Microsoft-Windows-Diagnosis-PLA

48 events across 2 channels

Event	Title	Channel	Sample
1000	Data collector set DataCollectorSetCreation.Name was created by …	Operational	Y
1001	Data collector set DataCollectorSetEdit.Name was changed by …	Operational	Y
1002	Data collector set DataCollectorSetDeletion.Name was deleted by …	Operational	Y
1003	Data collector set DataCollectorSetStart.Name started as …	Operational	Y
1004	Data collector set Name failed to start as User with error code Error.	Operational	N
1005	Data collector set DataCollectorSetStop.Name stopped.	Operational	Y
1006	Data collector set Name stopped because of error Error.	Operational	N
1007	Data collector set Name launched task TaskName.	Operational	N
1008	Data collector set Name failed to launch task TaskName with error code Error.	Operational	N
1009	PLA upgrade failed with error code Error.	Operational	N
1010	Counter CounterName could not be added to collector Name, error code is Error.	Operational	N
1011	Configuration data collector DataCollecotrSet\Name completed.	Operational	N
1012	Data collector set Name is compiling.	Operational	N
1013	Data collector set Name segmented.	Operational	N
1014	Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to start …	Operational	N
1015	Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to start …	Operational	N
1016	Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to write …	Operational	N
1017	PLA failed to send cabinet file CabName to server ServerName, error code is …	Operational	N
2031	Message.	Operational	N
3000	Description.	Operational	N
3001	Description.	Operational	N
3002	Description.	Operational	N
5001	task_05001	Debug	Y
5002	task_05002	Debug	N
5003	task_05003	Debug	N
5004	task_05004	Debug	N
5005	task_05005	Debug	N
5006	task_05006	Debug	N
5007	task_05007	Debug	N
5008	task_05008	Debug	N
5009	task_05009	Debug	N
5010	task_05010	Debug	N
5011	task_05011	Debug	N
5012	task_05012	Debug	N
5013	task_05013	Debug	N
5014	task_05014	Debug	Y
5015	task_05015	Debug	Y
5016	task_05016	Debug	Y
5017	task_05017	Debug	Y
5018	task_05018	Debug	N
5019	task_05019	Debug	Y
5020	task_05020	Debug	Y
5021	task_05021	Debug	Y
5022	task_05022	Debug	Y
5023	task_05023	Debug	Y
5024	task_05024	Debug	Y
5025	task_05025	Debug	Y
5026	task_05026	Debug	Y

Event ID 1000: Data collector set DataCollectorSetCreation.Name was created by DataCollectorSetCreation.UserName.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational
Level: Informational

Description

Data collector set DataCollectorSetCreation.Name was created by DataCollectorSetCreation.UserName.

Message #

Data collector set %1 was created by %2.

Fields #

Name	Description
`Name` UnicodeString
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "E4D53F84-7DE3-11D8-9435-505054503030",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:17.259228+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 11200,
      "thread_id": 10592
    },
    "channel": "Microsoft-Windows-Diagnosis-PLA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "user_data": {
    "DataCollectorSetCreation": {
      "Name": "TestEventCollector",
      "UserName": "ludus\\domainadmin"
    }
  },
  "message": ""
}

Event ID 1001: Data collector set DataCollectorSetEdit.Name was changed by DataCollectorSetEdit.UserName.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational
Level: Informational

Description

Data collector set DataCollectorSetEdit.Name was changed by DataCollectorSetEdit.UserName.

Message #

Data collector set %1 was changed by %2.

Fields #

Name	Description
`Name` UnicodeString
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "E4D53F84-7DE3-11D8-9435-505054503030",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:18.006697+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 10872,
      "thread_id": 11492
    },
    "channel": "Microsoft-Windows-Diagnosis-PLA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "DataCollectorSetEdit": {
      "Name": "TestEventCollector",
      "UserName": "NT AUTHORITY\\LOCAL SERVICE"
    }
  },
  "message": ""
}

Event ID 1002: Data collector set DataCollectorSetDeletion.Name was deleted by DataCollectorSetDeletion.UserName.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational
Level: Informational

Description

Data collector set DataCollectorSetDeletion.Name was deleted by DataCollectorSetDeletion.UserName.

Message #

Data collector set %1 was deleted by %2.

Fields #

Name	Description
`Name` UnicodeString
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "E4D53F84-7DE3-11D8-9435-505054503030",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:24.662101+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 8176,
      "thread_id": 4812
    },
    "channel": "Microsoft-Windows-Diagnosis-PLA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "user_data": {
    "DataCollectorSetDeletion": {
      "Name": "TestEventCollector",
      "UserName": "ludus\\domainadmin"
    }
  },
  "message": ""
}

Event ID 1003: Data collector set DataCollectorSetStart.Name started as DataCollectorSetStart.UserName.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational
Level: Informational

Description

Data collector set DataCollectorSetStart.Name started as DataCollectorSetStart.UserName.

Message #

Data collector set %1 started as %3.

