# Microsoft-Antimalware-Engine

110 events across 1 channel

## Event ID 1: Start of engine scan request

## Event ID 2: End of engine scan request

## Event ID 3: Message

### Fields

| Name | Type | Description |
|---|---|---|
| Message | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.152+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 13108
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Message": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\fabb9e10f6808e7fbef2496dc4f4b9a2\\Microsoft.WSMan.Management.ni.dll : CI bit is set, but level is too low. Level: 2"
  },
  "message": "GenericMessageTask"
}
```
## Event ID 4: Versions

### Fields

| Name | Type | Description |
|---|---|---|
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:18:28.322+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4712,
      "thread_id": 16152
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AS Version": "1.451.223.0",
    "AV Version": "1.451.223.0",
    "Engine Version": "1.1.26040.8"
  },
  "message": "VersionTask"
}
```
## Event ID 5: Start of stream scan request

### Description

Start of stream scan request.

### Message

### Fields

| Name | Type | Description |
|---|---|---|
| Id | UInt32 | |
| Path | UnicodeString | |
| Process | UnicodeString | |
| Reason | UInt32 | |
| ThreadTime | FILETIME | |
| PID | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 5,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 1,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.988+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{C3AAE106-E766-4DFA-9E19-A815726CDA4D}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Id": 477820198,
    "PID": 11608,
    "Path": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "Process": "\\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Reason": 2,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "StreamScanRequestTask"
}
```
## Event ID 6: End of stream scan request

### Description

End of stream scan request.

### Message

### Fields

| Name | Type | Description |
|---|---|---|
| Id | UInt32 | |
| Path | UnicodeString | |
| Process | UnicodeString | |
| Reason | UInt32 | |
| ThreadTime | FILETIME | |
| PID | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 6,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 2,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.991+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{C3AAE106-E766-4DFA-9E19-A815726CDA4D}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Id": 477820198,
    "PID": 11608,
    "Path": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "Process": "\\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Reason": 2,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "StreamScanRequestTask"
}
```
## Event ID 7: Skipped file

### Description

Skipped file.

### Message

### Fields

| Name | Type | Description |
|---|---|---|
| Path | UnicodeString | |
| Reason | AnsiString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 7,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.580+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{7D77A037-82FB-4E65-B66C-86F3AA5440F9}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Path": "\\Device\\HarddiskVolume4\\Windows\\System32\\en-US\\logman.exe.mui",
    "Reason": "Log skip"
  },
  "message": "SkippedFileTask"
}
```
## Event ID 8: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| GUID | GUID | |
| Type | UInt32 | |
| Name | UnicodeString | |
| SignatureId | HexInt64 | |
| ImagePath | UnicodeString | |

## Event ID 9: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| PPID | UInt32 | |
| ImagePath | UnicodeString | |
| Flags | HexInt32 | |

## Event ID 11: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| ImagePath | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 13,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.924+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ImagePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\win32u.dll",
    "PID": 14912
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 12: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| ImageName | UnicodeString | |
| FileName | UnicodeString | |

## Event ID 15: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FileName | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 17,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:00:01.310+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 5168
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\LogFiles\\WMI\\RtBackup\\EtwRTAdmin_PS_Provider.etl",
    "PID": 4
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 16: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FileName | UnicodeString | |
| OldFileName | UnicodeString | |

## Event ID 20: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| KeyPath | UnicodeString | |
| ValueName | UnicodeString | |

## Event ID 21: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| KeyPath | UnicodeString | |
| ValueName | UnicodeString | |

## Event ID 26: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 26,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 28,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.178+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PID": 15580
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 28: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| RecordType | UInt32 | |
| ImagePath | UnicodeString | |
| Path | UnicodeString | |

## Event ID 29: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| TPID | UInt32 | |
| TTID | UInt32 | |
| ImageName | UnicodeString | |

## Event ID 30: UfsScanFileTask

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| ThreadTime | FILETIME | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 30,
    "version": 2,
    "level": 4,
    "task": 17,
    "opcode": 1,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:23.756+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EngineId": "0x7FFCAC8D0000",
    "FilePath": "C:\\Windows\\System32\\csrss.exe",
    "ThreadTime": "1601-01-01 00:00:13.781Z"
  },
  "message": "UfsScanFileTask"
}
```
## Event ID 31: UfsScanFileTask

