Microsoft-Windows-DriverFrameworks-UserMode
77 events across 4 channels
Event ID 1000: The Driver Manager service started successfully
Description
The Driver Manager service started successfully.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 1000,
"version": 2,
"level": 4,
"task": 16,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:05:02.700509+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 656,
"thread_id": 692
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1001: The Driver Manager service failed to start.
Event ID 1002: The Driver Manager service was stopped
Description
The Driver Manager service was stopped.
Message
Event ID 1003: The Driver Manager service is starting a host process for device UMDFDriverManagerHostCreateStart.DeviceInstanceId.
Description
The Driver Manager service is starting a host process for device UMDFDriverManagerHostCreateStart.DeviceInstanceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| HostGuid | UnicodeString | |
| InstanceId | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 1003,
"version": 1,
"level": 4,
"task": 17,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.938852+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 608
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFDriverManagerHostCreateStart": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"HostGuid": "{193a1820-d9ac-4997-8c55-be817523f6aa}",
"DeviceInstanceId": "SWD.REMOTEDISPLAYENUM.RDPIDD_INDIRECTDISPLAY&SESSIONID_0001"
}
},
"message": ""
}
Event ID 1004: The host process (UMDFDriverManagerHostCreateEnd.LifetimeId) started successfully.
Description
The host process (UMDFDriverManagerHostCreateEnd.LifetimeId) started successfully.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| FinalStatus | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 1004,
"version": 1,
"level": 4,
"task": 17,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.989889+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 608
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFDriverManagerHostCreateEnd": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"FinalStatus": 0
}
},
"message": ""
}
Event ID 1005: The host process (LifetimeId) failed to start successfully.
Event ID 1006: The host process (UMDFDriverManagerHostShutdown.LifetimeId) is being asked to shutdown.
Description
The host process (UMDFDriverManagerHostShutdown.LifetimeId) is being asked to shutdown.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 1006,
"version": 1,
"level": 4,
"task": 18,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:03:23.476353+00:00",
"event_record_id": 56,
"correlation": {},
"execution": {
"process_id": 656,
"thread_id": 1112
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFDriverManagerHostShutdown": {
"LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E"
}
},
"message": ""
}
Event ID 1007: The host process (LifetimeId) has a problem (Problem) and is being terminated.
Description
The host process (LifetimeId) has a problem (Problem) and is being terminated.
Message
Fields
| Name | Type | Description |
|---|---|---|
| UMDFHostProblem.LifetimeId | GUID | |
| UMDFHostProblem.Problem | UInt8 | |
| UMDFHostProblem.DetectedBy | UInt8 | |
| UMDFHostProblem.ActiveOperation | UInt8 | |
| UMDFHostProblem.ExitCode | UInt32 | |
| UMDFHostProblem.Message | UInt32 | |
| UMDFHostProblem.Status | UInt32 | NTSTATUS reference |
| LifetimeId | GUID | |
| Problem | UInt8 | |
| DetectedBy | UInt8 | |
| ActiveOperation | UInt8 | |
| ExitCode | UInt32 | |
| Message | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}",
"event_source_name": "",
"event_id": 1007,
"version": 1,
"level": 2,
"task": 18,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-04-15T21:23:59.3708593+00:00",
"event_record_id": 4046,
"correlation": {},
"execution": {
"process_id": 1040,
"thread_id": 1184
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFHostProblem": {
"LifetimeId": "{d2ed148d-92b3-4630-b3ae-32cd0fdc873c}",
"Problem": "8",
"DetectedBy": "2",
"ActiveOperation": "0",
"ExitCode": "1879048193",
"Message": "0",
"Status": "4294967295"
}
},
"message": "The host process ({d2ed148d-92b3-4630-b3ae-32cd0fdc873c}) has a problem (8) and is being terminated."
}
Event ID 1008: The host process (UMDFDriverManagerHostShutdown.LifetimeId) has been shutdown.
