Microsoft-Windows-EFS

172 events across 3 channels

Event	Title	Channel	Sample
1	An API call failed at FileNumber.	Debug	N
2	An API call failed at Data.	Debug	N
3	An API call failed at Data.	Debug	N
4	FileNumber.	Debug	N
256	EFS key promoted from current key.	Debug	N
257	EFS key demoted from current key.	Debug	N
258	EFS key flushed from cache.	Debug	N
259	FileNumber.	Debug	N
260	FileNumber.	Debug	N
261	FileNumber.	Debug	N
262	FileNumber.	Debug	N
263	FileNumber.	Debug	N
264	FileNumber.	Debug	N
265	FileNumber.	Debug	N
272	FileNumber.	Debug	N
273	FileNumber.	Debug	N
274	FileNumber.	Debug	N
275	FileNumber.	Debug	N
276	FileNumber.	Debug	N
277	FileNumber.	Debug	N
278	FileNumber.	Debug	N
279	FileNumber.	Debug	N
280	FileNumber.	Debug	N
281	FileNumber.	Debug	N
288	FileNumber.	Debug	N
289	FileNumber.	Debug	N
290	FileNumber.	Debug	N
512	FileNumber.	Debug	N
513	FileNumber.	Debug	N
514	FileNumber.	Debug	N
515	FileNumber.	Debug	N
516	FileNumber.	Debug	N
517	EFS key added to user cache.	Debug	N
518	FileNumber.	Debug	N
519	FileNumber.	Debug	N
520	FileNumber.	Debug	N
521	FileNumber.	Debug	N
768	FileNumber.	Debug	N
769	FileNumber.	Debug	N
770	FileNumber.	Debug	N
771	FileNumber.	Debug	N
772	FileNumber.	Debug	N
773	FileNumber.	Debug	N
774	FileNumber.	Debug	N
775	FileNumber.	Debug	N
776	FileNumber.	Debug	N
777	FileNumber.	Debug	N
784	FileNumber.	Debug	N
785	FileNumber.	Debug	N
786	FileNumber.	Debug	N
787	FileNumber.	Debug	N
788	FileNumber.	Debug	N
789	FileNumber.	Debug	N
790	FileNumber.	Debug	N
791	FileNumber.	Debug	N
792	FileNumber.	Debug	N
793	FileNumber.	Debug	N
800	FileNumber.	Debug	N
801	FileNumber.	Debug	N
802	FileNumber.	Debug	N
803	FileNumber.	Debug	N
804	FileNumber.	Debug	N
805	FileNumber.	Debug	N
1024	FileNumber.	Debug	N
1040	FileNumber.	Debug	N
1041	FileNumber.	Debug	N
1042	FileNumber.	Debug	N
1280	Actual.	Debug	N
1281	Actual.	Debug	N
1282	FileNumber.	Debug	N
1283	FileNumber.	Debug	N
1284	FileNumber.	Debug	N
1536	PIN prompt dialog has closed	Debug	N
1537	Prompt the user to select a smartcard-based EFS cert	Debug	N
1538	Smartcard-based EFS cert successfully selected by the user	Debug	N
1539	Prompt the user for PIN	Debug	N
1540	PIN successfully acquired from the user	Debug	N
1541	Perfect match found in cache.	Debug	N
1542	Masterkey history already loaded	Debug	N
1543	Current key loaded from cache	Debug	N
1544	Current key loaded from registry	Debug	N
1545	FileNumber.	Debug	N
4096	FileNumber.	Debug	N
4097	FileNumber.	Debug	N
4098	FileNumber.	Debug	N
4099	FileNumber.	Debug	N
4100	FileNumber.	Debug	N
4101	FileNumber.	Debug	N
4102	FileNumber.	Debug	N
4353	FileNumber.	Debug	N
4354	FileNumber.	Debug	N
4355	FileNumber.	Debug	N
4356	FileNumber.	Debug	N
4357	FileNumber.	Debug	N
4358	FileNumber.	Debug	N
4359	FileNumber.	Debug	N
4360	FileNumber.	Debug	N
4361	FileNumber.	Debug	N
4368	FileNumber.	Debug	N
4369	FileNumber.	Debug	N
4370	FileNumber.	Debug	N
4371	FileNumber.	Debug	N
4372	FileNumber.	Debug	N
4373	FileNumber.	Debug	N
4374	FileNumber.	Debug	N
4375	FileNumber.	Debug	N
4376	EFS Service failed to start.	Application	N
4377	FileNumber.	Debug	N
4378	FileNumber.	Debug	N
4379	EFS service was unable to populate SID information.	Application	N
4380	EFS service was unable to determine the computer name.	Application	N
4381	EFS service was unable to initialize cache lock.	Application	N
4382	EFS service was unable to initialize the BCrypt Algorithm Provider.	Application	N
4383	EFS service was unable to query Software Licensing for the cache size.	Application	N
4384	EFS service was unable to open handle to the MS_DEF_PROV provider.	Application	N
4385	EFS service was unable to setup notifications from LSA.	Application	N
4386	EFS service was unable to initialize the recovery policy resource.	Application	N
4387	EFS service was unable process the recovery policy.	Application	N
4388	EFS service was unable to notify NTFS of its state.	Application	N
4389	EFS service was unable to setup group policy change notifications.	Application	N
4390	EFS service was unable to process active user sessions.	Application	N
4391	Encrypting File System server ready to accept calls.	Debug	N
4392	FileNumber.	Application	N
4393	FileNumber.	Application	N
4400	FileNumber.	Application	N
4401	FileNumber.	Application	N
4402	FileNumber.	Application	N
4403	FileNumber.	Application	N
4404	FileNumber.	Application	N
4405	FileNumber.	Debug	N
4406	Code.	Debug	N
4407	FileNumber.	Debug	N
4408	FileNumber.	Debug	N
4409	FileNumber.	Debug	N
4410	FileNumber.	Debug	N
4411	Code.	Debug	N
4412	Code.	Debug	N
4413	Code.	Debug	N
4414	FileNumber.	Debug	N
4415	FileNumber.	Debug	N
4416	Code.	Debug	N
4417	Code.	Debug	N
4418	FileNumber.	Application	N
4419	Thread ThreadId: File, Line LineNumber, HRESULT HRESULT, Message: 'Message'.	Debug	N
4420	A client attempted to call an EFS service API without privacy level …	Application	N
4421	A client that called an EFS service API without privacy level authentication was …	Application	N
4422	Failed to unprotect device user credential key using Windows Hello for user: …	Operational	N
4423	Personal Data Encryption and Windows Hello status updated: 1) Windows Hello …	Operational	N
4424	Personal Data Encryption enabled for user Param1.	Operational	N
4425	Personal Data Encryption disabled for user Param1.	Operational	N
4432	User Param1 attempted to access user Param2's data protected with Personal Data …	Operational	N
4433	Personal Data Encryption conversion started.	Operational	N
4434	Personal Data Encryption conversion completed.	Operational	N
4435	Personal Data Encryption conversion did not complete.	Operational	N
4436	Personal Data Encryption conversion failed to convert one or more files or …	Operational	N
4437	Personal Data Encryption policy for Desktop folder is set to Param2 for user …	Operational	N
4438	Personal Data Encryption policy for Documents folder is set to Param2 for user …	Operational	N
4439	Personal Data Encryption policy for Pictures folder is set to Param2 for user …	Operational	N
4440	Personal Data Encryption policy for Desktop folder is deleted for user Param1.	Operational	N
4441	Personal Data Encryption policy for Documents folder is deleted for user Param1.	Operational	N
4448	Personal Data Encryption policy for Pictures folder is deleted for user Param1.	Operational	N
4449	Personal Data Encryption policy for Desktop folder is mapped to path "Param1" …	Operational	N
4450	Personal Data Encryption policy for Documents folder is mapped to path "Param1" …	Operational	N
4451	Personal Data Encryption policy for Pictures folder is mapped to path "Param1" …	Operational	N
4452	Personal Data Encryption: paths to protect folders is empty for user Param1.	Operational	N
4453	Windows Information Protection has been disabled.	Operational	N
4454	Windows Information Protection could not be disabled.	Operational	N
4455	Personal Data Encryption conversion did not complete the last time it was run.	Operational	N
4456	Personal Data Encryption is not available for the current device.	Operational	N
4457	Personal Data Encryption is not available for the current device.	Operational	N
7000	Machine role cannot be determined.	Application	N
7002	Default group policy object cannot be created.	Application	Y

