Microsoft-Windows-AppXDeployment
93 events across 2 channels
Event ID 301: The calling process is {FileName}.
Event ID 302: Failed to start system service: ServiceName with error: ErrorCode.
Description
Failed to start system service: ServiceName with error: ErrorCode.
Message
Fields
| Name | Description |
|---|---|
| ServiceName UnicodeString | Failed to start system service. |
| ErrorCode HexInt32 | with error. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 302,
"version": 0,
"level": 2,
"task": 4,
"opcode": 0,
"keywords": 4611756387171631104,
"time_created": "2026-04-18T00:30:09.2925045+00:00",
"event_record_id": 16,
"correlation": {},
"execution": {
"process_id": 4272,
"thread_id": 4472
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServiceName": "appxsvc",
"ErrorCode": "0x8007045b"
},
"message": "Failed to start system service: appxsvc with error: 0x8007045B."
}
Event ID 303: Failed to start system service: ServiceName with error: ErrorCode.
Description
Failed to start system service: ServiceName with error: ErrorCode.
Message
Fields
| Name | Description |
|---|---|
| ServiceName UnicodeString | |
| ErrorCode HexInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 303,
"version": 0,
"level": 3,
"task": 4,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2026-05-27T14:12:43.4281519+00:00",
"event_record_id": 41,
"correlation": {
"ActivityID": "{05F4C740-EDE2-0007-F6CA-F405E2EDDC01}"
},
"execution": {
"process_id": 2072,
"thread_id": 5336
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServiceName": "clipsvc",
"ErrorCode": "0x8007041d"
},
"message": "Failed to start system service: clipsvc with error: 0x8007041D."
}
Event ID 304: Starting recovery of package repository during a RecoveryType.
Event ID 305: Finished recovery of package repository with result code ErrorCode.
Event ID 306: Skipping recovery of package PackageFullName because it is already installed.
Event ID 307: Recovery has completed for package PackageFullName with result code ErrorCode.
Event ID 308: Starting staged package recovery.
Description
Starting staged package recovery.
Message
Event ID 309: Finished staged package recovery with result code ErrorCode.
Event ID 310: Skipping recovery of package PackageFullName because of error ErrorCode.
Event ID 311: Failed to bind to the APPXSVC RPC server with error: ErrorCode.
Event ID 312: ErrorCode: Package runtime information FileName is corrupted (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is corrupted (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message
Fields
| Name | Description |
|---|---|
| FileName UnicodeString | |
| ErrorCode HexInt32 | |
| Size UInt64 | |
| Offset UInt32 | |
| HeaderAddr Pointer | |
| Section UnicodeString | |
| ProcessId UInt32 | |
Event ID 313: ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message
Fields
| Name | Description |
|---|---|
| FileName UnicodeString | |
| ErrorCode HexInt32 | |
| Size UInt64 | |
| HeaderAddr Pointer | |
| Section UnicodeString | |
| ProcessId UInt32 | |
Event ID 314: ErrorCode: Package runtime information FileName contains conflicting data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName contains conflicting data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message
Fields
| Name | Description |
|---|---|
| FileName UnicodeString | |
| ErrorCode HexInt32 | |
| Size UInt64 | |
| Offset UInt32 | |
| HeaderAddr Pointer | |
| Section UnicodeString | |
| ProcessId UInt32 | |
Event ID 315: ErrorCode: Package runtime information FileName contains unexpected data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName contains unexpected data (address=HeaderAddr, size=Size, offset=Offset, section=Section, processid=ProcessId). Reinstall the package to fix this issue.
Message
Fields
| Name | Description |
|---|---|
| FileName UnicodeString | |
| ErrorCode HexInt32 | |
| Size UInt64 | |
| Offset UInt32 | |
| HeaderAddr Pointer | |
| Section UnicodeString | |
| ProcessId UInt32 | |
Event ID 316: ErrorCode: Package runtime information FileName failed to load (processid=ProcessId).
Event ID 317: Package runtime information FileName failed to load because exception ExceptionCode occurred.
Event ID 318: ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=ApplicationUserModelId, processid=ProcessId).
Description
ErrorCode: Package runtime information FileName is missing expected data (address=HeaderAddr, size=Size, section=ApplicationUserModelId, processid=ProcessId). Reinstall the package to fix this issue.