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| ThreadTime | FILETIME | |
| StartQPC | UInt64 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 31,
    "version": 3,
    "level": 4,
    "task": 17,
    "opcode": 2,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:23.759+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2B9B7F01-B456-4101-B35E-FBBF789E6ADF}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EngineId": "0x7FFCAC8D0000",
    "FilePath": "C:\\Windows\\System32\\csrss.exe",
    "StartQPC": 1166334107702,
    "ThreadTime": "1601-01-01 00:00:13.781Z"
  },
  "message": "UfsScanFileTask"
}
```
## Event ID 32: UfsScanProcTaskStart_V2

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| PID | UInt32 | |
| ThreadTime | FILETIME | |

## Event ID 33: UfsScanProcTaskStop_V3

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| PID | UInt32 | |
| ThreadTime | FILETIME | |
| StartQPC | UInt64 | |

## Event ID 35: Cache

### Fields

| Name | Type | Description |
|---|---|---|
| ScanSource | UInt32 | |
| EventType | UInt32 | |
| Classification | UInt32 | |
| Info | UnicodeString | |
| FileName | UnicodeString | |
| FileID | UInt32 | |
| FileUSN | UInt32 | |
| Result | HexInt32 | |

## Event ID 36: Cache

### Fields

| Name | Type | Description |
|---|---|---|
| ScanSource | UInt32 | |
| EventType | UInt32 | |
| Classification | UInt32 | |
| Info | UnicodeString | |
| FileName | UnicodeString | |
| FileID | UInt32 | |
| FileUSN | UInt32 | |
| Result | HexInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 36,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 35,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.923+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Classification": 1,
    "EventType": 56,
    "FileID": 62386,
    "FileName": "C:\\Windows\\System32\\psapi.dll",
    "FileUSN": 44610216,
    "Info": "",
    "Result": "01800000",
    "ScanSource": 0
  },
  "message": "CacheTask"
}
```
## Event ID 37: Cache

### Fields

| Name | Type | Description |
|---|---|---|
| ScanSource | UInt32 | |
| EventType | UInt32 | |
| Classification | UInt32 | |
| Info | UnicodeString | |
| FileName | UnicodeString | |
| FileID | UInt32 | |
| FileUSN | UInt32 | |
| Result | HexInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 37,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 36,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.991+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6DA7C55-BDD5-43E2-923E-C2831F5534D0}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Classification": 1,
    "EventType": 31,
    "FileID": 174812,
    "FileName": "C:\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "FileUSN": 153465104,
    "Info": "",
    "Result": "00000000",
    "ScanSource": 0
  },
  "message": "CacheTask"
}
```
## Event ID 38: Cache

### Fields

| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | |
| CacheName | UnicodeString | |
| Result | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 38,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 38,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.151+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 13108
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CacheName": "USN Cache",
    "FileName": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\fabb9e10f6808e7fbef2496dc4f4b9a2\\Microsoft.WSMan.Management.ni.dll",
    "Result": "MISS"
  },
  "message": "CacheTask"
}
```
## Event ID 39: Cache

### Fields

| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | |
| CacheName | UnicodeString | |
| Result | UnicodeString | |

## Event ID 40: PersistedStoreTaskPersistedStoreAction

### Fields

| Name | Type | Description |
|---|---|---|
| action | UnicodeString | |
| key | UInt64 | |
| filename | UnicodeString | |
| result | UInt32 | |

## Event ID 41: PersistedStoreTaskPersistedStoreMaintenance

### Fields

| Name | Type | Description |
|---|---|---|
| utilization | UInt32 | |
| result | UInt32 | |

## Event ID 42: PersistedStoreTaskPersistedStoreAnalyzeFile

### Fields

| Name | Type | Description |
|---|---|---|
| key | UInt64 | |
| filename | UnicodeString | |
| parentKey | UInt64 | |
| result | UInt32 | |