Event ID 1: An API call failed at FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

An API call failed at FileNumber.LineNumber. Error code: Param.

Message #

An API call failed at %1.%2.  Error code: %3

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 2: An API call failed at Data.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

An API call failed at Data.FileNumber. Error code: LineNumber, Data: Param1.

Message #

An API call failed at %1.%2.  Error code: %3, Data: %4

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UInt32
`Param2` UInt32

Event ID 3: An API call failed at Data.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

An API call failed at Data.FileNumber. Error code: LineNumber, Data: Param1, Param2.

Message #

An API call failed at %1.%2.  Error code: %3, Data: %4, %5

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UInt32
`Param2` UInt32
`Param3` UInt32

Event ID 4: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Failed to allocate Param bytes.

Message #

%1.%2: Failed to allocate %3 bytes.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 256: EFS key promoted from current key.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

EFS key promoted from current key. CertValidated: CertValidated, cbHash: cbHash, pbHash: pbHash, ContainerName: ContainerName, ProviderName: ProviderName, DisplayInformation: DisplayInformation, dwCapabilities: dwCapabilities, bIsCurrentKey: bIsCurrentKey, eKeyType: eKeyType.

Message #

EFS key promoted from current key.  CertValidated: %1, cbHash: %2, pbHash: %3, ContainerName: %4, ProviderName: %5, DisplayInformation: %6, dwCapabilities: %7, bIsCurrentKey: %8, eKeyType: %9

Fields #

Name	Description
`CertValidated` UInt32
`cbHash` UInt32
`pbHash` AnsiString
`ContainerName` UnicodeString
`ProviderName` UnicodeString
`DisplayInformation` UnicodeString
`dwCapabilities` AnsiString
`bIsCurrentKey` AnsiString
`eKeyType` AnsiString

Event ID 257: EFS key demoted from current key.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

EFS key demoted from current key. CertValidated: CertValidated, cbHash: cbHash, pbHash: pbHash, ContainerName: ContainerName, ProviderName: ProviderName, DisplayInformation: DisplayInformation, dwCapabilities: dwCapabilities, bIsCurrentKey: bIsCurrentKey, eKeyType: eKeyType.