Description
The host process (UMDFDriverManagerHostShutdown.LifetimeId) has been shutdown.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| TerminationStatus | UInt32 | |
| ExitCode | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 1008,
"version": 1,
"level": 4,
"task": 18,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:03:23.482031+00:00",
"event_record_id": 59,
"correlation": {},
"execution": {
"process_id": 656,
"thread_id": 1112
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFDriverManagerHostShutdown": {
"LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E",
"TerminateStatus": 0,
"ExitCode": 0
}
},
"message": ""
}
Event ID 1009: The host process (LifetimeId) has a problem (Problem) and is being terminated.
Description
The host process (LifetimeId) has a problem (Problem) and is being terminated.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| Problem | UInt8 | |
| DetectedBy | UInt8 | |
| ActiveOperation | UInt8 | |
| ExitCode | UInt32 | |
| Message | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| InstanceId | UnicodeString | |
| HardwareId | UnicodeString | |
| ServiceName | UnicodeString | |
Event ID 2000: The UMDF Host Process (UMDFHostStartupBegin.LifetimeId) is starting up.
Description
The UMDF Host Process (UMDFHostStartupBegin.LifetimeId) is starting up.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2000,
"version": 1,
"level": 4,
"task": 32,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.973052+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 3552
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostStartupBegin": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322"
}
},
"message": ""
}
Event ID 2001: The UMDF Host Process (UMDFHostStartupEnd.LifetimeId) started successfully.
Description
The UMDF Host Process (UMDFHostStartupEnd.LifetimeId) started successfully.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| ExitCode | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2001,
"version": 1,
"level": 4,
"task": 32,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.978254+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 3552
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostStartupEnd": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"FinalStatus": 0
}
},
"message": ""
}
Event ID 2002: The UMDF Host Process (LifetimeId) failed to start successfully.
Event ID 2003: The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.
Description
The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2003,
"version": 1,
"level": 4,
"task": 33,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.998527+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7760
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceArrivalBegin": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001"
}
},
"message": ""
}
Detection Patterns
Initial Access: Hardware Additions
1 rule
Event ID 2004: The UMDF Host is loading driver UMDFHostAddDeviceBegin.Service at level UMDFHostAddDeviceBegin.Level for device UMDFHostAddDeviceBegin.InstanceId.
Description
The UMDF Host is loading driver UMDFHostAddDeviceBegin.Service at level UMDFHostAddDeviceBegin.Level for device UMDFHostAddDeviceBegin.InstanceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| Level | UInt32 | |
| Service | UnicodeString | |
| ClsId | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2004,
"version": 1,
"level": 5,
"task": 33,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.998872+00:00",
"event_record_id": 8,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7760
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostAddDeviceBegin": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"Level": 0,
"Service": "RdpIdd",
"DriverClsid": "00000000-0000-0000-0000-000000000000"
}
},
"message": ""
}
Event ID 2005: The UMDF Host Process (UMDFHostModuleLoad.LifetimeId) has loaded module UMDFHostModuleLoad.ModulePath while loading drivers for device UMDFHostModuleLoad.InstanceId.
Description
The UMDF Host Process (UMDFHostModuleLoad.LifetimeId) has loaded module UMDFHostModuleLoad.ModulePath while loading drivers for device UMDFHostModuleLoad.InstanceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| ModulePath | UnicodeString | |
| CompanyName | UnicodeString | |
| FileDescription | UnicodeString | |
| FileVersion | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2005,
"version": 1,
"level": 5,
"task": 33,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:24.104813+00:00",
"event_record_id": 9,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7760
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostModuleLoad": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "NULL",
"ModulePath": "C:\\Windows\\System32\\WUDFx02000.dll",
"CompanyName": "Microsoft Corporation",
"FileDescription": "WDF:UMDF Framework Library",
"FileVersion": "10.0.20348.1 (WinBuild.160101.0800)"
}
},
"message": ""
}
Event ID 2006: The UMDF Host successfully loaded the driver at level UMDFHostAddDeviceEnd.Level.
Description
The UMDF Host successfully loaded the driver at level UMDFHostAddDeviceEnd.Level.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| Level | UInt32 | |
| FinalStatus | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2006,
"version": 1,
"level": 5,
"task": 33,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:24.154881+00:00",
"event_record_id": 27,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7760
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostAddDeviceEnd": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"Level": 0,
"FinalStatus": 0
}
},
"message": ""
}
Event ID 2007: The UMDF Host failed to load the driver at level Level.