## Event ID 43: ExpensiveOperationTask

### Fields

| Name | Type | Description |
|---|---|---|
| Message | UnicodeString | |
| Name | UnicodeString | |
| Data | UInt64 | |
| StartStop | Boolean | |
| ThreadTime | FILETIME | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 43,
    "version": 1,
    "level": 4,
    "task": 9,
    "opcode": 43,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.990+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6DA7C55-BDD5-43E2-923E-C2831F5534D0}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": 60,
    "Message": "GetHashes",
    "Name": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "StartStop": true,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "ExpensiveOperationTask"
}
```
## Event ID 44: MetaStoreTask

### Fields

| Name | Type | Description |
|---|---|---|
| action | UnicodeString | |
| vault | UInt32 | |
| key | UInt64 | |
| result | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 44,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 44,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.921+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "action": "exists",
    "key": 1312170257355239075,
    "result": 0,
    "vault": 7
  },
  "message": "MetaStoreTask"
}
```
## Event ID 45: MetaStoreTaskMetaStoreMaintenance

### Fields

| Name | Type | Description |
|---|---|---|
| vault | UInt32 | |
| records | UInt64 | |
| result | UInt32 | |

## Event ID 53: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| TargetPID | UInt32 | |
| AccessMask | UInt32 | Access mask reference |
| WasHardened | Boolean | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 53,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 53,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.947+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AccessMask": 2097151,
    "PID": 15704,
    "TargetPID": 14692,
    "WasHardened": false
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 59: Message

### Fields

| Name | Type | Description |
|---|---|---|
| VName | AnsiString | |
| SigSeq | HexInt64 | |
| SigSha | AnsiString | |
| Result | Int8 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 59,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.030+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Result": 0,
    "SigSeq": "E24B7913B31F0100",
    "SigSha": "4b623fca87b0cb1048a094ee73e570d3e5ba1f97",
    "VName": "Behavior:Win32/NonStdMpClientLoader.A"
  },
  "message": "GenericMessageTask"
}
```
## Event ID 60: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| Channel | UnicodeString | |
| EventId | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 60,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 60,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.214+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1748
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Channel": "ThreatIntel",
    "EventId": 19,
    "PID": 16720
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 61: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FolderName | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 61,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 61,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.109+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FolderName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\EtwGenFile_09220244\\subdir",
    "PID": 15144
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 62: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| Count | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 62,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 62,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.261+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 15096
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Count": 1
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 63: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| TaintReason | UInt64 | |
| ReasonImagePath | UnicodeString | |
| ProcessImagePath | UnicodeString | |

## Event ID 64: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FileName | UnicodeString | |
| OldFileName | UnicodeString | |

## Event ID 66: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FileName | UnicodeString | |
| FileHardLinkName | UnicodeString | |

## Event ID 67: ExpensiveOperationTask

### Fields

| Name | Type | Description |
|---|---|---|
| Message | UnicodeString | |
| Name | UnicodeString | |
| Data | UInt64 | |
| StartStop | Boolean | |
| ThreadTime | FILETIME | |
| DeltaCPU | UInt64 | |
| DeltaWall | UInt64 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 67,
    "version": 1,
    "level": 4,
    "task": 9,
    "opcode": 67,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.990+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6DA7C55-BDD5-43E2-923E-C2831F5534D0}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": 60,
    "DeltaCPU": 0,
    "DeltaWall": 0,
    "Message": "GetHashes",
    "Name": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "StartStop": false,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "ExpensiveOperationTask"
}
```
## Event ID 68: Message

### Fields

| Name | Type | Description |
|---|---|---|
| SigName | AnsiString | |
| SigSeq | HexInt64 | |
| SigSha | AnsiString | |
| SigTypeName | AnsiString | |
| Dimension | AnsiString | |
| Value | UInt64 | |
| Limit | UInt64 | |
| FileName | UnicodeString | |
| VPath | UnicodeString | |
| FileSha1 | AnsiString | |
| PartialCRC1 | HexInt32 | |
| PartialCRC2 | HexInt32 | |
| PartialCRC3 | HexInt32 | |
| FileSize | UInt64 | |

## Event ID 69: Message

### Fields

| Name | Type | Description |
|---|---|---|
| Guid | AnsiString | |
| VolumeSize | UInt64 | |
| Attributes | HexInt32 | |
| FilesCount | HexInt32 | |
| FileGuidsArray | AnsiString | |
| FileSizeArray | AnsiString | |
| CompressedFileSizeArray | AnsiString | |
| FileNameArray | UnicodeString | |
| FileAttributesArray | AnsiString | |
| EfiFileTypeArray | AnsiString | |
| FileSha1Array | AnsiString | |
| SmbiosAttributes | AnsiString | |
| FileCRCsArray | AnsiString | |

