Microsoft-Antimalware-RTP

29 events across 1 channel

Event	Title	Channel	Sample
1	RTPPassthroughStart	Application	N
2	RTPPassthroughStop	Application	N
3	RTPPluginStart	Application	N
4	RTPPluginStop	Application	N
5	RTPFilterLoad	Application	N
6	RTPFilterUnload	Application	N
7	RTPSetEngine	Application	N
8	RTPFlushCache	Application	N
9	RTPScanTimeout	Application	N
10	RTPEnabled	Application	N
11	RTPDisabled	Application	N
12	RTPConfigUpdate	Application	N
13	RTPSetRegistryMonitoring	Application	N
14	RTPThreatDetection	Application	N
15	RTPSampleDetection	Application	N
16	RTPLofiDetection	Application	N
17	RTPExpensiveDetection	Application	N
18	RTPBMDetection	Application	N
19	RTPSeqRead	Application	N
20	RTPSuspend	Application	N
21	RTPResume	Application	N
22	RTPPriority	Application	Y
23	DlpPerfOperationStart	Application	N
24	DlpPerfOperationStop	Application	N
25	DCEvent	Application	N
26	DCEvent26	Application	N
27	RTPFileScanResult	Application	Y
28	DCEvent28	Application	N
29	DCEvent29	Application	N

Event ID 1: RTPPassthroughStart

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPassthrough
Opcode: Start

Event ID 2: RTPPassthroughStop

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPassthrough
Opcode: Stop

Event ID 3: RTPPluginStart

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPlugin
Opcode: Start

Event ID 4: RTPPluginStop

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPPlugin
Opcode: Stop

Event ID 5: RTPFilterLoad

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFilterLoad

Event ID 6: RTPFilterUnload

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFilterUnload

Event ID 7: RTPSetEngine

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSetEngine

Event ID 8: RTPFlushCache

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPFlushCache

Event ID 9: RTPScanTimeout

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPScanTimeout

Event ID 10: RTPEnabled

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPEnabled

Event ID 11: RTPDisabled

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPDisabled

Event ID 12: RTPConfigUpdate

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPConfigUpdate

Event ID 13: RTPSetRegistryMonitoring

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSetRegistryMonitoring

Event ID 14: RTPThreatDetection

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPThreatDetection

Fields #

Name	Description
`File` UnicodeString

Event ID 15: RTPSampleDetection

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSampleDetection

Fields #

Name	Description
`File` UnicodeString

Event ID 16: RTPLofiDetection

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPLofiDetection

Fields #

Name	Description
`File` UnicodeString

Event ID 17: RTPExpensiveDetection

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPExpensiveDetection

Fields #

Name	Description
`File` UnicodeString

Event ID 18: RTPBMDetection

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPBMDetection

Event ID 19: RTPSeqRead

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSeqRead

Event ID 20: RTPSuspend

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPSuspend

Event ID 21: RTPResume

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: RTPResume

Event ID 22: RTPPriority

Provider: Microsoft-Antimalware-RTP
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: RTPPriority
Opcode: win:Info

Fields #

Name	Description
`Description` UnicodeString
`PreviousValue` UInt32
`IntendedValueOrHResult` UInt32
`LatestValue` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Antimalware-RTP",
    "guid": "{8E92DEEF-5E17-413B-B927-59B2F06A3CFC}",
    "event_source_name": "",
    "event_id": 22,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:18:28.997+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4712,
      "thread_id": 10308
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Description": "AsyncWorkerUpdate",
    "IntendedValueOrHResult": 0,
    "LatestValue": 8,
    "PreviousValue": 8
  },
  "message": "RTPPriority"
}

Event ID 23: DlpPerfOperationStart

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DlpPerfOperation
Opcode: Start

Fields #

Name	Description
`Operation` UInt32	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`SubOperation` UInt32
`AccessCheck` UInt32

Event ID 24: DlpPerfOperationStop

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DlpPerfOperation
Opcode: Stop

Fields #

Name	Description
`Operation` UInt32	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`SubOperation` UInt32
`AccessCheck` UInt32

Event ID 25: DCEvent

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64
`ActionType` UnicodeString
`Access` UnicodeString
`Policy` UnicodeString
`MachineName` UnicodeString
`MediaName` UnicodeString
`ClassName` UnicodeString
`ClassGuid` UnicodeString
`UserName` UnicodeString
`VendorId` UnicodeString
`ProductId` UnicodeString
`DeviceId` UnicodeString
`InstanceId` UnicodeString
`SerialNumber` UnicodeString
`BusType` UnicodeString
`FilePath` UnicodeString
`FileSize` UInt64
`Tag` UInt64
`DomainAuthenticatedNetworkPresent` UnicodeString
`ActiveVPNConnections` UnicodeString
`ProcessImageName` UnicodeString
`PolicyId` UnicodeString
`AccessChainRuleIds` UnicodeString
`AccessChainRuleEntryIds` UnicodeString
`PrinterPortName` UnicodeString