Event ID 2010: The UMDF Host Process (UMDFHostDeviceArrivalEnd.LifetimeId) has successfully loaded drivers for device UMDFHostDeviceArrivalEnd.InstanceId.
Description
The UMDF Host Process (UMDFHostDeviceArrivalEnd.LifetimeId) has successfully loaded drivers for device UMDFHostDeviceArrivalEnd.InstanceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| FinalStatus | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2010,
"version": 1,
"level": 4,
"task": 33,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:23.998782+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7760
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceArrivalEnd": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"FinalStatus": 0
}
},
"message": ""
}
Event ID 2011: The UMDF Host Process (LifetimeId) has failed to load drivers for device InstanceId.
Event ID 2100: Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.
Description
Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2100,
"version": 1,
"level": 4,
"task": 37,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:24.156732+00:00",
"event_record_id": 28,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7940
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceRequest": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"RequestMajorCode": 27,
"RequestMinorCode": 9,
"Argument1": "0x10040",
"Argument2": "0xffffffffffffffff",
"Argument3": "0x0",
"Argument4": "0x0",
"Status": 3221225659
}
},
"message": ""
}
Detection Patterns
Initial Access: Hardware Additions
1 rule
Event ID 2101: Completed a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Sta...
Description
Completed a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2101,
"version": 1,
"level": 4,
"task": 37,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:24.156878+00:00",
"event_record_id": 31,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7940
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceRequest": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"RequestMajorCode": 27,
"RequestMinorCode": 9,
"Argument1": "0x2d000010040",
"Argument2": "0xffffffffffffffff",
"Argument3": "0x100000000",
"Argument4": "0x400000004",
"Status": 0
}
},
"message": ""
}
Event ID 2102: Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with sta...
Description
Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2102,
"version": 1,
"level": 4,
"task": 37,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:03:23.459717+00:00",
"event_record_id": 53,
"correlation": {},
"execution": {
"process_id": 6928,
"thread_id": 6020
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceRequest": {
"LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"RequestMajorCode": 27,
"RequestMinorCode": 23,
"Argument1": "0x0",
"Argument2": "0x0",
"Argument3": "0x0",
"Argument4": "0x0",
"Status": 0
}
},
"message": ""
}
Detection Patterns
Initial Access: Hardware Additions
1 rule
Event ID 2103: Completed a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId with status Status.
Description
Completed a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId with status Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 2105: Forwarded a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId to the lower driver with status UMDFH...
Description
Forwarded a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId to the lower driver with status UMDFHostDeviceRequest.Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2105,
"version": 1,
"level": 4,
"task": 37,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:24.156800+00:00",
"event_record_id": 29,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7940
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceRequest": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"RequestMajorCode": 27,
"RequestMinorCode": 9,
"Argument1": "0x10040",
"Argument2": "0xffffffffffffffff",
"Argument3": "0x0",
"Argument4": "0x0",
"Status": 3221225659
}
},
"message": ""
}
Event ID 2106: Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId which was completed by the lower drive...
Description
Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId which was completed by the lower drivers with status UMDFHostDeviceRequest.Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2106,
"version": 1,
"level": 4,
"task": 37,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:00:24.156869+00:00",
"event_record_id": 30,
"correlation": {},
"execution": {
"process_id": 8116,
"thread_id": 7940
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostDeviceRequest": {
"LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"RequestMajorCode": 27,
"RequestMinorCode": 9,
"Argument1": "0x10040",
"Argument2": "0xffffffffffffffff",
"Argument3": "0x0",
"Argument4": "0x0",
"Status": 0
}
},
"message": ""
}
Event ID 2107: Received a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId which was completed by the lower drivers with status Status.
Description
Received a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId which was completed by the lower drivers with status Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| MajorCode | UInt8 | |
| MinorCode | UInt8 | |
| Argument1 | Pointer | |
| Argument2 | Pointer | |
| Argument3 | Pointer | |
| Argument4 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 2900: The UMDF Host (UMDFHostShutdown.LifetimeId) has been asked to shutdown.