Message
Fields
| Name | Description |
|---|---|
| FileName UnicodeString | |
| ErrorCode Int32 | |
| Size UInt64 | |
| HeaderAddr Pointer | |
| ApplicationUserModelId UnicodeString | |
| ProcessId UInt32 | |
Event ID 319: ErrorCode: Application identity not accessible while loading package runtime information FileName (address=HeaderAddr, size=Size, processid=ProcessId).
Event ID 320: Failed to queue removal of package PackageName for user UserSid with error: ErrorCode.
Event ID 321: Failed to remove the package files of package PackageName with error: ErrorCode.
Event ID 322: Failed to set the package status of package PackageName with error: ErrorCode.
Event ID 323: Failed to remove {PackageName} for the user ({UserSid}) with error: {ErrorCode}.
Event ID 324: Package runtime information FileName failed to refresh because the following error ErrorCode occurred in operation type Type.
Event ID 325: PackageFamilyName is registered in good state, skip re-registering it.
Event ID 326: Determining packages to be installed during logon for user: UserSid.
Description
Determining packages to be installed during logon for user: UserSid.
Message
Fields
| Name | Description |
|---|---|
| UserSid UnicodeString | Determining packages to be installed during logon for user. |
| IsSpecialUserProfile Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 326,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2026-05-29T16:33:56.5973357+00:00",
"event_record_id": 35,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1056,
"thread_id": 5280
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"IsSpecialUserProfile": "false"
},
"message": "Determining packages to be installed during logon for user: S-1-5-21-1006758700-2167138679-1475694448-1105."
}
Event ID 327: The following packages will be installed: InstallPackageList.
Description
The following packages will be installed: InstallPackageList. The following packages will be removed: RemovePackageList.
Message
Fields
| Name | Description |
|---|---|
| InstallPackageList UnicodeString | The following packages will be installed. |
| RemovePackageList UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 327,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2026-05-29T16:33:56.6825926+00:00",
"event_record_id": 36,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1056,
"thread_id": 5280
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"InstallPackageList": "NULL",
"RemovePackageList": "NULL"
},
"message": "The following packages will be installed: NULL. The following packages will be removed: NULL"
}
Event ID 328: Unable to determine packages to be installed during logon with error: ErrorCode.
Description
Unable to determine packages to be installed during logon with error: ErrorCode.
Message
Fields
| Name | Description |
|---|---|
| ErrorCode HexInt32 | Unable to determine packages to be installed during logon with error. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "8127F6D4-59F9-4ABF-8952-3E3A02073D5F",
"event_source_name": "",
"event_id": 328,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427453440,
"time_created": "2023-10-25T22:52:41.304385+00:00",
"event_record_id": 18,
"correlation": {
"ActivityID": "61A55000-55E5-1017-0000-000000000000"
},
"execution": {
"process_id": 536,
"thread_id": 796
},
"channel": "Microsoft-Windows-AppXDeployment/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": "0x800401f0"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 329: User Profile created for UserSid with path ProfilePath and type ProfileType.
Description
User Profile created for UserSid with path ProfilePath and type ProfileType.
Message
Fields
| Name | Description |
|---|---|
| UserSid UnicodeString | |
| ProfilePath UnicodeString | |
| ProfileType HexInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"event_id": 329,
"level": 5,
"task": 0,
"opcode": 0,
"time_created": "2026-04-18T00:30:41.2167345+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Microsoft-Windows-AppXDeployment"
},
"event_data": {
"ProfileType": "0x0",
"UserSid": "S-1-5-21-3798294047-1846905762-1150995898-1000",
"ProfilePath": "C:\\Users\\localuser"
}
}
Event ID 330: User Profile deleted for UserSid with path ProfilePath and type ProfileType.
Description
User Profile deleted for UserSid with path ProfilePath and type ProfileType.
Message
Fields
| Name | Description |
|---|---|
| UserSid UnicodeString | |
| ProfilePath UnicodeString | |
| ProfileType HexInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"event_id": 330,
"level": 5,
"task": 0,
"opcode": 0,
"time_created": "2026-04-17T21:49:13.8308573+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Microsoft-Windows-AppXDeployment"
},
"event_data": {
"ProfileType": "0x0",
"UserSid": "S-1-5-21-3798294047-1846905762-1150995898-1001",
"ProfilePath": "C:\\Users\\defaultuser0"
}
}
Event ID 331: Outdated packages registered to user UserSid: OutdatedPackages.
