Microsoft-Windows-DotNETRuntime
145 events across 2 channels
Event ID 1: Count=.
#Description
Count=Count; Depth=Depth; Reason=Reason; Type=Type; ClrInstanceID=ClrInstanceID; ClientSequenceNumber=ClientSequenceNumber
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
Depth UInt32 | |
Reason UInt32 | |
Type UInt32 | |
ClrInstanceID UInt16 | |
ClientSequenceNumber UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 1,
"version": 2,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14232,
"thread_id": 13300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClientSequenceNumber": 0,
"ClrInstanceID": 10,
"Count": 5,
"Depth": 2,
"Reason": 1,
"Type": 0
},
"message": "GarbageCollection"
}
Event ID 1: Count=.
#Event ID 2: Count=.
#Description
Count=Count; Depth=Depth; ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
Depth UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 2,
"version": 1,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 1,
"Depth": 2
},
"message": "GarbageCollection"
}
Event ID 3: ClrInstanceID=.
#Description
ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 3,
"version": 1,
"level": 4,
"task": 1,
"opcode": 132,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "GarbageCollection"
}
Event ID 4: GenerationSize0=GenerationSize0.
#Description
GenerationSize0=GenerationSize0.
Message #
Fields #
| Name | Description |
|---|---|
GenerationSize0 UInt64 | |
TotalPromotedSize0 UInt64 | |
GenerationSize1 UInt64 | |
TotalPromotedSize1 UInt64 | |
GenerationSize2 UInt64 | |
TotalPromotedSize2 UInt64 | |
GenerationSize3 UInt64 | |
TotalPromotedSize3 UInt64 | |
FinalizationPromotedSize UInt64 | |
FinalizationPromotedCount UInt64 | |
PinnedObjectCount UInt32 | |
SinkBlockCount UInt32 | |
GCHandleCount UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 4,
"version": 1,
"level": 4,
"task": 1,
"opcode": 133,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"FinalizationPromotedCount": 1,
"FinalizationPromotedSize": 32,
"GCHandleCount": 52,
"GenerationSize0": 24,
"GenerationSize1": 67368,
"GenerationSize2": 24,
"GenerationSize3": 68648,
"PinnedObjectCount": 7,
"SinkBlockCount": 9,
"TotalPromotedSize0": 44168,
"TotalPromotedSize1": 0,
"TotalPromotedSize2": 0,
"TotalPromotedSize3": 68488
},
"message": "GarbageCollection"
}
Event ID 4: GenerationSize0=.
#Event ID 5: Address=.
#Event ID 6: Address=.
#Event ID 7: ClrInstanceID=.
#Description
ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 7,
"version": 1,
"level": 4,
"task": 1,
"opcode": 136,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "GarbageCollection"
}
Event ID 8: ClrInstanceID=.
#Description
ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 8,
"version": 1,
"level": 4,
"task": 1,
"opcode": 137,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14232,
"thread_id": 13300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 10
},
"message": "GarbageCollection"
}
Event ID 9: Reason=.
#Description
Reason=Reason; Count=Count; ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Count UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 9,
"version": 1,
"level": 4,
"task": 1,
"opcode": 10,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14232,
"thread_id": 13300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 10,
"Count": 4,
"Reason": 1
},
"message": "GarbageCollection"
}
Event ID 10: Amount=.
#Description
Amount=AllocationAmount; Kind=AllocationKind; ClrInstanceID=ClrInstanceID;Amount64=AllocationAmount64; TypeID=TypeID; TypeName=TypeName; HeapIndex=HeapIndex; Address=Address
Message #
Fields #
| Name | Description |
|---|---|
AllocationAmount UInt32 | |
AllocationKind UInt32 | |
ClrInstanceID UInt16 | |
AllocationAmount64 UInt64 | |
TypeID Pointer | |
TypeName UnicodeString | |
HeapIndex UInt32 | |
Address Pointer |
Event ID 10: Amount=.
#Fields #
| Name | Description |
|---|---|
AllocationAmount | |
AllocationKind | |
ClrInstanceID | |
AllocationAmount64 | |
TypeID | |
TypeName | |
HeapIndex | |
Address |
Event ID 11: ClrInstanceID=.
#Event ID 11: NONE
#Event ID 12: NONE
#Event ID 13: Count=.
#Description
Count=Count; ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 13,
"version": 1,
"level": 4,
"task": 1,
"opcode": 15,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.463+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 15288
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 1
},
"message": "GarbageCollection"
}
Event ID 14: ClrInstanceID=.
#Description
ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 14,
"version": 1,
"level": 4,
"task": 1,
"opcode": 19,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.463+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 15288
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "GarbageCollection"
}
Event ID 15: Count=.
#Description
Count=Count; ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
Count mof:UInt32 | |
ClrInstanceID UInt16 | |
Values Int8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 15,
"version": 0,
"level": 4,
"task": 21,
"opcode": 10,
"keywords": "0x0000000000080000",
"time_created": "2026-06-02T05:22:23.458+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 31,
"Values": "789D0CE3F97F000000100AE3F97F00005B0100020000000012530079007300740065006D002E00560065007200730069006F006E0000000000000028280CE3F97F000000100AE3F97F0000BF0400020000000012530079007300740065006D002E0043006F006C006C0065006300740069006F006E0073002E00470065006E0065007200690063002E00440069006300740069006F006E00610072007900600032005B00530079007300740065006D002E0053007400720069006E0067002C00530079007300740065006D002E0041007000700043006F006E0074006500780074002B00530077006900740063006800560061006C0075006500530074006100740065005D00000002000000685A0CE3F97F0000382B0CE3F97F0000685A0CE3F97F000000100AE3F97F000073000002000000000E530079007300740065006D002E0053007400720069006E006700000000000000382B0CE3F97F000000100AE3F97F0000BF0A00020000000008530077006900740063006800560061006C00750065005300740061007400650000000000000068B50CE3F97F000000100AE3F97F0000880000020000000012530079007300740065006D002E005F005F00460069006C007400650072007300000000000000801514E3F97F000000100AE3F97F0000D20000020000000012530079007300740065006D002E00440042004E0075006C006C00000000000000A83314E3F97F000000100AE3F97F00001C0100020000000012530079007300740065006D002E004F007000650072006100740069006E006700530079007300740065006D00000000000000E01114E3F97F000000100AE3F97F0000EB0000020000000011530079007300740065006D002E00470075006900640000000000000038770CE3F97F000000100AE3F97F00002C0100020000000012530079007300740065006D002E00520075006E00740069006D