Rule: 92058 fired (level 12) -> "Application Compatibility Database launched"
127 views
Skip to first unread message
EugenX
Dec 23, 2025, 5:24:49 PM12/23/25
to Wazuh | Mailing List
Hi everyone. I've updated my workstations to Windows 11 from Windows 10 two days ago, since then one wazuh agent is reporting an event, this event happens every hour, ex. 14:05, 15:05, 16:.05.
I'm seeing first time this kind of event and I don't know how to mitigate it, how to determine the root cause. I would really appreciate any help regarding the issue, thank you in advance.
Here is the log:
Wazuh Notification.
2025 Dec 23 19:04:30
Received From: (NEW-PC) any->EventChannel
Rule: 92058 fired (level 12) -> "Application Compatibility Database launched"
User: NT AUTHORITY\SYSTEM
Portion of the log(s):
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2025-12-23T17:04:29.5130065Z","eventRecordID":"270866","processID":"4944","threadID":"5156","channel":"Microsoft-Windows-Sysmon/Operational","computer":"NEW-PC.ga.intranet","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2025-12-23 17:04:29.508\r\nProcessGuid: {f0f0f557-cb9d-694a-420a-000000000400}\r\nProcessId: 11788\r\nImage: C:\\Windows\\System32\\sdbinst.exe\r\nFileVersion: 10.0.26100.7309 (WinBuild.160101.0800)\r\nDescription: Application Compatibility Database Installer\r\nProduct: MicrosoftÂŽ WindowsÂŽ Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sdbinst.exe\r\nCommandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: NT AUTHORITY\\SYSTE
M\r\nLogonGuid: {f0f0f557-9590-6949-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1\r\nParentProcessGuid: {f0f0f557-963d-6949-6901-000000000400}\r\nParentProcessId: 7228\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc\r\nParentUser: NT AUTHORITY\\SYSTEM\""},"eventdata":{"utcTime":"2025-12-23 17:04:29.508","processGuid":"{f0f0f557-cb9d-694a-420a-000000000400}","processId":"11788","image":"C:\\\\Windows\\\\System32\\\\sdbinst.exe","fileVersion":"10.0.26100.7309 (WinBuild.160101.0800)","description":"Application Compatibility Database Installer","product":"MicrosoftÂŽ WindowsÂŽ Operating System","company":"Microsoft Corporation","originalFileName":"sdbinst.exe","commandLine":"C:\\\\WINDOWS\\\\System32\\\\sdbinst.exe -m -bg","currentDirectory":"C:\\\\WINDOWS\\\\sy
stem32\\\\","user":"NT AUTHORITY\\\\SYSTEM","logonGuid":"{f0f0f557-9590-6949-e703-000000000000}","logonId":"0x3e7","terminalSessionId":"0","integrityLevel":"System","hashes":"SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1","parentProcessGuid":"{f0f0f557-963d-6949-6901-000000000400}","parentProcessId":"7228","parentImage":"C:\\\\Windows\\\\System32\\\\svchost.exe","parentCommandLine":"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc","parentUser":"NT AUTHORITY\\\\SYSTEM"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
win.system.eventID: 1
win.system.version: 5
win.system.level: 4
win.system.task: 1
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2025-12-23T17:04:29.5130065Z
win.system.eventRecordID: 270866
win.system.processID: 4944
win.system.threadID: 5156
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: NEW-PC.ga.intranet
win.system.severityValue: INFORMATION
win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-12-23 17:04:29.508
ProcessGuid: {f0f0f557-cb9d-694a-420a-000000000400}
ProcessId: 11788
Image: C:\Windows\System32\sdbinst.exe
FileVersion: 10.0.26100.7309 (WinBuild.160101.0800)
Description: Application Compatibility Database Installer
Product: MicrosoftÂŽ WindowsÂŽ Operating System
Company: Microsoft Corporation
OriginalFileName: sdbinst.exe
CommandLine: C:\WINDOWS\System32\sdbinst.exe -m -bg
CurrentDirectory: C:\WINDOWS\system32\
LogonGuid: {f0f0f557-9590-6949-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1