Message #

EFS key demoted from current key.  CertValidated: %1, cbHash: %2, pbHash: %3, ContainerName: %4, ProviderName: %5, DisplayInformation: %6, dwCapabilities: %7, bIsCurrentKey: %8, eKeyType: %9

Fields #

Name	Description
`CertValidated` UInt32
`cbHash` UInt32
`pbHash` AnsiString
`ContainerName` UnicodeString
`ProviderName` UnicodeString
`DisplayInformation` UnicodeString
`dwCapabilities` AnsiString
`bIsCurrentKey` AnsiString
`eKeyType` AnsiString

Event ID 258: EFS key flushed from cache.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

EFS key flushed from cache. CertValidated: CertValidated, cbHash: cbHash, pbHash: pbHash, ContainerName: ContainerName, ProviderName: ProviderName, DisplayInformation: DisplayInformation, dwCapabilities: dwCapabilities, bIsCurrentKey: bIsCurrentKey, eKeyType: eKeyType.

Message #

EFS key flushed from cache.  CertValidated: %1, cbHash: %2, pbHash: %3, ContainerName: %4, ProviderName: %5, DisplayInformation: %6, dwCapabilities: %7, bIsCurrentKey: %8, eKeyType: %9

Fields #

Name	Description
`CertValidated` UInt32
`cbHash` UInt32
`pbHash` AnsiString
`ContainerName` UnicodeString
`ProviderName` UnicodeString
`DisplayInformation` UnicodeString
`dwCapabilities` AnsiString
`bIsCurrentKey` AnsiString
`eKeyType` AnsiString

Event ID 259: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: The specified key is not valid for EFS.

Message #

%1.%2: The specified key is not valid for EFS

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 260: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Attempt to create a new EFS key.

Message #

%1.%2: Attempt to create a new EFS key

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 261: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: A new EFS key was successfully created.

Message #

%1.%2: A new EFS key was successfully created

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 262: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Begin searching the MY store for a valid EFS key.

Message #

%1.%2: Begin searching the MY store for a valid EFS key

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 263: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Begin searching the MY store for a valid EFS key.

Message #

%1.%2: Begin searching the MY store for a valid EFS key

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 264: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Deleting currentkey from registry.

Message #

%1.%2: Deleting currentkey from registry

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 265: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: The EFS cert is self-signed, but self-signed certs are disabled by policy.

Message #

%1.%2: The EFS cert is self-signed, but self-signed certs are disabled by policy

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 272: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: RSA is required by policy, but the key does not support RSA encryption.

Message #

%1.%2: RSA is required by policy, but the key does not support RSA encryption

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 273: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: MASTERKEY is required by policy, but the key does not support MASTERKEY encryption.

Message #

%1.%2: MASTERKEY is required by policy, but the key does not support MASTERKEY encryption

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 274: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: SMARTCARDS are required by policy, but the key is not SMARTCARD-based.

Message #

%1.%2: SMARTCARDS are required by policy, but the key is not SMARTCARD-based

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 275: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: key is expired.

Message #

%1.%2: key is expired

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 276: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: key is valid.

Message #

%1.%2: key is valid

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 277: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: try and locate the matching key based on cert hash.

Message #

%1.%2: try and locate the matching key based on cert hash

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 278: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: key successfully loaded from registry.

Message #

%1.%2: key successfully loaded from registry

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 279: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: try and locate the matching key in cache.

Message #

%1.%2: try and locate the matching key in cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 280: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: trying to load the masterkey history.

Message #

%1.%2: trying to load the masterkey history

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 281: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: masterkey history loaded.

Message #

%1.%2: masterkey history loaded

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 288: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: failed to encrypt: SIS or HSM file.

Message #

%1.%2: failed to encrypt: SIS or HSM file

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 289: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Suite B is disabled by policy, but the key is a Suite B key.

Message #

%1.%2: Suite B is disabled by policy, but the key is a Suite B key

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 290: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Suite B is required by policy, but the key is not a Suite B key.

Message #

%1.%2: Suite B is required by policy, but the key is not a Suite B key

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 512: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: releasing user cache object. Refcount: Param.

Message #

%1.%2: releasing user cache object.  Refcount: %3

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 513: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: trying to stop cache polling thread.

Message #

%1.%2: trying to stop cache polling thread

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 514: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: no decryption status in cache.

Message #

%1.%2: no decryption status in cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 515: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: found matching decryption status in cache.

Message #

%1.%2: found matching decryption status in cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 516: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: attempting to add key to user cache.

Message #

%1.%2: attempting to add key to user cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 517: EFS key added to user cache.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

EFS key added to user cache. CertValidated: CertValidated, cbHash: cbHash, pbHash: pbHash, ContainerName: ContainerName, ProviderName: ProviderName, DisplayInformation: DisplayInformation, dwCapabilities: dwCapabilities, bIsCurrentKey: bIsCurrentKey, eKeyType: eKeyType.

Message #

EFS key added to user cache.  CertValidated: %1, cbHash: %2, pbHash: %3, ContainerName: %4, ProviderName: %5, DisplayInformation: %6, dwCapabilities: %7, bIsCurrentKey: %8, eKeyType: %9

Fields #

Name	Description
`CertValidated` UInt32
`cbHash` UInt32
`pbHash` AnsiString
`ContainerName` UnicodeString
`ProviderName` UnicodeString
`DisplayInformation` UnicodeString
`dwCapabilities` AnsiString
`bIsCurrentKey` AnsiString
`eKeyType` AnsiString

Event ID 518: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: ensuring user has cache node.