Description
The UMDF Host (UMDFHostShutdown.LifetimeId) has been asked to shutdown.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2900,
"version": 1,
"level": 4,
"task": 41,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:03:23.476446+00:00",
"event_record_id": 57,
"correlation": {},
"execution": {
"process_id": 6928,
"thread_id": 6020
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostShutdown": {
"LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E"
}
},
"message": ""
}
Event ID 2901: The UMDF Host (UMDFHostShutdown.LifetimeId) has shutdown.
Description
The UMDF Host (UMDFHostShutdown.LifetimeId) has shutdown.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 2901,
"version": 1,
"level": 4,
"task": 41,
"opcode": 2,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:03:23.477062+00:00",
"event_record_id": 58,
"correlation": {},
"execution": {
"process_id": 6928,
"thread_id": 8256
},
"channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"user_data": {
"UMDFHostShutdown": {
"LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E"
}
},
"message": ""
}
Event ID 3000: UMDF State Machine StateMachine start processing event Event (Queueing Queueing).
Event ID 3001: UMDF State Machine StateMachine dropped event Event.
Event ID 3010: UMDF State Machine StateMachine state change from CurrentState to NewState on event Event.
Event ID 3011: UMDF State Machine StateMachine event processing finished in state CurrentState.
Event ID 3020: UMDF State Machine StateMachine event processing stopped in state Event.
Event ID 4000: A runtime failure has occurred in user-mode driver Driver and the hosting process has been terminated.
Description
A runtime failure has occurred in user-mode driver Driver and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices. Please contact the device manufacturer or driver vendor for more information about this problem.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| Category | UnicodeString | |
| ErrorNumber | HexInt64 | |
| Location | UnicodeString | |
| Driver | UnicodeString | |
| ImageVersion | UnicodeString | |
| UMDFVersion | UnicodeString | |
Event ID 10000: A driver package which uses user-mode driver framework version UMDFDeviceInstallBegin.FrameworkVersion is being installed on device UMDFDeviceInstallBegin.DeviceId.
Description
A driver package which uses user-mode driver framework version UMDFDeviceInstallBegin.FrameworkVersion is being installed on device UMDFDeviceInstallBegin.DeviceId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceId | | |
| FrameworkVersion | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 10000,
"version": 1,
"level": 4,
"task": 48,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:53:01.068372+00:00",
"event_record_id": 375,
"correlation": {},
"execution": {
"process_id": 2204,
"thread_id": 4904
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFDeviceInstallBegin": {
"DeviceId": "SWD\\WPDBUSENUM\\_??_USBSTOR#DISK&VEN_VENDORCO&PROD_PRODUCTCODE&REV_2.00#9207032533193411390&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}",
"FrameworkVersion": "2.33.0"
}
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10001: The UMDF service UMDFServiceInstall.ServiceName (CLSID UMDFServiceInstall.CLSID) was installed.
Description
The UMDF service UMDFServiceInstall.ServiceName (CLSID UMDFServiceInstall.CLSID) was installed. It requires framework version UMDFServiceInstall.MinimumFxVersion or higher.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ServiceName | | |
| CLSID | | |
| FxVersion | | |
| Upgrade | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 10001,
"version": 1,
"level": 4,
"task": 48,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:53:01.087249+00:00",
"event_record_id": 376,
"correlation": {},
"execution": {
"process_id": 2204,
"thread_id": 4904
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFServiceInstall": {
"ServiceName": "WpdFs",
"CLSID": "112DE495-AC4C-46F8-B663-6A4266C53313",
"MinimumFxVersion": "2.33.0",
"Upgrade": false
}
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10002: The UMDF service ServiceName (CLSID CLSID) was upgraded.
Event ID 10100: The driver package installation has succeeded.
Description
The driver package installation has succeeded.
Message
Fields
| Name | Type | Description |
|---|---|---|
| FinalStatus | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
"event_source_name": "",
"event_id": 10100,
"version": 1,
"level": 4,
"task": 48,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:53:01.102346+00:00",
"event_record_id": 377,
"correlation": {},
"execution": {
"process_id": 2204,
"thread_id": 4904
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFDeviceInstallEnd": {
"FinalStatus": 0
}
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10101: The driver package installation has failed.
