Microsoft-Windows-Diagnostics-Performance
113 events across 3 channels
Event ID 100: Windows has started up.
#Description
Windows has started up.
Message #
Fields #
| Name | Description |
|---|---|
BootTsVersion UInt32 | |
BootStartTime FILETIME | |
BootEndTime FILETIME | |
SystemBootInstance UInt32 | |
UserBootInstance UInt32 | |
BootTime UInt32 | |
MainPathBootTime UInt32 | |
BootKernelInitTime UInt32 | |
BootDriverInitTime UInt32 | |
BootDevicesInitTime UInt32 | |
BootPrefetchInitTime UInt32 | |
BootPrefetchBytes UInt32 | |
BootAutoChkTime UInt32 | |
BootSmssInitTime UInt32 | |
BootCriticalServicesInitTime UInt32 | |
BootUserProfileProcessingTime UInt32 | |
BootMachineProfileProcessingTime UInt32 | |
BootExplorerInitTime UInt32 | |
BootNumStartupApps UInt32 | |
BootPostBootTime UInt32 | |
BootIsRebootAfterInstall Boolean | |
BootRootCauseStepImprovementBits UInt32 | |
BootRootCauseGradualImprovementBits UInt32 | |
BootRootCauseStepDegradationBits UInt32 | |
BootRootCauseGradualDegradationBits UInt32 | |
BootIsDegradation Boolean | |
BootIsStepDegradation Boolean | |
BootIsGradualDegradation Boolean | |
BootImprovementDelta UInt32 | |
BootDegradationDelta UInt32 | |
BootIsRootCauseIdentified Boolean | |
OSLoaderDuration UInt32 | |
BootPNPInitStartTimeMS UInt32 | |
BootPNPInitDuration UInt32 | |
OtherKernelInitDuration UInt32 | |
SystemPNPInitStartTimeMS UInt32 | |
SystemPNPInitDuration UInt32 | |
SessionInitStartTimeMS UInt32 | |
Session0InitDuration UInt32 | |
Session1InitDuration UInt32 | |
SessionInitOtherDuration UInt32 | |
WinLogonStartTimeMS UInt32 | |
OtherLogonInitActivityDuration UInt32 | |
UserLogonWaitDuration UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 100,
"version": 2,
"level": 1,
"task": 4002,
"opcode": 34,
"keywords": 9223372036854841344,
"time_created": "2023-11-05T22:33:58.036254+00:00",
"event_record_id": 38,
"correlation": {
"ActivityID": "E4DB489E-1037-0003-0982-DBE43710DA01"
},
"execution": {
"process_id": 3160,
"thread_id": 3556
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"BootTsVersion": 2,
"BootStartTime": "2023-11-05T22:32:00.970725Z",
"BootEndTime": "2023-11-05T22:33:56.389945Z",
"SystemBootInstance": 8,
"UserBootInstance": 2,
"BootTime": 110680,
"MainPathBootTime": 34629,
"BootKernelInitTime": 164,
"BootDriverInitTime": 1567,
"BootDevicesInitTime": 2810,
"BootPrefetchInitTime": 0,
"BootPrefetchBytes": 0,
"BootAutoChkTime": 0,
"BootSmssInitTime": 6391,
"BootCriticalServicesInitTime": 1441,
"BootUserProfileProcessingTime": 1084,
"BootMachineProfileProcessingTime": 456,
"BootExplorerInitTime": 18858,
"BootNumStartupApps": 3,
"BootPostBootTime": 76051,
"BootIsRebootAfterInstall": false,
"BootRootCauseStepImprovementBits": 0,
"BootRootCauseGradualImprovementBits": 0,
"BootRootCauseStepDegradationBits": 13631488,
"BootRootCauseGradualDegradationBits": 13631488,
"BootIsDegradation": true,
"BootIsStepDegradation": true,
"BootIsGradualDegradation": true,
"BootImprovementDelta": 0,
"BootDegradationDelta": 68995,
"BootIsRootCauseIdentified": true,
"OSLoaderDuration": 3107,
"BootPNPInitStartTimeMS": 164,
"BootPNPInitDuration": 4163,
"OtherKernelInitDuration": 445,
"SystemPNPInitStartTimeMS": 4495,
"SystemPNPInitDuration": 1301,
"SessionInitStartTimeMS": 5910,
"Session0InitDuration": 1013,
"Session1InitDuration": 219,
"SessionInitOtherDuration": 5158,
"WinLogonStartTimeMS": 12302,
"OtherLogonInitActivityDuration": 1926,
"UserLogonWaitDuration": 4739
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 101: This application took longer than usual to start up, resulting in a performance degradation in the system startup process.