## Event ID 70: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| BasePath | UnicodeString | |
| CommandLine | UnicodeString | |
| PID | UInt32 | |
| ParentPID | UInt32 | |
| Flags | UInt32 | |
| IntegrityLevel | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 70,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 68,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:16.967+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BasePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe",
    "CommandLine": "\"C:\\WINDOWS\\system32\\logman.exe\" query etw-cap-fixtest-b0 -ets",
    "Flags": 33554432,
    "IntegrityLevel": 12288,
    "PID": 4944,
    "ParentPID": 2348
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 71: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FileName | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 71,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 69,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.948+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\EtwGen_8ddae864\\host.err",
    "PID": 15704
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 72: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FileName | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 72,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 70,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.210+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_sbsid2qt.goq.psm1",
    "PID": 11280
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 73: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| CreationTime | FILETIME | |
| PID | UInt32 | |
| filepath | UnicodeString | |
| flags | HexInt32 | |
| flags2low | HexInt64 | |
| flags2high | HexInt64 | |
| oldFlags | HexInt32 | |
| oldFlags2low | HexInt64 | |
| oldFlags2high | HexInt64 | |
| Source | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 73,
    "version": 2,
    "level": 4,
    "task": 6,
    "opcode": 71,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.161+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F2714F70-C68A-4E47-85BF-FAD7C1934515}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CreationTime": "2026-06-02 05:20:53.156Z",
    "EngineId": "0x7FFCAC8D0000",
    "PID": 5984,
    "Source": "SyncStart",
    "filepath": "C:\\Windows\\System32\\logman.exe",
    "flags": "FF030040",
    "flags2high": "0000000000000000",
    "flags2low": "4400000000000000",
    "oldFlags": "00000000",
    "oldFlags2high": "0000000000000000",
    "oldFlags2low": "0000000000000000"
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 74: SenseRemediationTask

### Fields

| Name | Type | Description |
|---|---|---|
| Sha1 | UnicodeString | |
| Sha256 | UnicodeString | |
| SigSeq | HexInt64 | |
| SigSha | UnicodeString | |
| AllSigSeqs | UnicodeString | |
| AllSigShas | UnicodeString | |
| RealPath | UnicodeString | |
| VPath | UnicodeString | |
| EtwDataReportType | UInt32 | |
| ReportType | UInt32 | |
| EngineReportGuid | UnicodeString | |
| ResourceData | UnicodeString | |
| ResourceSchema | UnicodeString | |
| Determination | Int32 | |
| ActionStatus | HexInt32 | |
| ProcessID | UInt32 | |
| ProcessCreationTime | UInt64 | |
| ProcessPath | UnicodeString | |
| ThreatName | UnicodeString | |
| Classification | HexInt32 | |
| IsLatent | Boolean | |
| IsPassiveMode | Boolean | |
| ScanSource | UInt32 | |
| ScanType | UInt32 | |
| RtpProcessID | UInt32 | |
| RtpProcessCreationTime | UInt64 | |
| ProcessCommandLine | UnicodeString | |
| ExtraDataJson | UnicodeString | |

## Event ID 75: Message

### Fields

| Name | Type | Description |
|---|---|---|
| DeviceInfo | AnsiString | |
| TCGEventsArray | AnsiString | |
| PCRsArray | AnsiString | |

## Event ID 77: SmsScanTaskSmsRequestMonitorProcessId

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| CreationTime | FILETIME | |
| Level | UInt8 | |
| EffectiveLevel | UInt8 | |
| TriggerSigSeq | UInt64 | |
| Origin | UInt8 | |

## Event ID 78: SmsScanTaskSmsRequestMonitorFilePath

### Fields

| Name | Type | Description |
|---|---|---|
| ImageFilePath | UnicodeString | |
| Level | UInt8 | |
| EffectiveLevel | UInt8 | |
| TriggerSigSeq | UInt64 | |
| Origin | UInt8 | |

## Event ID 79: SmsScanTaskSmsMonitoringStart

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| CreationTime | FILETIME | |
| Level | UInt8 | |
| TriggerSigSeq | UInt64 | |

## Event ID 80: SmsScanTaskSmsMonitoringStop

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| CreationTime | FILETIME | |
| Level | UInt8 | |
| TriggerSigSeq | UInt64 | |
| StopReason | UInt8 | |

