Microsoft-Windows-Dwm-Udwm

156 events across 1 channel

Event	Title	Channel	Sample
1	UdwmGraphicsStreamChangeStart	Diagnostic	N
2	UdwmGraphicsStreamChangeStop	Diagnostic	N
5	UdwmProcessModeChange	Diagnostic	N
6	UdwmEstablishTransportStart	Diagnostic	N
7	UdwmEstablishTransportStop	Diagnostic	N
8	UdwmEstablishStructuralRedirectionStart	Diagnostic	N
9	UdwmEstablishStructuralRedirectionStop	Diagnostic	N
10	UdwmEstablishDesktopCompositionStart	Diagnostic	N
11	UdwmEstablishDesktopCompositionStop	Diagnostic	N
12	UdwmEstablishKernelRedirectionStart	Diagnostic	N
13	UdwmEstablishKernelRedirectionStop	Diagnostic	N
14	UdwmRefreshDesktopComposition	Diagnostic	N
15	UdwmResetGraphicsStream	Diagnostic	N
5000	UdwmStartup	Diagnostic	N
5001	UdwmShutdownMessage	Diagnostic	N
5002	UdwmAnimation	Diagnostic	Y
5003	UdwmAnimation	Diagnostic	Y
5004	UdwmAnimation	Diagnostic	Y
5005	UdwmManageIconicThumbnail	Diagnostic	N
5006	UdwmSelectIconicRepresentation	Diagnostic	N
5007	UdwmProcessSetIconicThumbnailStart	Diagnostic	N
5008	UdwmProcessSetIconicThumbnailStop	Diagnostic	N
5009	UdwmProcessSnapshotIconicThumbnailStart	Diagnostic	N
5010	UdwmProcessSnapshotIconicThumbnailStop	Diagnostic	N
5011	UdwmLivePreviewAnimationStart	Diagnostic	N
5012	UdwmLivePreviewAnimationStop	Diagnostic	N
5013	UdwmAllAnimationFinished	Diagnostic	Y
5014	UdwmProcessSetIconicLivePreviewBitmapStart	Diagnostic	N
5015	UdwmProcessSetIconicLivePreviewBitmapStop	Diagnostic	N
5016	UdwmProcessInvalidateIconicBitmapsStart	Diagnostic	N
5017	UdwmProcessInvalidateIconicBitmapsStop	Diagnostic	N
5018	UdwmGlassSheetAnimationStart	Diagnostic	N
5019	UdwmGlassSheetAnimation	Diagnostic	N
5020	UdwmGlassSheetAnimationStop	Diagnostic	N
5021	UdwmRippleAnimation	Diagnostic	N
5022	UdwmRippleAnimation5022	Diagnostic	N
5023	UdwmGlassSheetFadeOut	Diagnostic	N
5024	UdwmGlassSheetFadeOut5024	Diagnostic	N
5025	UdwmLoadThemeStart	Diagnostic	N
5026	UdwmLoadThemeStop	Diagnostic	N
5027	UdwmDirectTouchDownAnimationStart	Diagnostic	N
5028	UdwmDirectTouchDownAnimation	Diagnostic	N
5029	UdwmDirectTouchDownAnimationStop	Diagnostic	N
5030	UdwmTouchUpReceived	Diagnostic	N
5031	UdwmContactStationaryVisualStart	Diagnostic	N
5032	UdwmContactStationaryVisualStop	Diagnostic	N
5035	UdwmAnimationInitializationStart	Diagnostic	N
5036	UdwmAnimationInitializationStop	Diagnostic	N
5037	UdwmAnimationRecalc	Diagnostic	Y
5038	UdwmAnimationRecalc	Diagnostic	Y
5047	UdwmPressTapVisualStart	Diagnostic	N
5048	UdwmPressTapVisualStop	Diagnostic	N
5049	UdwmTetherVisualStart	Diagnostic	N
5050	UdwmTetherVisualStop	Diagnostic	N
5051	UdwmPenPressHoldVisualStart	Diagnostic	N
5052	UdwmPenPressHoldVisualStop	Diagnostic	N
5053	UdwmFlickVisualStart	Diagnostic	N
5054	UdwmFlickVisualStop	Diagnostic	N
5055	UdwmTouchDragVisualStart	Diagnostic	N
5056	UdwmTouchDragVisual	Diagnostic	N
5057	UdwmTouchDragVisualStop	Diagnostic	N
5058	UdwmTitleTextAligned	Diagnostic	N
5059	UdwmAnimationEngineStart	Diagnostic	N
5060	UdwmAnimationEngineStop	Diagnostic	N
5061	UdwmLoginTransitionStart	Diagnostic	N
5062	UdwmLoginTransitionStop	Diagnostic	N
5063	UdwmTransitionVisualControllerStart	Diagnostic	N
5064	UdwmTransitionVisualController	Diagnostic	N
5065	UdwmTransitionVisualControllerStop	Diagnostic	N
5066	UdwmScreenRotationCapture	Diagnostic	N
5067	UdwmScreenRotationDelayStart	Diagnostic	N
5068	UdwmScreenRotationDelayStop	Diagnostic	N
5069	UdwmScreenRotationAnimationStart	Diagnostic	N
5070	UdwmScreenRotationAnimationStop	Diagnostic	N
5071	UdwmAnimationEngine	Diagnostic	N
5072	UdwmPenBarrelStart	Diagnostic	N
5073	UdwmPenBarrelStop	Diagnostic	N
5074	UdwmIndirectTouchVisualStart	Diagnostic	N
5075	UdwmIndirectTouchVisualStop	Diagnostic	N