Description
Outdated packages registered to user UserSid: OutdatedPackages. Corresponding up-to-date packages: UpToDatePackages.
Message
Fields
| Name | Description |
|---|---|
| UserSid UnicodeString | |
| OutdatedPackages UnicodeString | |
| UpToDatePackages UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"event_id": 331,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-04-18T00:30:43.7335415+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Microsoft-Windows-AppXDeployment"
},
"event_data": {
"UpToDatePackages": "None",
"UserSid": "S-1-5-21-3798294047-1846905762-1150995898-1000",
"OutdatedPackages": "None"
}
}
Event ID 332: Deployment operation deploymentOperation on mainParam with options deploymentOptions and calling process callerProcess with callstack callstack.
Description
Deployment operation deploymentOperation on mainParam with options deploymentOptions and calling process callerProcess with callstack callstack.
Message
Fields
| Name | Description |
|---|---|
| mainParam UnicodeString | |
| deploymentOperation UInt32 | |
| deploymentOptions HexInt64 | |
| callerProcess UnicodeString | |
| callstack UnicodeString | |
Event ID 1001: AppXDeployment.Task.Client.ServiceStartupStart
Event ID 1002: AppXDeployment.Task.Client.ServiceStartup
Event ID 1003: AppXDeployment.Task.Client.ServiceStartupStop
Event ID 1004: AppXDeployment.Task.Client.AddPackageStart
Event ID 1005: AppXDeployment.Task.Client.AddPackageStop
Event ID 1006: AppXDeployment.Task.Client.RemovePackageStart
Event ID 1007: AppXDeployment.Task.Client.RemovePackageStop
Event ID 1008: AppXDeployment.Task.Client.DeploymentStart
Event ID 1009: AppXDeployment.Task.Client.DeploymentStop
Event ID 1010: AppXDeployment.Task.Client.DeploymentStart1010
Event ID 1011: AppXDeployment.Task.Client.DeploymentStop1011
Event ID 1012: AppXDeployment.Task.Client.DeploymentStart1012
Event ID 1013: AppXDeployment.Task.Client.DeploymentStop1013
Event ID 1014: AppXDeployment.Task.Client.DeploymentStart1014
Event ID 1015: AppXDeployment.Task.Client.DeploymentStop1015
Event ID 1016: AppXDeployment.Task.Client.DeploymentStart1016
Event ID 1017: AppXDeployment.Task.Client.DeploymentStop1017
Event ID 1018: AppXDeployment.Task.Client.DeploymentStart1018
Event ID 1019: AppXDeployment.Task.Client.DeploymentStop1019
Event ID 1020: AppXDeployment.Task.Client.EnumAPI
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 1020,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": "0x0001000000010000",
"time_created": "2026-06-02T05:08:28.577+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0004-E715-818753F0DC01}"
},
"execution": {
"process_id": 12932,
"thread_id": 21360
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "AppXDeployment.Task.Client.EnumAPI"
}
Event ID 1021: AppXDeployment.Task.Client.EnumAPI
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 1021,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": "0x0001000000010000",
"time_created": "2026-06-02T05:08:28.580+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0004-E715-818753F0DC01}"
},
"execution": {
"process_id": 12932,
"thread_id": 21360
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "AppXDeployment.Task.Client.EnumAPI"
}
Event ID 1022: AppXDeployment.Task.Client.EnumAPIStart1022
Event ID 1023: AppXDeployment.Task.Client.EnumAPIStop1023
Event ID 1024: AppXDeployment.Task.Client.EnumAPI
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 1024,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": "0x0001000000010000",
"time_created": "2026-06-02T05:08:31.847+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0004-8716-818753F0DC01}"
},
"execution": {
"process_id": 17916,
"thread_id": 15660
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "AppXDeployment.Task.Client.EnumAPI"
}
