Powershell event id 400. # The module will process events based on this config.

Powershell event id 400 0\powershell. To access Windows Events, I have identified that a user has several options: 1. No errors or anything else that By default, module and script block logging (event ID’s 410x) are disabled, to enable them you can do so through "Windows Powershell" GPO settings and set "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" to enabled. P. Oct 9, 2006 · 2. Event IDs. Event ID 4104: This event is logged when PowerShell script block logging is enabled and a script block is executed. As a detection mechanism, the “Windows PowerShell” classic event log has event ID 400. Mar 13, 2024 · Hallo zusammen, wir haben hier ein Problem mit der Powershell. Now that you know the causes of the Event ID, let us check out the solutions to fix it. Version Event Id: 400: Source: Microsoft-Windows-TerminalServices-Gateway: Description: The TS Gateway service is shutting down. Within the classic PowerShell log, event ID 400 indicates when a new PowerShell host process has started. This is a malicious event where the code attempts to retrieve instructions from the internet for a phishing attack. Why It Works: Monitoring these events helps identify when attackers use PowerShell Remoting to move laterally within the environment. Email: Name / Alias: Event IDs: PowerShell Version: EID 800 events log one command per event; EID 400 useful for detecting downgrade attacks Filtering out specific event ID’s Get-Event cmdlet 获取当前会话的 PowerShell 事件队列中的事件。 可以获取所有事件或使用 EventIdentifier 或 SourceIdentifier 参数来指定事件。 事件发生时，会将其添加到事件队列。 事件队列包括已注册的事件、使用 New-Event cmdlet 创建的事件，以及 PowerShell 退出时引发的事件。 可以使用 Get-Event 或 Wait-Event 来 Nov 1, 2018 · “Windows PowerShell” Event Log. You signed in with another tab or window. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW). Oct 4, 2023 · Insufficient permissions – If the user running PowerShell does not have sufficient permissions, it can result in Event ID 4103 errors, restricting certain operations. 1 and Server 20 12 and above : o PowerShell version 3 and ð, ^ Windows PowerShell _ log - Event ID [s 400, 500, 501 and 800 This is how a downgrade attack is logged under Event ID 400 in the Windows PowerShell log when using the commands mentioned above: The main takeaway from this section is that while downgrade attacks can be detected, it still creates a visibility gap and you should do everything possible to remove the PowerShell 2. Windows PowerShell. Provider "Variable" is Started. Jan 13, 2023 · I have a group policy which runs a . CMD Command Execution Records Event ID: 4688 Create New Process. Event ID 4103: This event is logged when PowerShell module logging is enabled and a module is loaded or unloaded. BAT as a logon script. L’applet de commande obtient les données des journaux d’événements générés par la technologie journal des événements Oct 21, 2016 · Hello, I've been asked to audit the access to the Windows Event logs themselves this might be more of a Windows Server question, but still Splunk relevant. I could make it work by passing the OuterXML of the event as a param to PowerShell but I just can't understand why this doesn't work! The PowerShell is simple:- Dec 16, 2022 · PowerShell downgrade attacks can be detected through the classic PowerShell event log (event ID 400) as described here by Lee Holmes, a senior member of the PowerShell product group. By default, module and script block logging (event ID’s 410x) are disabled, to enable them you can do so through "Windows Powershell" GPO settings and set "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" to enabled. Dec 8, 2023 · By default, Windows PowerShell engine and provider events are recorded in the event log, but you can use the event log preference variables to customize the event log. These logs only go back as far as the previous startup, so I can't go back that far and I only discovered these logs a few days ago. winlog. In this article, we’ll look at how to write logs to the Windows Event