5076	UdwmStoryboard	Diagnostic	N
5077	UdwmGradientLoadStart	Diagnostic	N
5078	UdwmGradientLoadStop	Diagnostic	N
5079	UdwmGradientColorizeStart	Diagnostic	N
5080	UdwmGradientColorizeStop	Diagnostic	N
5081	UdwmAccentLoadStart	Diagnostic	N
5082	UdwmAccentLoadStop	Diagnostic	N
5083	UdwmAnimationComponent	Diagnostic	N
5084	UdwmAnimationComponent5084	Diagnostic	N
5085	UdwmAnimationComponent5085	Diagnostic	N
5086	UdwmAnimationComponent5086	Diagnostic	N
5087	UdwmTouchPressHoldVisualStart	Diagnostic	N
5088	UdwmTouchPressHoldVisualStop	Diagnostic	N
5089	UdwmAnimatedTransitionVisual	Diagnostic	N
5090	UdwmIndirectTouchVisual	Diagnostic	N
5091	UdwmTransitionRequestStart	Diagnostic	N
5092	UdwmTransitionRequestStop	Diagnostic	N
5093	UdwmTransitionRequest	Diagnostic	N
5094	UdwmTransitionCVISnapshot	Diagnostic	N
5095	UdwmTransitionProcessSnapshotOnVisual	Diagnostic	N
5096	UdwmSecondaryWindowBrushSnapshot	Diagnostic	N
5097	UdwmSecondaryWindowMakeStatic	Diagnostic	N
5098	UdwmScreenRotationPreDelayAnimationStart	Diagnostic	N
5099	UdwmScreenRotationPreDelayAnimationStop	Diagnostic	N
5100	UdwmScreenRotationPostDelayAnimationStart	Diagnostic	N
5101	UdwmScreenRotationPostDelayAnimationStop	Diagnostic	N
5102	UdwmScreenRotationHintDelayStart	Diagnostic	N
5103	UdwmScreenRotationHintDelayStop	Diagnostic	N
5104	UdwmScreenRotationHintFired	Diagnostic	N
5105	UdwmHardwareExpressionCapture	Diagnostic	N
5106	UdwmHardwareExpressionDelayStart	Diagnostic	N
5107	UdwmHardwareExpressionDelayStop	Diagnostic	N
5108	UdwmHardwareExpressionHintDelayStart	Diagnostic	N
5109	UdwmHardwareExpressionHintDelayStop	Diagnostic	N
5110	UdwmHardwareExpressionPreDelayAnimationStart	Diagnostic	N
5111	UdwmHardwareExpressionPreDelayAnimationStop	Diagnostic	N
5112	UdwmHardwareExpressionPostDelayAnimationStart	Diagnostic	N
5113	UdwmHardwareExpressionPostDelayAnimationStop	Diagnostic	N
5114	UdwmHardwareExpressionAnimationStart	Diagnostic	N
5115	UdwmHardwareExpressionAnimationStop	Diagnostic	N
5116	UdwmHardwareExpressionHintFired	Diagnostic	N
5117	UdwmSystemAnimation	Diagnostic	Y
5118	UdwmSystemAnimation5118	Diagnostic	N
5119	UdwmSystemAnimation5119	Diagnostic	N
5120	UdwmSystemAnimation5120	Diagnostic	N
5121	UdwmSystemAnimation5121	Diagnostic	N
5122	UdwmSystemAnimation5122	Diagnostic	N
5123	UdwmSystemAnimation5123	Diagnostic	N
5124	UdwmSystemAnimation5124	Diagnostic	N
5125	UdwmSystemAnimationStart	Diagnostic	N
5126	UdwmSystemAnimationStop	Diagnostic	N
5127	UdwmAnimationClockStart	Diagnostic	N
5128	UdwmAnimationClockStop	Diagnostic	N
5129	UdwmAnimationClockStart5129	Diagnostic	N
5130	UdwmAnimationClockStop5130	Diagnostic	N
5131	UdwmAnimationClockStart5131	Diagnostic	N
5132	UdwmAnimationClockStop5132	Diagnostic	N
5133	UdwmAnimationClock	Diagnostic	N
5134	UdwmAnimationClock5134	Diagnostic	N
5150	UdwmThumbnailVisualValidated	Diagnostic	N
5151	UdwmSystemAnimation5151	Diagnostic	N
5152	UdwmAnimationResource	Diagnostic	N
5153	UdwmWindowDPIChange	Diagnostic	Y
5154	UdwmSystemAnimation5154	Diagnostic	N
5155	UdwmSystemAnimation5155	Diagnostic	N
5156	UdwmSystemAnimation5156	Diagnostic	N
5157	UdwmMaximizeSnapTransition	Diagnostic	N
9001	wr RemoveSecondaryWindowRepresentation …	Diagnostic	N
9002	RemoveSecondaryWindowRepresentation …	Diagnostic	Y
9003	RemoveSecondaryWindowRepresentation …	Diagnostic	Y
9004	_StopTrackingWindow CWindowData{CWindowData}.	Diagnostic	N
9005	Thumbnail hwndDestination{hwndDestination}.	Diagnostic	N
9006	ownedWindow pwd{pwd}, hwnd{hwnd}.	Diagnostic	N
9007	UpdateScene	Diagnostic	Y
9008	Disconnect	Diagnostic	N
9009	Snapshot pSnapshot{pSnapshot}.	Diagnostic	N
10000	PerfTrack_UdwmLivePreviewAnimation_FirstFrameFinished	Diagnostic	N

Event ID 1: UdwmGraphicsStreamChangeStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGraphicsStreamChange
Opcode: Start

Fields #

Name	Description
`flags` UInt32

Event ID 2: UdwmGraphicsStreamChangeStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGraphicsStreamChange
Opcode: Stop

Fields #

Name	Description
`flags` UInt32

Event ID 5: UdwmProcessModeChange

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessModeChange

Fields #

Name	Description
`Height` UInt32
`Width` UInt32
`Depth` UInt32

Event ID 6: UdwmEstablishTransportStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishTransport
Opcode: Start

Event ID 7: UdwmEstablishTransportStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishTransport
Opcode: Stop

Event ID 8: UdwmEstablishStructuralRedirectionStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishStructuralRedirection
Opcode: Start

Event ID 9: UdwmEstablishStructuralRedirectionStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishStructuralRedirection
Opcode: Stop

Event ID 10: UdwmEstablishDesktopCompositionStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishDesktopComposition
Opcode: Start

Event ID 11: UdwmEstablishDesktopCompositionStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishDesktopComposition
Opcode: Stop

Event ID 12: UdwmEstablishKernelRedirectionStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishKernelRedirection
Opcode: Start

Event ID 13: UdwmEstablishKernelRedirectionStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmEstablishKernelRedirection
Opcode: Stop

Event ID 14: UdwmRefreshDesktopComposition

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmRefreshDesktopComposition
Opcode: Info

Event ID 15: UdwmResetGraphicsStream

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmResetGraphicsStream
Opcode: Info

Event ID 5000: UdwmStartup

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmStartup

Fields #

Name	Description
`Schedules` UInt32

Event ID 5001: UdwmShutdownMessage

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmShutdownMessage

Event ID 5002: UdwmAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdwmAnimation
Opcode: Start

Fields #

Name	Description
`AnimationType` UInt32
`Hwnd` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5002,
    "version": 0,
    "level": 4,
    "task": 5002,
    "opcode": 1,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:56.759+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 1704
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AnimationType": 1,
    "Hwnd": "0x2F0626"
  },
  "message": "UdwmAnimation"
}

Event ID 5003: UdwmAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdwmAnimation
Opcode: Stop

Fields #

Name	Description
`AnimationType` UInt32
`Hwnd` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5003,
    "version": 0,
    "level": 4,
    "task": 5002,
    "opcode": 2,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:57.073+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AnimationType": 1,
    "Hwnd": "0x2F0626"
  },
  "message": "UdwmAnimation"
}

Event ID 5004: UdwmAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Level: Informational
Task: UdwmAnimation
Opcode: win:Info

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5004,
    "version": 0,
    "level": 4,
    "task": 5002,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:56.807+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "UdwmAnimation"
}

Event ID 5005: UdwmManageIconicThumbnail

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmManageIconicThumbnail

Fields #

Name	Description
`Action` UInt32
`Hwnd` Pointer

Event ID 5006: UdwmSelectIconicRepresentation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSelectIconicRepresentation

Fields #

Name	Description
`Action` UInt32
`Hwnd` Pointer

Event ID 5007: UdwmProcessSetIconicThumbnailStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessSetIconicThumbnail
Opcode: Start

Fields #

Name	Description
`hwnd` Pointer

Event ID 5008: UdwmProcessSetIconicThumbnailStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessSetIconicThumbnail
Opcode: Stop

Fields #

Name	Description
`hwnd` Pointer

Event ID 5009: UdwmProcessSnapshotIconicThumbnailStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessSnapshotIconicThumbnail
Opcode: Start

Fields #

Name	Description
`hwnd` Pointer

Event ID 5010: UdwmProcessSnapshotIconicThumbnailStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessSnapshotIconicThumbnail
Opcode: Stop

Fields #

Name	Description
`hwnd` Pointer

Event ID 5011: UdwmLivePreviewAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmLivePreviewAnimation
Opcode: Start

Event ID 5012: UdwmLivePreviewAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmLivePreviewAnimation
Opcode: Stop

Event ID 5013: UdwmAllAnimationFinished

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Level: Informational
Task: UdwmAllAnimationFinished
Opcode: win:Info

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5013,
    "version": 0,
    "level": 4,
    "task": 5008,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:57.105+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "UdwmAllAnimationFinished"
}

Event ID 5014: UdwmProcessSetIconicLivePreviewBitmapStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessSetIconicLivePreviewBitmap
Opcode: Start

Fields #

Name	Description
`hwnd` Pointer

Event ID 5015: UdwmProcessSetIconicLivePreviewBitmapStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessSetIconicLivePreviewBitmap
Opcode: Stop

Fields #

Name	Description
`hwnd` Pointer

Event ID 5016: UdwmProcessInvalidateIconicBitmapsStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessInvalidateIconicBitmaps
Opcode: Start

Fields #

Name	Description
`hwnd` Pointer

Event ID 5017: UdwmProcessInvalidateIconicBitmapsStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmProcessInvalidateIconicBitmaps
Opcode: Stop

Fields #

Name	Description
`hwnd` Pointer

Event ID 5018: UdwmGlassSheetAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGlassSheetAnimation
Opcode: Start

Event ID 5019: UdwmGlassSheetAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGlassSheetAnimation

Event ID 5020: UdwmGlassSheetAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGlassSheetAnimation
Opcode: Stop

Fields #

Name	Description
`Left` Int32
`Top` Int32
`Right` Int32
`Bottom` Int32

Event ID 5021: UdwmRippleAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmRippleAnimation

Event ID 5022: UdwmRippleAnimation5022

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmRippleAnimation

Event ID 5023: UdwmGlassSheetFadeOut

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGlassSheetFadeOut

Event ID 5024: UdwmGlassSheetFadeOut5024

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGlassSheetFadeOut

Event ID 5025: UdwmLoadThemeStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmLoadTheme
Opcode: Start

Event ID 5026: UdwmLoadThemeStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmLoadTheme
Opcode: Stop

Event ID 5027: UdwmDirectTouchDownAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmDirectTouchDownAnimation
Opcode: Start

Fields #

Name	Description
`PointerID` UInt32

Event ID 5028: UdwmDirectTouchDownAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmDirectTouchDownAnimation

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5028
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5028

Event ID 5029: UdwmDirectTouchDownAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmDirectTouchDownAnimation
Opcode: Stop

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5029
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5029

Event ID 5030: UdwmTouchUpReceived

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTouchUpReceived

Fields #

Name	Description
`PointerID` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5030
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5030

Event ID 5031: UdwmContactStationaryVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmContactStationaryVisual
Opcode: Start

Fields #

Name	Description
`Enum` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5031
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5031

Event ID 5032: UdwmContactStationaryVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmContactStationaryVisual
Opcode: Stop

Fields #

Name	Description
`Enum` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5032
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5032

Event ID 5035: UdwmAnimationInitializationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationInitialization
Opcode: Start

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5035
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5035

Event ID 5036: UdwmAnimationInitializationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationInitialization
Opcode: Stop

Event ID 5037: UdwmAnimationRecalc

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Level: Informational
Task: UdwmAnimationRecalc
Opcode: Start

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5037,
    "version": 0,
    "level": 4,
    "task": 5020,
    "opcode": 1,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:56.807+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "UdwmAnimationRecalc"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5037
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5037

Event ID 5038: UdwmAnimationRecalc

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Level: Informational
Task: UdwmAnimationRecalc
Opcode: Stop

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5038,
    "version": 0,
    "level": 4,
    "task": 5020,
    "opcode": 2,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:56.807+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "UdwmAnimationRecalc"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5038