Event ID 1025: AppXDeployment.Task.Client.EnumAPI
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 1025,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": "0x0001000000010000",
"time_created": "2026-06-02T05:08:31.847+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0004-8716-818753F0DC01}"
},
"execution": {
"process_id": 17916,
"thread_id": 15660
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "AppXDeployment.Task.Client.EnumAPI"
}
Event ID 1026: AppXDeployment.Task.Client.DeploymentStart1026
Event ID 1027: AppXDeployment.Task.Client.DeploymentStop1027
Event ID 1028: AppXDeployment.Task.Client.Deployment
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 1028,
"version": 0,
"level": 4,
"task": 4,
"opcode": 1,
"keywords": "0x0001000000010000",
"time_created": "2026-06-02T05:18:51.658+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-3124-818753F0DC01}"
},
"execution": {
"process_id": 20696,
"thread_id": 12952
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "AppXDeployment.Task.Client.Deployment"
}
Event ID 1029: AppXDeployment.Task.Client.Deployment
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppXDeployment",
"guid": "{8127F6D4-59F9-4ABF-8952-3E3A02073D5F}",
"event_source_name": "",
"event_id": 1029,
"version": 0,
"level": 4,
"task": 4,
"opcode": 2,
"keywords": "0x0001000000010000",
"time_created": "2026-06-02T05:18:51.659+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0008-3124-818753F0DC01}"
},
"execution": {
"process_id": 20696,
"thread_id": 12952
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "AppXDeployment.Task.Client.Deployment"
}
Event ID 1030: AppXDeployment.Task.Client.DeploymentStart1030
Event ID 1031: AppXDeployment.Task.Client.DeploymentStop1031
Event ID 1032: AppXDeployment.Task.Client.DeploymentStart1032
Event ID 1033: AppXDeployment.Task.Client.DeploymentStop1033
Fields
| Name | Description |
|---|---|
| ErrorCode HexInt32 | |
Event ID 1034: AppXDeployment.Task.Client.EnumAPIStart1034
Event ID 1035: AppXDeployment.Task.Client.EnumAPIStop1035
Event ID 1036: AppXDeployment.Task.Client.DeploymentStart1036
Event ID 1037: AppXDeployment.Task.Client.DeploymentStop1037
Event ID 1038: AppXDeployment.Task.Client.DeploymentStart1038
Event ID 1039: AppXDeployment.Task.Client.DeploymentStop1039
Event ID 1040: AppXDeployment.Task.Client.DeploymentStart1040
Event ID 1041: AppXDeployment.Task.Client.DeploymentStop1041
Event ID 1042: AppXDeployment.Task.Client.DeploymentStart1042
Event ID 1043: AppXDeployment.Task.Client.DeploymentStop1043
Event ID 1044: AppXDeployment.Task.Client.DeploymentStart1044
Event ID 1045: AppXDeployment.Task.Client.DeploymentStop1045
Event ID 1046: AppXDeployment.Task.Client.DeploymentStart1046
Event ID 1047: AppXDeployment.Task.Client.DeploymentStop1047
Event ID 1048: AppXDeployment.Task.Client.EnumAPIStart1048
Event ID 1049: AppXDeployment.Task.Client.EnumAPIStop1049
Event ID 1050: AppXDeployment.Task.Client.EnumAPIStart1050
Event ID 1051: AppXDeployment.Task.Client.EnumAPIStop1051
Event ID 1052: AppXDeployment.Task.Client.EnumAPIStart1052
Event ID 1053: AppXDeployment.Task.Client.EnumAPIStop1053
Event ID 1054: AppXDeployment.Task.Client.EnumAPIStart1054
Event ID 1055: AppXDeployment.Task.Client.EnumAPIStop1055
Event ID 1056: AppXDeployment.Task.Client.DeploymentStart1056
Event ID 1057: AppXDeployment.Task.Client.DeploymentStop1057
Event ID 1058: AppXDeployment.Task.Client.DeploymentStart1058
Event ID 1059: AppXDeployment.Task.Client.DeploymentStop1059
Event ID 1060: AppXDeployment.Task.Client.DeploymentStart1060
Event ID 1061: AppXDeployment.Task.Client.DeploymentStop1061
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {8127F6D4-59F9-4ABF-8952-3E3A02073D5F}
Defined in AppXDeploymentClient.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02