Fields #

Name	Description
`Name` UnicodeString
`Key` UnicodeString
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "E4D53F84-7DE3-11D8-9435-505054503030",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:18.022218+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 12224,
      "thread_id": 11396
    },
    "channel": "Microsoft-Windows-Diagnosis-PLA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "DataCollectorSetStart": {
      "Name": "TestEventCollector",
      "Key": "0x1944_0x1eac_0x225e1a275",
      "UserName": "ludus\\LAB-DC01$"
    }
  },
  "message": ""
}

Event ID 1004: Data collector set Name failed to start as User with error code Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Data collector set Name failed to start as User with error code Error.

Message #

Data collector set %1 failed to start as %3 with error code %4.

Fields #

Name	Description
`Name` UnicodeString
`Key` UnicodeString
`User` UnicodeString
`Error` UInt32

Event ID 1005: Data collector set DataCollectorSetStop.Name stopped.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational
Level: Informational

Description

Data collector set DataCollectorSetStop.Name stopped.

Message #

Data collector set %1 stopped.

Fields #

Name	Description
`Name` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "E4D53F84-7DE3-11D8-9435-505054503030",
    "event_source_name": "",
    "event_id": 1005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:23.041732+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 12224,
      "thread_id": 5752
    },
    "channel": "Microsoft-Windows-Diagnosis-PLA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "DataCollectorSetStop": {
      "Name": "TestEventCollector"
    }
  },
  "message": ""
}

Event ID 1006: Data collector set Name stopped because of error Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Data collector set Name stopped because of error Error.

Message #

Data collector set %1 stopped because of error %2.

Fields #

Name	Description
`Name` UnicodeString
`Error` UInt32

Event ID 1007: Data collector set Name launched task TaskName.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Data collector set Name launched task TaskName.

Message #

Data collector set %1 launched task %2.

Fields #

Name	Description
`Name` UnicodeString
`TaskName` UnicodeString

Event ID 1008: Data collector set Name failed to launch task TaskName with error code Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Data collector set Name failed to launch task TaskName with error code Error.

Message #

Data collector set %1 failed to launch task %2 with error code %3.

Fields #

Name	Description
`Name` UnicodeString
`TaskName` UnicodeString
`Error` UInt32

Event ID 1009: PLA upgrade failed with error code Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

PLA upgrade failed with error code Error.

Message #

PLA upgrade failed with error code %1.

Fields #

Name	Description
`Error` UInt32

Event ID 1010: Counter CounterName could not be added to collector Name, error code is Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Counter CounterName could not be added to collector Name, error code is Error.

Message #

Counter %2 could not be added to collector %1, error code is %3.

Fields #

Name	Description
`Name` UnicodeString
`CounterName` UnicodeString
`Error` UInt32

Event ID 1011: Configuration data collector DataCollecotrSet\Name completed.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Configuration data collector DataCollecotrSet\Name completed.

Message #

Configuration data collector %1\%2 completed.

Fields #

Name	Description
`DataCollecotrSet` UnicodeString
`Name` UnicodeString

Event ID 1012: Data collector set Name is compiling.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Data collector set Name is compiling.

Message #

Data collector set %1 is compiling.

Fields #

Name	Description
`Name` UnicodeString

Event ID 1013: Data collector set Name segmented.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Data collector set Name segmented.

Message #

Data collector set %1 segmented.

Fields #

Name	Description
`Name` UnicodeString

Event ID 1014: Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to start task, error code is Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to start task, error code is Error.

Message #

Alert Data Collector %2 in Data Collector Set %1 failed to start task, error code is %3.

Fields #

Name	Description
`DataCollecotrSet` UnicodeString
`Name` UnicodeString
`Error` UInt32

Event ID 1015: Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to start Data Collector Set, error code is Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to start Data Collector Set, error code is Error.

Message #

Alert Data Collector %2 in Data Collector Set %1 failed to start Data Collector Set, error code is %3.

Fields #

Name	Description
`DataCollecotrSet` UnicodeString
`Name` UnicodeString
`Error` UInt32

Event ID 1016: Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to write event log event, error code is Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Alert Data Collector Name in Data Collector Set DataCollecotrSet failed to write event log event, error code is Error.

Message #

Alert Data Collector %2 in Data Collector Set %1 failed to write event log event, error code is %3.

Fields #

Name	Description
`DataCollecotrSet` UnicodeString
`Name` UnicodeString
`Error` UInt32

Event ID 1017: PLA failed to send cabinet file CabName to server ServerName, error code is Error.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

PLA failed to send cabinet file CabName to server ServerName, error code is Error.

Message #

PLA failed to send cabinet file %2 to server %1, error code is %3.