006500540079007000650000000000000088E914E3F97F000000100AE3F97F0000F80A0002000000001241006300740069007600610074006F00720043006100630068006500000000000000985F0CE3F97F000000100AE3F97F00003E0100020000000012530079007300740065006D002E00530068006100720065006400530074006100740069006300730000000000000020B60CE3F97F000000100AE3F97F0000000600020100000012530079007300740065006D002E005200650066006C0065006300740069006F006E002E004D0065006D00620065007200460069006C00740065007200000000000000B0B60CE3F97F000000100AE3F97F00000A0600020000000012530079007300740065006D002E005200650066006C0065006300740069006F006E002E004D0069007300730069006E006700000000000000C2330AE3F97F000000100AE3F97F000000000002080000001D530079007300740065006D002E0054007900700065005B005D00000001000000A8700CE3F97F0000A8700CE3F97F000000100AE3F97F0000480100020000000012530079007300740065006D002E005400790070006500000000000000D8BF0CE3F97F000000100AE3F97F0000D40000020000000012530079007300740065006D002E00440065006600610075006C007400420069006E00640065007200000000000000E22F0AE3F97F000000100AE3F97F000000000002080000001D530079007300740065006D002E0043006800610072005B005D00000001000000E0680CE3F97F0000E0680CE3F97F000000100AE3F97F0000B60000020000000003530079007300740065006D002E004300680061007200000000000000C85014E3F97F000000100AE3F97F0000070300020000000012530079007300740065006D002E00530065006300750072006900740079002E005000650072006D0069007300730069006F006E0073002E00530065006300750072006900740079005000650072006D0069007300730069006F006E00000000000000683C14E3F97F000000100AE3F97F0000E10100020000000012530079007300740065006D002E00530065006300750072006900740079002E005000650072006D0069007300730069006F006E0054006F006B0065006E00000000000000803D14E3F97F000000100AE3F97F0000E20100020000000012530079007300740065006D002E00530065006300750072006900740079002E005000650072006D0069007300730069006F006E0054006F006B0065006E0046006100630074006F0072007900000000000000183D14E3F97F000000100AE3F97F00007E0300020000000012530079007300740065006D002E00530065006300750072006900740079002E005500740069006C002E0054006F006B0065006E0042006100730065006400530065007400000000000000389E0CE3F97F000000100AE3F97F0000A30300020000000012530079007300740065006D002E0047006C006F00620061006C0069007A006100740069006F006E002E00430061006C0065006E006400610072004400610074006100000000000000C09B0CE3F97F000000100AE3F97F0000A90300020000000012530079007300740065006D002E0047006C006F00620061006C0069007A006100740069006F006E002E00430075006C00740075007200650049006E0066006F00000000000000209D0CE3F97F000000100AE3F97F0000DC0300020000000012530079007300740065006D002E0047006C006F00620061006C0069007A006100740069006F006E002E00430075006C0074007500720065004400610074006100000000000000409F0CE3F97F000000100A...[truncated]"
},
"message": "Type"
}
Event ID 16: ClrInstanceID=Index.
#Description
ClrInstanceID=Index.
Message #
Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Count UInt32 | |
ClrInstanceID UInt16 | |
Values UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 16,
"version": 0,
"level": 4,
"task": 1,
"opcode": 20,
"keywords": "0x0000000000100000",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 116,
"Index": 0,
"Values": "10F20000B40100000000000000908985DEF97F00000000000000000000000000000058B475DEF97F000030F20000B4010000000000000058B475DEF97F000010F20000B4010000000000000058B475DEF97F00000000000000000000000000000058B475DEF97F0000B0E20000B40100000000000000185985DEF97F00000000000000000000000000000068D4B0C2F97F0000B0E20000B4010000000000000068D4B0C2F97F0000909C0010B401000000040000005036B0C2F97F0000909C0010B401000000040000005036B0C2F97F000038AE0000B401000000000000009837B0C2F97F00000000000000000000000000000018AE61C4F97F000018580000B4010000000000000018AE61C4F97F00000000000000000000000000000018AE61C4F97F000000430000B40100000000000000F8780AE3F97F0000C0580000B40100000000000000F8780AE3F97F0000904D0000B40100000000000000F8780AE3F97F000000000000000000000000000000F8780AE3F97F000000430000B40100000000000000B0BC27E3F97F0000F0570000B40100000000000000B0BC27E3F97F0000F8460000B40100000000000000B0BC27E3F97F0000C0580000B40100000000000000B0BC27E3F97F0000C0580000B4010000000000000098BC27E3F97F0000F8460000B4010000000000000098BC27E3F97F000000430000B4010000000000000098BC27E3F97F0000F0570000B4010000000000000098BC27E3F97F00000000000000000000000000000098BC27E3F97F00000000000000000000000000000098BC27E3F97F0000F0570000B401000000000000000000000000000000000000000000000000000000000000000000000000F8460000B401000000000000000000000000000000D8570000B40100000000000000000000000000000000430000B40100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018580000B401000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F0140100B4010000000000000068E626E3F97F0000F0140100B40100000000000000202227E3F97F000000000000000000000000000000202227E3F97F0000909C0010B401000000040000006073AFC2F97F000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070750000B40100000000000000004729E3F97F000090030100B40100000000000000B8850AE3F97F000070750000B40100000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F0000D0030100B40100000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000B8850AE3F97F000000000000000000000000000000F0C528E3F97F000090030100B40100000000000000584C29E3F97F000018760000B40100000000000000584C29E3F97F0000E8FF0000B40100000004000000584C29E3F97F0000C8790000B40100000000000000584C29E3F97F000000000000000000000000000000584C29E3F97F000070750000B40100000000000000584C29E3F97F000000000000000000000000000000584C29E3F97F000058000100B4010000000000000000023BE3F97F000020970000B4010000000000000000023BE3F97F00000000000000000000000000000000023BE3F97F000070750000B4010000000000000000023BE3F97F000050B10000B401000001000000000000000000000000D8A70000B40100000202000000C0117F76B401000040A10000B40100000202000000C8117F76B401000040940000B40100000202000000D0117F76B4010000903F0000B40100000202000000F0117F76B4010000E8FF0000B4010000020000000050137F76B4010000D0030100B4010000020000000060137F76B401000098A10000B4010000020000000068137F76B4010000D8570000B4010000020000000070137F76B4010000104C0000B4010000020000000080137F76B4010000984A0000B4010000020000000088137F76B4010000B8490000B4010000020000000090137F76B401000010480000B4010000020000000098137F76B4010000F8460000B40100000200000000A0137F76B4010000B8200000B40100000200000000A8137F76B401000040140000B40100000200000000B0137F76B401000068130000B40100000200000000B8137F76B4010000C8120000B40100000200000000C0137F76B401000028120000B40100000200000000C8137F76B401000088110000B40100000200000000D0137F76B4010000E8100000B4010000020000...[truncated]"
},
"message": "GarbageCollection"
}
Event ID 17: ClrInstanceID=Index.
#Event ID 18: ClrInstanceID=Index.
