Microsoft-Windows-Diagnosis-DPS
24 events across 3 channels
Event ID 1: The Diagnostic Policy Service started.
Description
The Diagnostic Policy Service started. This event signals diagnostic modules for delayed processing after the service is initialized.
Event ID 2: The Diagnostic Policy Service started.
Description
The Diagnostic Policy Service started. This event signals diagnostic modules for immediate processing after the service is initialized.
Event ID 5: The scenario ScenarioId has a configuration error or has been explicitly disabled in the WDI registry namespace.
Event ID 100: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) detected a problem for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) detected a problem for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "{6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3}",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 12,
    "keywords": 4611686052787126272,
    "time_created": "2026-05-29T06:44:05.9831709+00:00",
    "event_record_id": 6,
    "correlation": {
      "ActivityID": "{559E5142-CDCD-4213-BC43-A528C3D24645}"
    },
    "execution": {
      "process_id": 6960,
      "thread_id": 2084
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "{180b3a99-8c39-4f12-b631-2031998efe45}",
    "InstanceId": "{559e5142-cdcd-4213-bc43-a528c3d24645}",
    "OriginalActivityId": "{00000000-0000-0000-0000-000000000000}",
    "DiagnosticModuleImageName": "%windir%\\system32\\radardt.dll",
    "DiagnosticModuleId": "{45de1ea9-10bc-4f96-9b21-4b6b83dbf476}"
  },
  "message": "Diagnostic module {45de1ea9-10bc-4f96-9b21-4b6b83dbf476} (%windir%\\system32\\radardt.dll) detected a problem for scenario {180b3a99-8c39-4f12-b631-2031998efe45}, instance {559e5142-cdcd-4213-bc43-a528c3d24645}, original activity ID {00000000-0000-0000-0000-000000000000}."
}
```
Event ID 105: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "{6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3}",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 13,
    "keywords": 4611686052787126272,
    "time_created": "2026-05-29T06:44:05.9831741+00:00",
    "event_record_id": 7,
    "correlation": {
      "ActivityID": "{559E5142-CDCD-4213-BC43-A528C3D24645}"
    },
    "execution": {
      "process_id": 6960,
      "thread_id": 2084
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "{180b3a99-8c39-4f12-b631-2031998efe45}",
    "InstanceId": "{559e5142-cdcd-4213-bc43-a528c3d24645}",
    "OriginalActivityId": "{00000000-0000-0000-0000-000000000000}",
    "DiagnosticModuleImageName": "%windir%\\system32\\radardt.dll",
    "DiagnosticModuleId": "{45de1ea9-10bc-4f96-9b21-4b6b83dbf476}"
  },
  "message": "Diagnostic module {45de1ea9-10bc-4f96-9b21-4b6b83dbf476} (%windir%\\system32\\radardt.dll) started troubleshooting scenario {180b3a99-8c39-4f12-b631-2031998efe45}, instance {559e5142-cdcd-4213-bc43-a528c3d24645}, original activity ID {00000000-0000-0000-0000-000000000000}."
}
```
Event ID 110: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. No resolution was set by the diagnostic module.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
    "event_source_name": "",
    "event_id": 110,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 14,
    "keywords": 4611686052787126272,
    "time_created": "2023-11-05T22:33:58.076518+00:00",
    "event_record_id": 55,
    "correlation": {
      "ActivityID": "51DC3142-BD1D-4BBF-9040-E1AF3322EAF0"
    },
    "execution": {
      "process_id": 3160,
      "thread_id": 3436
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "86432A0B-3C7D-4DDF-A89C-172FAA90485D",
    "InstanceId": "51DC3142-BD1D-4BBF-9040-E1AF3322EAF0",
    "OriginalActivityId": "86432A0B-3C7D-4DDF-A89C-172FAA90485D",
    "DiagnosticModuleImageName": "%SystemRoot%\\system32\\diagperf.dll",
    "DiagnosticModuleId": "C8544339-5BE9-4F25-862E-485F1B1A6935"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 115: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. It set resolution ResolutionId for user ResolutionSID in session ResolutionSessionId with expiration date ResolutionExpirationDate. The resolution will be started immediately.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| ResolutionId | GUID | |
| ResolutionSID | SID | |
