Microsoft-Windows-DotNETRuntimeRundown
23 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 0 | ClrInstanceID=ClrInstanceID. | Operational | N |
| 141 | MethodID=MethodID. | Operational | N |
| 142 | MethodID=MethodID. | Operational | N |
| 143 | MethodID=MethodID. | Operational | Y |
| 144 | MethodID=MethodID. | Operational | Y |
| 145 | ClrInstanceID=ClrInstanceID. | Operational | Y |
| 146 | ClrInstanceID=ClrInstanceID. | Operational | Y |
| 147 | ClrInstanceID=ClrInstanceID. | Operational | Y |
| 148 | ClrInstanceID=ClrInstanceID. | Operational | Y |
| 149 | MethodID=MethodID. | Operational | Y |
| 150 | MethodID=MethodID. | Operational | Y |
| 151 | ModuleID=ModuleID. | Operational | Y |
| 152 | ModuleID=ModuleID. | Operational | Y |
| 153 | ModuleID=ModuleID. | Operational | Y |
| 154 | ModuleID=ModuleID. | Operational | Y |
| 155 | AssemblyID=AssemblyID. | Operational | Y |
| 156 | AssemblyID=AssemblyID. | Operational | Y |
| 157 | AppDomainID=AppDomainID. | Operational | Y |
| 158 | AppDomainID=AppDomainID. | Operational | Y |
| 159 | ManagedThreadID=ManagedThreadID. | Operational | Y |
| 160 | ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID. | Operational | Y |
| 161 | ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID. | Operational | Y |
| 187 | ClrInstanceID=ClrInstanceID. | Operational | Y |
Event ID 0: ClrInstanceID=ClrInstanceID.
#Event ID 141: MethodID=MethodID.
#Event ID 142: MethodID=MethodID.
#Event ID 143: MethodID=MethodID.
#Description
MethodID=MethodID.
Message #
Fields #
| Name | Description |
|---|---|
MethodID UInt64 | |
ModuleID UInt64 | |
MethodStartAddress UInt64 | |
MethodSize UInt32 | |
MethodToken UInt32 | |
MethodFlags UInt32 | |
MethodNamespace UnicodeString | |
MethodName UnicodeString | |
MethodSignature UnicodeString | |
ClrInstanceID UInt16 | |
ReJITID UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 143,
"version": 1,
"level": 4,
"task": 1,
"opcode": 39,
"keywords": "0x0000000000000030",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14288,
"thread_id": 11700
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"MethodFlags": 9,
"MethodID": 140709712278560,
"MethodName": "lambda_method",
"MethodNamespace": "dynamicClass",
"MethodSignature": "pMT: 00007FF9C4140630 (pMT: 00007FF9DD58DE20)",
"MethodSize": 92,
"MethodStartAddress": 140709712494720,
"MethodToken": 0,
"ModuleID": 140709712276448
},
"message": "CLRMethodRundown"
}
Event ID 144: MethodID=MethodID.
#Description
MethodID=MethodID.
Message #
Fields #
| Name | Description |
|---|---|
MethodID UInt64 | |
ModuleID UInt64 | |
MethodStartAddress UInt64 | |
MethodSize UInt32 | |
MethodToken UInt32 | |
MethodFlags UInt32 | |
MethodNamespace UnicodeString | |
MethodName UnicodeString | |
MethodSignature UnicodeString | |
ClrInstanceID UInt16 | |
ReJITID UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 144,
"version": 1,
"level": 4,
"task": 1,
"opcode": 40,
"keywords": "0x0000000000000030",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"MethodFlags": 8,
"MethodID": 140709710566296,
"MethodName": "Bind",
"MethodNamespace": "Microsoft.IdentityServer.Service.WmiProvider2.SecurityTokenService",
"MethodSignature": "class Microsoft.IdentityServer.Service.WmiProvider2.SecurityTokenService ()",
"MethodSize": 69,
"MethodStartAddress": 140709711644816,
"MethodToken": 100663599,
"ModuleID": 140709710556144
},
"message": "CLRMethodRundown"
}
Event ID 145: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 145,
"version": 1,
"level": 4,
"task": 1,
"opcode": 14,
"keywords": "0x0000000000020038",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "CLRMethodRundown"
}
Event ID 146: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 146,
"version": 1,
"level": 4,
"task": 1,
"opcode": 15,
"keywords": "0x0000000000020038",
"time_created": "2026-06-02T04:52:45.973+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "CLRMethodRundown"
}
Event ID 147: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 147,
"version": 1,
"level": 4,
"task": 1,
"opcode": 16,
"keywords": "0x0000000000020038",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17484,
"thread_id": 20296
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "CLRMethodRundown"
}
Event ID 148: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 148,
"version": 1,
"level": 4,
"task": 1,
"opcode": 17,
"keywords": "0x0000000000020038",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9
},
"message": "CLRMethodRundown"
}
Event ID 149: MethodID=MethodID.
