5051 A file was virtualized
Written when a file is virtualized. It indicates that, via the UAC compatibility feature, a write to a protected folder was redirected to the user’s area.
Overview
The subcategory is Audit File System. It is generated when file virtualization (a compatibility feature where UAC transparently redirects writes to protected folders like Program Files or Windows into a per-user area, the VirtualStore) takes effect. It is the file counterpart to registry virtualization 5039.
How it is triggered
- When an old app that assumes administrator rights tries to write to a protected folder and is virtualized (redirected to the VirtualStore).
Security review points
- It is mostly normal behavior for compatibility, with low security priority. It is usable only to understand which app tried to write to a protected folder.
- Being virtualized means the actual protected folder was not changed. Do not confuse it with real file-access auditing (4663).
Notes for log review
- It occurs in environments using old apps. Its priority as a monitoring target is normally low.
- It is often enough to be aware of the virtualized apps and files.
Key fields
| Field | Meaning |
|---|---|
File Name | The virtualized file |
Process Name | The process that attempted the write |