| ResolutionSessionId | UInt32 | |
| ResolutionExpirationDate | FILETIME | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "{6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3}",
    "event_source_name": "",
    "event_id": 115,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 15,
    "keywords": 4611686052787126272,
    "time_created": "2026-05-29T06:44:05.9859497+00:00",
    "event_record_id": 8,
    "correlation": {
      "ActivityID": "{559E5142-CDCD-4213-BC43-A528C3D24645}"
    },
    "execution": {
      "process_id": 6960,
      "thread_id": 2084
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "{180b3a99-8c39-4f12-b631-2031998efe45}",
    "InstanceId": "{559e5142-cdcd-4213-bc43-a528c3d24645}",
    "OriginalActivityId": "{00000000-0000-0000-0000-000000000000}",
    "DiagnosticModuleImageName": "%windir%\\system32\\radardt.dll",
    "ResolutionId": "{5ee64afb-398d-4edb-af71-3b830219abf7}",
    "ResolutionSID": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "ResolutionSessionId": "1",
    "ResolutionExpirationDate": "1601-01-01T00:00:00.0000000Z",
    "DiagnosticModuleId": "{45de1ea9-10bc-4f96-9b21-4b6b83dbf476}"
  },
  "message": "Diagnostic module {45de1ea9-10bc-4f96-9b21-4b6b83dbf476} (%windir%\\system32\\radardt.dll) finished troubleshooting scenario {180b3a99-8c39-4f12-b631-2031998efe45}, instance {559e5142-cdcd-4213-bc43-a528c3d24645}, original activity ID {00000000-0000-0000-0000-000000000000}. It set resolution {5ee64afb-398d-4edb-af71-3b830219abf7} for user S-1-5-21-1006758700-2167138679-1475694448-1105 in session 1 with expiration date 1601-01-01T00:00:00.000000000Z. The resolution will be started immediately."
}
```
Event ID 120: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. It set resolution ResolutionId for user ResolutionSID in session ResolutionSessionId with expiration date ResolutionExpirationDate. The resolution was queued to start later.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| ResolutionId | GUID | |
| ResolutionSID | SID | |
| ResolutionSessionId | UInt32 | |
| ResolutionExpirationDate | FILETIME | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
    "event_source_name": "",
    "event_id": 120,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 16,
    "keywords": 4611686052787126272,
    "time_created": "2023-10-25T22:50:15.569431+00:00",
    "event_record_id": 34,
    "correlation": {
      "ActivityID": "13443185-CF4B-4989-8B2A-A73BBD6A6B1A"
    },
    "execution": {
      "process_id": 2912,
      "thread_id": 3572
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "3A5D4378-9D2F-4393-B1E5-34F5FA9A1140",
    "InstanceId": "13443185-CF4B-4989-8B2A-A73BBD6A6B1A",
    "OriginalActivityId": "8E76E1FB-2E89-4557-8E7A-927267F0975C",
    "DiagnosticModuleImageName": "%SystemRoot%\\system32\\diagperf.dll",
    "ResolutionId": "B171AB1C-60E9-4301-A338-BEAB1C70B3E9",
    "ResolutionSID": "S-1-1-0",
    "ResolutionSessionId": 0,
    "ResolutionExpirationDate": "2024-01-23T22:50:15.559312Z",
    "DiagnosticModuleId": "B171AB1C-60E9-4301-A338-BEAB1C70B3E9"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 125: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "{6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3}",
    "event_source_name": "",
    "event_id": 125,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 17,
    "keywords": 4611686052787126272,
    "time_created": "2026-05-29T06:44:06.0373979+00:00",
    "event_record_id": 9,
    "correlation": {
      "ActivityID": "{559E5142-CDCD-4213-BC43-A528C3D24645}"
    },
    "execution": {
      "process_id": 6960,
      "thread_id": 2084
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "{180b3a99-8c39-4f12-b631-2031998efe45}",
    "InstanceId": "{559e5142-cdcd-4213-bc43-a528c3d24645}",
    "OriginalActivityId": "{00000000-0000-0000-0000-000000000000}",
    "DiagnosticModuleImageName": "%windir%\\system32\\radarrs.dll",
    "DiagnosticModuleId": "{5ee64afb-398d-4edb-af71-3b830219abf7}"
  },
  "message": "Diagnostic module {5ee64afb-398d-4edb-af71-3b830219abf7} (%windir%\\system32\\radarrs.dll) started resolving scenario {180b3a99-8c39-4f12-b631-2031998efe45}, instance {559e5142-cdcd-4213-bc43-a528c3d24645}, original activity ID {00000000-0000-0000-0000-000000000000}."