#Description
ClrInstanceID=Index.
Message #
Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Count UInt32 | |
ClrInstanceID UInt16 | |
Values UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 18,
"version": 0,
"level": 4,
"task": 1,
"opcode": 22,
"keywords": "0x0000000000100000",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 608,
"Index": 0,
"Values": "48100000B4010000A000000000000000185C0CE3F97F00000000000000000000E8100000B4010000A000000000000000B05C0CE3F97F0000000000000000000088110000B4010000A000000000000000285D0CE3F97F0000000000000000000028120000B4010000A000000000000000A05D0CE3F97F00000000000000000000C8120000B4010000A000000000000000185E0CE3F97F0000000000000000000068130000B4010000A000000000000000185E0CE3F97F0000000000000000000008140000B40100001800000000000000805E0CE3F97F0000000000000000000020140000B40100001A00000000000000685A0CE3F97F0000000000000000000040140000B40100003000000000000000985F0CE3F97F0000000000000000000070140000B40100007000000000000000685A0CE3F97F00000000000000000000E0140000B40100009A00000000000000685A0CE3F97F0000000000000000000080150000B4010000D80000000000000008600CE3F97F0000030000000000000058160000B40100002200000000000000685A0CE3F97F0000000000000000000080160000B40100005A00000000000000685A0CE3F97F00000000000000000000E0160000B4010000800000000000000000670CE3F97F00000100000000000000F0170000B40100002800000000000000685A0CE3F97F0000000000000000000038180000B40100003600000000000000685A0CE3F97F0000000000000000000070180000B4010000A8000000000000001A300AE3F97F00000300000000000000D0190000B40100002800000000000000685A0CE3F97F00000000000000000000F8190000B40100001C00000000000000685A0CE3F97F00000000000000000000181A0000B40100003200000000000000685A0CE3F97F00000000000000000000501A0000B40100003800000000000000685A0CE3F97F00000000000000000000881A0000B40100003A00000000000000685A0CE3F97F00000000000000000000C81A0000B40100002E00000000000000685A0CE3F97F00000000000000000000F81A0000B40100002800000000000000685A0CE3F97F00000000000000000000201B0000B40100002A00000000000000685A0CE3F97F00000000000000000000501B0000B40100003200000000000000685A0CE3F97F00000000000000000000881B0000B40100004600000000000000685A0CE3F97F00000000000000000000D01B0000B40100004600000000000000685A0CE3F97F00000000000000000000181C0000B40100004C00000000000000685A0CE3F97F00000000000000000000681C0000B40100004000000000000000685A0CE3F97F00000000000000000000A81C0000B40100003E00000000000000685A0CE3F97F00000000000000000000E81C0000B40100003800000000000000685A0CE3F97F00000000000000000000201D0000B40100003800000000000000685A0CE3F97F00000000000000000000581D0000B40100002A00000000000000685A0CE3F97F00000000000000000000881D0000B40100003600000000000000685A0CE3F97F00000000000000000000C01D0000B40100004400000000000000685A0CE3F97F00000000000000000000081E0000B40100003000000000000000685A0CE3F97F00000000000000000000381E0000B40100002400000000000000685A0CE3F97F00000000000000000000A01F0000B40100005A00000000000000685A0CE3F97F0000000000000000000000200000B40100005200000000000000685A0CE3F97F0000000000000000000058200000B40100005E00000000000000685A0CE3F97F00000000000000000000B8200000B40100004000000000000000586C0CE3F97F0000000000000000000078220000B40100001E00000000000000685A0CE3F97F00000000000000000000A0230000B40100001C00000000000000685A0CE3F97F00000000000000000000C0230000B40100001C00000000000000685A0CE3F97F00000000000000000000E0230000B40100001C00000000000000685A0CE3F97F0000000000000000000000240000B40100001C00000000000000685A0CE3F97F0000000000000000000020240000B40100006600000000000000685A0CE3F97F0000000000000000000088240000B40100001E00000000000000685A0CE3F97F00000000000000000000A8240000B40100003E00000000000000685A0CE3F97F00000000000000000000E8240000B40100001E00000000000000685A0CE3F97F0000000000000000000008250000B40100003C00000000000000685A0CE3F97F0000000000000000000048250000B40100001C00000000000000685A0CE3F97F0000000000000000000068250000B40100001C00000000000000685A0CE3F97F0000000000000000000088250000B40100001C00000000000000685A0CE3F97F00000000000000000000A8250000B40100001C00000000000000685A0CE3F97F00000000000000000000C8250000B40100001C00000000000000685A0CE3F97F00000000000000000000E8250000B40100001C00000000000000685A0CE3F97F0000000000000000000008260000B40100001C00000000000000685A0CE3F97F0000000000000000000028260000B40100001C00000000000000685A0CE3F97F0000000000000000000048260000B40100001C00000000000000685A0CE3F97F0000000000000000000068260000B40100001C00000000000000685A0CE3F97F0000000000000000000088260000B40100001C00000000000000685A0CE3F97F00000000000000000000...[truncated]"
},
"message": "GarbageCollection"
}
Event ID 19: ClrInstanceID=Index.
#Description
ClrInstanceID=Index.