Message #

%1.%2: ensuring user has cache node

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 519: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: found cache node in user info.

Message #

%1.%2: found cache node in user info

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 520: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: found cache node in global cache.

Message #

%1.%2: found cache node in global cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 521: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: creating new cache node for user.

Message #

%1.%2: creating new cache node for user

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 768: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Policy settings specified flush on card removal. Starting the polling thread...

Message #

%1.%2: Policy settings specified flush on card removal.  Starting the polling thread...

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 769: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Policy settings specified NO flush on timeout. Stopping the polling thread...

Message #

%1.%2: Policy settings specified NO flush on timeout.  Stopping the polling thread...

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 770: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Policy settings specified flush on timeout. Starting the polling thread...

Message #

%1.%2: Policy settings specified flush on timeout.  Starting the polling thread...

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 771: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Policy settings specified new cache flush interval: Param. Stop polling (will restart if there are active user caches).

Message #

%1.%2: Policy settings specified new cache flush interval: %3.  Stop polling (will restart if there are active user caches)

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 772: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Polling thread stopped.

Message #

%1.%2: Polling thread stopped

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 773: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Flush cache specified by policy, and we have active user caches. Start polling.

Message #

%1.%2: Flush cache specified by policy, and we have active user caches.  Start polling.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 774: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Polling thread started.

Message #

%1.%2: Polling thread started

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 775: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User logon detected. Beginning SSO processing.

Message #

%1.%2: User logon detected.  Beginning SSO processing.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 776: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User logon detected, but is not smartcard-based. No SSO processing required.

Message #

%1.%2: User logon detected, but is not smartcard-based.  No SSO processing required.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 777: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Smartcard notification detected. Beginning SSO processing.

Message #

%1.%2: Smartcard notification detected.  Beginning SSO processing.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 784: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Smartcard notification detected, but the logon cert is already cached. No processing required.

Message #

%1.%2: Smartcard notification detected, but the logon cert is already cached.  No processing required.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 785: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Current key matches the logon cert. Setting up the PIN cache.

Message #

%1.%2: Current key matches the logon cert.  Setting up the PIN cache.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 786: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User does not yet have a current key. If smartcard is required by policy, the logon cert and PIN will be cached.

Message #

%1.%2: User does not yet have a current key.  If smartcard is required by policy, the logon cert and PIN will be cached.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 787: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Logon notification detected on DC. Beginning DRA install.

Message #

%1.%2: Logon notification detected on DC.  Beginning DRA install.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 788: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: user does not already have a cache: generating one now.

Message #

%1.%2: user does not already have a cache: generating one now

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 789: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: generating pre-cache for PIN and logon cert.

Message #

%1.%2: generating pre-cache for PIN and logon cert

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 790: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: tried to install logon cert, but it's not available (not a smartcard logon, or the smartcard was removed).

Message #

%1.%2: tried to install logon cert, but it's not available (not a smartcard logon, or the smartcard was removed)

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 791: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: logon cert successfully installed.

Message #

%1.%2: logon cert successfully installed

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 792: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: trying to install logon cert.

Message #

%1.%2: trying to install logon cert

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 793: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User lock detected. Beginning SSO processing.

Message #

%1.%2: User lock detected.  Beginning SSO processing.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 800: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User logoff detected. Beginning SSO processing.

Message #

%1.%2: User logoff detected.  Beginning SSO processing.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 801: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Flushing the user cache.

Message #

%1.%2: Flushing the user cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 802: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User has locked workstation, but policy says not to flush cache.

Message #

%1.%2: User has locked workstation, but policy says not to flush cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 803: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Checking for expired cache entries.

Message #

%1.%2: Checking for expired cache entries

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 804: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Expired certificate in recovery policy.

Message #

%1.%2: Expired certificate in recovery policy

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 805: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Certificate in recovery policy is not yet valid.

Message #

%1.%2: Certificate in recovery policy is not yet valid

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1024: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: SL policy successfully updated.

Message #

%1.%2: SL policy successfully updated

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1040: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS is disabled by SL policy.

Message #

%1.%2: EFS is disabled by SL policy

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1041: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS is not yet initialized.

Message #

%1.%2: EFS is not yet initialized

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1042: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS is disabled.

Message #

%1.%2: EFS is disabled

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1280: Actual.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Actual.FileNumber: the data received by the API was too large. Expected: LineNumber, Actual: Param1.

Message #

%1.%2: the data received by the API was too large.  Expected: %3, Actual: %4

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UInt32
`Param2` UInt32

Event ID 1281: Actual.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Actual.FileNumber: the data received by the API was too small. Expected: LineNumber, Actual: Param1.

Message #

%1.%2: the data received by the API was too small.  Expected: %3, Actual: %4

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UInt32
`Param2` UInt32

Event ID 1282: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: POSSIBLE EFS ATTACK DETECTED: DomainName, UserName, AttackId.

Message #

%1.%2: POSSIBLE EFS ATTACK DETECTED: %3, %4, %5

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`DomainName` UnicodeString
`UserName` UnicodeString
`AttackId` UInt32

Event ID 1283: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: attempting to validate EFS stream.