Viewer from a PowerShell script or the command prompt. Feb 23, 2025 · Event ID: xxxx PowerShell File Download Record. The . The Graylog message above indicates that we may have Powershell Empire running our environment. Verwenden Sie zum Abrufen von Protokollen von Remotecomputern den Parameter ComputerName. This event indicates the start of a PowerShell activity, whether local or remote. We can use the "Host ID" field. Das Cmdlet ruft Ereignisse ab, die Sep 8, 2020 · Currently PowerShell v5 still logs both 800 and 4103 event codes when Module Logging is turned on, in v7 this no longer happens so we'll need better logging with existing 4103 event codes. The Get-EventLog cmdlet gets events and event logs from local and remote computers. On Powershell(admin), copy, paste, and enter each command below: Dec 1, 2018 · PowerShell其实已经被广泛运用于不同规模的攻击活动，可以预见再未来几年仍是攻击热点技术。PowerShell事件日志作为企业受到攻击时进行监测预警的重要数据支持必须充分发挥作用，建议企业用户保持PowerShell事件查看器处于最新版本，并启用ScriptBlock日志等功能来加强防御。 Aug 5, 2019 · Relatively new to the windows side of things, and have a question about powershell logs. exe EngineVersion=4. When the DSC script resource executes, it generates a unique event log entry that can be easily signatured. This is one of the questions where reading the information Hi I started having issues with my laptop a few days ago and when I started investigating the issue I found about the errors in Kernel-PnP ID 400, 410 and 440. This is an Engine Lifecycle event and includes the engine version. The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs. Thanks! Jan 15, 2013 · Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers; Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand Aug 18, 2024 · 场景 1（问题 1）：服务器管理员向管理层提出了大量关于 PowerShell 在环境中被阻止的投诉。管理层最终批准在环境中使用 PowerShell。查看哪些日志、监控哪些事件 ID 等。 1. . Windows PowerShell 會建立名為 Windows PowerShell 的 Windows 事件記錄檔，以記錄 Windows PowerShell 事件。 您可以在 事件檢視器 中檢視此記錄，或使用取得事件的 Cmdlet，例如 'Get-EventLog' Cmdlet。 根據預設，Windows PowerShell 引擎和提供者事件會記錄在事件記錄檔中，但您可以使用事件記錄檔喜好設定變數來自定義 Oct 21, 2023 · Severity=Warning SequenceNumber=13 HostName=ConsoleHost HostVersion=5. Now, let me show you how to query specific event logs using PowerShell. Here’s an example: Engine state is changed from None to Available. El cmdlet obtiene eventos que coinciden con los valores de Mar 9, 2023 · 騷擾是任何意圖打擾或煩擾個人或群體的行為。 威脅包括任何暴力威脅，或是對另一個威脅造成傷害 Das Cmdlet Get-EventLog ruft Ereignisse und Ereignisprotokolle von lokalen und Remotecomputern ab. Wir konnten das Problem soweit eingrenzen das wir mittlerweile wissen was dieses El cmdlet Get-EventLog obtiene eventos y registros de eventos de equipos locales y remotos. 0 engine. event_logs: - name: Micro Event Id: 403: Source: Microsoft-Windows-DNS-Server-Service: Description: The DNS server could not create a Transmission Control Protocol (TCP) socket. NewProviderState=Started. When working with Event IDs it can be important to specify the source in addition to the ID, the same number can have different meanings in different logs from different source Dec 5, 2017 · The Powershell Empire command that was run in Powershell; The source aka the machine the log was generated from; A timestamp of when the event occurred; Provided a Windows Event ID(EID) which is 400; Uncover: New patterns and TTPs. The local computer may not have the necessary Oct 11, 2023 · I'm really scared because the event says: "powershell. PreviousEngineState=Available. Details: ProviderName=Certificate. The cmdlet gets events that match the specified property values. Feb 27, 2019 · Each time PowerShell executes a single command, whether it is a local or remote session, the following event logs (identified by event ID, i. 0 HostId=5f2b609e-c195-4914-b7bb-09f492cb0056 HostApplication=C:\Windows\System32\WindowsPowerShell\v1. Details: NewEngineState=Stopped. L’applet de commande obtient les données des journaux d’événements générés par la technologie journal des événements Event ID 400 & Event ID 200 CONTACT INFORMATION First Name: Dennis Ng, Email: "*** 為保護隱私權已移除電子郵件地址 ***" QUESTIONS OR COMMENTS Message: My system is being much slower than before, and I find the below information, please help to fix it ASAP. This will collect information about the scripts and modules that are being executed. Furthermore, EID 400 may indicate the start time and EID 403 Jun 30, 2017 · Display only events with a specific ID. SequenceNumber=11. User PowerShell Cmdlt Get-EventLog 3. Only an Email address is required for returning users. De forma predeterminada, Get-EventLog obtiene registros del equipo local. To write information to the Windows event logs, use the Write-EventLog cmdlet. HostApplication=powershell (Get-AppxPackage ASUSAmbientHal64). BAT copies a . One of the most, if not the most, abused cmdlets built into PowerShell is Invoke Add a new Winlogbeat module to collect logs from PowerShell. Click Start, click All Programs, click Accessories, right-click Command Prompt, and select Run as Administrator. Example 9: Get log information from event object properties. Warning PowerShell ID 300 - Device not ready occurs at every start or starting W. This Cette applet de commande est disponible uniquement sur la plateforme Windows. 2428 HostId=89612446-8e92-4cc4-9a82-79dd3db631d4 HostApplication=powershell. Mar 11, 2023 · Answer Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem. You can use the Get-EventLog parameters and property values to search for events. o PowerShell v ersion 2 thru ð, ^Windows PowerShell _ log – Event ID [s 400, 500, 501 and 800 Windows 8. Below is a screenshot for 400. exe or pwsh. Nur für eine Lösung hat es noch nicht gereicht. To get logs from remote computers, use the ComputerName parameter. - <Event Mar 13, 2024 · yu gu1 您好，欢迎您咨询微软社区. Click Continue or supply Administrator credentials if prompted. The policy also sets the local Execution UserPolicy to RemoteSigned. For example, Microsoft provides a list of nearly 400 event Apr 3, 2022 · Event ID: 400. The other 6 times, catagory "Provider Lifecycle" with Event ID 600. Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Event ID: 420. What is the Task Category for Event ID 800?. Here is an example query to find lower versions of the PowerShell engine being loaded: Jul 16, 2014 · Windows PowerShell event log entries indicating the start and stop of PowerShell activity: Event ID 400 (“Engine state is changed from None to Available”), upon the start of any local or remote PowerShell activity. Mar 17, 2017 · You have several options to detect and prevent PowerShell Downgrade Attacks. exe. To be supplemented. By default, Get-WinEvent returns Event ID 4103 - Powershell Module Loaded. Aug 17, 2023 · To get the corresponding start event (400), you have to find the closest one (by comparing CreateTime property) Sometimes these are created exactly at the same time; To get stop event (403), you need HostId property which is the same as for the start event (400) The PowerShell start event (400) is sometimes not logged at all for some reason Feb 24, 2023 · One time the task catagory was "Engine Lifecycle" with Event ID 400. HostId=7d6d577e-5f9d-4668-b61a-ea83af51733d. This is the “Engine Lifecycle” event, and includes the Engine Version. PowerShell cmdlets that contain the Mar 26, 2020 · また、個々のコンピューターで確認するのであれば、ダウングレードしたバージョンでコマンドレットを実行すると、イベントビューアのWindows PowerShellログにイベントID 400が記録され、その中で実行したコマンドレットが確認できます。 Dec 24, 2024 · Query Specific Event Logs using PowerShell. Pipeline execution details for command line: Write-Host Test. Jan 3, 2011 · Original title: Event Viewer Event viewer showed over 600 powershell events Id600(marked provider lifecycle) with a few id400z(engine lifecycle) thrown in from3:51 pm 1-1-11 to 8:08pm 1-2-11 is that May 17, 2022 · For example, an event ID of 4104 relates to a PowerShell execution, which might not appear suspicious. You signed out in another tab or window. Puede usar los parámetros Get-EventLog y los valores de propiedad para buscar eventos. Process ID allows you to link this event to the corresponding event 592 (process start of the parent process) but there is little need since this event gives you the program name (image) and the user under which the process was running (primary user fields). Event IDs are unique identifiers for specific types of events. Event Log. Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=50 UserId=DOMAIN\username HostName=ConsoleHost HostVersion=4. The Get-Event cmdlet gets events in the PowerShell event queue for the current session. Event ID 403: PowerShell engine stop event. Use Event Viewer 2. 0 RunspaceId=77d31d66-4314-43f4-bf5a-caa6757c2130 PipelineId=8 Mar 15, 2017 · In this article, we will focus on EventIDs related to PowerShell Remoting. 1 and Server 20 12 and above : o PowerShell version 3 and ð, ^ Windows PowerShell _ log - Event ID [s 400, 500, 501 and 800 Cette applet de commande est disponible uniquement sur la plateforme Windows. In the next example, the command displays all events with ID 1020 from the System log: May 3, 2020 · Format-Table displays the Id and Description of the event objects. 了解到您的疑问，事件ID为4104通常表示PowerShell脚本执行期间发生了错误。从日志详情中看，这个事件似乎是在执行一个名为Get-StorageSubSystem的函数时发生的，这个函数可能是由某个脚本或程序调用的。 To prevent downgrade attacks, threat hunters should check for event ID 400 or 4688, each of which indicate the start of PowerShell activity, whether local or remote. The Name and GUID attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. Restart the DNS server or reboot the computer. Run system file checker. To diagnose possible causes for this problem, verify whether the following services are installed and started: (1) World Wide Web Publishing Service (2) Internet Authentication Service (IAS) (3) RPC/HTTP Load Balancing Service. 4103: Script Block Logging 400: Engine Lifecycle 403: Engine Lifecycle 4103 Sep 21, 2020 · This Warning is coming from PowerShell telling you the Certificate provider failed to load. 22621. May 15, 2024 · The details of the event are as follows: Engine state is changed from Available to Stopped. # The module will process events based on this config. Mar 16, 2015 · I have a - rather complex - PowerShell script running on a Windows Server 2008 R2. Since the initial problem started several unusual behaviors started to happen on my laptop and I am now suspicious that they are related. You can filter logs by event ID to find particular events. S 5. info Dec 8, 2023 · Windows PowerShell creates a Windows event log that's named "Windows PowerShell" to record Windows PowerShell events. A: Execute a Remote Command. exe high CPU load im Bereich Apps im Windows Info bei einer Lösung; Hallo zusammen,wir haben hier ein Problem mit der Powershell. HostApplication=C:\Windows\System32\WindowsPowerShell\v1. 根据实验原理,PowerShell Downgrade Attacks这个攻击的事件ID为400 Sep 6, 2022 · Windows' PowerShell event logs provide insight into script execution throughout the life of a malicious script. HostVersion=5. PS1 from the server to the local workstation, then executes it. This example shows how to get information about a log's contents using event object properties. Ope Dec 26, 2023 · Hi, thank you so much for replying, you are correct, there is no file inside and as per checking and analyzing the event files you have, there are general errors on the event files, moreover kindly follow the steps below for us to fix the issue: Method 1. Is this normal in an AD environment with 50ish users? Nov 3, 2021 · Hello, When I check the Application and Services Logs &gt; Microsoft &gt; Windows &gt;Powershell &gt; Operational I tnoticed every hour I have a group of 70 events 4104 starting by this one: &quot; Creating Scriptblock text (1 of 1): requires… Feb 10, 2025 · Updated Date: 2025-02-10 ID: d6f2b006-0041-11ec-8885-acde48001122 Author: Michael Haag, Splunk Type: Hunting Product: Splunk Enterprise Security Description The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). PowerShell has a "provider" built into Windows that connects cert: to the certificate stores on your computer so you can manipulate certificates in PowerShell Event ID 4688: Windows PowerShell Logs (Security log): Logs when a new process is created, including PowerShell. In dem Powershell EventViewer ist folgender… Nov 30, 2018 · 事件ID 400：引擎状态从无更改为可用，记录任何本地或远程PowerShell活动的开始； 事件ID 600：记录类似“WSMan”等提供程序在系统上进行PowerShell处理活动的开始，比如”Provider WSMan Is Started“； 事件ID 403：引擎状态从可用状态更改为停止，记录PowerShell活动结束。 