Microsoft-Windows-AppSruProv

1 event across 1 channel

Event | Title | Channel | Sample
3000 | AppId (AppId), UserId (UserSid), FgCycles (FgCycles), BgCycles(BgCycles), … | Microsoft-Windows-AppSruProv | Y

Event ID 3000: AppId (AppId), UserId (UserSid), FgCycles (FgCycles), BgCycles(BgCycles), FgClockTime (FgClockTime), FgCtxSwitches (FgCtxSwitches), BgCtxSwitches (BgCtxSwitches), FgBytesRead (FgBytesRead), FgBytes...

Provider: Microsoft-Windows-AppSruProv
Channel: Microsoft-Windows-AppSruProv
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

AppId (AppId), UserId (UserSid), FgCycles (FgCycles), BgCycles(BgCycles), FgClockTime (FgClockTime), FgCtxSwitches (FgCtxSwitches), BgCtxSwitches (BgCtxSwitches), FgBytesRead (FgBytesRead), FgBytesWritten (FgBytesWritten), FgNumReadOps (FgNumReadOps), FgNumWriteOps (FgNumWriteOps), FgNumFlushOps (FgNumFlushOps), BgBytesRead (BgBytesRead), BgBytesWritten (BgBytesWritten), BgNumReadOps (BgNumReadOps), BgNumWriteOps (BgNumWriteOps), BgNumFlushOps (BgNumFlushOps)

Message

AppId (%1), UserId (%2), FgCycles (%3), BgCycles(%4), FgClockTime (%5), FgCtxSwitches (%6), BgCtxSwitches (%7), FgBytesRead (%8), FgBytesWritten (%9), FgNumReadOps (%10), FgNumWriteOps (%11), FgNumFlushOps (%12), BgBytesRead (%13), BgBytesWritten (%14), BgNumReadOps (%15), BgNumWriteOps (%16), BgNumFlushOps (%17)

Fields

Name | Type
AppId | UnicodeString
UserSid | SID
FgCycles | UInt64
BgCycles | UInt64
FgClockTime | UInt64
FgCtxSwitches | UInt32
BgCtxSwitches | UInt32
FgBytesRead | UInt64
FgBytesWritten | UInt64
FgNumReadOps | UInt32
FgNumWriteOps | UInt32
FgNumFlushOps | UInt32
BgBytesRead | UInt64
BgBytesWritten | UInt64
BgNumReadOps | UInt32
BgNumWriteOps | UInt32
BgNumFlushOps | UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-AppSruProv",
    "guid": "{0CC157B3-CF07-4FC2-91EE-31AC92E05FE1}",
    "event_source_name": "",
    "event_id": 3000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:19:00.040+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{29927B46-ADEC-4261-AC1D-CDD7BC6BDA32}"
    },
    "execution": {
      "process_id": 5340,
      "thread_id": 11656
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AppId": "svc.ownproc.s0.uc0.host2000000000000000_1.0.0.0_neutral__1234567890abc",
    "BgBytesRead": 0,
    "BgBytesWritten": 0,
    "BgCtxSwitches": 0,
    "BgCycles": 0,
    "BgNumFlushOps": 0,
    "BgNumReadOps": 0,
    "BgNumWriteOps": 0,
    "FgBytesRead": 0,
    "FgBytesWritten": 0,
    "FgClockTime": 600036843,
    "FgCtxSwitches": 188,
    "FgCycles": 14411115,
    "FgNumFlushOps": 0,
    "FgNumReadOps": 0,
    "FgNumWriteOps": 0,
    "UserSid": "NT AUTHORITY\\LogonSessionId_0_224564065"
  },
  "message": ""
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {0CC157B3-CF07-4FC2-91EE-31AC92E05FE1}

Defined in appsruprov.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02
