’ve finally got round to testing on another laptop. This had Windows 22H2 clean installed on Nov. 1st and was then shut down and put to one side immediately after Windows Update had shown there were no more updates at the time to be found. I’ve just powered it up and run the same PowerShell query:
Yet I haven’t used it for *anything* and there’s only Windows installed; no other software. Its *only* internet access has been to Windows Update. I haven’t even opened Edge on it. I went back to the System logs again and finally realised what was happening.
Every “Possible detection of CVE” event has a corresponding Time Sync event when Windows compares itself with time.windows.com and makes any necessary adjustment. Every. Single. Time. It’s not a User mode process causing it at all; it’s an automatic system event that is the culprit.
IMO it’s simply a bug in whatever interaction there is between the system’s automatic time sync and PowerShell.
Try the second PowerShell query for yourself and see if your results are the same…
Hope this helps…
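The correlation described in the post can be checked with a script like the one below. This is an added example, not the author's code. It pulls the same Microsoft-Windows-Kernel-General InstanceId 1 records the post queries, renders each one twice (through the legacy API that Get-EventLog uses, and through Get-WinEvent, which builds the message from the provider's own manifest), and lists any Microsoft-Windows-Time-Service events logged within a short window of each. If the two renderings of the same record number disagree, the message text rather than the underlying event is what needs explaining. The 120-second window and the choice of Windows PowerShell 5.1 (Get-EventLog does not ship in PowerShell 7) are assumptions made here.

```powershell
# Added example, not code from the original post.
# Run in Windows PowerShell 5.1 on the machine being examined.
param(
    [int]$Newest = 20,          # how many Kernel-General InstanceId 1 events to inspect
    [int]$WindowSeconds = 120   # correlation window around each event (assumed value)
)

# The post's query: the legacy API renders the message text for each record.
$legacy = @(Get-EventLog -LogName System -Source Microsoft-Windows-Kernel-General `
    -InstanceId 1 -Newest $Newest)
if ($legacy.Count -eq 0) { Write-Host 'No matching events found.'; return }

# Same log, provider and event ID through the modern API, which renders the message
# from the provider manifest. Records are matched to the legacy ones by record number.
$modern = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1
} -MaxEvents $Newest -ErrorAction SilentlyContinue)

# Time-service events covering the same span, for the correlation the post describes.
$oldest = ($legacy | Sort-Object TimeGenerated | Select-Object -First 1).TimeGenerated
$timeSync = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'
    StartTime = $oldest.AddSeconds(-$WindowSeconds)
} -ErrorAction SilentlyContinue)

$report = foreach ($e in $legacy) {
    # Record number: EventLogEntry.Index and EventLogRecord.RecordId refer to the same record.
    $m = $modern | Where-Object { $_.RecordId -eq $e.Index } | Select-Object -First 1
    $nearby = $timeSync | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeGenerated).TotalSeconds) -le $WindowSeconds
    }
    [pscustomobject]@{
        Time            = $e.TimeGenerated
        RecordId        = $e.Index
        LegacyMessage   = ($e.Message -split "`r?`n")[0]
        ManifestMessage = $(if ($m) { ($m.Message -split "`r?`n")[0] } else { '<no match>' })
        TimeSyncEvents  = ($nearby | ForEach-Object {
            "$($_.Id)@$($_.TimeCreated.ToString('HH:mm:ss'))" }) -join ', '
    }
}

$report | Format-Table -AutoSize -Wrap
```

Save as a .ps1 and run it from an elevated Windows PowerShell prompt; the TimeSyncEvents column shows which time-service event IDs, if any, fall inside the window of each Kernel-General record, and the two message columns show whether the legacy and manifest renderings of that record agree.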