Message #
Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Count UInt32 | |
ClrInstanceID UInt16 | |
Values UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 19,
"version": 0,
"level": 4,
"task": 1,
"opcode": 23,
"keywords": "0x0000000000100000",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 1751,
"Index": 0,
"Values": "E0160000B401000000000000E8940000B40100000000000028950000B40100000000000070180000B40100000000000070140000B401000000000000E0140000B40100000000000038180000B40100000000000020140000B40100000000000020140000B40100000000000020140000B40100000000000020140000B40100000000000020240000B40100000000000020240000B40100000000000020140000B40100000000000088240000B401000000000000A8240000B401000000000000A8240000B401000000000000A8240000B401000000000000E8240000B40100000000000008250000B40100000000000008250000B401000000000000E8240000B40100000000000048250000B40100000000000068250000B401000000000000A82C0000B401000000000000102D0000B401000000000000E0230000B40100000000000088260000B401000000000000A8260000B401000000000000C8260000B401000000000000F8260000B40100000000000028270000B40100000000000048270000B40100000000000068270000B40100000000000088270000B401000000000000A8270000B401000000000000A8270000B401000000000000302D0000B401000000000000E0230000B40100000000000088260000B40100000000000088260000B401000000000000F8270000B40100000000000018280000B401000000000000502D0000B401000000000000702D0000B401000000000000A82D0000B401000000000000C82D0000B401000000000000E82D0000B40100000000000020140000B40100000000000020140000B40100000000000010290000B40100000000000038290000B40100000000000058290000B40100000000000078290000B40100000000000098290000B40100000000000020140000B401000000000000B8290000B40100000000000000240000B401000000000000C0230000B40100000000000088250000B401000000000000A8250000B401000000000000C8250000B401000000000000E8250000B40100000000000008260000B40100000000000028260000B40100000000000048260000B40100000000000068260000B40100000000000038280000B40100000000000068280000B40100000000000090280000B401000000000000C0280000B401000000000000E8280000B40100000000000038280000B40100000000000080360000B401000000000000002F0000B40100000000000020370000B40100000000000068370000B40100000000000048370000B40100000000000010300000B40100000000000088370000B401000000000000A8370000B401000000000000C8370000B401000000000000E8370000B40100000000000038380000B40100000000000088380000B401000000000000D8380000B40100000000000058390000B401000000000000D8380000B40100000000000058390000B401000000000000D8380000B401000000000000402F0000B401000000000000702F0000B401000000000000A02F0000B401000000000000E02F0000B401000000000000B82E0000B401000000000000E02E0000B401000000000000E02E0000B40100000000000038300000B40100000000000060300000B40100000000000088300000B401000000000000B0300000B401000000000000E0300000B40100000000000010310000B40100000000000038310000B40100000000000068310000B40100000000000088310000B401000000000000A8310000B401000000000000C8310000B401000000000000E8310000B40100000000000008320000B40100000000000028320000B40100000000000048320000B40100000000000068320000B40100000000000088320000B401000000000000A8320000B401000000000000C8320000B401000000000000E8320000B40100000000000008330000B40100000000000028330000B40100000000000050330000B40100000000000080330000B401000000000000A8330000B401000000000000D0330000B401000000000000F0330000B40100000000000018340000B40100000000000040340000B40100000000000068340000B40100000000000098340000B401000000000000C0340000B401000000000000F0340000B40100000000000020140000B40100000000000020350000B40100000000000040350000B40100000000000060350000B40100000000000080350000B401000000000000D0330000B401000000000000A0350000B401000000000000C0350000B401000000000000E0350000B40100000000000000360000B40100000000000020360000B40100000000000040360000B40100000000000060360000B40100000000000020140000B401000000000000083D0000B401000000000000083D0000B401000000000000083D0000B401000000000000483C0000B401000000000000C0460000B40100000000000070400000B40100000000000058460000B40100000000000048440000B401000000000000103C0000B40100000000000018410000B401000000000000903F0000B401000000000000483C0000B401000000000000903F0000B40100000000000038420000B401000000000000D0410000B401000000000000A8400000B40100000000000020420000B401000000000000483C0000B401000000000000B83C0000B40100000000000048430000B401000000000000E0430000B401000000000000483C0000B40100000000000000430000B40100000000000028460000B401000000000000903F0000B401000000000000F0450000B40100000000000090460000B4010000...[truncated]"
},
"message": "GarbageCollection"
}
Event ID 19: ClrInstanceID=.
#Event ID 20: High:ClrInstanceID=Address.
#Event ID 21: ClrInstanceID=Index.
#Description
ClrInstanceID=Index.
Message #
Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Count UInt32 | |
ClrInstanceID UInt16 | |
Values UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 21,
"version": 0,
"level": 4,
"task": 1,
"opcode": 25,
"keywords": "0x0000000000400000",
"time_created": "2026-06-02T05:22:23.457+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 5,
"Index": 0,
"Values": "38100010B4010000F02700000000000048380010B40100001804000000000000803C0010B4010000F81F000000000000985C0010B4010000D83F000000000000909C0010B4010000987F000000000000"
},
"message": "GarbageCollection"
}
Event ID 22: ClrInstanceID=Index.
#Description
ClrInstanceID=Index.
Message #
Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Count UInt32 | |
ClrInstanceID UInt16 | |
Values UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 1,
"opcode": 26,
"keywords": "0x0000000000400000",
"time_created": "2026-06-02T05:22:23.457+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14508,
"thread_id": 4072
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 457,
"Index": 0,
"Values": "4810559ED50100003010559ED5010000C0030000000000000814559ED50100000814559ED501000038000000000000004014559ED50100004014559ED50100002003000000000000F017559ED50100006017559ED501000028000000000000003818559ED50100008817559ED5010000E000000000000000D019559ED50100008018559ED50100009004000000000000A01F559ED5010000281D559ED501000058010000000000007822559ED5010000801E559ED50100002000000000000000A023559ED5010000A01E559ED50100008816000000000000E83A559ED50100004035559ED50100002800000000000000B83B559ED50100006835559ED5010000C003000000000000903F559ED50100004039559ED5010000A8010000000000005841559ED5010000E83A559ED50100001800000000000000D041559ED5010000003B559ED501000080000000000000000043559ED5010000803B559ED50100008001000000000000D044559ED5010000003D559ED5010000C000000000000000B045559ED5010000D83D559ED501000028020000000000001048559ED50100000040559ED50100005001000000000000B849559ED50100005041559ED5010000C001000000000000104C559ED50100002843559ED5010000D800000000000000904D559ED50100000044559ED50100000002000000000000B84F559ED50100000046559ED501000038000000000000006050559ED50100003846559ED5010000A0060000000000001857559ED5010000F04C559ED50100009000000000000000D857559ED5010000804D559ED50100007802000000000000D05A559ED5010000F84F559ED50100006000000000000000085C559ED50100005850559ED5010000B001000000000000E85F559ED50100002052559ED501000038000000000000002862559ED50100005852559ED50100008800000000000000D863559ED5010000E052559ED5010000B80A0000000000001070559ED5010000B05D559ED50100001002000000000000B072559ED5010000C05F559ED501000088000000000000006073559ED50100004860559ED50100005000000000000000E874559ED50100009860559ED50100008800000000000000B875559ED50100002061559ED5010000F003000000000000C879559ED50100002865559ED50100003001000000000000A07B559ED50100005866559ED50100009800000000000000507D559ED5010000F066559ED50100003800000000000000B88C559ED50100002867559ED50100003001000000000000408F559ED50100005868559ED501000068000000000000008891559ED5010000C068559ED5010000F803000000000000B095559ED5010000D06C559ED501000038000000000000002096559ED5010000086D559ED501000038000000000000007896559ED5010000406D559ED50100001009000000000000A09F559ED50100006876559ED5010000A80200000000000090A2559ED50100001079559ED5010000A80400000000000050A7559ED5010000D07D559ED5010000700700000000000050B0559ED50100005885559ED5010000E00000000000000050B1559ED50100003886559ED50100003802000000000000B0B3559ED50100007088559ED5010000380300000000000018B8559ED5010000C08B559ED5010000B003000000000000F0C5559ED5010000708F559ED5010000700000000000000080C6559ED5010000F88F559ED5010000800000000000000028C7559ED50100007890559ED5010000800000000000000000C8559ED5010000F890559ED5010000580300000000000080CB559ED50100006894559ED5010000A00000000000000048CC559ED50100000895559ED5010000580000000000000048CD559ED50100006095559ED5010000D80200000000000048D0559ED50100005098559ED5010000500000000000000038D1559ED5010000A098559ED5010000A80000000000000070D5559ED50100004899559ED5010000380000000000000028E2559ED50100008099559ED5010000200000000000000090E2559ED5010000A099559ED5010000100600000000000000E9559ED5010000C89F559ED5010000480000000000000008EA559ED501000010A0559ED5010000480000000000000000EC559ED501000058A0559ED5010000D005000000000000F0F1559ED501000040A6559ED50100002000000000000000D0F4559ED501000060A6559ED50100003800000000000000E8FF559ED501000098A6559ED5010000C810000000000000C810569ED501000078B7559ED501000038000000000000006813569ED5010000B0B7559ED5010000F800000000000000A014569ED5010000A8B8559ED50100005000000000000000501A569ED5010000F8B8559ED50100002800000000000000A81B569ED501000020B9559ED50100000801000000000000E81F569ED501000028BA559ED501000050050000000000005825569ED501000090BF559ED501000050000000000000001826569ED5010000E0BF559ED501000090020000000000001829569ED501000070C2559ED5010000C002000000000000282C569ED501000048C5559ED50100008801000000000000502E569ED5010000D0C6559ED50100009000000000000000802F569ED501000060C7559ED50100001001000000000000E830569ED501000070C8559ED501000030000000000000007031569ED5010000A0C8559ED501000058010000000000006837569ED501000010CA559ED501000070000000000000007040569ED501000080CA559ED50100003800000000000000C040569ED5010000...[truncated]"
},
"message": "GarbageCollection"
}
Event ID 23: ClrInstanceID=Generation.