Message #

%1.%2: attempting to validate EFS stream

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1284: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS stream validated.

Message #

%1.%2: EFS stream validated

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1536: PIN prompt dialog has closed

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

PIN prompt dialog has closed.

Message #

PIN prompt dialog has closed

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1537: Prompt the user to select a smartcard-based EFS cert

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Prompt the user to select a smartcard-based EFS cert.

Message #

Prompt the user to select a smartcard-based EFS cert

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1538: Smartcard-based EFS cert successfully selected by the user

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Smartcard-based EFS cert successfully selected by the user.

Message #

Smartcard-based EFS cert successfully selected by the user

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1539: Prompt the user for PIN

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Prompt the user for PIN.

Message #

Prompt the user for PIN

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1540: PIN successfully acquired from the user

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

PIN successfully acquired from the user.

Message #

PIN successfully acquired from the user

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1541: Perfect match found in cache.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Perfect match found in cache.

Message #

Perfect match found in cache.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1542: Masterkey history already loaded

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Masterkey history already loaded.

Message #

Masterkey history already loaded

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1543: Current key loaded from cache

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Current key loaded from cache.

Message #

Current key loaded from cache

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1544: Current key loaded from registry

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Current key loaded from registry.

Message #

Current key loaded from registry

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 1545: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Masterkey history: failed size consistency check. Param1, Param2, Param3.

Message #

%1.%2: Masterkey history: failed size consistency check.  %3, %4, %5

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UInt32
`Param2` UInt32
`Param3` UInt32

Event ID 4096: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Encrypted keys not equal.

Message #

%1.%2: Encrypted keys not equal

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4097: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: doing a REKEY, but the DDF entry already exists.

Message #

%1.%2: doing a REKEY, but the DDF entry already exists

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4098: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: replace operation added a DDF (unexpected).

Message #

%1.%2: replace operation added a DDF (unexpected)

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4099: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: user is modifying a DDF entry not matching the PoP entry. Require WRITE_ATTRIBUTES.

Message #

%1.%2: user is modifying a DDF entry not matching the PoP entry.  Require WRITE_ATTRIBUTES

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4100: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: user is modifying a DDF matching the PoP entry, or the DRF. Don't require WRITE_ATTRIBUTES.

Message #

%1.%2: user is modifying a DDF matching the PoP entry, or the DRF.  Don't require WRITE_ATTRIBUTES

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4101: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: UNEXPECTED condition: no ENCRYPTED_KEY for SC failure.

Message #

%1.%2: UNEXPECTED condition: no ENCRYPTED_KEY for SC failure

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4102: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Plug-n-Play service not ready. EFS server will not try to detect interrupted encryption/decryption operation(s).

Message #

%1.%2: Plug-n-Play service not ready. EFS server will not try to detect interrupted encryption/decryption operation(s).

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4353: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Cannot open log file. Encryption/decryption operation(s) cannot be recovered.

Message #

%1.%2: Cannot open log file. Encryption/decryption operation(s) cannot be recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4354: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Cannot read log file. Encryption/decryption operation(s) cannot be recovered.

Message #

%1.%2: Cannot read log file. Encryption/decryption operation(s) cannot be recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4355: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: A corrupted or different format log file has been found. No action was taken.

Message #

%1.%2: A corrupted or different format log file has been found. No action was taken.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4356: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: The log file cannot be opened as non-cached IO. No action was taken.

Message #

%1.%2: The log file cannot be opened as non-cached IO. No action was taken.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4357: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Interrupted encryption/decryption operation(s) found on a volume. Recovery procedure started.

Message #

%1.%2: Interrupted encryption/decryption operation(s) found on a volume. Recovery procedure started.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4358: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS recovery service cannot open the file Param1. The interrupted encryption/decryption operation cannot be recovered.

Message #

%1.%2: EFS recovery service cannot open the file %3. The interrupted encryption/decryption operation cannot be recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4359: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS service recovered Param1 successfully.

Message #

%1.%2: EFS service recovered %3 successfully.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4360: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS service could not open all the streams on file Param1 The file was not recovered.

Message #

%1.%2: EFS service could not open all the streams on file %3  The file was not recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4361: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Param1 could not be recovered Completely. EFS driver may be missing.

Message #

%1.%2: %3 could not be recovered Completely.  EFS driver may be missing.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4368: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: IO Error occurred during stream recovery. Param1 was not recovered.

Message #

%1.%2: IO Error occurred during stream recovery.  %3 was not recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4369: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS recovery service cannot open the backup file Param1 by name. The interrupted encryption/decryption operation (on file Param2) may be recovered. The backup file will not be deleted. User should delete the backup file if the recovery operation is done successfully.

Message #

%1.%2: EFS recovery service cannot open the backup file %3 by name. The interrupted encryption/decryption operation (on file %4) may be recovered.  The backup file will not be deleted. User should delete the backup file if the recovery operation is done successfully.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4370: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Param1 was opened by File ID successfully the first time but not the second time. No recovery operation was tried on file Param2. This is an internal error.

Message #

%1.%2: %3 was opened by File ID successfully the first time but not the second time. No recovery operation was tried on file %4. This is an internal error.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4371: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS recovery service cannot get the backup file name. The interrupted encryption/decryption operation (on file Param1) may be recovered. The temporary backup file Param2 is not deleted. User should delete the backup file if the recovery operation is done successfully.