## Event ID 81: SmsScanTaskSmsScanStart

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| CreationTime | FILETIME | |
| ScanReason | UInt8 | |

## Event ID 82: SmsScanTaskSmsScanStop

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| CreationTime | FILETIME | |
| ScanReason | UInt8 | |
| ScanResult | UInt8 | |

## Event ID 87: EngineTaskStart

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

## Event ID 88: EngineTaskStop

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

## Event ID 89: EngineTaskDCStart

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

## Event ID 90: EngineTaskDCStop

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

## Event ID 91: UfsScanFileTaskDCStart_V1

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| ThreadId | UInt32 | |
| StartQPC | UInt64 | |

## Event ID 92: UfsScanFileTaskDCStop_V1

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| ThreadId | UInt32 | |
| StartQPC | UInt64 | |

## Event ID 93: UfsScanProcTaskDCStart_V1

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| PID | UInt32 | |
| ThreadId | UInt32 | |
| StartQPC | UInt64 | |

## Event ID 94: UfsScanProcTaskDCStop_V1

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| FilePath | UnicodeString | |
| PID | UInt32 | |
| ThreadId | UInt32 | |
| StartQPC | UInt64 | |

## Event ID 95: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| CreationTime | FILETIME | |
| FileName | UnicodeString | |
| FirstOffsetWritten | UInt64 | |
| LastOffsetWritten | UInt64 | |
| SmallestOffsetWritten | UInt64 | |
| BiggestOffsetWritten | UInt64 | |
| TotalSizeOfWrites | UInt64 | |
| TotalSizeOfAppends | UInt64 | |
| NumberOfWrites | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 95,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 78,
    "keywords": "0x0000000000000010",
    "time_created": "2026-06-02T04:10:43.003+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10144
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BiggestOffsetWritten": 104044,
    "CreationTime": "2026-05-27 20:01:10.073Z",
    "FileName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper",
    "FirstOffsetWritten": 0,
    "LastOffsetWritten": 104044,
    "NumberOfWrites": 13,
    "ProcessId": 5396,
    "SmallestOffsetWritten": 0,
    "TotalSizeOfAppends": 0,
    "TotalSizeOfWrites": 104053
  },
  "message": "BehaviorMonitorTask"
}
```
## Event ID 97: Scan request

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| Id | UInt8 | |
| Type | AnsiString | |
| Flags | HexInt32 | |
| ScanSource | UInt32 | |
| ResourceCount | UInt32 | |
| FirstResourceType | UnicodeString | |
| FirstResourcePath | UnicodeString | |
| ThreadId | UInt32 | |
| StartQPC | UInt64 | |

## Event ID 98: Scan request

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| Id | UInt8 | |
| Type | AnsiString | |
| Flags | HexInt32 | |
| ScanSource | UInt32 | |
| ResourceCount | UInt32 | |
| FirstResourceType | UnicodeString | |
| FirstResourcePath | UnicodeString | |
| ThreadId | UInt32 | |
| StartQPC | UInt64 | |

## Event ID 99: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| CreationTime | FILETIME | |
| PID | UInt32 | |
| flags | HexInt32 | |
| flags2low | HexInt64 | |
| flags2high | HexInt64 | |

## Event ID 100: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| CreationTime | FILETIME | |
| PID | UInt32 | |
| flags | HexInt32 | |
| flags2low | HexInt64 | |
| flags2high | HexInt64 | |

## Event ID 101: EngineLoadTaskStart

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

## Event ID 102: EngineLoadTaskStop

### Fields

| Name | Type | Description |
|---|---|---|
| EngineId | Pointer | |
| EngineVersion | UnicodeString | |
| AVVersion | UnicodeString | |
| ASVersion | UnicodeString | |

## Event ID 104: Behavior Monitoring

### Fields

| Name | Type | Description |
|---|---|---|
| PID | UInt32 | |
| FeatureId | UInt32 | |
| FirstParam | UnicodeString | |
| SecondParam | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 82,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.968+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FeatureId": 22,
    "FirstParam": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "PID": 13856,
    "SecondParam": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Tools\\Sealighter\\drv\\drv15.ps1 "
  },
  "message": "BehaviorMonitorTask"
}
```
Event ID 105: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| EventId UnicodeString | |
| KeyPath UnicodeString | |
| ValueName UnicodeString | |
| OldValue UnicodeString | |
| NewValue UnicodeString | |
| UserMode UnicodeString | |
| FeatureType UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Antimalware-Engine",
"guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
"event_source_name": "",