ParentProcessGuid: {f0f0f557-963d-6949-6901-000000000400}
ParentProcessId: 7228
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
ParentUser: NT AUTHORITY\SYSTEM"
win.eventdata.utcTime: 2025-12-23 17:04:29.508
win.eventdata.processGuid: {f0f0f557-cb9d-694a-420a-000000000400}
win.eventdata.processId: 11788
win.eventdata.image: C:\\Windows\\System32\\sdbinst.exe
win.eventdata.fileVersion: 10.0.26100.7309 (WinBuild.160101.0800)
win.eventdata.description: Application Compatibility Database Installer
win.eventdata.product: MicrosoftÂŽ WindowsÂŽ Operating System
win.eventdata.company: Microsoft Corporation
win.eventdata.originalFileName: sdbinst.exe
win.eventdata.commandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg
win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\
win.eventdata.user: NT AUTHORITY\\SYSTEM
win.eventdata.logonGuid: {f0f0f557-9590-6949-e703-000000000000}
win.eventdata.logonId: 0x3e7
win.eventdata.terminalSessionId: 0
win.eventdata.integrityLevel: System
win.eventdata.hashes: SHA256=F98BB76EEAE67C5E88FBC6E9564F4471505EEEF0723DBF9A5DC89F6B5779B5F1
win.eventdata.parentProcessGuid: {f0f0f557-963d-6949-6901-000000000400}
win.eventdata.parentProcessId: 7228
win.eventdata.parentImage: C:\\Windows\\System32\\svchost.exe
win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
win.eventdata.parentUser: NT AUTHORITY\\SYSTEM
--END OF NOTIFICATION
carlos...@wazuh.com
Dec 24, 2025, 1:40:39 AM12/24/25
to Wazuh | Mailing List
Hello EugenX,
It looks like this alert is being triggered due to the sdbinst.exe utility, which is the "Application Compatibility Database Installer." Some information regarding this can be found at Windows - Using the Sdbinst.exe Command-Line Tool and Information on sdbinst.exe
Within the information above, you can find that while the process sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. In your case, it seems like the parent process is PcaSvc, which seems to be Windows' Program Compatibility Assistant Service, which might make it seem like it is running on a legitimate use case.
At this point, before anything, you'll need to determine if this process is running for a legitimate reason or if you think this could be leveraged for malicious intent. It might be some Windows Updates missing or maybe a program trying to run in compatibility mode after the upgrade to Windows 11.
If, after analyzing, you determine this is a legitimate process, you can mitigate it by creating a child rule that ignores this specific alert when being used by PcaSvc (or whichever criteria you want to use). For example, a child rule to ignore this process when being leveraged by PcaSvc would look something like this:
<rule id="100050" level="3">
<if_sid>92058</if_sid>
<field name="win.eventdata.parentCommandLine" type="pcre2">PcaSvc</field>
<description>Windows Application Compatibility Database maintenance (PcaSvc).</description>
<options>no_email_alert</options>
</rule>
<if_sid>92058</if_sid>
<field name="win.eventdata.parentCommandLine" type="pcre2">PcaSvc</field>
<description>Windows Application Compatibility Database maintenance (PcaSvc).</description>
<options>no_email_alert</options>
</rule>
The rule above will trigger if the original rule 92058 triggers, and if the parent service is PcaSvc, it will ignore it, but if there's any other service leveraging it, it will still trigger the alert. Further details on how to use and create custom rules can be found at Wazuh Custom Rules
Hope you find this information useful!
Best regards,
Carlos
EugenX
Feb 5, 2026, 6:47:15 AMFeb 5
to Wazuh | Mailing List
Thank you Carlos, for you support, but unfortunately the rule you provided doesn't seem to work. I still receive email alerts...