Message #

%1.%2: EFS recovery service cannot get the backup file name. The interrupted encryption/decryption operation (on file %3) may be recovered.  The temporary backup file %4 is not deleted.  User should delete the backup file if the recovery operation is done successfully.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4372: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Param1 could not be opened. Param2 was not recovered.

Message #

%1.%2: %3 could not be opened. %4 was not recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4373: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Stream Information could not be got from Param1. Param2 was not recovered.

Message #

%1.%2: Stream Information could not be got from %3. %4 was not recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4374: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS service could not open all the streams on file Param1. Param2 was not recovered.

Message #

%1.%2: EFS service could not open all the streams on file %3.  %4 was not recovered.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4375: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: EFS Service received logon notification.

Message #

%1.%2: EFS Service received logon notification.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4376: EFS Service failed to start.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS Service failed to start. Error code: ErrorCode.

Message #

EFS Service failed to start. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4377: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: User cache entry purged. Reference count: Param.

Message #

%1.%2: User cache entry purged. Reference count: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 4378: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: All user cache entries purged. Reference count: Param.

Message #

%1.%2: All user cache entries purged. Reference count: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 4379: EFS service was unable to populate SID information.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to populate SID information. Error code: ErrorCode.

Message #

EFS service was unable to populate SID information. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4380: EFS service was unable to determine the computer name.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to determine the computer name. Error code: ErrorCode.

Message #

EFS service was unable to determine the computer name. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4381: EFS service was unable to initialize cache lock.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to initialize cache lock. Error code: ErrorCode.

Message #

EFS service was unable to initialize cache lock. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4382: EFS service was unable to initialize the BCrypt Algorithm Provider.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to initialize the BCrypt Algorithm Provider. Error code: ErrorCode.

Message #

EFS service was unable to initialize the BCrypt Algorithm Provider. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4383: EFS service was unable to query Software Licensing for the cache size.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to query Software Licensing for the cache size. Error code: ErrorCode.

Message #

EFS service was unable to query Software Licensing for the cache size. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4384: EFS service was unable to open handle to the MS_DEF_PROV provider.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to open handle to the MS_DEF_PROV provider. Error code: ErrorCode.

Message #

EFS service was unable to open handle to the MS_DEF_PROV provider. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4385: EFS service was unable to setup notifications from LSA.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to setup notifications from LSA. Error code: ErrorCode.

Message #

EFS service was unable to setup notifications from LSA. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4386: EFS service was unable to initialize the recovery policy resource.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to initialize the recovery policy resource. Error code: ErrorCode.

Message #

EFS service was unable to initialize the recovery policy resource. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4387: EFS service was unable process the recovery policy.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable process the recovery policy. Error code: ErrorCode.

Message #

EFS service was unable process the recovery policy. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4388: EFS service was unable to notify NTFS of its state.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to notify NTFS of its state. Error code: ErrorCode.

Message #

EFS service was unable to notify NTFS of its state. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4389: EFS service was unable to setup group policy change notifications.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to setup group policy change notifications. Error code: ErrorCode.

Message #

EFS service was unable to setup group policy change notifications. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4390: EFS service was unable to process active user sessions.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

EFS service was unable to process active user sessions. Error code: ErrorCode.

Message #

EFS service was unable to process active user sessions. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4391: Encrypting File System server ready to accept calls.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Encrypting File System server ready to accept calls.

Message #

Encrypting File System server ready to accept calls.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4392: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: EFS service failed to subscribe for updates to an MDM policy. Index: ErrorCode.

Message #

%1.%2: EFS service failed to subscribe for updates to an MDM policy. Index: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4393: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: Failed to initialize one or more synchronization objects. Error code: ErrorCode.

Message #

%1.%2: Failed to initialize one or more synchronization objects. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4400: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: EFS service failed to process MDM policy updates. Error code: ErrorCode.

Message #

%1.%2: EFS service failed to process MDM policy updates. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4401: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: EFS service failed to provision a user for Windows Information Protection. Error code: ErrorCode.

Message #

%1.%2: EFS service failed to provision a user for Windows Information Protection. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4402: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: EFS service failed to provision a user for DPL. Error code: ErrorCode.

Message #

%1.%2: EFS service failed to provision a user for DPL. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4403: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: EFS service failed to initialize file encryption queues. Error code: ErrorCode.

Message #

%1.%2: EFS service failed to initialize file encryption queues. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4404: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: Recovery policy data is in an invalid format. Error code: ErrorCode.

Message #

%1.%2: Recovery policy data is in an invalid format. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4405: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Start: Param1.

Message #

%1.%2: Start: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4406: Code.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Code.FileNumber: Complete: LineNumber. Code: Param1.

Message #

%1.%2: Complete: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4407: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Error Code: Param1.

Message #

%1.%2: Error Code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` HexInt32

Event ID 4408: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Status Code: Param1.

Message #

%1.%2: Status Code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` HexInt32

Event ID 4409: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Enter: Param1.

Message #

%1.%2: Enter: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4410: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Leave: Param1.

Message #

%1.%2: Leave: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4411: Code.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Code.FileNumber: Leave: LineNumber. Code: Param1.

Message #

%1.%2: Leave: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4412: Code.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Code.FileNumber: Error: LineNumber. Code: Param1.

Message #

%1.%2: Error: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4413: Code.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Code.FileNumber: Warning: LineNumber. Code: Param1.