#Description
This application took longer than usual to start up, resulting in a performance degradation in the system startup process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 101,
"version": 1,
"level": 3,
"task": 4002,
"opcode": 33,
"keywords": 9223372036854841344,
"time_created": "2023-11-05T22:33:58.036338+00:00",
"event_record_id": 44,
"correlation": {
"ActivityID": "E4DB489E-1037-0003-0982-DBE43710DA01"
},
"execution": {
"process_id": 3160,
"thread_id": 3556
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"StartTime": "2023-11-05T22:32:00.970725Z",
"NameLength": 28,
"Name": "StartMenuExperienceHost.exe",
"FriendlyNameLength": 30,
"FriendlyName": "Windows Start Experience Host",
"VersionLength": 39,
"Version": "10.0.22621.2361 (WinBuild.160101.0800)",
"TotalTime": 6125,
"DegradationTime": 3625,
"PathLength": 106,
"Path": "C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe",
"ProductNameLength": 37,
"ProductName": "Microsoft® Windows® Operating System",
"CompanyNameLength": 22,
"CompanyName": "Microsoft Corporation"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 102: This driver took longer to initialize, resulting in a performance degradation in the system start up process.
#Description
This driver took longer to initialize, resulting in a performance degradation in the system start up process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 102,
"version": 1,
"level": 3,
"task": 4002,
"opcode": 33,
"keywords": 9223372036854841344,
"time_created": "2023-10-25T22:05:44.601509+00:00",
"event_record_id": 25,
"correlation": {
"ActivityID": "028F2288-078F-0001-413E-8F028F07DA01"
},
"execution": {
"process_id": 2484,
"thread_id": 3796
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"StartTime": "2023-10-25T22:02:56.552302Z",
"NameLength": 7,
"Name": "VfpExt",
"FriendlyNameLength": 30,
"FriendlyName": "Microsoft Azure VFP Extension",
"VersionLength": 36,
"Version": "10.0.22621.1 (WinBuild.160101.0800)",
"TotalTime": 8403,
"DegradationTime": 6903,
"PathLength": 39,
"Path": "C:\\Windows\\system32\\drivers\\vfpext.sys",
"ProductNameLength": 37,
"ProductName": "Microsoft® Windows® Operating System",
"CompanyNameLength": 22,
"CompanyName": "Microsoft Corporation"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 103: This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process.
#Description
This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "{CFC18EC0-96B1-4EBA-961B-622CAEE05B0A}",
"event_source_name": "",
"event_id": 103,
"version": 1,
"level": 3,
"task": 4002,
"opcode": 33,
"keywords": -9223372036854710272,
"time_created": "2026-03-17T18:15:25.9842765+00:00",
"event_record_id": 61,
"correlation": {
"ActivityID": "{B96DB0BB-B639-000A-71BF-6DB939B6DC01}"
},
"execution": {
"process_id": 3740,
"thread_id": 4612
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"StartTime": "2026-03-17T18:13:15.4645682Z",
"NameLength": "10",
"Name": "windefend",
"FriendlyNameLength": "0",
"FriendlyName": "",
"VersionLength": "0",
"Version": "",
"TotalTime": "326",
"DegradationTime": "234",
"PathLength": "80",
"Path": "\"c:\\programdata\\microsoft\\windows defender\\platform\\4.18.26010.5-0\\msmpeng.exe\"",
"ProductNameLength": "0",
"ProductName": "",
"CompanyNameLength": "0",
"CompanyName": ""
},
"message": "This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process: \r\n File Name\t\t:\twindefend\r\n Friendly Name\t\t:\t\r\n Version\t\t:\t\r\n Total Time\t\t:\t326ms\r\n Degradation Time\t:\t234ms\r\n Incident Time (UTC)\t:\t2026-03-17T18:13:15.464568200Z"
}
Event ID 104: Core system took longer to initialize, resulting in a performance degradation in the system start up process.
#Event ID 105: Foreground optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process.
#Event ID 106: Background optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process.
#Event ID 107: Application of machine policy caused a slow down in the system start up process.