#Description
ClrInstanceID=Generation.
Message #
Fields #
| Name | Description |
|---|---|
Generation UInt8 | |
RangeStart Pointer | |
RangeUsedLength UInt64 | |
RangeReservedLength UInt64 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 23,
"version": 0,
"level": 4,
"task": 1,
"opcode": 27,
"keywords": "0x0000000000400000",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14232,
"thread_id": 13300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 10,
"Generation": 3,
"RangeReservedLength": 134213632,
"RangeStart": "0x20C77AB1000",
"RangeUsedLength": 1421496
},
"message": "GarbageCollection"
}
Event ID 25: HeapNum=.
#Event ID 26: HeapNum=.
#Event ID 27: HeapNum=.
#Event ID 28: HeapNum=.
#Event ID 29: TypeID=.
#Description
TypeID=TypeID; ObjectID=ObjectID; ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
TypeID Pointer | |
ObjectID Pointer | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 29,
"version": 0,
"level": 5,
"task": 1,
"opcode": 32,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.463+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 15288
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"ObjectID": "0x1B40000B150",
"TypeID": "0x7FF9E3143430"
},
"message": "GarbageCollection"
}
Event ID 30: HandleID=HandleID.
#Description
HandleID=HandleID.
Message #
Fields #
| Name | Description |
|---|---|
HandleID Pointer | |
ObjectID Pointer | |
Kind UInt32 | |
Generation UInt32 | |
AppDomainID UInt64 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 30,
"version": 0,
"level": 4,
"task": 1,
"opcode": 33,
"keywords": "0x0000000000000002",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 16352,
"thread_id": 20944
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 1985424221824,
"ClrInstanceID": 9,
"Generation": 0,
"HandleID": "0x1CE44EC4440",
"Kind": 0,
"ObjectID": "0x0"
},
"message": "GarbageCollection"
}
Event ID 31: HandleID=HandleID.
#Description
HandleID=HandleID.
Message #
Fields #
| Name | Description |
|---|---|
HandleID Pointer | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 31,
"version": 0,
"level": 4,
"task": 1,
"opcode": 34,
"keywords": "0x0000000000000002",
"time_created": "2026-06-02T05:22:23.461+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 16352,
"thread_id": 20944
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"HandleID": "0x1CE44EC4448"
},
"message": "GarbageCollection"
}
Event ID 32: Low:ClrInstanceID=Address.
#Event ID 33: HandleID=MethodIdentifier.
#Description
HandleID=MethodIdentifier.
Message #
Fields #
| Name | Description |
|---|---|
HandleID Pointer | |
ObjectID Pointer | |
ObjectSize UInt64 | |
TypeName UnicodeString | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 33,
"version": 0,
"level": 5,
"task": 1,
"opcode": 36,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17236,
"thread_id": 11988
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 7,
"HandleID": "0x162A9D417C0",
"ObjectID": "0x162B9EF0AF0",
"ObjectSize": 4120,
"TypeName": "System.Object[]"
},
"message": "GarbageCollection"
}
Event ID 33: HandleID=.
#Event ID 34: Method Load/UnLoad Info
#Fields #
| Name | Description |
|---|---|
MethodIdentifier mof:UInt64 | |
ModuleID mof:UInt64 | |
MethodStartAddress mof:UInt64 | |
MethodSize mof:UInt32 | |
MethodToken mof:UInt32 | |
MethodFlags mof:UInt32 |
Event ID 35: Reason=.
#Description
Reason=Reason
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 35,
"version": 0,
"level": 4,
"task": 1,
"opcode": 35,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14232,
"thread_id": 13300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 10,
"Reason": 1
},
"message": "GarbageCollection"
}
Event ID 36: ClrInstanceID=MethodIdentifier.
#Description
ClrInstanceID=MethodIdentifier.
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
ClrInstanceID UInt16 | |
Values Int8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 36,
"version": 0,
"level": 4,
"task": 1,
"opcode": 38,
"keywords": "0x0000000000100000",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 4,
"Values": "E0197F76B401000068790000B401000070D313E3F97F000098FE8A76B4010000010000000000000001000000E8197F76B401000000430000B401000000AA6AC4F97F000018FF8A76B4010000020000000000000001000000F0197F76B401000010440000B4010000A0010DE3F97F000098FF8A76B4010000010000000000000001000000F8197F76B401000080150000B401000008600CE3F97F000018008A76B4010000030000000000000001000000"
},
"message": "GarbageCollection"
}
Event ID 36: ClrInstanceID=.
#Event ID 37: ClrInstanceID=MethodIdentifier.
#Description
ClrInstanceID=MethodIdentifier.
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
ClrInstanceID UInt16 | |
Values Int8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 37,
"version": 0,
"level": 4,
"task": 1,
"opcode": 39,
"keywords": "0x0000000000100000",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"Count": 1,
"Values": "48790000B401000088D514E3F97F0000E01F1C76B401000058E1E5F9F97F00000100000000000000"
},
"message": "GarbageCollection"
}
Event ID 37: ClrInstanceID=.