Message #

%1.%2: Warning: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4414: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Param1. Code: Param2.

Message #

%1.%2: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4415: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

FileNumber.LineNumber: Param1. Value: Param2.

Message #

%1.%2: %3. Value: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32

Event ID 4416: Code.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Code.FileNumber: Complete: LineNumber. Code: Param1.

Message #

%1.%2: Complete: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4417: Code.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Code.FileNumber: Leave: LineNumber. Code: Param1.

Message #

%1.%2: Leave: %3. Code: %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` HexInt32

Event ID 4418: FileNumber.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

FileNumber.LineNumber: EFS service failed to provision RMS for Windows Information Protection. Error code: ErrorCode.

Message #

%1.%2: EFS service failed to provision RMS for Windows Information Protection. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4419: Thread ThreadId: File, Line LineNumber, HRESULT HRESULT, Message: 'Message'.

Provider: Microsoft-Windows-EFS
Channel: Debug

Description

Thread ThreadId: File, Line LineNumber, HRESULT HRESULT, Message: 'Message'.

Message #

Thread %1: %2, Line %3, HRESULT %4, Message: '%5'

Fields #

Name	Description
`ThreadId` HexInt32
`File` AnsiString
`LineNumber` UInt32
`HRESULT` HexInt32
`Message` UnicodeString

Event ID 4420: A client attempted to call an EFS service API without privacy level authentication.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

A client attempted to call an EFS service API without privacy level authentication. Error code: ErrorCode. See https://go.microsoft.com/fwlink/?linkid=2181030.

Message #

A client attempted to call an EFS service API without privacy level authentication. Error code: %3. See https://go.microsoft.com/fwlink/?linkid=2181030.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4421: A client that called an EFS service API without privacy level authentication was allowed.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

A client that called an EFS service API without privacy level authentication was allowed. See https://go.microsoft.com/fwlink/?linkid=2181030.

Message #

A client that called an EFS service API without privacy level authentication was allowed. See https://go.microsoft.com/fwlink/?linkid=2181030.

Event ID 4422: Failed to unprotect device user credential key using Windows Hello for user: Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Failed to unprotect device user credential key using Windows Hello for user: Param1. Error code: Param2.

Message #

Failed to unprotect device user credential key using Windows Hello for user: %3. Error code: %4

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32

Event ID 4423: Personal Data Encryption and Windows Hello status updated: 1) Windows Hello availability: Param1; 2) Windows Hello logon capability: Param2; 3) Windows Hel...

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption and Windows Hello status updated: 1) Windows Hello availability: Param1; 2) Windows Hello logon capability: Param2; 3) Windows Hello hardware capability: Param3; 4) Remote Desktop remote connections disabled: Param4; 5) Windows automatic restart sign-on disabled: Param5.

Message #

Personal Data Encryption and Windows Hello status updated: 1) Windows Hello availability: %3; 2) Windows Hello logon capability: %4; 3) Windows Hello hardware capability: %5; 4) Remote Desktop remote connections disabled: %6; 5) Windows automatic restart sign-on disabled: %7.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UInt32
`Param2` UInt32
`Param3` UInt32
`Param4` UInt32
`Param5` UInt32

Event ID 4424: Personal Data Encryption enabled for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption enabled for user Param1.

Message #

Personal Data Encryption enabled for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4425: Personal Data Encryption disabled for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption disabled for user Param1. 1) Policy value: Param2; and 2) Is opted out: Param3.

Message #

Personal Data Encryption disabled for user %3. 1) Policy value: %4; and 2) Is opted out: %5.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32
`Param3` UInt32

Event ID 4432: User Param1 attempted to access user Param2's data protected with Personal Data Encryption and was denied.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

User Param1 attempted to access user Param2's data protected with Personal Data Encryption and was denied.

Message #

User %3 attempted to access user %4's data protected with Personal Data Encryption and was denied.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4433: Personal Data Encryption conversion started.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption conversion started.

Message #

Personal Data Encryption conversion started.
Mode: "%3",
paths in policy: "%4",
paths protected: "%5",
paths attempted: "%6",
status: %7.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString
`Param3` UnicodeString
`Param4` UnicodeString
`Param5` UInt32

Event ID 4434: Personal Data Encryption conversion completed.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption conversion completed.

Message #

Personal Data Encryption conversion completed.
Mode: "%3",
paths in policy: "%4",
paths protected: "%5",
paths attempted: "%6",
status: %7,
number of items converted: %8 (total bytes converted: %9),
number of system items : %10,
number of read-only files : %11,
number of items looked at : %12.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString
`Param3` UnicodeString
`Param4` UnicodeString
`Param5` UInt32
`Param6` UInt64
`Param7` UInt64
`Param8` UInt64
`Param9` UInt64
`Param10` UInt64

Event ID 4435: Personal Data Encryption conversion did not complete.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption conversion did not complete.

Message #

Personal Data Encryption conversion did not complete.
Mode: "%3",
paths in policy: "%4",
paths protected: "%5",
paths attempted: "%6",
status: %7,
number of items converted: %8 (total bytes converted: %9),
number of system items: %10,
number of read-only files : %11,
number of items looked at : %12,
number of unknown failures: %13,
number of items not protectable: %14.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString
`Param3` UnicodeString
`Param4` UnicodeString
`Param5` UInt32
`Param6` UInt64
`Param7` UInt64
`Param8` UInt64
`Param9` UInt64
`Param10` UInt64
`Param11` UInt64
`Param12` UInt64

Event ID 4436: Personal Data Encryption conversion failed to convert one or more files or folders.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption conversion failed to convert one or more files or folders. First encountered failure on file or folder "Param1" was Param2.