#Description
Application of machine policy caused a slow down in the system start up process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 107,
"version": 1,
"level": 3,
"task": 4002,
"opcode": 33,
"keywords": 9223372036854841344,
"time_created": "2026-02-10T04:13:48.386918+00:00",
"event_record_id": 13,
"correlation": {
"ActivityID": "43A6D212-9A2A-0007-EC4C-A7432A9ADC01"
},
"execution": {
"process_id": 3924,
"thread_id": 4184
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"StartTime": "2026-02-10T01:12:02.866821Z",
"NameLength": 25,
"Name": "MachinePolicyApplication",
"TotalTime": 2121,
"DegradationTime": 1121
},
"message": ""
}
Event ID 108: Application of user policy caused a slow down in the system start up process.
#Event ID 109: This device took longer to initialize, resulting in a performance degradation in the system start up process.
#Description
This device took longer to initialize, resulting in a performance degradation in the system start up process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 110: Session manager initialization caused a slow down in the startup process.
#Description
Session manager initialization caused a slow down in the startup process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 110,
"version": 1,
"level": 3,
"task": 4002,
"opcode": 33,
"keywords": 9223372036854841344,
"time_created": "2023-10-25T22:05:44.601513+00:00",
"event_record_id": 26,
"correlation": {
"ActivityID": "028F2288-078F-0001-413E-8F028F07DA01"
},
"execution": {
"process_id": 2484,
"thread_id": 3796
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"StartTime": "2023-10-25T22:02:56.552302Z",
"NameLength": 9,
"Name": "SMSSInit",
"TotalTime": 17567,
"DegradationTime": 7567
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 200: Windows has shutdown.
#Description
Windows has shutdown.
Message #
Fields #
| Name | Description |
|---|---|
ShutdownTsVersion UInt32 | |
ShutdownStartTime FILETIME | |
ShutdownEndTime FILETIME | |
ShutdownTime UInt32 | |
ShutdownUserSessionTime UInt32 | |
ShutdownUserPolicyTime UInt32 | |
ShutdownUserProfilesTime UInt32 | |
ShutdownSystemSessionsTime UInt32 | |
ShutdownPreShutdownNotificationsTime UInt32 | |
ShutdownServicesTime UInt32 | |
ShutdownKernelTime UInt32 | |
ShutdownRootCauseStepImprovementBits UInt32 | |
ShutdownRootCauseGradualImprovementBits UInt32 | |
ShutdownRootCauseStepDegradationBits UInt32 | |
ShutdownRootCauseGradualDegradationBits UInt32 | |
ShutdownIsDegradation Boolean | |
ShutdownTimeChange Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 200,
"version": 1,
"level": 3,
"task": 4007,
"opcode": 40,
"keywords": 9223372036854841344,
"time_created": "2023-11-05T22:33:56.991516+00:00",
"event_record_id": 36,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-FD89-DBE43710DA01"
},
"execution": {
"process_id": 3160,
"thread_id": 3468
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ShutdownTsVersion": 1,
"ShutdownStartTime": "2023-11-05T22:31:30.287074Z",
"ShutdownEndTime": "2023-11-05T22:31:43.106260Z",
"ShutdownTime": 12819,
"ShutdownUserSessionTime": 3778,
"ShutdownUserPolicyTime": 17,
"ShutdownUserProfilesTime": 236,
"ShutdownSystemSessionsTime": 6148,
"ShutdownPreShutdownNotificationsTime": 1596,
"ShutdownServicesTime": 4185,
"ShutdownKernelTime": 2892,
"ShutdownRootCauseStepImprovementBits": 0,
"ShutdownRootCauseGradualImprovementBits": 0,
"ShutdownRootCauseStepDegradationBits": 72,
"ShutdownRootCauseGradualDegradationBits": 0,
"ShutdownIsDegradation": true,
"ShutdownTimeChange": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 201: This application caused a delay in the system shutdown process.
#Description
This application caused a delay in the system shutdown process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 202: This device caused a delay in the system shutdown process.
#Description
This device caused a delay in the system shutdown process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 203: This service caused a delay in the system shutdown process.
