Version: 1.3.0

Error Code

Enrich Windows

Synopsis

Decodes Windows system error codes into human-readable descriptions.

Schema

- error_code:
    field: <ident>
    target_field: <string>
    code_type: <string>
    add_components: <boolean>
    add_hex: <boolean>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

| Field | Required | Default | Description |
|---|---|---|---|
| field | Y | - | Source field containing error code to decode |
| target_field | N | {field}_decoded | Target field to store decoded error information |
| code_type | N | auto | Error code type (auto, hresult, ntstatus, win32, dos) |
| add_components | N | false | Include detailed component breakdown |
| add_hex | N | false | Include hexadecimal representation |
| description | N | - | Explanatory note |
| if | N | - | Condition to run |
| ignore_failure | N | false | Continue processing if decoding fails |
| ignore_missing | N | false | Skip processing if referenced field doesn't exist |
| on_failure | N | - | See Handling Failures |
| on_success | N | - | See Handling Success |
| tag | N | - | Identifier |

Details

Decodes Windows system error codes including HRESULT, NTSTATUS, Win32, and DOS error codes into structured information with human-readable descriptions. The processor supports both numeric and hexadecimal input formats.

The processor maintains comprehensive databases of error codes for different Windows subsystems. When code_type is set to "auto", it automatically detects the error type based on the numeric value range and bit patterns.

Note: Error code detection uses specific patterns: Win32 errors are typically small positive values, NTSTATUS codes have 0xCxxxxxxx or 0x4xxxxxxx patterns, and HRESULT codes use the 0x8xxxxxxx pattern for failures.

When add_components is enabled, the processor extracts detailed information from structured error codes like HRESULT (severity, facility, error code) and NTSTATUS (severity, customer flag, facility).

Warning: Error code databases are comprehensive but not exhaustive. Unknown error codes will be returned with generic descriptions. Some older or specialized error codes may not have detailed descriptions available.
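
The type detection and bit-field breakdown described above, reproduced in Python. This is an added example, not the processor's own code: the function names and the 16-bit cut-off for Win32 values are assumptions, and descriptions are left out because they require a code database.

```python
# Added example, not the processor's code. Output keys mirror the page's
# sample output; descriptions are omitted because they need a code database.
NT_SEVERITY = ("success", "informational", "warning", "error")

def normalize(value):
    """Accept an int, decimal string (signed or not) or 0x-hex string."""
    s = str(value).strip().lower()
    n = int(s, 16) if s.startswith(("0x", "-0x")) else int(s, 10)
    if not -0x80000000 <= n <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit code: {value!r}")
    return n & 0xFFFFFFFF  # two's complement: -2147024891 -> 0x80070005

def detect_type(code):
    """Heuristic from the page's note; the Win32 cut-off is an assumption."""
    top = code >> 28
    if top in (0xC, 0x4):
        return "ntstatus"
    if top == 0x8:
        # Ambiguous: NTSTATUS warnings such as STATUS_BUFFER_OVERFLOW
        # (0x80000005) also start with 0x8 and land here as "hresult".
        return "hresult"
    return "win32" if code <= 0xFFFF else "unknown"

def components(code, kind):
    """Split the bit fields of a structured code."""
    if kind == "hresult":   # S(31) R(30) C(29) N(28) X(27) facility(26-16) code(15-0)
        failed = bool(code >> 31)
        return {"severity": "failure" if failed else "success",
                "is_failure": failed, "is_customer": bool(code >> 29 & 1),
                "facility": code >> 16 & 0x7FF, "error_code": code & 0xFFFF}
    if kind == "ntstatus":  # Sev(31-30) C(29) N(28) facility(27-16) code(15-0)
        sev = code >> 30
        return {"severity": NT_SEVERITY[sev], "is_error": sev == 3,
                "is_customer": bool(code >> 29 & 1),
                "facility": code >> 16 & 0xFFF, "error_code": code & 0xFFFF}
    return {}               # Win32/DOS codes are flat numbers

def decode(value, code_type="auto", add_components=False, add_hex=False):
    code = normalize(value)
    kind = detect_type(code) if code_type == "auto" else code_type
    out = {"code": code, "type": kind}
    if add_hex:
        out["hex"] = f"0x{code:08X}"
    if add_components:
        out.update(components(code, kind))
    return out

if __name__ == "__main__":
    # Inputs taken from the page's examples
    for raw in ("0x80070005", "-2147024891", 3221225506, "0x800401F0", "1326"):
        print(raw, "->", decode(raw, add_components=True, add_hex=True))
```

Because the 0x8 prefix is shared by HRESULT failures and NTSTATUS warnings, setting code_type explicitly is the safer choice whenever the log source is known.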

Examples

Basic HRESULT Decoding

Decoding Windows HRESULT error code...

{
  "error_code": "0x80070005"
}

- error_code:
    field: error_code
    target_field: error_info
    add_hex: true

provides detailed error information:

{
  "error_code": "0x80070005",
  "error_info": {
    "code": 2147942405,
    "type": "hresult",
    "hex": "0x80070005",
    "description": "E_ACCESSDENIED - Access is denied"
  }
}

NTSTATUS with Components

Extracting NTSTATUS components and description...

{
  "status_code": 3221225506
}

- error_code:
    field: status_code
    code_type: ntstatus
    add_components: true
    target_field: status_details

breaks down NTSTATUS structure:

{
  "status_code": 3221225506,
  "status_details": {
    "code": 3221225506,
    "type": "ntstatus",
    "severity": "error",
    "is_error": true,
    "is_customer": false,
    "facility": 0,
    "error_code": 34,
    "description": "STATUS_OBJECT_NAME_NOT_FOUND - Object name not found"
  }
}

Win32 Error Array Processing

Processing multiple Win32 error codes...

{
  "error_codes": ["2", "5", "1326"]
}

- error_code:
    field: error_codes
    code_type: win32
    add_components: true
    target_field: decoded_errors

decodes each error in the array:

{
  "error_codes": ["2", "5", "1326"],
  "decoded_errors": [
    {
      "code": 2,
      "type": "win32",
      "category": "system",
      "description": "ERROR_FILE_NOT_FOUND - The system cannot find the file specified"
    },
    {
      "code": 5,
      "type": "win32",
      "category": "system",
      "description": "ERROR_ACCESS_DENIED - Access is denied"
    },
    {
      "code": 1326,
      "type": "win32",
      "category": "system",
      "description": "ERROR_LOGON_FAILURE - Logon failure"
    }
  ]
}

Auto-Detection Mode

Using automatic error type detection...

{
  "system_error": "-2147024891"
}

- error_code:
    field: system_error
    code_type: auto
    add_hex: true
    target_field: auto_decoded

automatically detects HRESULT type:

{
  "system_error": "-2147024891",
  "auto_decoded": {
    "code": 2147942405,
    "type": "hresult",
    "hex": "0x80070005",
    "description": "E_ACCESSDENIED - Access is denied"
  }
}

HRESULT Component Analysis

Analyzing HRESULT structure components...

{
  "com_error": "0x800401F0"
}

- error_code:
    field: com_error
    code_type: hresult
    add_components: true
    add_hex: true
    target_field: com_details

provides complete HRESULT breakdown:

{
  "com_error": "0x800401F0",
  "com_details": {
    "code": 2147746288,
    "type": "hresult",
    "hex": "0x800401F0",
    "severity": "failure",
    "is_failure": true,
    "is_customer": false,
    "facility": 4,
    "facility_name": "FACILITY_ITF",
    "error_code": 496,
    "description": "CO_E_NOTINITIALIZED - CoInitialize has not been called"
  }
}

Legacy DOS Error Handling

Processing legacy DOS error codes...

{
  "dos_error": 5
}

- error_code:
    field: dos_error
    code_type: dos
    target_field: dos_description

translates DOS error:

{
  "dos_error": 5,
  "dos_description": {
    "code": 5,
    "type": "dos",
    "description": "Access denied"
  }
}