detection.wiki

Application Hang

1 events across 1 channel

EventTitleChannelSample
1002The program Widgets.ApplicationY

Event ID 1002: The program Widgets.

#
Provider
Application Hang
Channel
Application
Level
Error
Collection Priority
Recommended (Microsoft-WEF, others)
Task
HangingEvents

Description

The program version stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Message #

The program %1 version %2 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Fields #

NameDescription
AppName UnicodeString
AppVersion AnsiString
ProcessId HexInt32
StartTime HexInt64
TerminationTime UInt32
ExeFileName UnicodeString
ReportId UnicodeString
PackageFullName UnicodeString
PackageRelativeAppId UnicodeString
HangType AnsiString

Example Event #

{
  "system": {
    "provider": "Application Hang",
    "guid": "C631C3DC-C676-59E4-2DB3-5C0AF00F9675",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:54:51.317638+00:00",
    "event_record_id": 1421,
    "correlation": {},
    "execution": {
      "process_id": 5556,
      "thread_id": 2660
    },
    "channel": "Application",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "AppName": "Widgets.exe",
    "AppVersion": "421.20070.1820.0",
    "ProcessId": 6304,
    "StartTime": 133427479671228897,
    "TerminationTime": 4294967295,
    "ExeFileName": "C:\\Program Files\\WindowsApps\\MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy\\Dashboard\\Widgets.exe",
    "ReportId": "370b2f4d-7ae9-405d-8247-82bfb244169e",
    "PackageFullName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_x64__cw5n1h2txyewy",
    "PackageRelativeAppId": "Widgets",
    "HangType": "Quiesce"
  },
  "message": "The program Widgets.exe version 421.20070.1820.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.\n"
}

Community Notes #

Application hang, may occur if a TA tool fails to execute as expected.

References #

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID c631c3dc-c676-59e4-2db3-5c0af00f9675

Defined in wersvc.dll, which carries the event manifest.

Observed on:

  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02