Message #

Personal Data Encryption conversion failed to convert one or more files or folders. First encountered failure on file or folder "%3" was %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32

Event ID 4437: Personal Data Encryption policy for Desktop folder is set to Param2 for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Desktop folder is set to Param2 for user Param1.

Message #

Personal Data Encryption policy for Desktop folder is set to %4 for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32

Event ID 4438: Personal Data Encryption policy for Documents folder is set to Param2 for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Documents folder is set to Param2 for user Param1.

Message #

Personal Data Encryption policy for Documents folder is set to %4 for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32

Event ID 4439: Personal Data Encryption policy for Pictures folder is set to Param2 for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Pictures folder is set to Param2 for user Param1.

Message #

Personal Data Encryption policy for Pictures folder is set to %4 for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UInt32

Event ID 4440: Personal Data Encryption policy for Desktop folder is deleted for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Desktop folder is deleted for user Param1.

Message #

Personal Data Encryption policy for Desktop folder is deleted for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4441: Personal Data Encryption policy for Documents folder is deleted for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Documents folder is deleted for user Param1.

Message #

Personal Data Encryption policy for Documents folder is deleted for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4448: Personal Data Encryption policy for Pictures folder is deleted for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Pictures folder is deleted for user Param1.

Message #

Personal Data Encryption policy for Pictures folder is deleted for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4449: Personal Data Encryption policy for Desktop folder is mapped to path "Param1" for user Param2.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Desktop folder is mapped to path "Param1" for user Param2.

Message #

Personal Data Encryption policy for Desktop folder is mapped to path "%3" for user %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4450: Personal Data Encryption policy for Documents folder is mapped to path "Param1" for user Param2.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Documents folder is mapped to path "Param1" for user Param2.

Message #

Personal Data Encryption policy for Documents folder is mapped to path "%3" for user %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4451: Personal Data Encryption policy for Pictures folder is mapped to path "Param1" for user Param2.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption policy for Pictures folder is mapped to path "Param1" for user Param2.

Message #

Personal Data Encryption policy for Pictures folder is mapped to path "%3" for user %4.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString
`Param2` UnicodeString

Event ID 4452: Personal Data Encryption: paths to protect folders is empty for user Param1.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption: paths to protect folders is empty for user Param1.

Message #

Personal Data Encryption: paths to protect folders is empty for user %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param1` UnicodeString

Event ID 4453: Windows Information Protection has been disabled.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Windows Information Protection has been disabled.

Message #

Windows Information Protection has been disabled.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4454: Windows Information Protection could not be disabled.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Windows Information Protection could not be disabled. Error code: ErrorCode.

Message #

Windows Information Protection could not be disabled. Error code: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`ErrorCode` HexInt32

Event ID 4455: Personal Data Encryption conversion did not complete the last time it was run.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption conversion did not complete the last time it was run. Last run mode: Param.

Message #

Personal Data Encryption conversion did not complete the last time it was run. Last run mode: %3.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32
`Param` UInt32

Event ID 4456: Personal Data Encryption is not available for the current device.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption is not available for the current device. Only Azure AD joined devices are supported.

Message #

Personal Data Encryption is not available for the current device. Only Azure AD joined devices are supported.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 4457: Personal Data Encryption is not available for the current device.

Provider: Microsoft-Windows-EFS
Channel: Operational

Description

Personal Data Encryption is not available for the current device. Supported device types are Azure AD joined and Hybrid Azure AD joined devices.

Message #

Personal Data Encryption is not available for the current device. Supported device types are Azure AD joined and Hybrid Azure AD joined devices.

Fields #

Name	Description
`FileNumber` UInt32
`LineNumber` UInt32

Event ID 7000: Machine role cannot be determined.

Provider: Microsoft-Windows-EFS
Channel: Application

Description

Machine role cannot be determined. Reason.

Message #

Machine role cannot be determined. %1

Fields #

Name	Description
`Reason` UnicodeString

Event ID 7002: Default group policy object cannot be created.

Provider: Microsoft-Windows-EFS
Channel: Application
Level: Error

Description

Default group policy object cannot be created. Reason.

Message #

Default group policy object cannot be created. %1

Fields #

Name	Description
`Reason` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-EFS",
    "guid": "{3663A992-84BE-40EA-BBA9-90C7ED544222}",
    "event_source_name": "",
    "event_id": 7002,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-28T03:43:46.9077024+00:00",
    "event_record_id": 230,
    "correlation": {},
    "execution": {
      "process_id": 4940,
      "thread_id": 5316
    },
    "channel": "Application",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
    }
  },
  "event_data": {
    "Reason": "Error 80070005 to open GPO Domain EFS Recovery Policy in domain LDAP://DC=cell-d,DC=ludus,DC=domain."
  },
  "message": "Default group policy object cannot be created. Error 80070005 to open GPO Domain EFS Recovery Policy in domain LDAP://DC=cell-d,DC=ludus,DC=domain."
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 3663a992-84be-40ea-bba9-90c7ed544222

Defined in efscore.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)