#Description
MethodID=MethodID.
Message #
Fields #
| Name | Description |
|---|---|
MethodID UInt64 | |
ReJITID UInt64 | |
MethodExtent UInt8 | |
CountOfMapEntries UInt16 | |
ILOffsets UInt32 | |
NativeOffsets UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 149,
"version": 0,
"level": 5,
"task": 1,
"opcode": 41,
"keywords": "0x0000000000020000",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 9780,
"thread_id": 13396
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 65534,
"CountOfMapEntries": 12,
"ILOffsets": 4294967294,
"MethodExtent": 0,
"MethodID": 140709714070544,
"NativeOffsets": 4294967294,
"ReJITID": 0
},
"message": "CLRMethodRundown"
}
Event ID 150: MethodID=MethodID.
#Description
MethodID=MethodID.
Message #
Fields #
| Name | Description |
|---|---|
MethodID UInt64 | |
ReJITID UInt64 | |
MethodExtent UInt8 | |
CountOfMapEntries UInt16 | |
ILOffsets UInt32 | |
NativeOffsets UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 150,
"version": 0,
"level": 5,
"task": 1,
"opcode": 42,
"keywords": "0x0000000000020000",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 0,
"CountOfMapEntries": 6,
"ILOffsets": 4294967294,
"MethodExtent": 0,
"MethodID": 140709710566296,
"NativeOffsets": 4294967294,
"ReJITID": 0
},
"message": "CLRMethodRundown"
}
Event ID 151: ModuleID=ModuleID.
#Description
ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ModuleID UInt64 | |
AssemblyID UInt64 | |
AppDomainID UInt64 | |
ModuleFlags UInt32 | |
Reserved1 UInt32 | |
ModuleILPath UnicodeString | |
ModuleNativePath UnicodeString | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 151,
"version": 1,
"level": 4,
"task": 2,
"opcode": 46,
"keywords": "0x0000000000000008",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17484,
"thread_id": 20296
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 2117511435920,
"AssemblyID": 2117928960608,
"ClrInstanceID": 9,
"ModuleFlags": 12,
"ModuleID": 140709712276448,
"ModuleILPath": "Anonymously Hosted DynamicMethods Assembly",
"ModuleNativePath": "",
"Reserved1": 0
},
"message": "CLRLoaderRundown"
}
Event ID 152: ModuleID=ModuleID.
#Description
ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ModuleID UInt64 | |
AssemblyID UInt64 | |
AppDomainID UInt64 | |
ModuleFlags UInt32 | |
Reserved1 UInt32 | |
ModuleILPath UnicodeString | |
ModuleNativePath UnicodeString | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 152,
"version": 1,
"level": 4,
"task": 2,
"opcode": 47,
"keywords": "0x0000000000000008",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 1782304869376,
"AssemblyID": 1782305227376,
"ClrInstanceID": 9,
"ModuleFlags": 10,
"ModuleID": 140710973870080,
"ModuleILPath": "C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Instrumentation\\v4.0_4.0.0.0__b77a5c561934e089\\System.Management.Instrumentation.dll",
"ModuleNativePath": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaf08ebffb#\\a38e5caee7861d3edf6aca46d0c496e6\\System.Management.Instrumentation.ni.dll",
"Reserved1": 0
},
"message": "CLRLoaderRundown"
}
Event ID 153: ModuleID=ModuleID.
#Description
ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ModuleID UInt64 | |
AssemblyID UInt64 | |
ModuleFlags UInt32 | |
Reserved1 UInt32 | |
ModuleILPath UnicodeString | |
ModuleNativePath UnicodeString | |
ClrInstanceID UInt16 | |
ManagedPdbSignature GUID | |
ManagedPdbAge UInt32 | |
ManagedPdbBuildPath UnicodeString | |
NativePdbSignature GUID | |
NativePdbAge UInt32 | |
NativePdbBuildPath UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 153,
"version": 2,
"level": 4,
"task": 2,
"opcode": 35,
"keywords": "0x0000000020000008",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17484,
"thread_id": 20296
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AssemblyID": 2117928960608,
"ClrInstanceID": 9,
"ManagedPdbAge": 0,
"ManagedPdbBuildPath": "",
"ManagedPdbSignature": "{00000000-0000-0000-0000-000000000000}",
"ModuleFlags": 12,
"ModuleID": 140709712276448,
"ModuleILPath": "Anonymously Hosted DynamicMethods Assembly",
"ModuleNativePath": "",
"NativePdbAge": 0,
"NativePdbBuildPath": "",
"NativePdbSignature": "{00000000-0000-0000-0000-000000000000}",
"Reserved1": 0
},
"message": "CLRLoaderRundown"
}
Event ID 154: ModuleID=ModuleID.