Event ID 5047: UdwmPressTapVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmPressTapVisual
Opcode: Start

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5047
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5047

Event ID 5048: UdwmPressTapVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmPressTapVisual
Opcode: Stop

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5048
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5048

Event ID 5049: UdwmTetherVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTetherVisual
Opcode: Start

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5049
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5049

Event ID 5050: UdwmTetherVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTetherVisual
Opcode: Stop

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5050

Event ID 5051: UdwmPenPressHoldVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmPenPressHoldVisual
Opcode: Start

Fields #

Name	Description
`flags` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5051
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5051

Event ID 5052: UdwmPenPressHoldVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmPenPressHoldVisual
Opcode: Stop

Fields #

Name	Description
`flags` UInt32

Event ID 5053: UdwmFlickVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmFlickVisual
Opcode: Start

Fields #

Name	Description
`Enum` UInt32

Event ID 5054: UdwmFlickVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmFlickVisual
Opcode: Stop

Fields #

Name	Description
`Enum` UInt32

Event ID 5055: UdwmTouchDragVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTouchDragVisual
Opcode: Start

Fields #

Name	Description
`PointerID` UInt32

Event ID 5056: UdwmTouchDragVisual

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTouchDragVisual

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5056
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5056

Event ID 5057: UdwmTouchDragVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTouchDragVisual
Opcode: Stop

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5057
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5057

Event ID 5058: UdwmTitleTextAligned

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTitleTextAligned

Fields #

Name	Description
`alignment` Int32

Event ID 5059: UdwmAnimationEngineStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationEngine
Opcode: Start

Fields #

Name	Description
`AnimationID` UInt32
`StoryboardID` Int32
`TickCount` UInt32

Event ID 5060: UdwmAnimationEngineStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationEngine
Opcode: Stop

Fields #

Name	Description
`AnimationID` UInt32
`StoryboardID` Int32
`TickCount` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5060
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5060

Event ID 5061: UdwmLoginTransitionStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmLoginTransition
Opcode: Start

Event ID 5062: UdwmLoginTransitionStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmLoginTransition
Opcode: Stop

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5062
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5062

Event ID 5063: UdwmTransitionVisualControllerStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionVisualController
Opcode: Start

Fields #

Name	Description
`StoryboardID` Int32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5063
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5063

Event ID 5064: UdwmTransitionVisualController

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionVisualController

Fields #

Name	Description
`StoryboardID` Int32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5064
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5064

Event ID 5065: UdwmTransitionVisualControllerStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionVisualController
Opcode: Stop

Fields #

Name	Description
`StoryboardID` Int32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5065
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5065

Event ID 5066: UdwmScreenRotationCapture

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationCapture

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5066
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5066

Event ID 5067: UdwmScreenRotationDelayStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationDelay
Opcode: Start

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5067
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5067

Event ID 5068: UdwmScreenRotationDelayStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationDelay
Opcode: Stop

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5068
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5068

Event ID 5069: UdwmScreenRotationAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationAnimation
Opcode: Start

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5069
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5069

Event ID 5070: UdwmScreenRotationAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationAnimation
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5070
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5070

Event ID 5071: UdwmAnimationEngine

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationEngine

Fields #

Name	Description
`AnimationID` UInt32
`x0` Float
`y0` Float
`x1` Float
`y1` Float

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5071

Event ID 5072: UdwmPenBarrelStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmPenBarrel
Opcode: Start

Fields #

Name	Description
`PointerID` UInt32

Event ID 5073: UdwmPenBarrelStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmPenBarrel
Opcode: Stop

Fields #

Name	Description
`PointerID` UInt32

Event ID 5074: UdwmIndirectTouchVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmIndirectTouchVisual
Opcode: Start

Fields #

Name	Description
`PointerID` UInt32
`Enum` UInt32

Event ID 5075: UdwmIndirectTouchVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmIndirectTouchVisual
Opcode: Stop

Fields #

Name	Description
`PointerID` UInt32
`Enum` UInt32

Event ID 5076: UdwmStoryboard

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmStoryboard

Fields #

Name	Description
`State` UInt32
`AnimationID` Int32

Event ID 5077: UdwmGradientLoadStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGradientLoad
Opcode: Start

Event ID 5078: UdwmGradientLoadStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGradientLoad
Opcode: Stop

Event ID 5079: UdwmGradientColorizeStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGradientColorize
Opcode: Start

Event ID 5080: UdwmGradientColorizeStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmGradientColorize
Opcode: Stop

Event ID 5081: UdwmAccentLoadStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAccentLoad
Opcode: Start

