KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
System : Windows NT SERVER-PC 10.0 build 26200 (Windows 11) AMD64
User : ServerPC ( 0)
PHP Version : 8.2.12
Disable Function : NONE
Directory :  C:/Windows/diagnostics/system/Apps/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : C:/Windows/diagnostics/system/Apps/VF_WSReset.ps1
# Copyright © 2017, Microsoft Corporation. All rights reserved.
# :: ======================================================= ::

PARAM($DateProblemDetected)

#====================================================================================
# Initialize
#====================================================================================
$APP_DELETE_EVENT_ID = 41
$APP_CREATE_EVENT_ID = 39
$APP_STATUS_EVENT_ID = 70
$PACKAGE_STATUS_MASK_BAD = @{0x00000001 = "LICENSE_ISSUE"; 0x00000002 = "MODIFIED_PACKAGE"; 0x00000100 = "MODIFIED_STATE"; 0x00000200 = "MODIFIED_DATA"; 0x00000004 = "TAMPERED"}

function Get-AppContainerEvents([System.DateTime]$StartDate)
{ 
    return Get-WinEvent -FilterHashtable @{logname='Microsoft-Windows-AppModel-Runtime/Admin';id=$APP_DELETE_EVENT_ID,$APP_CREATE_EVENT_ID,$APP_STATUS_EVENT_ID;StartTime=$StartDate} -ErrorAction SilentlyContinue
}

function Get-UniqueAppNames($Events)
{
    $faultyApps = New-Object System.Collections.ArrayList

    if ($Events.Count -gt 0)
    {
        $i = 0
        foreach ($event in $Events)
        {
            $i++
            if ($event.Message -match ".*[ ](.*?)[.](.*?)_")
            {
                $faultyApps += "$($Matches[2])"
            }
        }
    }

    $faultyApps = $faultyApps | Select -Unique
    $faultyApps
}

function Get-AppResetComplete($Events, $AppName)
{
    $AppDeleteEvent = $Events | Where-Object {$_.message.contains("$AppName") -eq $true -and $_.id -eq $APP_DELETE_EVENT_ID}
    $AppCreateEvent = $Events | Where-Object {$_.message.contains("$AppName") -eq $true -and $_.id -eq $APP_CREATE_EVENT_ID}
    $AppStatusEvent = $Events | Where-Object {$_.message.contains("$AppName") -eq $true -and $_.id -eq $APP_STATUS_EVENT_ID} | Sort-Object TimeCreated -Descending | Select-Object -first 1
    
    # Compare current package status against bitmask
    $IsPackageDamaged = ($PACKAGE_STATUS_MASK_BAD.Keys | where { $_ -band $AppStatusEvent.Properties[2].value}).Count -gt 0

    return ($AppDeleteEvent -ne $null -and $AppCreateEvent -ne $null -and $IsPackageDamaged -eq $false)
}

#====================================================================================
# Main
#====================================================================================

$AppContainerEvents = Get-AppContainerEvents -StartDate $DateProblemDetected
$UniqueAppNames = Get-UniqueAppNames $AppContainerEvents

$AppRepairComplete = $false

foreach ($AppName in $UniqueAppNames)
{
    $AppRepairStatus = Get-AppResetComplete $AppContainerEvents $AppName
    if ($AppRepairStatus -eq $true)
    {
        $AppRepairComplete = $true
        break
    }
}

Update-DiagRootCause -Id 'RC_WSReset' -Detected (-not $AppRepairComplete)

Anon7 - 2021