#Event ID 38: ClrInstanceID=MethodIdentifier.
#Description
ClrInstanceID=MethodIdentifier.
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
AppDomainID UInt64 | |
ClrInstanceID UInt16 | |
Values UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 38,
"version": 0,
"level": 4,
"task": 1,
"opcode": 40,
"keywords": "0x0000000000100000",
"time_created": "2026-06-02T05:22:23.462+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 1874586659216,
"ClrInstanceID": 9,
"Count": 127,
"Values": "48100010B4010000A8BB0000B4010000789D0CE3F97F0000000000005400680072006500610064004500720072006F0072004D006F00640065004D0069006E004F007300560065007200730069006F006E00000098100010B401000028620000B401000028280CE3F97F00000000000073005F007300770069007400630068004D00610070000000A0100010B4010000C8640000B4010000685A0CE3F97F0000000000005300770069007400630068004E006F004100730079006E006300430075007200720065006E007400430075006C0074007500720065000000A8100010B401000048650000B4010000685A0CE3F97F00000000000053007700690074006300680045006E0066006F007200630065004A006100700061006E006500730065004500720061005900650061007200520061006E006700650073000000B0100010B4010000D8650000B4010000685A0CE3F97F00000000000053007700690074006300680046006F0072006D00610074004A006100700061006E006500730065004600690072007300740059006500610072004100730041004E0075006D006200650072000000B8100010B401000070660000B4010000685A0CE3F97F00000000000053007700690074006300680045006E0066006F007200630065004C00650067006100630079004A006100700061006E006500730065004400610074006500500061007200730069006E0067000000C0100010B401000008670000B4010000685A0CE3F97F0000000000005300770069007400630068005400680072006F00770045007800630065007000740069006F006E004900660044006900730070006F00730065006400430061006E00630065006C006C006100740069006F006E0054006F006B0065006E0053006F0075007200630065000000C8100010B4010000B0670000B4010000685A0CE3F97F000000000000530077006900740063006800500072006500730065007200760065004500760065006E0074004C006900730074006E00650072004F0062006A006500630074004900640065006E0074006900740079000000D0100010B401000060680000B4010000685A0CE3F97F0000000000005300770069007400630068005500730065004C00650067006100630079005000610074006800480061006E0064006C0069006E0067000000D8100010B4010000C8680000B4010000685A0CE3F97F00000000000053007700690074006300680042006C006F0063006B004C006F006E006700500061007400680073000000E0100010B401000020690000B4010000685A0CE3F97F00000000000053007700690074006300680044006F004E006F00740041006400640072004F00660043007300700050006100720065006E007400570069006E0064006F007700480061006E0064006C0065000000E8100010B4010000C8690000B4010000685A0CE3F97F0000000000005300770069007400630068005300650074004100630074006F007200410073005200650066006500720065006E00630065005700680065006E0043006F007000790069006E00670043006C00610069006D0073004900640065006E0074006900740079000000F0100010B4010000886A0000B4010000685A0CE3F97F000000000000530077006900740063006800490067006E006F007200650050006F0072007400610062006C006500500044004200730049006E0053007400610063006B005400720061006300650073000000F8100010B4010000186B0000B4010000685A0CE3F97F0000000000005300770069007400630068005500730065004E00650077004D006100780041007200720061007900530069007A006500000000110010B4010000A06B0000B4010000685A0CE3F97F00000000000053007700690074006300680055007300650043006F006E00630075007200720065006E00740046006F0072006D0061007400740065007200540079007000650043006100630068006500000008110010B4010000406C0000B4010000685A0CE3F97F0000000000005300770069007400630068005500730065004C006500670061006300790045007800650063007500740069006F006E0043006F006E0074006500780074004200650068006100760069006F007200550070006F006E0055006E0064006F004600610069006C00750072006500000010110010B4010000F06C0000B4010000685A0CE3F97F000000000000530077006900740063006800430072007900700074006F006700720061007000680079005500730065004C006500670061006300790046006900700073005400680072006F007700000018110010B4010000786D0000B4010000685A0CE3F97F00000000000053007700690074006300680044006F004E006F0074004D00610072007300680061006C004F0075007400420079007200650066005300610066006500410072007200610079004F006E0049006E0076006F006B006500000020110010B4010000286E0000B4010000685A0CE3F97F0000000000005300770069007400630068005500730065004E006500740043006F0072006500540069006D0065007200000028110010B401000020140000B4010000685A0CE3F97F00000000000045006D00700074007900000088110010B4010000083D0000B401000068B50CE3F97F00000000000049006E007300740061006E0063006500000060120010B401000030440000B4010000801514E3F97F000000000000560061006C00750065000000D0120010B401000078960000B4010000A83314E3F97F0000000000006D005F006F0073000000E0120010...[truncated]"
},
"message": "GarbageCollection"
}
Event ID 38: ClrInstanceID=.
#Event ID 39: Method Load/UnLoad Verbose Info
#Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
DataSize UInt32 | |
Data Binary | |
ClrInstanceID UInt16 |
Event ID 39
#Event ID 40: WorkerThreadCount=MethodIdentifier.
#Event ID 40: WorkerThreadCount=.
#Description
WorkerThreadCount=.
Fields #
| Name | Description |
|---|---|
WorkerThreadCount | |
RetiredWorkerThreads |
Event ID 41: WorkerThreadCount=WorkerThreadCount.
#Event ID 42: WorkerThreadCount=WorkerThreadCount.
#Event ID 43: WorkerThreadCount=WorkerThreadCount.
#Event ID 44: IOThreadCount=IOThreadCount.
#Event ID 45: IOThreadCount=IOThreadCount.
#Event ID 46: IOThreadCount=IOThreadCount.
#Event ID 47: IOThreadCount=IOThreadCount.
#Event ID 48: ClrThreadID=ClrThreadID.
#Event ID 49: ClrThreadID=ClrThreadID.
#Event ID 50: WorkerThreadCount=ActiveWorkerThreadCount.
#Event ID 51: WorkerThreadCount=ActiveWorkerThreadCount.
#Event ID 52: WorkerThreadCount=ActiveWorkerThreadCount.
#Event ID 53: WorkerThreadCount=ActiveWorkerThreadCount.
#Event ID 54: Throughput=Throughput.
#Event ID 55: AverageThroughput=AverageThroughput.
#Event ID 56: Duration=Duration.
#Description
Duration=Duration.
Message #
Fields #
| Name | Description |
|---|---|
Duration Double | |
Throughput Double | |
ThreadWave Double | |
ThroughputWave Double | |
ThroughputErrorEstimate Double | |
AverageThroughputErrorEstimate Double | |
ThroughputRatio Double | |
Confidence Double | |
NewControlSetting Double | |
NewThreadWaveMagnitude UInt16 | |
ClrInstanceID UInt16 |
Event ID 57: WorkerThreadCount=ActiveWorkerThreadCount.