Event ID 10110: A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.
Description
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.
Message
Fields
| Name | Type | Description |
|---|---|---|
| UMDFHostProblem.LifetimeId | GUID | |
| UMDFHostProblem.Problem | UInt8 | |
| UMDFHostProblem.DetectedBy | UInt8 | |
| UMDFHostProblem.ActiveOperation | UInt8 | |
| UMDFHostProblem.ExitCode | UInt32 | |
| UMDFHostProblem.Message | UInt32 | |
| UMDFHostProblem.Status | UInt32 | NTSTATUS reference |
| LifetimeId | GUID | |
| Problem | UInt8 | |
| DetectedBy | UInt8 | |
| ActiveOperation | UInt8 | |
| ExitCode | UInt32 | |
| Message | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}",
"event_source_name": "",
"event_id": 10110,
"version": 1,
"level": 1,
"task": 64,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-04-15T21:23:59.3708761+00:00",
"event_record_id": 5290,
"correlation": {},
"execution": {
"process_id": 1040,
"thread_id": 1184
},
"channel": "System",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UMDFHostProblem": {
"LifetimeId": "{d2ed148d-92b3-4630-b3ae-32cd0fdc873c}",
"Problem": "8",
"DetectedBy": "2",
"ActiveOperation": "0",
"ExitCode": "1879048193",
"Message": "0",
"Status": "4294967295"
}
},
"message": "A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices."
}
Event ID 10111: The device FriendlyName (location Location) is offline due to a user-mode driver crash.
Description
The device UmdfDeviceOffline.FriendlyName (location UmdfDeviceOffline.Location) is offline due to a user-mode driver crash. Windows will attempt to restart the device UmdfDeviceOffline.RestartCount more times. Please contact the device manufacturer for more information about this problem.
Message
Fields
| Name | Type | Description |
|---|---|---|
| UmdfDeviceOffline.LifetimeId | GUID | |
| UmdfDeviceOffline.FriendlyName | UnicodeString | |
| UmdfDeviceOffline.Location | UnicodeString | |
| UmdfDeviceOffline.InstanceId | UnicodeString | |
| UmdfDeviceOffline.RestartCount | UInt32 | |
| LifetimeId | GUID | |
| FriendlyName | UnicodeString | |
| Location | UnicodeString | |
| InstanceId | UnicodeString | |
| RestartCount | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-DriverFrameworks-UserMode",
"guid": "{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}",
"event_source_name": "",
"event_id": 10111,
"version": 1,
"level": 1,
"task": 64,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-04-15T21:23:59.3775735+00:00",
"event_record_id": 5291,
"correlation": {},
"execution": {
"process_id": 1040,
"thread_id": 1184
},
"channel": "System",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"UmdfDeviceOffline": {
"LifetimeId": "{d2ed148d-92b3-4630-b3ae-32cd0fdc873c}",
"FriendlyName": "Microsoft Remote Display Adapter",
"Location": "(unknown)",
"InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
"RestartCount": "5"
}
},
"message": "The device Microsoft Remote Display Adapter (location (unknown)) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem."
}
Event ID 10112: The device FriendlyName (location Location) is offline due to a user-mode device crash.
Description
The device FriendlyName (location Location) is offline due to a user-mode device crash. Windows will no longer attempt to restart this device because the maximum restart limit has been reached. Disconnecting the device and reconnecting it, or disabling it and re-enabling it from the device manager, will reset this limit and allow the device to be accessed again. Please contact the device manufacturer for more information about this problem.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| FriendlyName | UnicodeString | |
| Location | UnicodeString | |
| InstanceId | UnicodeString | |
| RestartCount | UInt32 | |
Event ID 10113: The device InstanceId was unable to start due to conflict between the settings for driver DriverName (ConflictingParameter - Value) and the other drivers.