May 17, 2017 · PowerShell downgrade attacks can be detected through the classic PowerShell event log (event ID 400) as described here by Lee Holmes, senior member of the PowerShell product group. SequenceNumber=15. Q: Analyze the Windows PowerShell log. To display only events matching a specific ID, you need to provide another key/value pair with ID as the key and the specified ID as the value. You can view this log in Event Viewer or by using cmdlets that get events, such as the Get-EventLog cmdlet. HostId=61bf9dba-7118-4245-8076-e6399876c9b7. In the last 10 minutes since I have cleared them, seeing over 100 new entries, mostly event 600, 400, and 403, as things are started, or the service changes states back and forth. Sep 21, 2020 · winlogbeat. You may also be wondering how we can correlate an Event ID 400 with an Event ID 4103. See 528/540 for explanation of Logon ID. 1320. For example, you can add events about Windows PowerShell commands. Proposed technical implementation details (optional) Add param1 from "Windows PowerShell" event_id 800 into the operational 4103 event logs. Apr 2, 2023 · Event ID 800: This event is logged when a PowerShell command is executed remotely using PowerShell remoting. Sep 27, 2023 · Every single startup of my Windows 10 Pro 22H2 PC, there are a ton of Warning and Verbose-level Event 4104 logs in Applications and Information > Windows > PowerShell > Operational in Event Viewer. The event is marked with "Engine state is Device Key in Log Message LogRhythm Schema Data Type Schema Description; Provider Name: N/A: N/A: Identifies the provider that logged the event. Use Case - Abnormal Command Line Length. Mar 9, 2023 · The script executed in the temp folder with an id 4104 event, and there is one difference that the second script doesn't have ms copyright while others have, and I couldn't find it elsewhere. e. Hi ,could be a few things ,i think event 600 is remote Mar 3, 2025 · Alternatively to using text log files in scripts, you can write event information directly to the Event Viewer logs. HostName=ConsoleHost. Turn on PowerShell Transcription: Enabled. You switched accounts on another tab or window. When executing the script in the ISE or also in the console, everything runs fine. Reload to refresh your session. Sie können die Get-EventLog Parameter und Eigenschaftswerte verwenden, um nach Ereignissen zu suchen. You can get all events or use the EventIdentifier or SourceIdentifier parameter to specify the events. L’applet Get-WinEvent de commande obtient des événements à partir des journaux d’événements, y compris les journaux classiques, tels que les journaux système et application . Filtering by Event ID. event_logs: name: ForwardedEvents tags: [forwarded] processors: script: when. 1. Event objects are stored in a variable and then grouped and counted by Event Id and Level. there is 1 Event ID 800 event (between the last 'Engine changed from None to Available' and the first 'Available to Stopped' messages), that says: Oct 25, 2024 · Event ID 400: PowerShell engine startup event. Event ID 4688 is not enabled by default in Windows and needs to be manually enabled in advance. 19041. It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. Dec 10, 2019 · EID 400和EID 403事件的消息详细信息包括HostName字段。如果在本地执行，则此字段将记录为HostName = ConsoleHost。如果正在使用PowerShell远程处理，则访问的系统将使用HostName = ServerRemoteHost记录这些事件。 Running the System File Checker … 1. Jun 17, 2021 · The event itself triggers the PowerShell but the PowerShell cannot find the event that spawned it! I have tried Start-Sleep just in case there was some kind of propagation issue but no joy. 2506. Using the PowerShell cmdlet ‘Get-WinEvent’ to detect any downgrades, makes it easy peasy… Get-Event コマンドレットは、現在のセッションの PowerShell イベント キュー内のイベントを取得します。 すべてのイベントを取得するか、EventIdentifier または sourceIdentifier パラメーター 使用してイベントを指定できます。 