}
```
Event ID 126: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) was queued to start later for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) was queued to start later for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Event ID 130: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "{6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3}",
    "event_source_name": "",
    "event_id": 130,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 19,
    "keywords": 4611686052787126272,
    "time_created": "2026-05-29T06:44:08.0836010+00:00",
    "event_record_id": 10,
    "correlation": {
      "ActivityID": "{559E5142-CDCD-4213-BC43-A528C3D24645}"
    },
    "execution": {
      "process_id": 6960,
      "thread_id": 3148
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "{180b3a99-8c39-4f12-b631-2031998efe45}",
    "InstanceId": "{559e5142-cdcd-4213-bc43-a528c3d24645}",
    "OriginalActivityId": "{00000000-0000-0000-0000-000000000000}",
    "DiagnosticModuleImageName": "%windir%\\system32\\radarrs.dll",
    "DiagnosticModuleId": "{5ee64afb-398d-4edb-af71-3b830219abf7}"
  },
  "message": "Diagnostic module {5ee64afb-398d-4edb-af71-3b830219abf7} (%windir%\\system32\\radarrs.dll) finished resolving scenario {180b3a99-8c39-4f12-b631-2031998efe45}, instance {559e5142-cdcd-4213-bc43-a528c3d24645}, original activity ID {00000000-0000-0000-0000-000000000000}."
}
```
Event ID 135: The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module DiagnosticModuleId (DiagnosticModuleImageName).
Description
The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module DiagnosticModuleId (DiagnosticModuleImageName). The error code was StatusCode. The scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId will be discarded.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| StatusCode | UInt32 | NTSTATUS reference |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
    "event_source_name": "",
    "event_id": 135,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 20,
    "keywords": 4611686052787126272,
    "time_created": "2026-03-13T19:07:40.320523+00:00",
    "event_record_id": 31,
    "correlation": {
      "ActivityID": "9E133514-C13B-49E9-AADB-614204EBAB23"
    },
    "execution": {
      "process_id": 8540,
      "thread_id": 8560
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "DC42FF48-E40D-4A60-8675-E71F7E64AA9A",
    "InstanceId": "9E133514-C13B-49E9-AADB-614204EBAB23",
    "OriginalActivityId": "00000000-0000-0000-0000-000000000000",
    "StatusCode": 2147943469,
    "DiagnosticModuleImageName": "%windir%\\system32\\fthsvc.dll",
    "DiagnosticModuleId": "8D39BD5B-81F8-4B94-A608-6A50BBFF5D15"
  },
  "message": ""
}
```
Event ID 140: The Diagnostic Policy Service encountered an error in file FileName, function FunctionName, line LineNumber: ErrorMessage.
Event ID 145: This event is raised when the SCM loads the service DLL
Description
This event is raised when the SCM loads the service DLL.
Event ID 150: This event is raised when the service enters a SERVICE_RUNNING state
Description
This event is raised when the service enters a SERVICE_RUNNING state.
Event ID 155: This event is raised when the SCM signals the service to shut down.
Description
This event is raised when the SCM signals the service to shut down.
Event ID 160: This event is raised when the service is successfully stopped
Description
This event is raised when the service is successfully stopped.
Event ID 165: The Diagnostic Policy Service encountered an error while handling scenario ScenarioId with diagnostic module DiagnosticModuleId (DiagnosticModuleImageName), instance InstanceId, original activity I...
Description
The Diagnostic Policy Service encountered an error while handling scenario ScenarioId with diagnostic module DiagnosticModuleId (DiagnosticModuleImageName), instance InstanceId, original activity ID OriginalActivityId. The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| StatusCode | UInt32 | NTSTATUS reference |
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
Event ID 170: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) encountered an error while handling scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) encountered an error while handling scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| StatusCode | Int32 | NTSTATUS reference |
| DiagnosticModuleId | GUID | |
Event ID 175: Scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId was dropped by diagnostic module DiagnosticModuleId (DiagnosticModuleImageName).
Description
Scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId was dropped by diagnostic module DiagnosticModuleId (DiagnosticModuleImageName). The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | |
| InstanceId | GUID | |
| OriginalActivityId | GUID | |
| DiagnosticModuleImageName | UnicodeString | |
| StatusCode | Int32 | NTSTATUS reference |
| DiagnosticModuleId | GUID | |
Event ID 180: The Diagnostic Policy Service just refreshed the Group Policy.
Description
The Diagnostic Policy Service just refreshed the Group Policy. This event notifies the diagnostic modules about the Group Policy changes.
Event ID 185: Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) was moved into a broken state.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) was moved into a broken state. The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| DiagnosticModuleImageName | UnicodeString | |
| DiagnosticModuleId | GUID | |
| StatusCode | Int32 | NTSTATUS reference |
Event ID 5016: The Diagnostic Policy Service just made a heap allocation
Event ID 5017: The Diagnostic Policy Service just freed a previously made heap allocation
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 6bba3851-2c7e-4dea-8f54-31e5afd029e3
Defined in dps.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02