#Description
This service caused a delay in the system shutdown process.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Diagnostics-Performance",
"guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
"event_source_name": "",
"event_id": 203,
"version": 1,
"level": 3,
"task": 4007,
"opcode": 41,
"keywords": 9223372036854841344,
"time_created": "2023-11-05T22:33:56.991549+00:00",
"event_record_id": 37,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-FD89-DBE43710DA01"
},
"execution": {
"process_id": 3160,
"thread_id": 3468
},
"channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"StartTime": "2023-11-05T22:31:30.287074Z",
"NameLength": 10,
"Name": "WinDefend",
"FriendlyNameLength": 0,
"FriendlyName": "",
"VersionLength": 0,
"Version": "",
"TotalTime": 4054,
"DegradationTime": 54,
"PathLength": 83,
"Path": "\"c:\\programdata\\microsoft\\windows defender\\platform\\4.18.23090.2008-0\\msmpeng.exe\"",
"ProductNameLength": 0,
"ProductName": "",
"CompanyNameLength": 0,
"CompanyName": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 300: Windows has resumed from standby.
#Description
Windows has resumed from standby.
Message #
Fields #
| Name | Description |
|---|---|
StandbyTsVersion UInt32 | |
StandbyAppCount UInt32 | |
StandbyServicesCount UInt32 | |
StandbyDevicesCount UInt32 | |
StandbyStartTime FILETIME | |
StandbyEndTime FILETIME | |
StandbySuspendTotal UInt32 | |
StandbySuspendTotalChange Int32 | |
StandbySuspendQueryApps UInt32 | |
StandbySuspendQueryAppsChange Int32 | |
StandbySuspendQueryServices UInt32 | |
StandbySuspendQueryServicesChange Int32 | |
StandbySuspendApps UInt32 | |
StandbySuspendAppsChange Int32 | |
StandbySuspendServices UInt32 | |
StandbySuspendServicesChange Int32 | |
StandbySuspendShowUI UInt32 | |
StandbySuspendShowUIChange Int32 | |
StandbySuspendSuperfetchPageIn UInt32 | |
StandbySuspendSuperfetchPageInChange Int32 | |
StandbySuspendWinlogon UInt32 | |
StandbySuspendWinlogonChange Int32 | |
StandbySuspendLockPageableSections UInt32 | |
StandbySuspendLockPageableSectionsChange Int32 | |
StandbySuspendPreSleepCallbacks UInt32 | |
StandbySuspendPreSleepCallbacksChange Int32 | |
StandbySuspendSwapInWorkerThreads UInt32 | |
StandbySuspendSwapInWorkerThreadsChange Int32 | |
StandbySuspendQueryDevices UInt32 | |
StandbySuspendQueryDevicesChange Int32 | |
StandbySuspendFlushVolumes UInt32 | |
StandbySuspendFlushVolumesChange Int32 | |
StandbySuspendSuspendDevices UInt32 | |
StandbySuspendSuspendDevicesChange Int32 | |
StandbySuspendHibernateWrite UInt32 | |
StandbySuspendHibernateWriteChange Int32 | |
ResumeStartTime FILETIME | |
ResumeEndTime FILETIME | |
StandbyResumeTotal UInt32 | |
StandbyResumeTotalChange Int32 | |
StandbyResumeHibernateRead UInt32 | |
StandbyResumeHibernateReadChange Int32 | |
StandbyResumeS3BiosInitTime UInt32 | |
StandbyResumeS3BiosInitTimeChange Int32 | |
StandbyResumeResumeDevices UInt32 | |
StandbyResumeResumeDevicesChange Int32 | |
StandbyRootCauseDegradationGradual UInt32 | |
StandbyRootCauseImprovementGradual UInt32 | |
StandbyRootCauseDegradationStep UInt32 | |
StandbyRootCauseImprovementStep UInt32 | |
StandbyIsDegradation Boolean | |
StandbyIsTroubleshooterLaunched Boolean | |
StandbyIsRootCauseIdentified Boolean |
Event ID 301: This application caused a delay during standby.
#Description
This application caused a delay during standby.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 302: This driver caused a delay during standby while servicing a device.
#Description
This driver caused a delay during standby while servicing a device.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString | |
DeviceNameLength UInt32 | |
DeviceName UnicodeString | |
DeviceFriendlyNameLength UInt32 | |
DeviceFriendlyName UnicodeString | |
DeviceTotalTime UInt32 | |
DeviceDegradationTime UInt32 |
Event ID 303: This service caused a delay during hybrid-sleep.
#Description
This service caused a delay during hybrid-sleep.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 304: Creation of the hiber-file was slower than expected.
#Event ID 305: Persisting disk caches was slower than expected.
#Event ID 306: Preparing the video subsystem for sleep was slower than expected.
#Event ID 307: Preparing Winlogon for sleep was slower than expected.
#Event ID 308: Preparing system memory for sleep was slower than expected.
#Event ID 309: Preparing core system for sleep was slower than expected.