Description
The device InstanceId was unable to start due to conflict between the settings for driver DriverName (ConflictingParameter - Value) and the other drivers. Windows will not be able to start this device. Please contact the device manufacturer for assistance.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| InstanceId | UnicodeString | |
| ConflictingParameter | UnicodeString | |
| Value | UInt64 | |
| DriverName | UnicodeString | |
Event ID 10114: {UnstartedService} (part of UMDF) did not load yet.
Event ID 10115: The device FriendlyName (location Location) is offline due to a user-mode driver crash.
Description
The device FriendlyName (location Location) is offline due to a user-mode driver crash. Windows will attempt to restart the device RestartCount more times in its own process. Please contact the device manufacturer for more information about this problem.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| FriendlyName | UnicodeString | |
| Location | UnicodeString | |
| InstanceId | UnicodeString | |
| RestartCount | UInt32 | |
Event ID 10116: The device FriendlyName (location Location) is offline due to a user-mode driver crash.
Description
The device FriendlyName (location Location) is offline due to a user-mode driver crash. Windows will attempt to restart the device in the shared process RestartCount more times before moving the device in its own process. Please contact the device manufacturer for more information about this problem.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| FriendlyName | UnicodeString | |
| Location | UnicodeString | |
| InstanceId | UnicodeString | |
| RestartCount | UInt32 | |
Event ID 10117: UMDF driver service ServiceName failed to load because it was compiled using a pre-release version of the Windows Driver Kit(WDK).
Description
UMDF driver service ServiceName failed to load because it was compiled using a pre-release version of the Windows Driver Kit(WDK). The driver should be recompiled using a release version of the WDK. Driver's function table count is ActualFuntionTableCount and the expected count is ExpectedFuntionTableCount.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ServiceName | UnicodeString | |
| ActualFuntionTableCount | UInt32 | |
| ExpectedFuntionTableCount | UInt32 | |
Event ID 10118: UMDF reflector is unable to connect to service control manager (SCM).
Description
UMDF reflector is unable to connect to service control manager (SCM). This is expected during boot, when SCM has not started yet. Will retry when it starts.
Message
Event ID 10120: A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.
Description
A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| Problem | UInt8 | |
| DetectedBy | UInt8 | |
| ActiveOperation | UInt8 | |
| ExitCode | UInt32 | |
| Message | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| InstanceId | UnicodeString | |
| HardwareId | UnicodeString | |
| ServiceName | UnicodeString | |
Event ID 10121: A runtime failure has occurred in user-mode driver Driver and the hosting process has been terminated.
Description
A runtime failure has occurred in user-mode driver Driver and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices. Please contact the device manufacturer or driver vendor for more information about this problem.
Message
Fields
| Name | Type | Description |
|---|---|---|
| LifetimeId | GUID | |
| Category | UnicodeString | |
| ErrorNumber | HexInt64 | |
| Location | UnicodeString | |
| Driver | UnicodeString | |
| ImageVersion | UnicodeString | |
| UMDFVersion | UnicodeString | |
Event ID 19999: UMDF Test Event (String).
Event ID 20030: Power IRP related event in the User-mode Driver Frameworks Host Process
Event ID 20031: Power IRP related event in the User-mode Driver Frameworks Host Process
Event ID 20032: Power IRP related event in the User-mode Driver Frameworks Host Process
Event ID 20033: Power IRP related event in the User-mode Driver Frameworks Host Process
Event ID 30000: A driver package which uses user-mode driver framework version {FrameworkVersion} is being installed on device {DeviceId}.
Event ID 30001: The driver package installation has finished.
Event ID 30002: PreDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.
Event ID 30003: PreDevice installation has finished.
Event ID 30004: PostDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.
Event ID 30005: PostDevice installation has finished.
Event ID 30007: UMDF has been updated.
Event ID 30008: DDI to read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30009: DDI to read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30010: Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30011: Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30012: DDI to write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30013: DDI to write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30014: Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30015: Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30016: Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30017: Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30018: Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30019: Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).
Event ID 30020: UMDF Reflector sent notification for hardware interrupt (Message ID InterruptMessageNumber).
Event ID 30021: UMDF framework received notification for hardware interrupt (Message ID InterruptMessageNumber).
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 2e35aaeb-857f-4beb-a418-2e6c0e54d988
Defined in WUDFPlatform.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02