Fields #

Name	Description
`ResourceId` UInt32

Event ID 5082: UdwmAccentLoadStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAccentLoad
Opcode: Stop

Event ID 5083: UdwmAnimationComponent

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationComponent

Fields #

Name	Description
`hwnd` Pointer
`StoryboardId` Int32
`Target` Int32

Event ID 5084: UdwmAnimationComponent5084

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationComponent

Fields #

Name	Description
`hwnd` Pointer
`StoryboardId` Int32
`Target` Int32

Event ID 5085: UdwmAnimationComponent5085

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationComponent

Fields #

Name	Description
`hwnd` Pointer
`StoryboardId` Int32
`Target` Int32

Event ID 5086: UdwmAnimationComponent5086

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationComponent

Fields #

Name	Description
`hwnd` Pointer
`StoryboardId` Int32
`Target` Int32

Event ID 5087: UdwmTouchPressHoldVisualStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTouchPressHoldVisual
Opcode: Start

Fields #

Name	Description
`Enum` UInt32

Event ID 5088: UdwmTouchPressHoldVisualStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTouchPressHoldVisual
Opcode: Stop

Fields #

Name	Description
`Enum` UInt32

Event ID 5089: UdwmAnimatedTransitionVisual

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimatedTransitionVisual

Fields #

Name	Description
`StoryboardId` Int32
`TargetId` Int32
`BeginLeft` Int32
`BeginTop` Int32
`BeginRight` Int32
`BeginBottom` Int32
`EndLeft` Int32
`EndTop` Int32
`EndRight` Int32
`EndBottom` Int32
`BeginOpacity` Float
`EndOpacity` Float
`BeginDepth` Float
`EndDepth` Float
`ResourceHandle` UInt32
`StaggerOrder` UInt32
`AnimationId` UInt32

Event ID 5090: UdwmIndirectTouchVisual

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmIndirectTouchVisual

Fields #

Name	Description
`PointerID` UInt32

Event ID 5091: UdwmTransitionRequestStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionRequest
Opcode: Start

Fields #

Name	Description
`StoryboardID` Int32

Event ID 5092: UdwmTransitionRequestStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionRequest
Opcode: Stop

Fields #

Name	Description
`StoryboardID` Int32

Event ID 5093: UdwmTransitionRequest

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionRequest

Fields #

Name	Description
`hwnd` Pointer
`Target` HexInt32

Event ID 5094: UdwmTransitionCVISnapshot

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionCVISnapshot

Event ID 5095: UdwmTransitionProcessSnapshotOnVisual

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmTransitionProcessSnapshotOnVisual

Event ID 5096: UdwmSecondaryWindowBrushSnapshot

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSecondaryWindowBrushSnapshot

Fields #

Name	Description
`Title` UnicodeString

Event ID 5097: UdwmSecondaryWindowMakeStatic

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSecondaryWindowMakeStatic
Opcode: Info

Event ID 5098: UdwmScreenRotationPreDelayAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationPreDelayAnimation
Opcode: Start

Event ID 5099: UdwmScreenRotationPreDelayAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationPreDelayAnimation
Opcode: Stop

Event ID 5100: UdwmScreenRotationPostDelayAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationPostDelayAnimation
Opcode: Start

Event ID 5101: UdwmScreenRotationPostDelayAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationPostDelayAnimation
Opcode: Stop

Event ID 5102: UdwmScreenRotationHintDelayStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationHintDelay
Opcode: Start

Event ID 5103: UdwmScreenRotationHintDelayStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationHintDelay
Opcode: Stop

Event ID 5104: UdwmScreenRotationHintFired

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmScreenRotationHintFired
Opcode: Info

Event ID 5105: UdwmHardwareExpressionCapture

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionCapture
Opcode: Info

Event ID 5106: UdwmHardwareExpressionDelayStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionDelay
Opcode: Start

Event ID 5107: UdwmHardwareExpressionDelayStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionDelay
Opcode: Stop

Event ID 5108: UdwmHardwareExpressionHintDelayStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionHintDelay
Opcode: Start

Event ID 5109: UdwmHardwareExpressionHintDelayStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionHintDelay
Opcode: Stop

Event ID 5110: UdwmHardwareExpressionPreDelayAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionPreDelayAnimation
Opcode: Start

Event ID 5111: UdwmHardwareExpressionPreDelayAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionPreDelayAnimation
Opcode: Stop

Event ID 5112: UdwmHardwareExpressionPostDelayAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionPostDelayAnimation
Opcode: Start

Event ID 5113: UdwmHardwareExpressionPostDelayAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionPostDelayAnimation
Opcode: Stop

Event ID 5114: UdwmHardwareExpressionAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionAnimation
Opcode: Start

Event ID 5115: UdwmHardwareExpressionAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionAnimation
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32

Event ID 5116: UdwmHardwareExpressionHintFired

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmHardwareExpressionHintFired
Opcode: Info

Event ID 5117: UdwmSystemAnimation

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdwmSystemAnimation
Opcode: win:Info

Fields #

Name	Description
`hwnd` Pointer
`Cloaked` UInt32
`Tracked` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5117,
    "version": 0,
    "level": 4,
    "task": 5021,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:56.759+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 1704
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Cloaked": 0,
    "Tracked": 0,
    "hwnd": "0x2F0626"
  },
  "message": "UdwmSystemAnimation"
}

Event ID 5118: UdwmSystemAnimation5118

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`hwnd` Pointer
`Target` HexInt32

Event ID 5119: UdwmSystemAnimation5119

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`hwnd` Pointer
`Show` UInt32

Event ID 5120: UdwmSystemAnimation5120

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`StoryboardID` Int32

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5120

Event ID 5121: UdwmSystemAnimation5121

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`StoryboardID` Int32

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5121

Event ID 5122: UdwmSystemAnimation5122

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`StoryboardID` Int32

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5122

Event ID 5123: UdwmSystemAnimation5123

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`hwndCloned` Pointer
`hwndAfter` Pointer

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5123

Event ID 5124: UdwmSystemAnimation5124

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`hwnd` Pointer

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5124

Event ID 5125: UdwmSystemAnimationStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation
Opcode: Start

Fields #

Name	Description
`hwnd` Pointer

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5125

Event ID 5126: UdwmSystemAnimationStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation
Opcode: Stop

Fields #

Name	Description
`hwnd` Pointer

Event ID 5127: UdwmAnimationClockStart

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock
Opcode: Start

Fields #

Name	Description
`clockId` GUID
`timespan` UInt32

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5127

Event ID 5128: UdwmAnimationClockStop

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock
Opcode: Stop

Fields #

Name	Description
`clockId` GUID

Event ID 5129: UdwmAnimationClockStart5129

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock
Opcode: Start

Fields #

Name	Description
`clockId` GUID
`timespan` UInt32
`count` Int64

Event ID 5130: UdwmAnimationClockStop5130

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock
Opcode: Stop

Fields #

Name	Description
`clockId` GUID
`count` Int64

Event ID 5131: UdwmAnimationClockStart5131

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock
Opcode: Start

Fields #

Name	Description
`clockId` GUID
`time` Int64

Event ID 5132: UdwmAnimationClockStop5132

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock
Opcode: Stop

Fields #

Name	Description
`clockId` GUID

Event ID 5133: UdwmAnimationClock

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock

Fields #

Name	Description
`clockId` GUID
`time` Int64

Event ID 5134: UdwmAnimationClock5134

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationClock

Fields #

Name	Description
`clockId` GUID
`oldValue` Int32
`newValue` Int32

Event ID 5150: UdwmThumbnailVisualValidated

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmThumbnailVisualValidated

Fields #

Name	Description
`Enum` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5150
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5150

Event ID 5151: UdwmSystemAnimation5151

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`StoryboardId` Int32
`TargetId` Int32
`VisualHandle` UInt32
`EffectGroupHandle` UInt32
`Transform3DGroupHandle` UInt32
`TranslateTransform3DHandle` UInt32
`ScaleTransform3DHandle` UInt32
`RotateTransform3DHandle` UInt32
`Channel` Pointer

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5151
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5151

Event ID 5152: UdwmAnimationResource

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmAnimationResource

Fields #

Name	Description
`AnimationHandle` UInt32
`ResourceHandle` UInt32
`PropertyID` UInt32
`Channel` Pointer

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5152

Event ID 5153: UdwmWindowDPIChange

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdwmWindowDPIChange
Opcode: win:Info

Fields #

Name	Description
`hwnd` Pointer
`DPI` Int32
`LogicalOriginX` Int32
`LogicalOriginY` Int32
`PhysicalOriginX` Int32
`PhysicalOriginY` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 5153,
    "version": 0,
    "level": 4,
    "task": 5127,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:56.595+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 1704
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DPI": 96,
    "LogicalOriginX": 0,
    "LogicalOriginY": 0,
    "PhysicalOriginX": 0,
    "PhysicalOriginY": 0,
    "hwnd": "0x2F0626"
  },
  "message": "UdwmWindowDPIChange"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5153
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5153

Event ID 5154: UdwmSystemAnimation5154

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`hwnd` Pointer
`left` Int32
`top` Int32
`right` Int32
`bottom` Int32
`HRESULT` UInt32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5154