イベントが発生すると、イベント キューに追加されます。 イベント キュー このコマンドレットは、Windows プラットフォームでのみ使用できます。 Get-WinEvent コマンドレットは、SystemApplication ログなどのクラシック ログを含むイベント ログからイベントを取得します。 このコマンドレットは、Windows Vista で導入された Windows イベント ログ テクノロジによって生成された Adversaries abuse the Windows automation and configuration management framework to execute commands, evade defenses, and more. Event ID: 400. Details: ProviderName=Variable. Wir konnten das Problem soweit eingrenzen das wir mittlerweile wissen was dieses verursacht. Should I see any other Event ID besides 4103 in Event Viewer with… Oct 1, 2023 · Task 2, Question 4. The event ID 4104 refers to the execution of a remote PowerShell command. May 28, 2024 · I have enabled the GPO (Turn on PowerShell Transcription): Computer Configuration-Administrative Templates-Windows Components-Windows PowerShell. For example, to find events with ID 1000 in the Application log, you can use the This cmdlet is only available on the Windows platform. PowerShell's Event ID 400 will detail when the EngineState has started. PowerShell's Event ID 800 should also be monitored. Is it normal to have this log given the scenario? I'm still trying to find the trigger. The event queue includes events for which you have registered, events created by using the New-Event cmdlet, and the event that is raised when Jul 16, 2018 · Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Use these Event IDs in Windows Event Viewer to filter for specific events. Apr 3, 2022 · Event ID:400. All events logged by PowerShell take the form of: Event Type: Information Event Source: PowerShell Event Category: (4) Event ID: 400 Date: 10/10/2006 Time: 3:40:51 PM User: N/A Computer: METAPHYSICAL Description: The description for Event ID ( 400 ) in Source ( PowerShell ) cannot be found. , EID) are generated: EID 400: The engine status is changed from None to Available. exe -NoExit -Command Help Set-ExecutionPolicy May 17, 2022 · If you look at the details for the event, you can see the PowerShell code to determine its intent. Look for processes with powershell. I was able to search for bccfa255-ac85-4974-b070-72c46825f804 from the 400 below. When an event occurs, it is added to the event queue. Monitor Process Creation with Command Line Auditing (Event ID 4688) Jan 1, 2021 · Over the years, to combat this trend, the PowerShell team at Microsoft have introduced telemetry such as script block, module and transcript logging, within PowerShell to aid defenders in identifying post exploitation activities conducted with PowerShell. In this edition of #techtalktuesday we explor. Device ROOT\NET\0000 was deleted. Para obtener registros de equipos remotos, use el parámetro ComputerName. Standardmäßig ruft Get-EventLog Protokolle vom lokalen Computer ab. channel: Security l… This page shows how to enable modules for security and sysmon but nothing for powershell. 1. exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -" it says that on every single one of these events. Dec 20, 2021 · Hi, Could you please format the post using code tags. equals. winlogbeat. Log File Name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager%4Operational. exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data> Mar 13, 2024 · Diskutiere und helfe bei Event ID 600 400 403 - powershell. Aug 11, 2020 · (Solved) Task Scheduler launches a powershell job (no one is logged in, the task has a saved user) that then launches a CMD file from Powershell via Start-Process and that command file successfully 此 Cmdlet 僅適用於 Windows 平臺。 Cmdlet Get-WinEvent 會從事件記錄檔取得事件，包括傳統記錄檔，例如 System 和 Application 記錄。 Cmdlet 會從 Windows Vista 中引進的事件記錄技術所產生的事件記錄檔取得數據，以及 Windows 事件追蹤所產生的 記錄檔事件 （ETW） 中的事件。 根據預設， Get-WinEvent 依最新到最舊的 Feb 9, 2023 · HI. All logon/logoff events include a Logon Type code, to give the precise type of logon or logoff. By default, Get-EventLog gets logs from the local computer. See full list on robwillis. It will be easier to read. evtx. 2. xcbavp hwqb cnoyqxdu qgqh xara vhxwpqkg tkq jpitfp bgvgt jyrn etjh uiau kksg gxu qpwxw