Microsoft-Windows-CertPolEng
48 events across 1 channel
Event ID 0: Entering Function FunctionName.
Description
Entering Function FunctionName.
Message
Fields
| Name | Description |
|---|---|
| FunctionName AnsiString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "AF9CC194-E9A8-42BD-B0D1-834E9CFAB799",
    "event_source_name": "",
    "event_id": 0,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:00:13.524244+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 2336
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FunctionName": "IntPstGetTrustAnchors"
  },
  "message": ""
}
```
Event ID 1: Exiting Function FunctionName.
Description
Exiting Function FunctionName.
Message
Fields
| Name | Description |
|---|---|
| FunctionName AnsiString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "AF9CC194-E9A8-42BD-B0D1-834E9CFAB799",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:00:13.524262+00:00",
    "event_record_id": 6,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 2336
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FunctionName": "CProviderRegistrationCache::IntGetTrustAnchors"
  },
  "message": ""
}
```
Event ID 2: FunctionName failed with return code LastError.
Description
FunctionName failed with return code LastError.
Message
Fields
| Name | Description |
|---|---|
| FunctionName AnsiString | |
| LastError UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "AF9CC194-E9A8-42BD-B0D1-834E9CFAB799",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:00:13.524258+00:00",
    "event_record_id": 4,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 2336
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FunctionName": "IntGetTrustAnchors(actual error)",
    "LastError": 3221685484
  },
  "message": ""
}
```
Event ID 3: FunctionName returned LastError.
Event ID 5: Running inside LSA
Description
Running inside LSA.
Message
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "AF9CC194-E9A8-42BD-B0D1-834E9CFAB799",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T16:28:40.910557+00:00",
    "event_record_id": 10,
    "correlation": {
      "ActivityID": "0DD0D01B-52DE-45C4-BB8D-BF1723FA1D6F"
    },
    "execution": {
      "process_id": 1092,
      "thread_id": 3352
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
```
Event ID 7: No online providers are installed
Description
No online providers are installed.
Message
Event ID 8: There are no trust anchors for the providers
Description
There are no trust anchors for the providers.
Message
Event ID 9: Total number of TrustRoot Found Number.
Event ID 10: Target name is TargetName, HostName is HostName.
Event ID 11: PSTGetCertificate called, number of select criteria are NumOfCriteria, bIsClient parameter is bClient.
Event ID 12: Opening Machine Store?
Event ID 14: Unable to find Provider From Certificate: Error LastError.
Event ID 15: Calling LRPC cert renewal Interface psz.
Event ID 16: Expired Certificate were found, will call CertSelectCertificateChains again
Description
Expired Certificate were found, will call CertSelectCertificateChains again.
Message
Event ID 17: No matching Certificate were found
Description
No matching Certificate were found.
Message
Event ID 18: Will Special case for Homegroup self sign certificates
Description
Will Special case for Homegroup self sign certificates.
Message
Event ID 19: GetCertificates returning Number certificates.
Event ID 20: RequestIssuancePolicy Is Specified
Description
RequestIssuancePolicy Is Specified.
Message
Event ID 22: Certificate found in HomeGroup Container
Description
Certificate found in HomeGroup Container.
Message
Event ID 23: Checking if the Certificate is from one of the Providers
Description
Checking if the Certificate is from one of the Providers.
Message
Event ID 24: Cert Subject name is psz.
Event ID 25: UserName is psz.
Event ID 26: Failed to Connect to psz.
Event ID 27: CProviderEntry::ReadInfoFromRegistry LRPC Entrypoint is missing for provider Provider.
Event ID 28: Failed to Open Provider Root Key Number.
Event ID 29: Failed to Query Provider Root Key Number.
Event ID 30: Failed to Query SubKey SubKey, Error LastError.
Event ID 31: Invalid Provider GUID SubKey.
Event ID 32: CertVerifyCertificateChainPolicy Failed Status is LastError, ChainIndex ChainIndex, lElementIndex lElementIndex.
Event ID 33: Failed to open LSA Registry Root Key Number.
Event ID 34: Pku2u is disabled by policy
Description
Pku2u is disabled by policy.
Message
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "AF9CC194-E9A8-42BD-B0D1-834E9CFAB799",
    "event_source_name": "",
    "event_id": 34,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:00:13.524248+00:00",
    "event_record_id": 3,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 2336
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
```
Event ID 35: Failed to open StoreName certificate store.
Event ID 36: Failed to validate certificate.
Event ID 37: Failed to validate certificate.
Description
Failed to validate certificate. The hash comparison failed.
Message
Event ID 39: The client name doesn't match the UPN.
Event ID 40: The client name is psz.
Event ID 41: The client name matched the UPN.
Event ID 42: Certificate validation succeeded as the hash comparison succeeded
Description
Certificate validation succeeded as the hash comparison succeeded.
Message
Event ID 43: Unable to find the certificate in the HomeGroup Container
Description
Unable to find the certificate in the HomeGroup Container.
Message
Event ID 44: The certificate chains to an untrusted root
Description
The certificate chains to an untrusted root.
Message
Event ID 45: The supplied or saved credman credential with username UserName is not a UPN.
Description
The supplied or saved credman credential with username UserName is not a UPN.
Message
Fields
| Name | Description |
|---|---|
| UserName UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "{AF9CC194-E9A8-42BD-B0D1-834E9CFAB799}",
    "event_source_name": "",
    "event_id": 45,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-04-16T21:56:41.6883342+00:00",
    "event_record_id": 4577,
    "correlation": {
      "ActivityID": "{43D097FE-91EE-451F-9819-F3E495F14039}"
    },
    "execution": {
      "process_id": 1108,
      "thread_id": 9372
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UserName": "domainuser"
  },
  "message": "The supplied or saved credman credential with username domainuser is not a UPN."
}
```
Event ID 46: Provider Provider is not enabled.
Description
Provider Provider is not enabled.
Message
Fields
| Name | Description |
|---|---|
| Provider GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CertPolEng",
    "guid": "AF9CC194-E9A8-42BD-B0D1-834E9CFAB799",
    "event_source_name": "",
    "event_id": 46,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T16:28:40.869270+00:00",
    "event_record_id": 5,
    "correlation": {
      "ActivityID": "0DD0D01B-52DE-45C4-BB8D-BF1723FA1D6F"
    },
    "execution": {
      "process_id": 1092,
      "thread_id": 3352
    },
    "channel": "Microsoft-Windows-CertPoleEng/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Provider": "6D0F37E4-4FAC-4E44-9C07-6B8343FE4953"
  },
  "message": ""
}
```
Event ID 47: Failed for Certificate (encoding=EncodingType,length=EncodedCertLength,value=EncodedCert).
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {AF9CC194-E9A8-42BD-B0D1-834E9CFAB799}
Defined in CertPolEng.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02