#Event ID 60: Count=.
#Event ID 61: WorkID=.
#Event ID 62: WorkID=.
#Event ID 63: WorkID=.
#Event ID 64: WorkID=.
#Event ID 65: WorkID=.
#Event ID 70: ID=.
#Event ID 71: ID=.
#Event ID 80: NONE
#Description
ExceptionType=ExceptionType; ExceptionMessage=ExceptionMessage; ExceptionEIP=ExceptionEIP; ExceptionHRESULT=ExceptionHRESULT; ExceptionFlags=ExceptionFlags; ClrInstanceID=ClrInstanceID
Message #
Fields #
| Name | Description |
|---|---|
ExceptionType UnicodeString | |
ExceptionMessage UnicodeString | |
ExceptionEIP Pointer | |
ExceptionHRESULT UInt32 | |
ExceptionFlags UInt16 | |
ClrInstanceID UInt16 |
Event ID 81: NONE
#Event ID 82: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
Reserved1 UInt8 | |
Reserved2 UInt8 | |
FrameCount UInt32 | |
Stack Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 82,
"version": 0,
"level": 0,
"task": 11,
"opcode": 82,
"keywords": "0x0000000040000000",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14232,
"thread_id": 13300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 10,
"FrameCount": 19,
"Reserved1": 0,
"Reserved2": 0,
"Stack": "0x7FF9E7FB0F20"
},
"message": "CLRStack"
}
Event ID 83: AppDomainID=AppDomainID.
#Event ID 84: AppDomainID=AppDomainID.
#Event ID 85: ManagedThreadID=ManagedThreadID.
#Description
ManagedThreadID=ManagedThreadID.
Message #
Fields #
| Name | Description |
|---|---|
ManagedThreadID UInt64 | |
AppDomainID UInt64 | |
Flags UInt32 | |
ManagedThreadIndex UInt32 | |
OSThreadID UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 85,
"version": 0,
"level": 4,
"task": 14,
"opcode": 50,
"keywords": "0x0000000000010800",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 16352,
"thread_id": 20944
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 1985424221824,
"ClrInstanceID": 9,
"Flags": 0,
"ManagedThreadID": 1985849307744,
"ManagedThreadIndex": 7,
"OSThreadID": 20944
},
"message": "AppDomainResourceManagement"
}
Event ID 86: ManagedThreadID=ManagedThreadID.
#Event ID 87: ManagedThreadID=ManagedThreadID.
#Event ID 88: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
ModuleID UInt64 | |
StubMethodID UInt64 | |
StubFlags UInt32 | |
ManagedInteropMethodToken UInt32 | |
ManagedInteropMethodNamespace UnicodeString | |
ManagedInteropMethodName UnicodeString | |
ManagedInteropMethodSignature UnicodeString | |
NativeMethodSignature UnicodeString | |
StubMethodSignature UnicodeString | |
StubMethodILCode UnicodeString |
Event ID 89: ClrInstanceID=ClrInstanceID.
#Event ID 91: ContentionFlags=ContentionFlags.
#Event ID 137: MethodID=MethodID.
#Event ID 138: MethodID=MethodID.
#Event ID 139: MethodID=MethodID.
#Event ID 140: MethodID=MethodID.
#Event ID 141: MethodID=MethodID.
#Event ID 142: MethodID=MethodID.
#Event ID 143: MethodID=MethodID.
#Event ID 144: MethodID=MethodID.
#Event ID 145: MethodID=MethodID.
#Event ID 149: ModuleID=ModuleID.
#Event ID 150: ModuleID=ModuleID.
#Event ID 151: ModuleID=ModuleID.
#Event ID 152: ModuleID=ModuleID.
#Description
ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ModuleID UInt64 | |
AssemblyID UInt64 | |
ModuleFlags UInt32 | |
Reserved1 UInt32 | |
ModuleILPath UnicodeString | |
ModuleNativePath UnicodeString | |
ClrInstanceID UInt16 | |
ManagedPdbSignature GUID | |
ManagedPdbAge UInt32 | |
ManagedPdbBuildPath UnicodeString | |
NativePdbSignature GUID | |
NativePdbAge UInt32 | |
NativePdbBuildPath UnicodeString |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
parent_process_name | in | cscript.exe | 1 rule | elastic, kusto, splunk |
parent_process_name | in | mmc.exe | 1 rule | kusto, splunk |
parent_process_name | in | mshta.exe | 1 rule | elastic, kusto |
parent_process_name | in | wscript.exe | 1 rule | elastic, kusto, splunk |
Detection Rules #
View all rules referencing this event →Kusto # view in coverage
Event ID 153: ModuleID=ModuleID.
#Description
ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ModuleID UInt64 | |
AssemblyID UInt64 | |
ModuleFlags UInt32 | |
Reserved1 UInt32 | |
ModuleILPath UnicodeString | |
ModuleNativePath UnicodeString | |
ClrInstanceID UInt16 | |
ManagedPdbSignature GUID | |
ManagedPdbAge UInt32 | |
ManagedPdbBuildPath UnicodeString | |
NativePdbSignature GUID | |
NativePdbAge UInt32 | |
NativePdbBuildPath UnicodeString |
Event ID 154: AssemblyID=AssemblyID.
#Event ID 155: AssemblyID=AssemblyID.
#Event ID 156: AppDomainID=AppDomainID.
#Event ID 157: AppDomainID=AppDomainID.
#Event ID 158: ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID.
#Event ID 181: VerificationFlags=VerificationFlags.
#Event ID 182: VerificationFlags=VerificationFlags.
#Event ID 183: VerificationFlags=VerificationFlags.
#Event ID 184: VerificationFlags=VerificationFlags.