#Description
ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ModuleID UInt64 | |
AssemblyID UInt64 | |
ModuleFlags UInt32 | |
Reserved1 UInt32 | |
ModuleILPath UnicodeString | |
ModuleNativePath UnicodeString | |
ClrInstanceID UInt16 | |
ManagedPdbSignature GUID | |
ManagedPdbAge UInt32 | |
ManagedPdbBuildPath UnicodeString | |
NativePdbSignature GUID | |
NativePdbAge UInt32 | |
NativePdbBuildPath UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 154,
"version": 2,
"level": 4,
"task": 2,
"opcode": 36,
"keywords": "0x0000000020000008",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AssemblyID": 1782305227376,
"ClrInstanceID": 9,
"ManagedPdbAge": 1,
"ManagedPdbBuildPath": "System.Management.Instrumentation.pdb",
"ManagedPdbSignature": "{F1C5C0E3-DBCA-49E9-ADF0-DAA0C1A44874}",
"ModuleFlags": 10,
"ModuleID": 140710973870080,
"ModuleILPath": "C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Instrumentation\\v4.0_4.0.0.0__b77a5c561934e089\\System.Management.Instrumentation.dll",
"ModuleNativePath": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaf08ebffb#\\a38e5caee7861d3edf6aca46d0c496e6\\System.Management.Instrumentation.ni.dll",
"NativePdbAge": 1,
"NativePdbBuildPath": "System.Management.Instrumentation.ni.pdb",
"NativePdbSignature": "{A38E5CAE-E786-1D3E-DF6A-CA46D0C496E6}",
"Reserved1": 0
},
"message": "CLRLoaderRundown"
}
Event ID 155: AssemblyID=AssemblyID.
#Description
AssemblyID=AssemblyID.
Message #
Fields #
| Name | Description |
|---|---|
AssemblyID UInt64 | |
AppDomainID UInt64 | |
BindingID UInt64 | |
AssemblyFlags UInt32 | |
FullyQualifiedAssemblyName UnicodeString | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 155,
"version": 1,
"level": 4,
"task": 2,
"opcode": 39,
"keywords": "0x0000000000000008",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17484,
"thread_id": 20296
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 2117511435920,
"AssemblyFlags": 2,
"AssemblyID": 2117928960608,
"BindingID": 0,
"ClrInstanceID": 9,
"FullyQualifiedAssemblyName": "Anonymously Hosted DynamicMethods Assembly, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"
},
"message": "CLRLoaderRundown"
}
Event ID 156: AssemblyID=AssemblyID.
#Description
AssemblyID=AssemblyID.
Message #
Fields #
| Name | Description |
|---|---|
AssemblyID UInt64 | |
AppDomainID UInt64 | |
BindingID UInt64 | |
AssemblyFlags UInt32 | |
FullyQualifiedAssemblyName UnicodeString | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 156,
"version": 1,
"level": 4,
"task": 2,
"opcode": 40,
"keywords": "0x0000000000000008",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 1782304869376,
"AssemblyFlags": 4,
"AssemblyID": 1782305227376,
"BindingID": 0,
"ClrInstanceID": 9,
"FullyQualifiedAssemblyName": "System.Management.Instrumentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
},
"message": "CLRLoaderRundown"
}
Event ID 157: AppDomainID=AppDomainID.
#Description
AppDomainID=AppDomainID.
Message #
Fields #
| Name | Description |
|---|---|
AppDomainID UInt64 | |
AppDomainFlags UInt32 | |
AppDomainName UnicodeString | |
AppDomainIndex UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 157,
"version": 1,
"level": 4,
"task": 2,
"opcode": 43,
"keywords": "0x0000000000000008",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17484,
"thread_id": 20296
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainFlags": 536870915,
"AppDomainID": 2117511435920,
"AppDomainIndex": 1,
"AppDomainName": "DefaultDomain",
"ClrInstanceID": 9
},
"message": "CLRLoaderRundown"
}
Event ID 158: AppDomainID=AppDomainID.