Wazuh Notification.
2026 Feb 05 12:01:46
2026 Feb 05 12:01:46
Received From: (NEW-PC) any->EventChannel
Rule: 92058 fired (level 12) -> "Application Compatibility Database launched"
User: NT AUTHORITY\SYSTEM
Portion of the log(s):
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-02-05T10:01:54.1214586Z","eventRecordID":"475400","processID":"4860","threadID":"7084","channel":"Microsoft-Windows-Sysmon/Operational","computer":"NEW-PC.ga.intranet","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2026-02-05 10:01:54.117\r\nProcessGuid: {f0f0f557-6a92-6984-aa1e-000000001400}\r\nProcessId: 3280\r\nImage: C:\\Windows\\System32\\sdbinst.exe\r\nFileVersion: 10.0.26100.7705 (WinBuild.160101.0800)\r\nDescription: Application Compatibility Database Installer\r\nProduct: MicrosoftÂŽ WindowsÂŽ Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: sdbinst.exe\r\nCommandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg\r\nCurrentDirectory: C:\\WINDOWS\\system32\\\r\nUser: NT AUTHORITY\\SYSTEM
\r\nLogonGuid: {f0f0f557-ab30-6981-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA256=7B44604F1C8C89E1AB00AB4953A379B03788B73C66342754CB564A8C4E6E4906\r\nParentProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nParentProcessId: 8876\r\nParentImage: -\r\nParentCommandLine: -\r\nParentUser: -\""},"eventdata":{"utcTime":"2026-02-05 10:01:54.117","processGuid":"{f0f0f557-6a92-6984-aa1e-000000001400}","processId":"3280","image":"C:\\\\Windows\\\\System32\\\\sdbinst.exe","fileVersion":"10.0.26100.7705 (WinBuild.160101.0800)","description":"Application Compatibility Database Installer","product":"MicrosoftÂŽ WindowsÂŽ Operating System","company":"Microsoft Corporation","originalFileName":"sdbinst.exe","commandLine":"C:\\\\WINDOWS\\\\System32\\\\sdbinst.exe -m -bg","currentDirectory":"C:\\\\WINDOWS\\\\system32\\\\","user":"NT AUTHORITY\\\\SYSTEM","logonGuid":"{f0f0f557-ab30-6981-e703-000000000000}","logonId":"0x3e7","terminalSessionI
d":"0","integrityLevel":"System","hashes":"SHA256=7B44604F1C8C89E1AB00AB4953A379B03788B73C66342754CB564A8C4E6E4906","parentProcessGuid":"{00000000-0000-0000-0000-000000000000}","parentProcessId":"8876"}}}
\r\nLogonGuid: {f0f0f557-ab30-6981-e703-000000000000}\r\nLogonId: 0x3E7\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: SHA256=7B44604F1C8C89E1AB00AB4953A379B03788B73C66342754CB564A8C4E6E4906\r\nParentProcessGuid: {00000000-0000-0000-0000-000000000000}\r\nParentProcessId: 8876\r\nParentImage: -\r\nParentCommandLine: -\r\nParentUser: -\""},"eventdata":{"utcTime":"2026-02-05 10:01:54.117","processGuid":"{f0f0f557-6a92-6984-aa1e-000000001400}","processId":"3280","image":"C:\\\\Windows\\\\System32\\\\sdbinst.exe","fileVersion":"10.0.26100.7705 (WinBuild.160101.0800)","description":"Application Compatibility Database Installer","product":"MicrosoftÂŽ WindowsÂŽ Operating System","company":"Microsoft Corporation","originalFileName":"sdbinst.exe","commandLine":"C:\\\\WINDOWS\\\\System32\\\\sdbinst.exe -m -bg","currentDirectory":"C:\\\\WINDOWS\\\\system32\\\\","user":"NT AUTHORITY\\\\SYSTEM","logonGuid":"{f0f0f557-ab30-6981-e703-000000000000}","logonId":"0x3e7","terminalSessionI