Event ID 5155: UdwmSystemAnimation5155

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`hwnd` Pointer
`StoryboardId` Int32
`Target` Int32
`CreationMethod` Int32
`Left` Int32
`Top` Int32
`Right` Int32
`Bottom` Int32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5155
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5155

Event ID 5156: UdwmSystemAnimation5156

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmSystemAnimation

Fields #

Name	Description
`UseDelayStoryboard` Boolean
`AbandonCrossfade` Boolean
`FoundValidTarget` Boolean
`IsResize` Boolean

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5156

Event ID 5157: UdwmMaximizeSnapTransition

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: UdwmMaximizeSnapTransition

Fields #

Name	Description
`Hwnd` Pointer
`Left` Int32
`Top` Int32
`Right` Int32
`Bottom` Int32

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5157

Event ID 9001: wr RemoveSecondaryWindowRepresentation secondarywindowpointer{secondarywindowpointer}, hwnd{hwnd}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Opcode: Info

Description

wr RemoveSecondaryWindowRepresentation secondarywindowpointer{secondarywindowpointer}, hwnd{hwnd}.

Message #

wr RemoveSecondaryWindowRepresentation %1{secondarywindowpointer}, %2{hwnd}

Fields #

Name	Description
`secondarywindowpointer` Pointer
`hwnd` Pointer

Event ID 9002: RemoveSecondaryWindowRepresentation secondarywindowpointer{secondarywindowpointer}, hwnd{hwnd} representationType{representationType}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

RemoveSecondaryWindowRepresentation secondarywindowpointer{secondarywindowpointer}, hwnd{hwnd} representationType{representationType}.

Message #

RemoveSecondaryWindowRepresentation %1{secondarywindowpointer}, %2{hwnd} %3{representationType}

Fields #

Name	Description
`secondarywindowpointer` Pointer
`hwnd` Pointer
`representationType` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 9002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:57.073+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "hwnd": "0x2F0626",
    "representationType": 1,
    "secondarywindowpointer": "0x1B7FF783DC0"
  },
  "message": ""
}

Event ID 9003: RemoveSecondaryWindowRepresentation secondarywindowpointer{secondarywindowpointer}, hwnd{hwnd}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

RemoveSecondaryWindowRepresentation secondarywindowpointer{secondarywindowpointer}, hwnd{hwnd}.

Message #

RemoveSecondaryWindowRepresentation %1{secondarywindowpointer}, %2{hwnd}

Fields #

Name	Description
`secondarywindowpointer` Pointer
`hwnd` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 9003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:57.073+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 2508
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "hwnd": "0x2F0626",
    "secondarywindowpointer": "0x1B7FF783DC0"
  },
  "message": ""
}

Event ID 9004: _StopTrackingWindow CWindowData{CWindowData}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Opcode: Info

Description

_StopTrackingWindow CWindowData{CWindowData}.

Message #

_StopTrackingWindow %1{CWindowData}

Fields #

Name	Description
`CWindowData` Pointer

Event ID 9005: Thumbnail hwndDestination{hwndDestination}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Opcode: Info

Description

Thumbnail hwndDestination{hwndDestination}.

Message #

Thumbnail %1{hwndDestination}

Fields #

Name	Description
`hwndDestination` Pointer

Event ID 9006: ownedWindow pwd{pwd}, hwnd{hwnd}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Opcode: Info

Description

ownedWindow pwd{pwd}, hwnd{hwnd}.

Message #

ownedWindow %1{pwd}, %2{hwnd}

Fields #

Name	Description
`pwd` Pointer
`hwnd` Pointer

Event ID 9007: UpdateScene

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Level: Informational
Opcode: Info

Description

UpdateScene.

Message #

UpdateScene

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Dwm-Udwm",
    "guid": "{A2D1C713-093B-43A7-B445-D09370EC9F47}",
    "event_source_name": "",
    "event_id": 9007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T04:52:54.632+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1648,
      "thread_id": 1704
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 9008: Disconnect

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Opcode: Info

Description

Disconnect.

Message #

Disconnect

Event ID 9009: Snapshot pSnapshot{pSnapshot}.

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Opcode: Info

Description

Snapshot pSnapshot{pSnapshot}.

Message #

Snapshot %1{pSnapshot}

Fields #

Name	Description
`pSnapshot` Pointer

Event ID 10000: PerfTrack_UdwmLivePreviewAnimation_FirstFrameFinished

Provider: Microsoft-Windows-Dwm-Udwm
Channel: Diagnostic
Task: PerfTrack_UdwmLivePreviewAnimation_FirstFrameFinished

Fields #

Name	Description
`PerfTrackId` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {A2D1C713-093B-43A7-B445-D09370EC9F47}

Defined in udwm.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)