#Event ID 185: MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
#Description
MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
Message #
Fields #
| Name | Description |
|---|---|
MethodBeingCompiledNamespace UnicodeString | |
MethodBeingCompiledName UnicodeString | |
MethodBeingCompiledNameSignature UnicodeString | |
InlinerNamespace UnicodeString | |
InlinerName UnicodeString | |
InlinerNameSignature UnicodeString | |
InlineeNamespace UnicodeString | |
InlineeName UnicodeString | |
InlineeNameSignature UnicodeString | |
ClrInstanceID UInt16 |
Event ID 186: MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
#Description
MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
Message #
Fields #
| Name | Description |
|---|---|
MethodBeingCompiledNamespace UnicodeString | |
MethodBeingCompiledName UnicodeString | |
MethodBeingCompiledNameSignature UnicodeString | |
InlinerNamespace UnicodeString | |
InlinerName UnicodeString | |
InlinerNameSignature UnicodeString | |
InlineeNamespace UnicodeString | |
InlineeName UnicodeString | |
InlineeNameSignature UnicodeString | |
FailAlways Boolean | |
FailReason AnsiString | |
ClrInstanceID UInt16 |
Event ID 187: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
Sku UInt16 | |
BclMajorVersion UInt16 | |
BclMinorVersion UInt16 | |
BclBuildNumber UInt16 | |
BclQfeNumber UInt16 | |
VMMajorVersion UInt16 | |
VMMinorVersion UInt16 | |
VMBuildNumber UInt16 | |
VMQfeNumber UInt16 | |
StartupFlags UInt32 | |
StartupMode UInt8 | |
CommandLine UnicodeString | |
ComObjectGuid GUID | |
RuntimeDllPath UnicodeString |
Event ID 188: MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
#Description
MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
Message #
Fields #
| Name | Description |
|---|---|
MethodBeingCompiledNamespace UnicodeString | |
MethodBeingCompiledName UnicodeString | |
MethodBeingCompiledNameSignature UnicodeString | |
CallerNamespace UnicodeString | |
CallerName UnicodeString | |
CallerNameSignature UnicodeString | |
CalleeNamespace UnicodeString | |
CalleeName UnicodeString | |
CalleeNameSignature UnicodeString | |
TailPrefix Boolean | |
TailCallType UInt32 | |
ClrInstanceID UInt16 |
Event ID 189: MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
#Description
MethodBeingCompiledNamespace=MethodBeingCompiledNamespace.
Message #
Fields #
| Name | Description |
|---|---|
MethodBeingCompiledNamespace UnicodeString | |
MethodBeingCompiledName UnicodeString | |
MethodBeingCompiledNameSignature UnicodeString | |
CallerNamespace UnicodeString | |
CallerName UnicodeString | |
CallerNameSignature UnicodeString | |
CalleeNamespace UnicodeString | |
CalleeName UnicodeString | |
CalleeNameSignature UnicodeString | |
TailPrefix Boolean | |
FailReason AnsiString | |
ClrInstanceID UInt16 |
Event ID 190: MethodID=MethodID.
#Event ID 200: BytesAllocated=BytesAllocated.
#Event ID 201: BytesFreed=BytesFreed.
#Description
BytesFreed=BytesFreed.
Message #
Fields #
| Name | Description |
|---|---|
BytesFreed UInt64 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 201,
"version": 0,
"level": 5,
"task": 1,
"opcode": 201,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.463+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 15288
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"BytesFreed": 1000,
"ClrInstanceID": 9
},
"message": "GarbageCollection"
}
Event ID 202: HeapNum=.
#Description
HeapNum=HeapNum; ClrInstanceID=ClrInstanceID; Type=Type; Bytes=Bytes
Message #
Fields #
| Name | Description |
|---|---|
HeapNum UInt32 | |
ClrInstanceID UInt16 | |
Type UInt32 | |
Bytes UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 202,
"version": 0,
"level": 4,
"task": 1,
"opcode": 202,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.456+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17236,
"thread_id": 11988
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Bytes": 177142,
"ClrInstanceID": 7,
"HeapNum": 0,
"Type": 0
},
"message": "GarbageCollection"
}
Event ID 203: Heap=.
#Event ID 204: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
FreeListAllocated Pointer | |
FreeListRejected Pointer | |
EndOfSegAllocated Pointer | |
CondemnedAllocated Pointer | |
PinnedAllocated Pointer | |
PinnedAllocatedAdvance Pointer | |
RunningFreeListEfficiency UInt32 | |
CondemnReasons0 UInt32 | |
CondemnReasons1 UInt32 | |
CompactMechanisms UInt32 | |
ExpandMechanisms UInt32 | |
HeapIndex UInt32 | |
ExtraGen0Commit Pointer | |
Count UInt32 | |
Values Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 204,
"version": 3,
"level": 4,
"task": 1,
"opcode": 204,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.457+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"CompactMechanisms": 0,
"CondemnReasons0": 10,
"CondemnReasons1": 8193,
"CondemnedAllocated": "0x0",
"Count": 4,
"EndOfSegAllocated": "0x0",
"ExpandMechanisms": 0,
"ExtraGen0Commit": "0x8A8",
"FreeListAllocated": "0x0",
"FreeListRejected": "0x0",
"HeapIndex": 0,
"PinnedAllocated": "0x0",
"PinnedAllocatedAdvance": "0x0",
"RunningFreeListEfficiency": 0,
"Values": "10070100000000000000000000000000A00B0000000000001800000000000000000000000000000000000000000000000000000000000000500200000000000038AA00000000000000008000000000001800000000000000000000000000000000000000000000002807010000000000E057000000000000F00200000000000088AC0000000000000000000000000000000000000000000000000400000000001800000000000000000000000000000000000000000000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000280C01000000000000000000000000000000000000000000280C0100000000000000000000000000A00000000000000000000000000000000000000000000000880B0100000000000000300000000000"
},
"message": "GarbageCollection"
}
Event ID 205: FinalYoungestDesired=FinalYoungestDesired.
#Description
FinalYoungestDesired=FinalYoungestDesired.
Message #
Fields #
| Name | Description |
|---|---|
FinalYoungestDesired UInt64 | |
NumHeaps Int32 | |
CondemnedGeneration UInt32 | |
Gen0ReductionCount UInt32 | |
Reason UInt32 | |
GlobalMechanisms UInt32 | |
ClrInstanceID UInt16 | |
PauseMode UInt32 | |
MemoryPressure UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntime",
"guid": "{E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}",
"event_source_name": "",
"event_id": 205,
"version": 2,
"level": 4,
"task": 1,
"opcode": 205,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:22:23.457+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3240,
"thread_id": 19108
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"CondemnedGeneration": 2,
"FinalYoungestDesired": 8388608,
"Gen0ReductionCount": 0,
"GlobalMechanisms": 28,
"MemoryPressure": 28,
"NumHeaps": 1,
"PauseMode": 0,
"Reason": 1
},
"message": "GarbageCollection"
}
Event ID 206: GCName=GCName;ClrInstanceID=ClrInstanceID.
#Event ID 240: DebugIPCEventStart
#Event ID 241: DebugIPCEventStop
#Event ID 242: DebugExceptionProcessingStart
#Event ID 243: DebugExceptionProcessingStop
#Event ID 250: EntryEIP=EntryEIP.
#Event ID 252: EntryEIP=EntryEIP.
#Event ID 254: EntryEIP=EntryEIP.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
Defined in clretwrc.dll, which carries the event manifest.
Observed on:
- WS2025-26100.0, schema read from the WMI MOF class, captured 2026-02-26
Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.
- WS2022-20348.4893, sample captured from a live trace, binary version 4.8.4161.0 built by: NET48REL1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 4.8.4161.0, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 4.8.9221.0, captured 2026-06-02