#Event ID 310: Preparing system worker threads for sleep was slower than expected.
#Event ID 350: Bios initialization time was greater than 250ms (logo requirement) during system resume.
#Event ID 351: This driver responded slower than expected to the resume request while servicing this device.
#Description
This driver responded slower than expected to the resume request while servicing this device.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
TotalTime UInt32 | |
DegradationTime UInt32 | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString | |
DeviceNameLength UInt32 | |
DeviceName UnicodeString | |
DeviceFriendlyNameLength UInt32 | |
DeviceFriendlyName UnicodeString | |
DeviceTotalTime UInt32 | |
DeviceDegradationTime UInt32 |
Event ID 352: Reading the hiber-file was slower than expected.
#Event ID 400: Information about the system performance monitoring event.
#Description
Information about the system performance monitoring event.
Message #
Fields #
| Name | Description |
|---|---|
ShellScenarioStartTime FILETIME | |
ShellScenarioEndTime FILETIME | |
ShellSubScenario UInt32 | |
ShellScenarioDuration UInt32 | |
ShellRootCauseBits UInt32 | |
ShellAnalysisResult UInt32 | |
ShellDegradationType UInt32 | |
ShellTsVersion UInt32 | |
ShellMachineUpTimeHours UInt32 | |
ShellMachineSleepPattern UInt32 |
Event ID 401: This process is using up processor time and is impacting the performance of Windows.
#Description
This process is using up processor time and is impacting the performance of Windows.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
ThreadTime UInt32 | |
BlockedTime UInt32 | |
PercentTime Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 402: This process is doing excessive disk activities and is impacting the performance of Windows.
#Description
This process is doing excessive disk activities and is impacting the performance of Windows.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
ThreadTime UInt32 | |
BlockedTime UInt32 | |
PercentTime Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 403: This driver is using up too many resources and is impacting the performance of Windows.
#Description
This driver is using up too many resources and is impacting the performance of Windows.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
ThreadTime UInt32 | |
BlockedTime UInt32 | |
PercentTime Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 404: This driver is waiting longer than expected on a device.
#Description
This driver is waiting longer than expected on a device.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
ThreadTime UInt32 | |
BlockedTime UInt32 | |
PercentTime Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 405: This file is fragmented and is impacting the performance of Windows.
#Description
This file is fragmented and is impacting the performance of Windows.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
ThreadTime UInt32 | |
BlockedTime UInt32 | |
PercentTime Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 406: Disk IO to this file is taking longer than expected.
#Description
Disk IO to this file is taking longer than expected.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
ThreadTime UInt32 | |
BlockedTime UInt32 | |
PercentTime Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 407: This process is using up too much system memory.
#Description
This process is using up too much system memory.
Message #
Fields #
| Name | Description |
|---|---|
StartTime FILETIME | |
NameLength UInt32 | |
Name UnicodeString | |
FriendlyNameLength UInt32 | |
FriendlyName UnicodeString | |
VersionLength UInt32 | |
Version UnicodeString | |
WorkingSetSizeKb UInt32 | |
PeakWorkingSetSizeKb UInt32 | |
ProcessId UInt32 | |
PercentMemory Double | |
PathLength UInt32 | |
Path UnicodeString | |
ProductNameLength UInt32 | |
ProductName UnicodeString | |
CompanyNameLength UInt32 | |
CompanyName UnicodeString |
Event ID 408: Many processes are using too much system memory.
#Event ID 500: The Desktop Window Manager is experiencing heavy resource contention.
#Event ID 501: The Desktop Window Manager is experiencing heavy resource contention.
#Event ID 1002: Status
#Event ID 1007: Status
#Event ID 2005: Status
#Event ID 2006: Status
#Event ID 2007: Status
#Event ID 2008: Status
#Event ID 2009: Status
#Event ID 2010: Status
#Event ID 2011: Status
#Event ID 2012: Status
#Event ID 2013: Status
#Event ID 2014: Status
#Event ID 2015: Status
#Event ID 2016: Status
#Event ID 9003: Status
#Event ID 9009: Status
#Event ID 11001: Standby_ReceivedEvent
#Fields #
| Name | Description |
|---|---|
GUID GUID | |
EventId UInt16 | |
InternalState UInt32 |
Event ID 11003: Standby_FailedTransition
#Event ID 11005: Standby_DetectRegressionsStart
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID cfc18ec0-96b1-4eba-961b-622caee05b0a
Defined in diagperf.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02