d":"0","integrityLevel":"System","hashes":"SHA256=7B44604F1C8C89E1AB00AB4953A379B03788B73C66342754CB564A8C4E6E4906","parentProcessGuid":"{00000000-0000-0000-0000-000000000000}","parentProcessId":"8876"}}}
win.system.providerName: Microsoft-Windows-Sysmon
win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
win.system.eventID: 1
win.system.version: 5
win.system.level: 4
win.system.task: 1
win.system.opcode: 0
win.system.keywords: 0x8000000000000000
win.system.systemTime: 2026-02-05T10:01:54.1214586Z
win.system.eventRecordID: 475400
win.system.processID: 4860
win.system.threadID: 7084
win.system.eventRecordID: 475400
win.system.processID: 4860
win.system.threadID: 7084
win.system.channel: Microsoft-Windows-Sysmon/Operational
win.system.computer: NEW-PC.ga.intranet
win.system.severityValue: INFORMATION
win.system.message: "Process Create:
RuleName: -
UtcTime: 2026-02-05 10:01:54.117
ProcessGuid: {f0f0f557-6a92-6984-aa1e-000000001400}
ProcessId: 3280
ProcessGuid: {f0f0f557-6a92-6984-aa1e-000000001400}
ProcessId: 3280
Image: C:\Windows\System32\sdbinst.exe
FileVersion: 10.0.26100.7705 (WinBuild.160101.0800)
Description: Application Compatibility Database Installer
Product: MicrosoftÂŽ WindowsÂŽ Operating System
Company: Microsoft Corporation
OriginalFileName: sdbinst.exe
CommandLine: C:\WINDOWS\System32\sdbinst.exe -m -bg
CurrentDirectory: C:\WINDOWS\system32\
LogonGuid: {f0f0f557-ab30-6981-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=7B44604F1C8C89E1AB00AB4953A379B03788B73C66342754CB564A8C4E6E4906
ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
ParentProcessId: 8876
ParentImage: -
ParentCommandLine: -
ParentUser: -"
win.eventdata.utcTime: 2026-02-05 10:01:54.117
win.eventdata.processGuid: {f0f0f557-6a92-6984-aa1e-000000001400}
win.eventdata.processId: 3280
ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
ParentProcessId: 8876
ParentImage: -
ParentCommandLine: -
ParentUser: -"
win.eventdata.utcTime: 2026-02-05 10:01:54.117
win.eventdata.processGuid: {f0f0f557-6a92-6984-aa1e-000000001400}
win.eventdata.processId: 3280
win.eventdata.image: C:\\Windows\\System32\\sdbinst.exe
win.eventdata.fileVersion: 10.0.26100.7705 (WinBuild.160101.0800)
win.eventdata.description: Application Compatibility Database Installer
win.eventdata.product: MicrosoftÂŽ WindowsÂŽ Operating System
win.eventdata.company: Microsoft Corporation
win.eventdata.originalFileName: sdbinst.exe
win.eventdata.commandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg
win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\
win.eventdata.user: NT AUTHORITY\\SYSTEM
win.eventdata.logonGuid: {f0f0f557-ab30-6981-e703-000000000000}
win.eventdata.logonId: 0x3e7
win.eventdata.terminalSessionId: 0
win.eventdata.integrityLevel: System
win.eventdata.hashes: SHA256=7B44604F1C8C89E1AB00AB4953A379B03788B73C66342754CB564A8C4E6E4906
win.eventdata.parentProcessGuid: {00000000-0000-0000-0000-000000000000}
win.eventdata.parentProcessId: 8876
--END OF NOTIFICATION
win.eventdata.parentProcessGuid: {00000000-0000-0000-0000-000000000000}
win.eventdata.parentProcessId: 8876
--END OF NOTIFICATION
Reply all
Reply to author
Forward
0 new messages