Rule: 92058 fired (level 12) -> "Application Compatibility Database launched"


EugenX

Dec 23, 2025, 5:24:49 PM
to Wazuh | Mailing List
Hi everyone. I updated my workstations from Windows 10 to Windows 11 two days ago; since then one Wazuh agent has been reporting an event. This event happens every hour, e.g. 14:05, 15:05, 16:05.
This is the first time I'm seeing this kind of event and I don't know how to mitigate it or how to determine the root cause. I would really appreciate any help regarding the issue, thank you in advance.

Here is the log:


Wazuh Notification.
2025 Dec 23 19:04:30

Received From: (NEW-PC) any->EventChannel
Rule: 92058 fired (level 12) -> "Application Compatibility Database launched"
User: NT AUTHORITY\SYSTEM

Portion of the log(s):

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-12-23T17:04:29.5130065Z","eventRecordID":"270866","processID":"4944","threadID":"5156","channel":"Microsoft-Windows-Sysmon/Operational","computer":"NEW-PC.ga.intranet","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2025-12-23 17:04:29.508\r\nProcessGuid: {f0f0f557-cb9d-694a-420a-000000000400}\r\nProcessId: 11788\r\nImage: C:\\Windows\\System32\\sdbinst.exe\r\nFileVersion: 10.0.26100.7309 (WinBuild.160101.0800)\r\nDescription: Application Compatibility Database Installer\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sdbinst.exe\r\nCommandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: NT AUTHORITY\\SYSTEM\r\nLogonGuid: {f0f0f557-9590-6949-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1\r\nParentProcessGuid: {f0f0f557-963d-6949-6901-000000000400}\r\nParentProcessId: 7228\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc\r\nParentUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"utcTime":"2025-12-23 17:04:29.508","processGuid":"{f0f0f557-cb9d-694a-420a-000000000400}","processId":"11788","image":"C:\\\\Windows\\\\System32\\\\sdbinst.exe","fileVersion":"10.0.26100.7309 (WinBuild.160101.0800)","description":"Application Compatibility Database Installer","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"sdbinst.exe","commandLine":"C:\\\\WINDOWS\\\\System32\\\\sdbinst.exe -m -bg","currentDirectory":"C:\\\\WINDOWS\\\\system32\\\\","user":"NT AUTHORITY\\\\SYSTEM","logonGuid":"{f0f0f557-9590-6949-e703-000000000000}","logonId":"0x3e7","terminalSessionId":"0","integrityLevel":"System","hashes":"SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1","parentProcessGuid":"{f0f0f557-963d-6949-6901-000000000400}","parentProcessId":"7228","parentImage":"C:\\\\Windows\\\\System32\\\\svchost.exe","parentCommandLine":"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc","parentUser":"NT AUTHORITY\\\\SYSTEM"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
win.system.eventID: 1
win.system.version: 5
win.system.level: 4
win.system.task: 1
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2025-12-23T17:04:29.5130065Z
win.system.eventRecordID: 270866
win.system.processID: 4944
win.system.threadID: 5156
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: NEW-PC.ga.intranet
win.system.severityValue: INFORMATION
win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-12-23 17:04:29.508
ProcessGuid: {f0f0f557-cb9d-694a-420a-000000000400}
ProcessId: 11788
Image: C:\Windows\System32\sdbinst.exe
FileVersion: 10.0.26100.7309 (WinBuild.160101.0800)
Description: Application Compatibility Database Installer
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: sdbinst.exe
CommandLine: C:\WINDOWS\System32\sdbinst.exe -m -bg
CurrentDirectory: C:\WINDOWS\system32\
LogonGuid: {f0f0f557-9590-6949-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1
ParentProcessGuid: {f0f0f557-963d-6949-6901-000000000400}
ParentProcessId: 7228
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
ParentUser: NT AUTHORITY\SYSTEM"
win.eventdata.utcTime: 2025-12-23 17:04:29.508
win.eventdata.processGuid: {f0f0f557-cb9d-694a-420a-000000000400}
win.eventdata.processId: 11788
win.eventdata.image: C:\\Windows\\System32\\sdbinst.exe
win.eventdata.fileVersion: 10.0.26100.7309 (WinBuild.160101.0800)
win.eventdata.description: Application Compatibility Database Installer
win.eventdata.product: Microsoft® Windows® Operating System
win.eventdata.company: Microsoft Corporation
win.eventdata.originalFileName: sdbinst.exe
win.eventdata.commandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg
win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\
win.eventdata.user: NT AUTHORITY\\SYSTEM
win.eventdata.logonGuid: {f0f0f557-9590-6949-e703-000000000000}
win.eventdata.logonId: 0x3e7
win.eventdata.terminalSessionId: 0
win.eventdata.integrityLevel: System
win.eventdata.hashes: SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1
win.eventdata.parentProcessGuid: {f0f0f557-963d-6949-6901-000000000400}
win.eventdata.parentProcessId: 7228
win.eventdata.parentImage: C:\\Windows\\System32\\svchost.exe
win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
win.eventdata.parentUser: NT AUTHORITY\\SYSTEM


 --END OF NOTIFICATION

carlos...@wazuh.com

Dec 24, 2025, 1:40:39 AM
to Wazuh | Mailing List
Hello EugenX,

It looks like this alert is being triggered due to the sdbinst.exe utility, which is the "Application Compatibility Database Installer." Some information regarding this can be found at Windows - Using the Sdbinst.exe Command-Line Tool and Information on sdbinst.exe.

Within the information above, you can find that while the process sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. In your case, it seems like the parent process is PcaSvc, which seems to be Windows' Program Compatibility Assistant Service, which might make it seem like it is running on a legitimate use case.

At this point, before anything, you'll need to determine if this process is running for a legitimate reason or if you think this could be leveraged for malicious intent. It might be some Windows Updates missing or maybe a program trying to run in compatibility mode after the upgrade to Windows 11. 

If, after analyzing, you determine this is a legitimate process, you can mitigate it by creating a child rule that ignores this specific alert when being used by PcaSvc (or whichever criteria you want to use). For example, a child rule to ignore this process when being leveraged by PcaSvc would look something like this:

  <rule id="100050" level="3">
    <if_sid>92058</if_sid>
    <field name="win.eventdata.parentCommandLine" type="pcre2">PcaSvc</field>
    <description>Windows Application Compatibility Database maintenance (PcaSvc).</description>
    <options>no_email_alert</options>
  </rule>

The rule above will trigger if the original rule 92058 triggers, and if the parent service is PcaSvc, it will ignore it, but if there's any other service leveraging it, it will still trigger the alert. Further details on how to use and create custom rules can be found at Wazuh Custom Rules.

Hope you find this information useful!

Best regards,
Carlos
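Added illustration (not part of Carlos's reply, and not Wazuh's own matching engine): the Python below mirrors the decision the posted child rule makes over an alert record in the shape of Wazuh's alerts.json, and places a tighter matcher beside it. The posted rule accepts `PcaSvc` anywhere in parentCommandLine; the tighter variant also requires the parent image to be svchost.exe under System32, the exact `-s PcaSvc` service argument, the `sdbinst.exe -m -bg` maintenance command line and the SYSTEM account. The alert dicts are constructed samples modelled on the event in this thread, and the function and variable names are mine.

```python
import re

def make_alert(parent_image, parent_cmd, rule_id="92058", level=12):
    """Constructed Wazuh alert record (alerts.json shape) carrying the fields the rules inspect."""
    return {"rule": {"id": rule_id, "level": level},
            "data": {"win": {"eventdata": {
                "image": "C:\\Windows\\System32\\sdbinst.exe",
                "commandLine": "C:\\WINDOWS\\System32\\sdbinst.exe -m -bg",
                "user": "NT AUTHORITY\\SYSTEM",
                "parentImage": parent_image,
                "parentCommandLine": parent_cmd}}}}

# Sample 1: the thread's event (sdbinst.exe launched by the PcaSvc service host).
PCA_ALERT = make_alert("C:\\Windows\\System32\\svchost.exe",
    "C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc")
# Sample 2 (constructed): same child process, launched by a different service host.
OTHER_SVC_ALERT = make_alert("C:\\Windows\\System32\\svchost.exe",
    "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule")
# Sample 3 (constructed, hypothetical vendor tool): parent name merely contains "PcaSvc".
NAME_COLLISION_ALERT = make_alert("C:\\Program Files\\Vendor\\PcaSvcHelper.exe",
    "\"C:\\Program Files\\Vendor\\PcaSvcHelper.exe\" --refresh")

def child_rule_100050(alert):
    """Mirror of the posted rule: 92058 fired and pcre2 'PcaSvc' is found anywhere in parentCommandLine."""
    ed = alert["data"]["win"]["eventdata"]
    return alert["rule"]["id"] == "92058" and re.search(r"PcaSvc", ed.get("parentCommandLine", "")) is not None

# Tightened variant: anchor on svchost.exe under System32, the exact "-s PcaSvc" service
# argument, the expected sdbinst.exe maintenance command line and the SYSTEM account.
SVCHOST_PCASVC = re.compile(r"^[A-Za-z]:\\Windows\\System32\\svchost\.exe\s.*\s-s\s+PcaSvc\s*$", re.IGNORECASE)
SDBINST_MAINT = re.compile(r"^[A-Za-z]:\\Windows\\System32\\sdbinst\.exe\s+-m\s+-bg\s*$", re.IGNORECASE)

def tightened_match(alert):
    ed = alert["data"]["win"]["eventdata"]
    return (alert["rule"]["id"] == "92058"
            and ed.get("parentImage", "").lower().endswith("\\windows\\system32\\svchost.exe")
            and SVCHOST_PCASVC.match(ed.get("parentCommandLine", "")) is not None
            and SDBINST_MAINT.match(ed.get("commandLine", "")) is not None
            and ed.get("user", "").upper() == "NT AUTHORITY\\SYSTEM")

def effective_level(alert, matcher):
    """Level the alert ends up with: the child rule's level 3 when it matches, else the parent's level."""
    return 3 if matcher(alert) else alert["rule"]["level"]

if __name__ == "__main__":
    for name, alert in [("PcaSvc", PCA_ALERT), ("other service", OTHER_SVC_ALERT), ("name collision", NAME_COLLISION_ALERT)]:
        print(f"{name:15} posted rule -> level {effective_level(alert, child_rule_100050)}, "
              f"tightened -> level {effective_level(alert, tightened_match)}")
```

Sample 3 is the case where the two matchers disagree: the posted rule downgrades it to level 3 on the substring alone, while the tightened one keeps it at level 12 for review.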