"event_id": 105,
"version": 0,
"level": 4,
"task": 6,
"opcode": 83,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:20:52.967+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 6200
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"EventId": "RegistryValueSet",
"FeatureType": 0,
"KeyPath": "HKCU@S-1-5-21-3798294047-1846905762-1150995898-1000\\SOFTWARE\\ETWGEN",
"NewValue": "2026-06-02T05:20:23.7274078+00:00",
"OldValue": "N/A",
"PID": 6556,
"UserMode": "false",
"ValueName": "ts"
},
"message": "BehaviorMonitorTask"
}
Event ID 106: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| EngineId Pointer | |
| LiveContextCount UInt32 | |
| TotalContextCount UInt32 | |
Event ID 107: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| EngineId Pointer | |
| LiveContextCount UInt32 | |
| TotalContextCount UInt32 | |
Event ID 108: SenseExclusionTask
Fields
| Name | Description |
|---|---|
| Type AnsiString | |
| Scope AnsiString | |
| ResourceType AnsiString | |
| TargetResource UnicodeString | |
| ParentResource UnicodeString | |
| DetectionName AnsiString | |
| UserName UnicodeString | |
Event ID 109: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| ProcessContextId Pointer | |
| ImagePath UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Antimalware-Engine",
"guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
"event_source_name": "",
"event_id": 109,
"version": 0,
"level": 4,
"task": 6,
"opcode": 86,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T04:10:16.967+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 10388
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ImagePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe",
"PID": 4944,
"ProcessContextId": "0x1FF1D6EFEE0"
},
"message": "BehaviorMonitorTask"
}
Event ID 110: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| ProcessContextId Pointer | |
| TerminationTime UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Antimalware-Engine",
"guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
"event_source_name": "",
"event_id": 110,
"version": 0,
"level": 4,
"task": 6,
"opcode": 87,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T04:10:40.283+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 2760
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"PID": 1220,
"ProcessContextId": "0x1FF1FD2AEE0",
"TerminationTime": 134248470076227719
},
"message": "BehaviorMonitorTask"
}
Event ID 111: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| AttrId UInt32 | |
| AttrSeq UInt32 | |
| AttrSubset UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Antimalware-Engine",
"guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
"event_source_name": "",
"event_id": 111,
"version": 0,
"level": 4,
"task": 6,
"opcode": 88,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:20:52.921+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 1744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AttrId": 16404,
"AttrSeq": 1812357,
"AttrSubset": 0,
"PID": 13856
},
"message": "BehaviorMonitorTask"
}
Event ID 112: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| AttrId UInt32 | |
| AttrSeq UInt32 | |
| AttrSubset UInt32 | |
| MatchedThreatsNumber UInt32 | |
| IsMultiProcMatch Boolean | |
| IsMultiProcDetection Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Antimalware-Engine",
"guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
"event_source_name": "",
"event_id": 112,
"version": 0,
"level": 4,
"task": 6,
"opcode": 89,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:20:52.921+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 1744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AttrId": 16404,
"AttrSeq": 1812357,
"AttrSubset": 0,
"IsMultiProcDetection": false,
"IsMultiProcMatch": false,
"MatchedThreatsNumber": 0,
"PID": 13856
},
"message": "BehaviorMonitorTask"
}
Event ID 113: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| DetectionName UnicodeString | |
| SigSeq UInt64 | |
Event ID 114: Behavior Monitoring
Fields
| Name | Description |
|---|---|
| PID UInt32 | |
| DetectionName UnicodeString | |
| SigSeq UInt64 | |
| CloudResponse UnicodeString | |
Provenance
This section records where this provider's schema came from and which Windows builds it was observed on. Windows can change a provider's event schema between builds, so use it to judge whether the schema matches the build you collect from.
ETW provider GUID {0A002690-3839-4E3A-B3B6-96D8DF868D99}
Defined in mpengine_etw.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 1.1.26040.8, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 1.1.26040.8, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 1.1.26040.8, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 1.1.26040.8, captured 2026-06-02