Fields #

Name	Description
`ServerName` UnicodeString
`CabName` UnicodeString
`Error` UInt32

Event ID 2031: Message.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Message

Message #

%5

Fields #

Name	Description
`Counter` UnicodeString
`Value` UnicodeString
`Operator` UnicodeString
`Threshold` UnicodeString
`Message` UnicodeString

Event ID 3000: Description.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Message #

%2

Fields #

Name	Description
`ReportFileName` UnicodeString
`Description` UnicodeString

Event ID 3001: Description.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Message #

%2

Fields #

Name	Description
`ReportFileName` UnicodeString
`Description` UnicodeString

Event ID 3002: Description.

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Operational

Description

Message #

%2

Fields #

Name	Description
`ReportFileName` UnicodeString
`Description` UnicodeString

Event ID 5001: task_05001

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`BuildNumber` UInt32
`BuildType` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5001,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000100",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BuildNumber": 7366771,
    "BuildType": ""
  },
  "message": ""
}

Event ID 5002: task_05002

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`BuildNumber` UInt32
`BuildType` AnsiString

Event ID 5003: task_05003

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Reason` UInt32
`Result` UInt32

Event ID 5004: task_05004

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString
`FileName` UnicodeString

Event ID 5005: task_05005

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString
`SerialNumber` UInt32

Event ID 5006: task_05006

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString

Event ID 5007: task_05007

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString

Event ID 5008: task_05008

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString
`SerialNumber` UInt32

Event ID 5009: task_05009

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString
`Index` UInt32

Event ID 5010: task_05010

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString

Event ID 5011: task_05011

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString
`FileName` UnicodeString

Event ID 5012: task_05012

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Name` UnicodeString

Event ID 5013: task_05013

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`Message` UnicodeString
`FileName` AnsiString
`Line` UInt32

Event ID 5014: task_05014

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer
`Size` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5014,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000200",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FB8C0",
    "FileName": "",
    "Line": 0,
    "Size": "0x20"
  },
  "message": ""
}

Event ID 5015: task_05015

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5015,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000200",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FB8C0",
    "FileName": "",
    "Line": 0
  },
  "message": ""
}

Event ID 5016: task_05016

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer
`Size` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5016,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000200",
    "time_created": "2026-06-02T05:15:39.407+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A97930B850",
    "FileName": "",
    "Line": 0,
    "Size": "0x1098"
  },
  "message": ""
}

Event ID 5017: task_05017

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5017,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000200",
    "time_created": "2026-06-02T05:15:39.408+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A97930C8F0",
    "FileName": "",
    "Line": 0
  },
  "message": ""
}

Event ID 5018: task_05018

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer
`Size` Pointer
`OrigAddress` Pointer

Event ID 5019: task_05019

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer
`Size` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5019,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000200",
    "time_created": "2026-06-02T05:15:39.406+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A979309AB8",
    "FileName": "",
    "Line": 0,
    "Size": "0x28"
  },
  "message": ""
}

Event ID 5020: task_05020

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`FileName` AnsiString
`Line` UInt32
`Address` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5020,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000200",
    "time_created": "2026-06-02T05:15:39.407+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FF6B8",
    "FileName": "",
    "Line": 0
  },
  "message": ""
}

Event ID 5021: task_05021

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`Name` AnsiString
`Address` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5021,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000400",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FEC90",
    "Name": "struct IDataCollectorSet"
  },
  "message": ""
}

Event ID 5022: task_05022

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`Name` AnsiString
`Address` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5022,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000400",
    "time_created": "2026-06-02T05:15:39.407+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792ECD30",
    "Name": "struct IEnumVARIANT"
  },
  "message": ""
}

Event ID 5023: task_05023

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`Name` AnsiString
`Address` Pointer
`RefCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5023,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000400",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FEC90",
    "Name": "struct IDataCollectorSet",
    "RefCount": 2
  },
  "message": ""
}

Event ID 5024: task_05024

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`Name` AnsiString
`Address` Pointer
`RefCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5024,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000400",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FEC90",
    "Name": "struct IDataCollectorSet",
    "RefCount": 1
  },
  "message": ""
}

Event ID 5025: task_05025

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`Name` AnsiString
`Address` Pointer
`RefCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5025,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000400",
    "time_created": "2026-06-02T05:15:39.405+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Address": "0x1A9792FEC90",
    "Name": "CDataCollectorSet::Query",
    "RefCount": 1
  },
  "message": ""
}

Event ID 5026: task_05026

Provider: Microsoft-Windows-Diagnosis-PLA
Channel: Debug
Also via: realtime ETW trace

Fields #

Name	Description
`Error` UInt32
`FileName` AnsiString
`Line` UInt32
`Function` AnsiString
`User` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PLA",
    "guid": "{E4D53F84-7DE3-11D8-9435-505054503030}",
    "event_source_name": "",
    "event_id": 5026,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000800",
    "time_created": "2026-06-02T05:15:39.407+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 23132,
      "thread_id": 19600
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Error": 2147943568,
    "FileName": "",
    "Function": "Enumerator::GetNamedItem",
    "Line": 0,
    "User": "ludus\\domainadmin"
  },
  "message": ""
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {E4D53F84-7DE3-11D8-9435-505054503030}

Defined in pla.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)