#Description
AppDomainID=AppDomainID.
Message #
Fields #
| Name | Description |
|---|---|
AppDomainID UInt64 | |
AppDomainFlags UInt32 | |
AppDomainName UnicodeString | |
AppDomainIndex UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 158,
"version": 1,
"level": 4,
"task": 2,
"opcode": 44,
"keywords": "0x0000000000000008",
"time_created": "2026-06-02T04:52:45.973+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainFlags": 268435459,
"AppDomainID": 1782304869376,
"AppDomainIndex": 1,
"AppDomainName": "DefaultDomain",
"ClrInstanceID": 9
},
"message": "CLRLoaderRundown"
}
Event ID 159: ManagedThreadID=ManagedThreadID.
#Description
ManagedThreadID=ManagedThreadID.
Message #
Fields #
| Name | Description |
|---|---|
ManagedThreadID UInt64 | |
AppDomainID UInt64 | |
Flags UInt32 | |
ManagedThreadIndex UInt32 | |
OSThreadID UInt32 | |
ClrInstanceID UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 159,
"version": 0,
"level": 4,
"task": 2,
"opcode": 48,
"keywords": "0x0000000000010800",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AppDomainID": 1782304869376,
"ClrInstanceID": 9,
"Flags": 2,
"ManagedThreadID": 1782305100160,
"ManagedThreadIndex": 2,
"OSThreadID": 12972
},
"message": "CLRLoaderRundown"
}
Event ID 160: ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID.
#Description
ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
ModuleID UInt64 | |
RangeBegin UInt32 | |
RangeSize UInt32 | |
RangeType UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 160,
"version": 0,
"level": 4,
"task": 20,
"opcode": 10,
"keywords": "0x0000000020000000",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 1764,
"thread_id": 15068
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 7,
"ModuleID": 140711137054720,
"RangeBegin": 368160,
"RangeSize": 659280,
"RangeType": 4
},
"message": "CLRPerfTrackRundown"
}
Event ID 161: ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID.
#Description
ClrInstanceID=ClrInstanceID;%ModuleID=ModuleID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
ModuleID UInt64 | |
RangeBegin UInt32 | |
RangeSize UInt32 | |
RangeType UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 161,
"version": 0,
"level": 4,
"task": 20,
"opcode": 11,
"keywords": "0x0000000020000000",
"time_created": "2026-06-02T04:52:45.972+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 18424,
"thread_id": 14004
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"ClrInstanceID": 9,
"ModuleID": 140711155798016,
"RangeBegin": 607200,
"RangeSize": 244776,
"RangeType": 4
},
"message": "CLRPerfTrackRundown"
}
Event ID 187: ClrInstanceID=ClrInstanceID.
#Description
ClrInstanceID=ClrInstanceID.
Message #
Fields #
| Name | Description |
|---|---|
ClrInstanceID UInt16 | |
Sku UInt16 | |
BclMajorVersion UInt16 | |
BclMinorVersion UInt16 | |
BclBuildNumber UInt16 | |
BclQfeNumber UInt16 | |
VMMajorVersion UInt16 | |
VMMinorVersion UInt16 | |
VMBuildNumber UInt16 | |
VMQfeNumber UInt16 | |
StartupFlags UInt32 | |
StartupMode UInt8 | |
CommandLine UnicodeString | |
ComObjectGuid GUID | |
RuntimeDllPath UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DotNETRuntimeRundown",
"guid": "{A669021C-C450-4609-A035-5AF59AF4DF18}",
"event_source_name": "",
"event_id": 187,
"version": 0,
"level": 4,
"task": 19,
"opcode": 1,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T04:52:45.971+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 17484,
"thread_id": 20296
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"BclBuildNumber": 0,
"BclMajorVersion": 4,
"BclMinorVersion": 0,
"BclQfeNumber": 0,
"ClrInstanceID": 9,
"ComObjectGuid": "{00000000-0000-0000-0000-000000000000}",
"CommandLine": "",
"RuntimeDllPath": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
"Sku": 1,
"StartupFlags": 4,
"StartupMode": 2,
"VMBuildNumber": 30319,
"VMMajorVersion": 4,
"VMMinorVersion": 0,
"VMQfeNumber": 0
},
"message": "CLRRuntimeInformationRundown"
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {A669021C-C450-4609-A035-5AF59AF4DF18}
Defined in clretwrc.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 4.8.4161.0 built by: NET48REL1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 4.8.4161.0, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 4.8.9221.0, captured 2026-06-02