Event ID 26: DCEvent26

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64
`Policy` UnicodeString
`PolicyRuleId` UnicodeString
`DuplicatedOperation` UnicodeString
`MachineName` UnicodeString
`UserName` UnicodeString
`ClassName` UnicodeString
`MediaName` UnicodeString
`InstanceId` UnicodeString
`SerialNumber` UnicodeString
`VendorId` UnicodeString
`ProductId` UnicodeString
`DeviceFilePath` UnicodeString
`EvidenceFileSize` UInt64
`EvidenceFileLocation` UnicodeString
`Tag` UInt64

Event ID 27: RTPFileScanResult

Provider: Microsoft-Antimalware-RTP
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: RTPFileScanResult
Opcode: win:Info

Fields #

Name	Description
`FileName` UnicodeString
`ScanReason` UInt32
`FileId` UInt64
`USN` UInt64
`RtpScanResult` UInt32
`RtpScanAction` UInt32
`DoNotCache` UInt32
`Flags` UInt32
`ScanResult` UInt32
`hr` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Antimalware-RTP",
    "guid": "{8E92DEEF-5E17-413B-B927-59B2F06A3CFC}",
    "event_source_name": "",
    "event_id": 27,
    "version": 0,
    "level": 4,
    "task": 23,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:16.802+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E9BB1A5E-6969-4F68-BB28-D76285FBCF17}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 3984
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DoNotCache": 0,
    "FileId": 281474976775421,
    "FileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\drivers\\msquic.sys",
    "Flags": 0,
    "RtpScanAction": 0,
    "RtpScanResult": 0,
    "ScanReason": 3,
    "ScanResult": 3,
    "USN": 0,
    "hr": 0
  },
  "message": "RTPFileScanResult"
}

Event ID 28: DCEvent28

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64
`CurrentGrantedAccess` UnicodeString
`MaximumPossibleGrantedAccess` UnicodeString
`CurrentDeniedAccess` UnicodeString
`MinimumGuaranteedDeniedAccess` UnicodeString
`MachineName` UnicodeString
`UserName` UnicodeString
`ClassName` UnicodeString
`MediaName` UnicodeString
`BusType` UnicodeString
`DeviceId` UnicodeString
`InstanceId` UnicodeString
`SerialNumber` UnicodeString
`VendorId` UnicodeString
`ProductId` UnicodeString
`DomainAuthenticatedNetworkPresent` UnicodeString
`ActiveVPNConnections` UnicodeString
`ActiveNetworks` UnicodeString
`DevicePolicyGroupMembership` UnicodeString

Event ID 29: DCEvent29

Provider: Microsoft-Antimalware-RTP
Channel: Application
Task: DCEvent

Fields #

Name	Description
`Timestamp` UInt64
`State` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {8E92DEEF-5E17-413B-B927-59B2F06A3CFC}

Defined in MpRtp.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 4.18.26040.7, captured 2026-06-02
Win11-26200.6584, sample captured from a live trace, binary version 4.18.26040.7, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 4.18.26040.7, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 4.18.26040.7, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Antimalware-RTP

Event ID 1: RTPPassthroughStart

Event ID 2: RTPPassthroughStop

Event ID 3: RTPPluginStart

Event ID 4: RTPPluginStop

Event ID 5: RTPFilterLoad

Event ID 6: RTPFilterUnload

Event ID 7: RTPSetEngine

Event ID 8: RTPFlushCache

Event ID 9: RTPScanTimeout

Event ID 10: RTPEnabled

Event ID 11: RTPDisabled

Event ID 12: RTPConfigUpdate

Event ID 13: RTPSetRegistryMonitoring

Event ID 14: RTPThreatDetection

Fields #

Event ID 15: RTPSampleDetection

Fields #

Event ID 16: RTPLofiDetection

Fields #

Event ID 17: RTPExpensiveDetection

Fields #

Event ID 18: RTPBMDetection

Event ID 19: RTPSeqRead

Event ID 20: RTPSuspend

Event ID 21: RTPResume

Event ID 22: RTPPriority

Fields #

Example Event #

Event ID 23: DlpPerfOperationStart

Fields #

Event ID 24: DlpPerfOperationStop

Fields #

Event ID 25: DCEvent

Fields #

Event ID 26: DCEvent26

Fields #

Event ID 27: RTPFileScanResult

Fields #

Example Event #

Event ID 28: DCEvent28

Fields #

Event ID 29: DCEvent29

Fields #

Provenance

Downloads